Our consultation on this draft guidance is open until 5 March 2024.

In detail

Who is this guidance for?

This guidance is aimed at employers and organisations which carry out recruitment on behalf of employers, such as recruitment agencies, head-hunters or consultancies. It covers recruitment in the context of all potential employment relationships, including employees, contractors, volunteers or gig and platform workers.

As an employer or recruiter, you are likely to process information for the purpose of recruitment and selection about candidates, prospective candidates, temporary workers, contractors, referees, emergency contacts, and dependants. Some of this information may be sensitive and include, for example, details about health, diversity, or criminal convictions.

The labour market supply chain can be complex, with end-to-end recruitment processes often involving several organisations. The use of novel technologies in recruitment processes means that organisations are processing increasingly large amounts of information about people. 

This guidance is designed to help employers and recruiters understand their data protection obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018) (we refer to these as data protection law) when handling the personal information of candidates.

The guidance aims to:

  • help provide greater regulatory certainty;
  • protect candidates’ data protection rights; and
  • help employers and recruiters carry out effective recruitment exercises in compliance with data protection law.

We also provide links to other pieces of key data protection guidance if you want to find out more information.

What are the key definitions?

The terms ‘recruitment’, ‘recruitment process’ and ‘recruitment and selection’ are used throughout this guidance to refer to the process of identifying, selecting, verifying, and vetting candidates.

The term ‘candidate’ is used throughout this guidance to refer to a person who has either applied for work or has been identified through a selection process or talent search.

The term ‘recruiter’ is used throughout this guidance to refer to a recruitment agency, head-hunter or consultancy, other than the employer itself, which is involved in the headhunting, recruitment and selection of candidates.

How is this guidance structured?

This guidance covers all aspects of the recruitment and selection process from advertising vacancies through to deleting information about candidates. It has two main parts:

  • The first section, Data protection and recruitment, is an overview of how data protection law applies to processing candidates’ information for recruitment purposes. It looks at the data protection principles and the basics for compliance.
  • The rest of the guidance focuses on the specifics of the recruitment process in which you process candidates’ information. It looks at what the law requires you to do and provides good practice advice.

While we recommend that you read the guidance in full, you can choose which parts of the guidance you read to fit your needs.

How do we use this guidance?

To help you understand the law and good practice as clearly as possible, this guidance says what organisations must, should, and could do to comply.

Legislative requirements

  • Must refers to legislative requirements.

Good practice

  • Should does not refer to a legislative requirement, but what we expect you to do to comply effectively with the law. You should do this unless there is a good reason not to. If you choose to take a different approach, you must be able to demonstrate that this approach also complies with the law.
  • Could refers to an option or example that you could consider to help you to comply effectively. There are likely to be various other ways you could comply.

This approach only applies where indicated in our guidance. We will update other guidance in due course.