Our consultation on this draft guidance is open until 5 March 2024.

In detail

How long can we keep recruitment records for?

Under data protection law, you must not keep information for longer than you need to. However, it does not specify timescales for keeping recruitment records. You should carefully consider how long you need to keep this information for and set clear retention periods.

Example

A restaurant receives 50 applications for a job vacancy. Unless there is a clear business reason for doing so, the restaurant should not keep recruitment records for unsuccessful candidates beyond the statutory period in which an applicant can bring a claim arising from the recruitment process.

You should also establish and document standard retention periods for the different categories of information you hold, when this is possible. Depending on the circumstances, you may be legally required to keep information for a specified period of time to comply with certain laws.

For example, recruitment agencies in England, Wales and Scotland are required to comply with the Employment Agencies Act 1973, while recruitment agencies in Northern Ireland are required to comply with the Employment (Miscellaneous Provisions) (NI) Order 1981.

When can we keep information about candidates?

When you collect information for the purposes of recruitment and selection, it’s unlikely that you will need to keep all of it after the recruitment process is complete and you’ve appointed someone to the role.

You may need to keep some details about the candidate you appoint. You must carefully select what information is needed for your employment relationship. If this information is no longer relevant now that the candidate is an employee, you must securely destroy it, in accordance with your retention and disposal policy.

However, if you destroy records about any of the candidates too quickly, it may be more difficult for you to prove that your end-to-end process is transparent, fair and accountable, particularly as candidates may make a subject access request (SAR) for their information. You should consider this when you set retention periods for recruitment information.

Example

An airport uses psychometric testing and interviews to recruit staff. In setting retention periods, it considers the following issues in deciding how long it might need to keep the information for:

  • candidates may request their information;
  • its appeal process for candidates who believe the airport has reached a recruitment decision in an unfair way; and
  • the possibility of legal proceedings being brought against the airport.

If you wish to keep candidates’ information for a new purpose, you must:

  • review whether you may need a different lawful basis (and if required, a condition) for processing the information;
  • have previously informed candidates that you will keep their information for another purpose, and explained what this purpose is; and
  • destroy the information you do not need.

Example

A law firm is running a recruitment exercise for the position of assistant solicitor. There is currently only one vacancy but the firm has identified a business need to appoint more assistant solicitors within the next six months.

The law firm appoints one candidate but it also creates a waitlist by ranking candidates on their scores during interview and assessment. It informs candidates on the application form that it intends to retain the recruitment information for the top 10 scoring candidates for a period of six months, in case further vacancies arise within this time.

Retaining recruitment records may be necessary in case you need to defend yourself against claims of discrimination or other legal actions arising from recruitment. There are statutory limitation periods in place for bringing claims, which means that candidates have a limited period of time to bring a claim. This period varies depending on the nature of the claim, and may be a number of years. The relevant legislation is as follows:

  • the Limitation Act 1980 (applies to England and Wales);
  • the Limitation (Northern Ireland) Order 1989 (applies to Northern Ireland); and
  • the Prescription and Limitation (Scotland) Act 1973 (applies to Scotland).

You may wish to refer to these statutory limitation periods for bringing claims and seek independent legal advice on how long you may need to keep these records for. However, the possibility that a person may bring a legal claim does not mean that you have to keep records about recruitment indefinitely.

In general, you should not keep information beyond the statutory period in which a legal claim can potentially be brought. It’s also unlikely that you need to keep all the information you hold for the purpose of defending potential legal claims. You must only keep information if you can justify why this is necessary. If you have a different purpose for keeping the information, you may need to review your lawful basis and condition for processing.

If you need to keep candidates’ information for statistical purposes only, then you should anonymise it. Fully anonymised records are not considered to contain personal information which means that data protection rules do not apply to them.

However, if you plan to retain candidates’ personal information, then you must comply with data protection law. This is the case even if you intend to pseudonymise the information because it’s still possible to identify people from pseudonymised information.

Example

An organisation develops a secure portal to obtain equality and diversity information about candidates and existing staff members. This allows it to track the success of its equal opportunities initiatives in recruitment.

Candidates are required to submit their equality information using this secure portal when they apply for a vacancy. Existing staff members are invited to voluntarily submit and maintain their information online. After it has appointed a candidate, the organisation will automatically delete the information about all candidates unless they explicitly consent by opt-in to the organisation using their information for the specified purposes. This applies to all successful and unsuccessful candidates.

The organisation must take the following steps:

  • provide a link to its privacy information;
  • make it easy for people to withdraw their consent; and
  • restrict access to the information only to staff members who need to access it in order to track the success of the organisation’s equal opportunities initiatives in recruitment.

The organisation uses the information to generate fully anonymised statistics. It does this by taking steps to ensure that people cannot be identified from the statistical information, using any other personal information.

The organisation must store the personal information securely until it has been fully anonymised and destroy it once it is no longer needed.