On 25 May 2018, the General Data Protection Regulation (GDPR) comes into effect. These laws govern the processing of personal data relating to data subjects by data controllers.
Job applicants are data subjects and provide personal data, which often includes sensitive personal data, to employers, who, as data controllers, process that data. Recruitment processes therefore raise several questions in relation to data protection:
How do you deal with personal data you receive from job applicants?
What do you do with the information you receive at the end of the recruitment exercise?
By way of background, the GDPR provides the following rights to individuals in relation to their personal data:
- The right to be informed
- The right of access
- The right of rectification
- The right of erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
Some of the key changes to be introduced by the GDPR to be mindful of when recruiting staff are as follows:
Processing of “special categories of personal data”
There will be slight changes to the categories of sensitive personal data currently identified in the Data Protection Act 1998 which will now be labelled “special categories of personal data”.
Special categories of data broadly include information about the job applicant’s race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life and sexual orientation.
You are required to have the job applicant’s express consent when processing these special categories of data. In order to obtain consent, you may wish to include a declaration at the bottom of your application form stating that by signing the application they consent to the processing of special categories of data. Alternatively, you could prepare a GDPR candidate privacy notice which is issued to all job applicants for signature. This document might include the kind of information you will collect about the applicant, how the personal information will be collected, how you will use the information about the applicant, how you will use particularly sensitive information, data security and data retention.
Changes to Subject Access Requests
A subject access request can be made, either verbally or in writing, by an individual (in this case, a job applicant) to access the personal data you hold about them. Whilst this is not a new requirement under the GDPR, it is no longer possible to charge the data subject a £10 fee, which may result in an increase in subject access requests.
Upon receipt of a subject access request from a job applicant, you will need to supply copies of all interview notes and scoring sheets, along with any other documents created during the recruitment process. You may need to increase your administrative resources, particularly if you are a big organisation, to ensure you deal with subject access requests within one month of receipt of the request.
Use of publicly available information
Individuals, including job applicants, have the right to privacy over their publicly available information. You must inform job applicants if you may review publicly available information such as their social media accounts. This can be done on the job application form or on your privacy notice.
An applicant has a right to object to the processing of such data, meaning that you must not process it in those circumstances.
Use of automated decision making
If you use automated decision making to filter job applications, you will need to obtain the applicant’s specific consent. Ensure there is a declaration on the job application form consenting to automated decision making.
The right to be forgotten
The GDPR introduces the right for data subjects to request the erasure of their personal data in certain circumstances, for example where the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed. Candidates are unlikely to request this, but if they do, you will need to ensure you comply with it.
How should you deal with data at the end of the recruitment process?
You must not keep data longer than is reasonably necessary. You have to decide how long is reasonably necessary in the circumstances. You will have a legitimate interest in keeping records about any shortlisted candidates in case the successful candidate does not commence employment so you do not need to repeat the recruitment process. You also have a legitimate interest to keep the data for a certain period of time to enable you to defend any discrimination claim that may be brought in the Employment Tribunal by a job applicant.
It seems sensible to keep the data for at least six months for the purpose of defending a discrimination claim given the limitation date to bring such claims and the possibility of any extension of time that might be granted by a Tribunal if a claim was issued after the limitation date has passed. You should carry out an assessment periodically to decide whether to change the length of time that data is kept.
You should state how long you anticipate data will be kept in your privacy notice and delete it in accordance with what you have informed candidates.
If you require any advice in relation to GDPR, please contact Farleys Solicitors on 0845 287 0939 or contact us through our online contact form.