Recruitment Regulations for Collecting, Sharing and Destroying Candidate Information

The number of recruitment agencies has risen sharply in the last decade. 8,448 new recruitment agencies opened in 2018 alone, bringing the UK total to 39,232. But why are increasing numbers of businesses choosing to add an extra step to their data processing by outsourcing recruitment?

The answer is simple.

Job hunting can be stressful, and many applicants use recruitment agencies because they may take some strain away from the application process. It’s more convenient, saves time, and recruiters are often very good at maintaining contact or recommending positions to suit individuals. Businesses that use recruitment agencies to find candidates will therefore have access to a wider pool of talent than they may have through direct applications. They are especially useful for start-ups who may not have yet established enough brand awareness to receive lots of organic applications.

When recruiting, having that middle-man or woman can make filling vacancies easier for everyone involved. But, by adding in that extra step, both businesses and recruiters must make sure the transfer of applicant information is treated with enhanced measures of data security in order to comply with GDPR.

So, how can this be done safely and securely?

First and foremost, when sharing any data with another company, you must be sure they are fully accredited. Some accreditations to look out for are:

  • ISO 9001 Quality Management
  • Cyber Essentials

These accreditations are evidence that the companies you work with are certified and can be trusted to handle sensitive data responsibly.
If properly accredited, companies and recruiters will know what information they are permitted to collect and share during the hiring process.

The first stage – compliantly collecting applications

If a company is publishing a job opening themselves, they should ensure the company name is cited on the advert. This is so applicants can decide with clarity whether or not they’d still like to share their personal details.

This is slightly different for recruitment agencies. Often, agencies will not name the hirer in job adverts. This lets them proceed with the best applications and prevents hirers from receiving direct applications from potentially unsuitable applicants. If the hirer is not named, agencies must identify themselves and explain how they will process applicant data. They should, however, tell suitable applicants who the hirer is as soon as they can. If the hirer doesn’t wish to be identified in the early stages, applicant data should be protected or anonymised.

During the hiring process, employers and recruitment agents are likely to receive a lot of information. This will include CVs, cover letters and interview notes. Some businesses even like to check references prior to interviews.


How long should this information be held?

With recruitment agencies, job-searchers typically create their own profile on the recruiter’s site. Thus, it is up to the job-searcher to deactivate their own profile and unsubscribe from blanket job alerts. Once a job-searcher finds work, agencies should mark candidates as engaged on their systems and cease sending personalised recommendations.

In contrast, unsuccessful candidate information held by employers must be destroyed 6 months after being received. However, it is wise to hold onto this information for the entirety of that time. This is because, for 6 months after a position has been filled, discrimination claims could be made against your organisation. Holding onto your recruitment data will help you to defend your organisation from any such claims.

During these 6 months, applicant data should be securely stored, and as mentioned, shredded once retention periods are over. If you wish to keep applicant data on file for longer than 6 months, you will need to prove consent was given by applicants. This is usually only the case when keeping a talent pool for any potential future vacancies.

For successful candidates, their applications and other recruitment information should be destroyed 6 months after their employment ends. For data security, this is best done with an external data destruction company such as Shred Station Ltd, as we will be able to provide you with a certificate of destruction.

What about data related to equal opportunities monitoring?

Here at Shred Station, we do conduct equal opportunities monitoring for applicants, and also have an equal opportunities policy. However, in the UK, employers are not obligated to track how many applications they receive from different groups of people. If this information is collected, it should be protected and destroyed securely.

When recruiting, companies should be very mindful of the information they do collect. Much of this information may be of personal nature and may affect a candidate’s privacy.

When posting job vacancies, recruiters must not ask:

  • The candidate’s marital or relationship status
  • If they are pregnant, have children or plan to have children
  • Information about specific disabilities unless there are necessary requirements of the role that cannot be met with reasonable adjustments
  • The applicant’s date of birth, unless they must be a certain age to do the job, for example selling alcohol
  • Details of any spent criminal convictions unless the area of employment is exempt, for example in schools
  • Whether candidates are a member of any trade unions
  • Information on any other protected characteristics, including gender reassignment, race, religion, sex, and sexual orientation. You may only request this information if you will be using it for equal opportunities monitoring.

Information collected and published for equal opportunities monitoring must be reviewed six years after the last action, and if no longer needed, must be destroyed. Ideally, if identifiable information can be anonymised, this should be done. It is very important with equal opportunities monitoring that the data cannot be traced back to individuals.


You want to make an offer, what happens next?

You’ve found an ideal candidate and want to make the job offer.

Recruitment agencies will already have received consent from applicants to share salary expectations, any current notice periods, and other candidate information upon the submission of the candidate’s CV and cover letter.

Once a candidate accepts the position and the business confirms a start date, employers must liaise with recruiters to settle their accounts. Many recruitment agencies will take payment in the form of commission if a candidate they refer secures the vacancy. This is usually a set percentage of the new starter’s annual salary and is the only piece of financial information about the employee which may be shared externally.

What information should you collect and retain?

Once everything is settled with the recruitment agent, HR departments will probably have already begun collecting important confidential information about the new starter.

This may include:

  • The new employee’s bank details
  • National insurance number
  • References
  • Emergency contact information
  • Any relevant medical risks
  • Any required screening, such as DBS and credit checks

Employers can collect some information about employees without their permission, such as name and address. However, you must obtain consent to keep sensitive data about things like medical conditions. Businesses should protect sensitive data such as this with the highest levels of security. Once all necessary checks are made and the new starter has begun, a contract of employment should be issued and agreed upon. This should happen within two months of starting.

During the period of time an individual is in employment, measures should be taken to protect their data. Only appointed staff members should be responsible for processing and accessing personnel files, including data regarding sickness and absence. Companies should limit record keeping and reports to non-specified absence records; specific information about illnesses or compassionate leave could be highly sensitive.

It’s important to remember that employees maintain the right to access information held about themselves. This can include absence records, disciplinary or training records, appraisal or performance review notes, email logs, and information held in personnel files.

What should you do with applicant information once they leave?

Once an employee leaves, many companies will prioritise protecting their own assets. This will often include revoking the ex-employee’s access to company files or accounts, changing entry codes to buildings, and destroying any identifiable uniform belonging to the employee. However, companies must also remember to protect the information of the ex-employee by adhering to retention periods of sensitive records.

Additional information about retention periods for human resource and employee data, as published by the Information Commissioner’s Office in August 2018, is shown below. This is relevant for recruitment agencies as well as HR departments.

Retention and Destruction Periods:

The table below highlights the retention and destruction periods adopted by the Information Commissioner’s Office for their own Human Resource Records. These examples are a good place to start when creating your own retention policies.

Human Resource Record | Retention Trigger | Retain For | Action
--- | --- | --- | ---
Employee files & personal development records | End of employment | 6 years | Destroy
Disciplinary & grievance, examination & testing, accident & ill health | Last action | 6 years | Destroy
Job descriptions and terms & conditions | Last action | 6 years | Destroy
Training material | Superseded | 6 years | Destroy
Political declarations | Superseded or end of employment | 6 years | Destroy
Industrial relations | Last action | 6 years | Destroy
Payroll sheets | End of financial year | 6 years | Destroy
Maternity, paternity, adoption, and sick leave | End of financial year after return | 3 years | Destroy
Successful recruitment candidate information (including third-party referee details provided by the applicant) | End of employment | 6 months | Destroy
Unsuccessful recruitment candidate information (including third-party referee details provided by the applicant) | Last action | 6 months | Destroy
Staff pension, pay history, and termination reasons | From DOB | 100 years | Destroy
Health surveillance | Last action | 40 years | Destroy
Third-party emergency contact details provided by the staff member | End of employment | Immediate | Destroy
Equality and diversity published information | Last action | 6 years | Review

Keeping Sensitive Information Safe

Employers must ensure data is held securely and cannot be stolen or tampered with during retention periods. Employees can request details of their own information held, but must not be able to access information of others. Most HR software will allow you to centralise and protect employee data, allowing access to authorised personnel only. If your company doesn’t yet have HR software, ensure employee information is kept away from shared networks.

As well as making sure to retain sensitive information securely, it’s important to have regular clearouts. HR managers and recruitment agents must keep on top of any records that need to be destroyed. This goes for both paper information and digital files.

Here at Shred Station, we have an extensive list of accreditations proving we can safely handle your sensitive data. Our industrial shredders can destroy everything including paper documents, electronic storage devices, and everything in-between. We offer a vast range of cost-effective options including mobile on-site shredding, off-site shredding, regular, and ad-hoc services. We can tailor each of these options to suit your requirements.


Additional Information

For any additional information about managing staff records, retaining HR information, and about the ICO’s employment practices code, please visit the below links:

Information correct at time of publication, February 2019. If you would like further clarification with regards to retention and destruction periods for your specific industry, please seek further guidance from the Information Commissioner’s Office. Shred Station can accept no responsibility for any incorrect retention or review guidelines in the above text. These information retention schedule regulations are as detailed by the Information Commissioner’s Office in August of 2018. To stay updated with industry guidelines after the date of publication, please contact the Information Commissioner’s Office.
