The ICO exists to empower you through information.

Responsibility for data protection compliance during the recruitment process

Share Download options

Pages

Format

Our consultation on this draft guidance is open until 5 March 2024.

In detail

What do we need to consider if we want to work with others during the recruitment process?

Sometimes you’ll want to work with others on your recruitment campaigns. You must be clear about who has responsibility for data protection compliance. You should take the time to assess and document:

  • the status of each organisation as either a controller, joint controller or processor; and
  • the personal information you collect, use and store in support of your recruitment and selection-related activities.

Recruiters are likely to act as controllers in most circumstances. However, if you act as a processor on an employer’s behalf, you must have a binding written contract in place.

If you are acting as a joint controller with another organisation (eg you are the employer and someone else is the recruiter), you must have a transparent arrangement in place which sets out your agreed roles and responsibilities.

Further reading

When are we a controller and what are our responsibilities?

As an employer, you will typically be a controller, as you decide what candidate information you need to collect and what you use it for.

You are also responsible for retaining or destroying the personal information of candidates in line with your established retention policies and procedures.

If you are recruiting on behalf of another organisation, you are a controller if you collect and use candidate information for your own purposes. For example, you may use candidate information in order to enter into a service agreement with a job-seeker prior to sending their application to a client organisation. You may also process the financial information of temporary workers you have placed within a client organisation in order to pay their salary directly.

Example

A factory decides to use a recruitment agency to conduct an advertising campaign and candidate search on its behalf. The factory has instructed the agency to only accept candidate applications that meet the minimum qualification or experience requirements set out in the job description.

Once the agency has gathered a list of relevant applications, the factory will use this information to shortlist candidates. It will then conduct its own candidate verification and pre-employment checks, as necessary.

For the purpose of this recruitment exercise, the factory is the controller for the candidate information being processed.

However, if the agency decides to also use the candidate information for its own purposes, for example to explore alternative job opportunities with unsuccessful candidates at their request, then they will also be a controller for this information.

Employers or recruiters may also be controllers in circumstances where they are only processing personal information to comply with a particular statutory obligation. This processing requirement would be undertaken in line with their own professional obligations which cannot be transferred or shared with another organisation.

Example

After providing relevant applications to the factory, the recruitment agency retains certain records about the individual applicants. This is in line with its statutory obligations under relevant employment agencies legislation.

As the agency is acting without the factory’s instructions, by determining the purpose and means of retaining these records, it is the controller for this processing.

Whether you are an employer or a recruiter, it is important to remember that you are ultimately accountable for the data protection compliance of any processor you decide to engage. In particular, you must ensure that they provide you with sufficient guarantees that they will implement appropriate technical and organisational measures to meet the requirements of the data protection law.

Further reading

When are we a joint controller and what are our responsibilities?

You are likely to be acting as joint controllers if you and another organisation both determine the purposes and means of processing the same personal information during the recruitment and selection process.

Example

A law firm engages a recruitment agency to search, sift applications and conduct first stage interviews for permanent paralegal positions at their organisation.

The law firm briefs the agency on the minimum qualifications and training required for the role; how many positions it is looking to fill; and the timeframe in which the initial recruitment stage has to be completed.

Both organisations agree that the agency will decide:

  • the advertising channels;
  • how many candidate interviews will be conducted;
  • the interview questions; and
  • the format of each interview (ie by telephone, video call or in person).

The agency determines both the information to be requested from candidates during initial interviews and how the interviews will be conducted without instruction from the law firm. However, the law firm retains ultimate control over how candidate information will eventually be used (ie to shortlist relevant candidates for potential employment).

Both organisations are joint controllers of the personal information being used for the initial stage of the recruitment exercise.

 

Example

A temporary staffing agency places a group of workers at Company A for a period of six months.

As the agency is responsible for paying their wages, it tells each temporary staff member that they need to complete a weekly timesheet of the hours they work. The agency uses these timesheets to calculate the total amount to bill to Company A.

Whilst the agency decides what information is collected within the timesheets, it shares this same information with Company A as they also need to record how long each staff member has worked for the purpose of billing and maintaining its own HR records.

The agency and Company A are joint controllers for this personal information as they mutually determine the purpose and means of its processing.

If you are acting as a joint controller with another organisation during the recruitment and selection process, you must both determine and agree who takes primary responsibility for complying with certain obligations under data protection law.

For example, you should have a transparent arrangement in place with the other joint controller setting out how you deal with SARs from candidates.

You should make information about the terms of this agreement available to candidates (eg through your privacy notice).

You are not a joint controller with another organisation during the recruitment process if you are processing the same information for different purposes.

Example

An employer is required to check a job applicant’s right to work in the UK.

It carries out a Home Office online check using the applicant’s date of birth and right to work share code.

In response to the employer’s request, the Home Office provides the applicant’s immigration status via a Positive Verification Notice to confirm that they have a right to work in the UK. The employer’s HR department retains this document for verification purposes.

The employer and Home Office are not joint controllers. They are both controllers in their own right for the processing of the applicant’s personal information. This is because the employer is processing this information for the purpose of verifying an applicant’s right to work, and the Home Office is processing this information for the purpose of fulfilling its own legal and official functions.

 

Further reading

When are we a processor and what are our responsibilities?

As a recruiter, you are typically contracted to source relevant candidates for a particular job role on behalf of an employer. In such cases, you are likely to be a processor, and the employer is the controller.

You have more limited compliance responsibilities under the data protection law as a processor. However, within the terms of your contract with a controller, you may make certain daily operational decisions including how you:

  • store candidate information;
  • transfer candidate information from one party to another; and
  • delete or dispose of candidate information when it is no longer required as part of your contract with the employer.

Example

A secondary school has contracted an executive search firm (ESF) to fill a number of its senior positions as soon as possible.

Given the urgency, the ESF has been given the freedom to use its professional knowledge and expertise to decide how it will source suitable candidates. It opts to do this predominantly through its subscription access to an executive job board and a professional networking site.

Although the ESF is using its professional judgement to decide how best to search for candidates, it cannot make any overarching decisions about the processing itself. This includes what personal information to collect or how it will be used by the school.

Therefore, the ESF is likely to be a processor for this specific processing activity, with the school as controller.

If you decide to employ a third party to assist you with the processing you are carrying out on an employer’s behalf, they will be acting as a “sub-processor”. For example, you may decide to contract a cloud service provider to securely store and back-up the candidate information you are processing.

However, before engaging a sub-processor, you must obtain prior written authorisation from the employer. If this is provided, you must enter into a contract with the sub-processor with terms that offer a level of protection for candidate information that is equivalent to the contract terms between you and the employer.

Processors are not responsible for complying with requests they receive on behalf of the controller from candidates wishing to exercise their data protection rights. Ultimate responsibility lies with the controller. However, the contractual arrangements you have in place with a controller must guarantee that they can deal with candidate requests appropriately, regardless of whether you or the controller receives them. In practice, this means that as a processor, you must still help the controller to comply with requests from candidates in the exercise of any of their data protection rights.

Example

A recruiter holds candidate information on behalf of a client organisation, and this is not held separately by the client. 

The client may reasonably instruct the recruiter to search for this information and provide them with a copy in order to respond to a candidate’s SAR.

People acting within the scope of their duties as an employee of the controller are not processors (eg a staff member who is tasked with conducting initial candidate shortlisting for a job role at their own organisation).

Further reading

Can our status as a controller or processor change during the recruitment process?

Yes, your status as a controller or processor can change throughout the recruitment process. This is because it is entirely dependent on the processing activity you are undertaking, and who is ultimately in control of the purpose and manner in which that processing is taking place.

For example, you may be both a controller and a processor for candidate information, but only where this relates to separate processing activities, or where you are processing the same candidate information for different purposes.

Example

A recruitment agency initially holds candidate information as a processor on behalf of an employer organisation to fill a vacancy, but later retains this information to comply with a separate legal obligation it has as a controller under the Employment Agencies Act 1973.

Alternatively, you may be a controller for candidate information during certain stages of the recruitment process and a joint controller with another organisation for others.

Example

An employer is a controller for candidate information obtained by a recruitment agency on its behalf during an interview process. It is also a joint controller with the same agency for the purpose of processing a candidate’s salary information where the agency is responsible for paying them directly.

 

Example

A recruitment agency receives a CV from a prospective candidate who is looking for roles in the insurance sector on a speculative basis. It processes the candidate’s information as a controller.

Upon their request, the agency shares the prospective candidate’s CV with an interested client in the insurance sector for their consideration. At this stage, the agency and the client will be joint controllers for the purpose of identifying a relevant role for the prospective candidate.

Although the prospective candidate is considered for a number of roles at the client organisation, they do not receive a formal job offer.

The agency retains the prospective candidate’s CV for further job opportunities. It is a controller for this processing activity.

It’s important that the systems you use and procedures you follow clearly distinguish between the personal information you are processing in your capacity as controller and the information you are processing on behalf of a controller. This allows you to apply different measures to each data set as necessary, in line with your obligations under data protection law.

Are we a controller if we use job boards for recruitment purposes?

Job boards offer both free and paid for job listings on their websites for employers and recruiters to help broaden their search for relevant candidates. Some job boards also offer candidates the ability to create their own job seeking profile where they can upload their CV for employers or recruiters who pay a subscription fee to view.

Job boards are not usually involved in the candidate hiring process. Therefore, any employer or recruiter that obtains and later processes personal information from a job board will typically be doing so as a controller in their own right unless they are specifically acting on the instructions of a separate controller. This is because the personal information obtained by employers and recruiters (from the job board) is processed for the purpose of identifying and placing candidates in specific roles. This purpose sits independently from the job board’s purposes for processing.

Therefore, your controller obligations under data protection law apply once you use the personal information you have collected from a job board for your own recruitment purposes.