contents
- About the Supplementary Guidance
- Managing Data Protection:
Supplementary Guidance - Part 1: Recruitment & Selection: Supplementary Guidance
- Part 2: Employment Records:
Supplementary Guidance - Part 3: Monitoring at Work:
Supplementary Guidance - Part 4: Information About Workers' Health: Supplementary Guidance
- Conditions for Processing Sensitive Data
- Frequently Asked Questions
- Useful Addresses
Good Practice Recommendations –
Part 1: Notes and Examples
1.1 Advertising
1.1.1 Individuals providing personal information, even if only giving their name and address, in response to a job advertisement should be aware of who they are giving their details to. They should be made aware of this before they supply their details. Individuals should not be asked simply to provide their details to a PO Box Number or to an inadequately identified answering machine or website. Provide this explanation
a. in the advertisement if postal, fax or email responses are sought
b. in the advertisement or at the start of the telephone call if telephone responses are sought
c. on the website before personal data are collected via an online application form.
Advertisements for specific jobs need not state how the information supplied will be used, provided that this is self-evident. Only where the link between the information being asked for and its potential use is unclear need an explanation be given. For example if an advertisement for a specific job simply asks those interested to send in personal details and these might also be passed on to a sister company to see if it has any suitable vacancies this should be explained in the advertisement
1.1.2 Where a recruitment agency places an advertisement on behalf of an employer, the identity
of the agency must be given. The agency must also be identified as such if this is not apparent from its name. The agency should also inform the applicant if it intends to use the information supplied by the applicant for some purpose of which the applicant is unlikely to be aware, for example where the information will be used to market goods or services to the applicant. If the information supplied in response to a recruitment advertisement is to be retained for use in connection with future vacancies, the advertisement should make this clear.
1.1.3 An advertisement placed by a recruitment agency need not show the identity of the employer on whose behalf it is recruiting. The agency may pass information to the employer provided that the applicant understands that his or her details will be passed on. Once the employer receives identifiable particulars it must, as soon as it can, inform the applicant of its identity and of any uses it might make of the information received that are not self-evident. It can arrange for the agency to provide this explanation on its behalf.
If for whatever reason the employer does not want to be identified to the applicant at an early stage in the recruitment process, it is acceptable for the agency to only send anonymised information about a candidate to the employer, and for the agency or employer to provide information as to the employer's identity once the employer has expressed interest in receiving personally identifiable information about the applicant.
1.2 Applications
1.2.1 Where an organisation is recruiting for a specific job, it is unnecessary to explain how the information will be used if this is self-evident. For example there is no need to explain that information will be passed from the personnel department to the department where the job is located. However, if an organisation is, for example, conducting an initial trawl of applicants for a range of different jobs, perhaps to keep on file and return to as needed, this should be explained.
Where an applicant makes an unsolicited application for recruitment to an employer, typically by sending a speculative letter or email, the employer need only provide the applicant with an explanation if;
- the application is to be retained, and
- the use made of the information on the application or the period of retention goes beyond what would be self-evident to the applicant.
Any necessary explanation could be included in a letter of acknowledgement sent by the employer. If there is no unexpected use, then no acknowledgement letter is required. Employers should have a policy on the retention or disposal of unsolicited applications for employment.
1.2.2 Information should not be sought from applicants unless it can be justified as being necessary to enable the recruitment decision to be made, or for a related purpose such as equal opportunities monitoring. For example, there is no obvious reason why employers should ask applicants for information about their membership of a trades union.
The scope of the information gathered must be proportionate to what the employer is seeking to achieve, for example the extent and nature of information sought from an applicant for the post of head of security at a bank would be very different from that sought from an applicant for work in the bank's staff canteen.
Employers should also be aware of the difference between the information needed to process an application for employment and that needed to actually administer employment. There is no obvious justification, for example, for an employer to hold information about an applicant's banking details, although it will normally be legitimate to hold these details for payment purposes once employment starts.
1.2.3 The same questions should not necessarily be asked of all prospective workers. For example, an applicant for a purely administrative job with a haulage company should not be asked for details of driving convictions, if these are only relevant to the recruitment of drivers. However some questions will be clearly relevant to all applicants. It is acceptable to ask all candidates certain core questions, such as whether they are eligible to work in the U.K
Information on criminal convictions should only be sought if it is relevant to the job being filled. Where appropriate questions should be designed to obtain no more than the information actually needed, e.g. ‘Do you have any criminal convictions in the last 5 years involving dishonesty?’ Whether by omission of an explanation or otherwise applicants should not be led to believe they have to disclose spent convictions if they do not.
See details of the Rehabilitation of Offenders Exceptions Order.
1.2.4 One example is, if, beyond taking up references you obtain information from other local employers or other companies in your group which the worker may have been employed by or may have applied to previously. Another example is where an applicant’s qualifications are to be verified in the course of the recruitment process – this should be clearly stated in the application form or surrounding documentation.
1.2.5 No further guidance on this recommendation
1.2.6 The return of applications to a postal address or fax number should be organised so that access to applications is limited. A secure method of transmission should be provided if an employer provides an on-line application facility. The use of widely available encryptionbased software could be used to do this. Once the application has been received, electronically or otherwise, it must be securely stored.
1.3 Verification
1.3.1 Applicants may not always give complete and accurate answers to the questions they are asked. Employers are justified in making reasonable efforts to check the truthfulness of the information they are given. The verification process should be open; applicants should be informed of what information will be verified and how this will be done. Where external sources are to be used to check the responses to questions, this should be explained to the applicant.
Access to certain records needed for the verification process may only be available to the individual concerned. You should not force applicants to use their subject access right to obtain records from a third party by making it a condition of their appointment. This is known as ‘enforced subject access’. Requiring the supply of certain records in this way, including certain criminal and social security records, will become a criminal offence under the Act when the Criminal Records Bureau starts to issue basic “disclosures”.
1.3.2 One method that is sometimes used to try to find information about a worker’s criminal record is a media check. This involves obtaining information from old newspaper articles or similar sources about the person. The carrying out of media checks to look for spent convictions for a post that is not eligible for standard or enhanced disclosure is likely to breach the Act.
The obtaining of information about an applicant through the CRB or Disclosure Scotland is an intrusion into an applicant’s private life. The intrusion may be justified by the nature of the job being filled but it should not be undertaken unnecessarily. It should therefore be left as late as is practicable in the recruitment process.
For more information relating to the Criminal Records Bureau and Disclosure Scotland, click here.
1.3.3 Some organisations will require a signed approval form from an individual before they confirm information such as his or her qualifications to a third party. Under the Act it can be an offence to bring about a disclosure of personal information without the consent of the holder of the information. You would not have the holder’s consent if you misled them into disclosing the information to you, for example, by saying that an applicant for a job had agreed to a disclosure when the applicant had not in fact done so.
1.3.4 Where information obtained from a third party differs from that provided by the applicant, it should not simply be assumed that it is the information provided by the applicant that is incorrect or misleading. If necessary, further information should be sought and a reasoned decision taken as to where the truth lies. As part of this process the applicant should be asked to provide an explanation where information he or she has provided is suspected of being incorrect or misleading. This is necessary to ensure that the information held is accurate and processed fairly.
1.4 Short-listing
1.4.1 It is beyond the scope of the Code to set down general rules as to how short-listing and selection testing should be carried out. This should be primarily a matter of good employment practice, although short-listing and selection testing that leads to unlawful discrimination on the grounds of race, sex or disability is likely to breach the requirement that personal data are processed fairly and lawfully. The Information Commissioner’s concern is more with ensuring that the selection criteria are applied in a way that is consistent and fair to applicants, rather than that the criteria are, in themselves, fair.
1.4.2 The Act contains specific provisions on decision-making carried out by solely automated means. To fall within these provisions the decision-making must evaluate matters such as an applicant’s work performance or reliability. A system that automates a simple decision, for example, to reject all applicants who are under 18 years of age, is not covered by the provision.
An example of a decision that is covered is where an individual is short-listed purely on the basis of answers provided through a touch-tone telephone in response to psychometric questions posed by a computer. The Act requires that where the individual requests it, the logic involved in making such a decision should be explained and, in some circumstances, that the decision should be reconsidered or retaken on a different basis. This right will apply if an applicant is rejected or treated in a way that is significantly different from other applicants solely as a result of the use of an automated process.
This right will not apply if the automated process merely provides information, such as the score resulting from a psychometric test where this is just one of a range of factors taken into account as part a decision-making process that has an element of human intervention or scrutiny.
1.4.3 Only by using qualified people to assess psychometric and other complex tests can shortlisting be done fairly. This is normally part of good human resource practice but should also help to meet the data protection requirement that personal information is adequate for the purpose for which it is used.
1.5 Interviews
1.5.1 This Code is not concerned with setting out how interviews should be conducted. This should be primarily a matter of good employment practice.
However, the collection of personal information at interview, its recording, storage and use may well represent processing which falls within the scope of the Act. This means that, for example, applicants will then be entitled to have access to interview notes about them which are retained as part of the record of the interview.
1.6 Pre-employment vetting
1.6.1 Checks should be proportionate to the risks faced by an employer and be likely to reveal information that would have a significant bearing on the employment decision. The risks are likely to involve aspects of the security of the employer or of others. They could range from the risk of breaches of national security, or the risk of employing unsuitable individuals to work with children through to the risk of theft or the disclosure of trade secrets or other commercially confidential information.
It is less intrusive to obtain relevant information directly from the applicant and then verify it than it is to obtain information about the applicant directly from third parties. The former approach should be adopted wherever practicable.
Sometimes a customer for a supplier’s products or services may seek to impose a condition requiring the supplier to carry out pre-employment vetting of its workers. For example, a contractor working in a defence establishment may be required to vet workers taken on to work on the relevant contract. If this vetting involves processing personal information about the workers it will not be justified simply because it is a condition of business. Such a condition cannot override the employer’s obligation to comply with the Act. Vetting of workers by the supplier or contractor must be based on the outcome of its own assessment. This does not stop the supplier or contractor being guided by any assessment the customer for its products or services might have undertaken for itself.
1.6.2 As a general rule
- do not routinely vet all applicants
- do not subject all short-listed applicants to more than basic written checks and the taking up of references
1.6.3 No further guidance on this recommendation
1.6.4 An employer intending to use pre-employment vetting must determine carefully the level of vetting that is proportionate to the risks posed to his or her business. Employers must be very clear as to what the objectives of the vetting process are and must only pursue avenues that are likely to further these objectives.
1.6.5 In exceptional cases an employer might be justified in collecting information about members of the family or close associates of the applicant. This is most likely to arise in connection with the recruitment of police or prison officers.
If sensitive data are collected one of the Conditions for Processing Sensitive Data must be satisfied.
1.6.6 Employers should use all reasonable means to ensure that any external sources used as part of the vetting process are reliable. Where the vetting results in the recording of adverse information about an applicant, the applicant should be made aware of this and should be given the opportunity to make representations, either in writing or face to face.
1.6.7 Where information about a third party, e.g. the applicant’s partner, that affects the third party’s privacy is to be recorded, the collection must be fair and lawful in respect of the third party. This will mean informing third parties that information about them has been obtained and informing them as to the purposes for which it will be processed, unless this would not be practicable or would involve disproportionate effort, for example where the employer does not have contact details for the third party or the information will be kept in an identifiable form for only a very short period. In such cases there is no obligation to act.
1.6.8 During the vetting process information might be sought from a third party, e.g. a previous employer that the applicant has not given as a referee. If the information is subject to a duty of confidentiality, the third party will need some basis on which to justify its release. The employer might obtain consent for this from the applicant in order to avoid the need for the third party to contact the applicant to seek consent.
Under the Act it can be an offence to bring about a disclosure of personal information without the consent of the holder of the information. You would not have the holder’s consent if you misled them into disclosing the information to you, for example, by saying that an applicant for a job had agreed to a disclosure when the applicant had not in fact done so.
1.7 Retention of recruitment records
1.7.1 It falls primarily to the employer to set retention periods in respect of recruitment records. No specific period is given in the Act; the Act merely requires that the personal data in a record shall not be kept for longer than is necessary for a particular purpose or purposes. Employers must though consider carefully the justification, if any, for retaining recruitment records once the recruitment process has been completed. Any relevant professional guidelines should be taken into account.
Retention of recruitment records may be necessary for the organisation to defend itself against discrimination claims or other legal actions arising from recruitment. However, the possibility that an individual may bring a legal action does not automatically justify the indefinite retention of all records relating to workers. A policy based on risk-analysis principles should be established.
Recruitment agencies have some legal obligations to retain records under the Employment Agencies Act 1973.
Employers should consider the possibility that some business needs might be satisfied by using anonymised rather than identifiable records. For example, if the organisation wishes to compare the success of various recruitment campaigns, this could be achieved by using anonymised records.
1.7.2 This is consistent with the Criminal Records Bureau and Disclosure Scotland Codes of Practice. However, if you are required by law to retain specified information for longer than 6 months, the legal obligation must be complied with.
For more information relating to the Criminal Records Bureau and Disclosure Scotland, click here.
1.7.3 Some information is gathered during the recruitment process that may not be relevant to the employment situation. Only retain information that has on-going relevance or is needed as evidence of the recruitment process. For example, consider carefully whether there is a reason to retain information about an applicant’s former salary once he or she has started employment. For practical reasons it may be difficult to delete some information on application forms whilst retaining the rest. Employers should however design application forms to facilitate the easy deletion of information which is irrelevant to the on-going employment relationship.
1.7.4 A note may be kept showing that a check was completed and the results of the findings.
1.7.5 Unless there is a reason to believe that an applicant wishes to be considered again, the assumption should be that he or she has applied only for the vacancy advertised. Application forms or recruitment advertisements can give the applicant the choice as to whether he or she wishes to apply only for the advertised post or would like his or her details to be kept on file in case another position arises.
1.7.6 Whether stored manually or electronically, personal information should be kept secure and as far as is practicable access to the information should be limited.
See Part 2 Employment Records for recommendations on security.