Recruitment privacy notices: A recruiter's guide to safeguarding candidates' personal data
What is a recruitment privacy notice?
A recruitment privacy notice (also known as a recruitment privacy policy) is a document that outlines how a recruiter collects, uses, discloses, and manages a candidate's personal data when they engage with a recruiter for their services. It informs candidates about the purpose of data collection, the legal basis for processing, data sharing practices, retention periods, and their rights under data protection laws.
Why does my business need a recruitment privacy notice?
1. Legal requirement
Candidates have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the UK GDPR and a legal requirement under data protection laws.
Under Article 13 of the UK General Data Protection Regulation (UK GDPR), organisations are required to provide certain information to individuals when they collect personal data from them. This information should be provided at the time that the personal data is collected, so it is usually provided via a recruitment privacy notice. Failure to comply with this legal requirement could lead to an Information Commissioner's Office (ICO) investigation, monetary fine, or claims from data subjects, as well as reputational damage to your business. Given that the recruitment industry heavily relies on collecting candidates' personal data, having a recruitment privacy notice is fundamental for any successful recruitment agency.
2. Transparency
Maintaining an easily accessible recruitment privacy notice demonstrates your company's commitment to transparency and openness with candidates. It informs them about how their personal data will be processed, ensuring they have clarity and understanding about their privacy rights.
Using personal data without that person's knowledge can introduce potential risks to your business. If individuals do not know how their personal data is being used, they could be subject to discrimination or disadvantage. It also hinders their ability to exercise their rights under data protection laws effectively. Embracing transparency through a clear and comprehensive recruitment privacy notice can protect against these potential risks.
3. Build candidate trust
By being transparent about data processing practices through a recruitment privacy notice, your recruitment business can build trust with candidates. A well-drafted recruitment privacy notice also enhances your company's reputation. This trust is invaluable, especially in the competitive world of talent acquisition, where candidates seek reassurance and reliability from recruiters and prospective employers. Establishing trust with candidates not only enhances their experience but also significantly impacts your ability to attract top talent for your clients. For this reason, investing in transparency through a meticulously crafted recruitment privacy notice is essential for positioning your recruitment business as a trusted partner in the recruitment process.
Basic data privacy terms that every recruiter should know
Data controller: In the recruitment industry, data controllers are typically recruiters and employers who are responsible for protecting candidates’ data. They determine how candidate data is used and processed throughout the recruitment process.
Data processor: Data processors process (i.e. collect, analyse, record, store, delete, etc.) personal data on behalf of data controllers. In recruitment, data processors include recruitment software such as candidate relationship management (CRM) systems or applicant tracking systems (ATS) that allow recruiters or employers to manage candidates throughout the recruiting and hiring process.
Data subject: A data subject is any identifiable living individual that personal data relates to. In the context of recruitment, this refers to any candidate who submits their personal data to you to assist them in finding a new job.
What are the basics when it comes to the UK GDPR for recruiters?
The UK GDPR establishes rules and regulations that govern the processing of personal data in the UK. For recruiters, understanding and adhering to the UK GDPR is essential to ensure compliance and protect the privacy rights of candidates.
Here are some key points to remember regarding the UK GDPR for recruiters:
Lawful basis for processing: Recruiters must have a lawful basis for processing personal data. Common lawful bases include consent, contractual necessity, compliance with legal obligations, and legitimate interests. Recruiters should determine the appropriate lawful basis for each processing activity and this can be detailed in their recruitment privacy notice.
Transparency and accountability: Recruiters must be transparent about how they collect, use, and process candidates' personal data. This includes providing candidates with clear and accessible privacy notices that explain the purposes of processing, the lawful basis for processing, and their rights under data protection law. Recruiters are also responsible for maintaining records of processing activities and demonstrating compliance with the UK GDPR. For this reason, having a robust recruitment privacy notice is vital for running a recruitment business.
Security measures: Recruiters must implement appropriate technical and organisational measures to ensure the security of candidates' personal data. This includes measures to prevent unauthorised access, disclosure, alteration, or destruction of data.
Data subject rights: Candidates have rights under the UK GDPR, including the right to access their personal data, rectify inaccuracies, erase data (the right to be forgotten), restrict processing, data portability, and object to processing. Recruiters must be prepared to facilitate the exercise of these rights by candidates. More information about the rights of data subjects can be found on the government website.
Data breach notification: Recruiters are required to report certain types of personal data breaches to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Candidates should also be notified if the breach is likely to result in a high risk to their rights and freedoms.
What should I include in a recruitment privacy notice?
Controller details: Include the identity and contact details of your recruitment business, as well as your own contact information.
Data protection officer (DPO): If applicable, provide the contact details of the DPO in the recruitment privacy notice.
Purpose and lawful basis: Clearly state the intended purposes for processing candidates' personal data and the legal basis for doing so.
Data sharing: Specify any third parties with whom candidate personal data may be shared, such as clients or background check providers.
Retention period: Outline how long candidate data will be retained or the criteria used to determine retention periods.
International transfers: If relevant, mention any intention to transfer personal data to a third country or international organisation, including the safeguards used for the transfer.
Data subject rights: Inform data subjects of their rights under data protection laws, including the right to access, rectify, or erase personal data, the right to restrict processing or object to it, the right to data portability, the right to withdraw consent, and the right to lodge a complaint with the ICO.
Automated decision-making: Disclose any use of automated decision-making in the recruitment process in your recruitment privacy notice.
How do I give my recruitment privacy notice to candidates?
Your recruitment privacy notice must be easily accessible and brought to the candidate’s attention at the point their personal data is being collected. If you provide candidates with a link, you should ensure that it takes them straight to the relevant privacy information and that they do not have to seek it out amongst other information.
It is also important that the recruitment privacy notice is drafted in line with the following ICO-recommended principles:
Conciseness – keep your sentences and paragraphs short. Do not include any irrelevant or unnecessary information.
Transparency – don’t hide information from candidates; make sure that you clearly bring to the candidate's attention any uses of data that may be unexpected, or could have significant effects on them.
Intelligibility – your recruitment privacy notice needs to be understood by candidates whose personal data you collect and obtain.
Ease of access – candidates should not have to look for your privacy notice; it must be easy for them to access.
Clear and plain language – ensure that the words and phrases you use are straightforward and familiar to your intended audience.
Do I need to give a privacy notice to other types of individuals too?
Any type of individual whose personal data you collect should be provided with a privacy notice telling them how you will use their personal data. This could include:
Website visitors - to cover personal data that you collect and process about You may want to combine your privacy notice to address how you gather, use, disclose, and manage personal data for both website visitors and candidates.
Employees - to cover personal data that you collect and process about your employees during their employment e.g. address, salary data, sickness and disability data.
Shareholders/investors - to cover personal data that you collect and process about shareholders in your company e.g. contact details and financial information.
How can Docue help? Use our templates created specifically for recruiters!
You can easily and quickly generate a privacy notice for your recruitment business using Docue’s recruitment privacy notice. Simply answer a series of simple questions, and you’ll receive a fully customised recruitment privacy notice in no time. Additionally, ensure that you have robust terms and conditions in place for your recruitment services.
If you also need terms and conditions for your recruitment services to create robust contracts with your clients, you can find our template here. This template is designed to protect both your business and your clients, ensuring clarity and transparency in your recruitment process.
The recruitment privacy notice includes model clauses designed by data protection lawyers to help you draft the notice yourself and tailor it to your needs. And don’t worry if you get stuck along the way - Docue’s lawyer-drafted guidance notes are there to assist you, providing detailed guidance on each section and question.
Sign up now to use Docue's recruitment privacy notice.