Our consultation on this draft guidance is open until 5 March 2024.

In detail

What do we need to consider when shortlisting or testing candidates?

How you select the most suitable candidates from the applications you receive may depend on the nature of the role, and the volume of applications.

Shortlisting can involve:

  • reviewing application forms to select candidates based on their qualifications and experience;
  • using automated systems to help you select candidates;
  • psychometric tests, skills tests, or aptitude tests; and
  • assessment centres.

You must comply with data protection law when shortlisting or testing candidates. You should select candidates in a way that is fair and consistent. For example, you might assess each candidate against specific criteria as this can help to ensure transparency. Having criteria in place also means that you’re likely to collect information about candidates only for your specified purposes, and you’re less likely to collect information you don’t need.

You should inform candidates about the selection criteria you will apply to their information in order to shortlist them. You should provide these details before you collect the information, for example by including them in the job description or application form.

If you are using tests or assessments, you should pseudonymise candidates’ information, where possible. This is because any personal details about the candidate are unlikely to be relevant for marking their test or determining their score. Pseudonymisation can be an effective way of avoiding bias in decision-making and help ensure that decision-makers don’t take irrelevant information into account.

For most roles, it will usually be appropriate to shortlist candidates based on the information they provide rather than information you collect from other sources (eg references or from public social media profiles). This helps to ensure that your processing is fair and transparent. However, there are some roles which are subject to specific legal requirements or carry particular risks to others. In these cases, it may be reasonable to shortlist candidates on the basis of information you have obtained from other sources. If so, you should set out your reasons, including any relevant provisions you rely on, and inform candidates at the start of the recruitment process.

You should only provide staff who are making recruitment decisions with the information they need. For example, you should have a designated member of staff remove any irrelevant information from the application form before it’s presented to the decision-makers. This helps to ensure that decisions are not based on irrelevant information.

What data protection issues do we need to consider when conducting interviews?

Interviews can take many different forms. For example, you can carry out in-person, online or telephone interviews.

You are likely to collect additional information about candidates during the interview process. For example, you may record the candidate’s responses during their interview or your own opinion about the candidate’s suitability for the role.

Remember that the candidate can make a SAR for any additional information you record in the interview (eg interview notes). We have separate guidance to help you deal with SARs.

You must not collect excessive information about candidates at interview. For example, it is not usually necessary to make a video recording of each candidate’s interview performance.

If you need to have a process in place to make a decision between candidates with the same scores, you must inform them that this will form part of your process, and explain why and how you will do this.

You could give candidates an opportunity to comment on the information you hold about them during the interview. This may be appropriate if you collected the information from another source and you cannot be certain of its accuracy or the wider context and circumstances.

Example

A political party is recruiting a personal secretary for its party leader. The job description specifies that candidates have to share the political views and values of the party.

The party shortlists a number of candidates for interview. However, after performing an online search, it finds publicly available blogs, videos and conversation threads about one of the candidates. These suggest this person has strong views which align with those of another political party and oppose the views of the recruiting political party. This information shows that the candidate has publicly campaigned for issues that the party does not support and against issues the party does support. It is also clear that the candidate has deliberately made this information public.

The party does not want to interview the candidate. However, this would be unfair for a number of reasons:

  • The information obtained online may be out-of-date or inaccurate – the party might have mistaken the candidate for another person with the same name or the candidate may have since changed their political views.
  • If the party has not informed the candidate that they will use social media screening as part of the recruitment process, then it would not be fair to use the information.

Due to the nature of the information and its relevance to the vacancy, the party does not believe it can ignore the information. However, because there is a risk of unfairness, they should give the candidate an opportunity to explain or comment at interview.

What do we need to consider if we’re carrying out interviews or testing remotely?

It’s not uncommon for employers to ask candidates to complete online assessments remotely or to attend virtual interviews (eg by video call). Candidates are likely to complete these assessments or attend virtual interviews in their own home, using their own devices or at a location where they can access a computer and the internet.

If you plan to incorporate remote testing or virtual interviews into your recruitment practices, you should identify the type of processing involved and consider the need for a DPIA. You should also document your decision.

You should also consider taking the following steps:

  • Consider and document what information you need candidates to provide.
  • Ask candidates who are attending a video interview to remove any sensitive or irrelevant information from their desktop and close down other applications if there is a risk that this may be disclosed (eg during their screen sharing of a presentation you’ve asked them to give).
  • Where possible, provide backgrounds to candidates attending video interviews to ensure that you aren’t processing unnecessary information (eg content from their homes might reveal their religious beliefs).

You may need to consider whether there are any security implications if candidates are using their own devices and software to complete assessments and interviews.

Further reading