How Should We Handle Data During the Recruitment Process?

  • Always refer to our Data Recruitment policy when managing recruitment data. This will guide you on the best practices for handling candidate data.

  • It's important to verify the identity of a candidate before you share any sensitive information with them. If you do share personal data, send it via a secure Google Drive folder that you control. This allows you to manage access and to delete the data according to our retention schedule later.

  • CVs are personal and confidential. Store them securely on a cloud platform and avoid printing them out. If you must print them, ensure that the copies are securely destroyed after use.

  • Never disclose candidate information to third parties or anyone who doesn't have proper authorization. Information sharing should be strictly on a 'need to know' basis.

  • Be mindful of the personal data you request from candidates. You should only ask for what you need and ensure you have their consent to process sensitive data.

  • Avoid recording personal data from a candidate that isn't related to the job role. Even voluntarily given personal data must be handled with care.

  • Be cautious about what you note down about a candidate - it could be requested in a data subject access request.

  • If you put candidates into an automated email sequence about job opportunities, remember to include an unsubscribe button. Before sending any email, always check if the recipient has already opted out.

  • If you plan to record a call, make sure you have a lawful basis for doing it. Consult the GDPR Principles or your Data Protection Champion for guidance.

  • Be extra careful when sharing your screen during a video call with a candidate. If they view personal information that isn't theirs, it could result in a data breach. If this occurs, contact your Data Protection Champion immediately and follow our Incident Response Plan.

  • Never CC a group of candidates in an email unless you have their prior consent. One of the most common forms of data breaches is sending an email with recipients in CC instead of BCC.

  • As the Data Controller, we bear the responsibility for the data security levels of our third-party recruitment tools like Workable. Be watchful of the security and data protection processes of these providers, and report any substandard practices to your Data Protection Champion.

  • Stick to our retention schedule when dealing with candidate data. Inform candidates about how long you'll keep their CVs, especially if their application was unsuccessful. We recommend retaining CVs for at least 6 months due to the possibility of discrimination claims.