Skip to content

Can I Collect Personal Data From Job Candidates?

Table of Contents

Hiring new candidates is a common and often vital business practice. However, it is essential to remember that collecting personal data from candidates requires careful consideration from a UK General Data Protection Regulation (UK GDPR) perspective. This fundamental data protection law sets out various strict rules on how organisations can collect, store, and use personal data, including data collected from job candidates. This article explores some critical considerations for businesses collecting personal information from candidates as part of their recruitment process. 

What is Personal Data and How Does it Apply to Candidates?

Personal data refers to any information that can identify an individual. For job applicants, this may include names, contact details, employment history, educational qualifications, personal data in references, personal statements, and other personal information in a CV or job application. 

Because employers collect a range of personal data from candidates, the UK GDPR rules apply. These legal rules apply to all prospective staff from whom you collect personal data, including potential employees, freelancers, or contractors. 

Which Data Protection Issues Should Your Business Consider When Collecting Candidate Data?

There are several issues to consider when collecting personal data from candidates. Here are a few key considerations:

Have You Considered a Lawful Basis for Processing Candidate Data?

Under UK GDPR, you need a lawful basis to collect and process personal data. There are various lawful bases under UK GDPR rules (including complying with a legal obligation, consent, or performing a contract).

Front page of publication
GDPR Essentials Factsheet

This factsheet sets out how your business can become GDPR compliant.

Download Now

Your business must carefully consider, justify, and document which lawful grounds to rely upon to lawfully process a candidate’s data.

Have you provided Transparency Information to Candidates?

Transparency is a core principle of UK GDPR. Candidates must be informed about what data you collect, why you collect it, and how you will use it. You can present this information through a Candidate Privacy Notice.

A comprehensive Candidate Privacy Notice should include various information such as:

  • the specific types of personal data your business collects from candidates (e.g., name, CV, references);
  • the lawful basis for collecting the data and how you will use it (e.g., to determine whether they are suitable for a particular role); 
  • the data retention period determines how long you will hold onto candidate data before deleting it; 
  • who your business shares candidate personal data with (e.g., any external background check providers your business works with); and
  • the rights of the candidates under UK GDPR.

The Candidate Privacy Notice must be provided to candidates promptly and clearly so that they can review this information before providing their information to your business. 

Have you Considered Candidate Rights Under UK GDPR?

Candidates have several rights regarding their data under UK GDPR, and you must be able to address these requests and have processes in place to handle them effectively.

For example, candidates can request a copy of your data about them. This is commonly called a Subject Access Request and is available to candidates, as are various other rights.

Have You Considered the Principles of Data Minimisation and Security?

UK GDPR identifies fundamental principles your business must comply with when processing candidate data. Some important principles to observe include data minimisation and data security, which means you should:

  • only collect data that is necessary for the recruitment process. Your business should refrain from collecting excessive personal details your business does not need, particularly at the initial application stage. For instance, asking for detailed personal history or sensitive information up front is generally unnecessary;
  • protect and secure the data collected from candidates. Your business should carefully implement appropriate technical and organisational measures to secure data. This might include using secure storage solutions for physical documents and access controls to ensure that only authorised personnel can view or process candidate information; and
  • only retain personal data for as long as necessary. Your data retention policies should clearly define and document how long you will maintain candidate information. You should not hold candidate data indefinitely, and you should have a transparent and UK GDPR-compliant data retention and deletion process.

These are some general vital issues to consider when collecting candidate data. However, your business should take legal advice if you require a thorough understanding of your obligations when collecting candidate personal data.

Continue reading this article below the form
Need legal advice?
Call 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.

Key Takeaways

When collecting personal data from candidates, you should understand the importance of the UK GDPR rules and ensure your business complies with them. Candidates are data subjects, so your business must follow strict legal rules when processing certain information. For instance, you must provide candidates with privacy information and document a lawful basis for processing personal data. If you require support understanding the scope of your legal obligations, you should seek legal advice.

If you need advice on your legal obligations when collecting personal data from candidates, LegalVision’s experienced data privacy lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions 

1. Is a candidate applying for a job considered a data subject under UK GDPR?

Yes.  Under the UK GDPR, anyone you collect personal data from during recruitment is considered a data subject. This includes information from potential employees, freelancers, or contractors. 

2. What is a Candidate Privacy Notice, and why is it important?

A Candidate Privacy Notice informs candidates about how your business collects, uses, and stores their data during recruitment. This document is important because transparency is a core principle of UK GDPR. 

Register for our free webinars

Protecting and Enforcing Your Brand

Online
Protect your brand from misuse and infringement. Register for our free webinar.
Register Now

Deal Structures 101: Understanding Equity, ASAs and Convertible Notes

Online
As a startup founder, understand your capital raising options. Register for our free webinar today.
Register Now

Common Legal Pitfalls for SaaS and Online Businesses

Online
Protect your online or SaaS business from common legal pitfalls. Register for our free webinar.
Register Now

GDPR Compliance Essentials for SMEs

Online
Ensure our business is compliant with GDPR and build trust with customers. Register for our free webinar.
Register Now
See more webinars >
Sej Lamba

Sej Lamba

Read all articles by Sej

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

We’re an award-winning law firm

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2023 Economic Innovator of the Year Finalist - The Spectator

  • Award

    2023 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2023 Future of Legal Services Innovation - Legal Innovation Awards