Data Protection Recruitment Process HRIS Programme Version: 10.3.11

Overview The Recruitment process involves the collection and use of candidate’s personal and sensitive data. Compliance with the Data Protection Act throughout the recruitment process helps to strike a balance between the University’s need for information and the applicants right to privacy. The Data Protection Act also covers the collection, storage and disposal of both successful and unsuccessful applicants. The Data Protection Act is applicable throughout the entire Recruitment Process. Further guidance: University of Oxford - Data Protection webpage Information Commissioner’s Office: The Employment Practices Code www.admin.ox.ac.uk/ps

Learning Objectives By the end of this module you will be able to Describe the key data protection considerations for the Recruitment process: Advertising Job Applications Shortlisting Interviews Pre-employment checks References Retention of Recruitment Records Explain University best practice to comply with the Data Protection Act throughout the Recruitment and Selection process

1) Recruitment Advertising ICO Data Protection considerations: Ensure that the organisation’s (or recruitment agency’s) name appears in all recruitment advertisements Inform applicants how their personal data provided will be used, unless this is self evident Ensure recruitment agencies send anonymised applicant information, if the employer does not wish to be identified in the early stages of the recruitment process University best practice All job advertisements should comply with the University’s branding to ensure applicants are aware where they are sending their personal information when applying for job vacancies. The University’s Privacy Statement explains what types of information is gathered when people visit the University’s web site. Individuals must expressly give their consent before their data is used on the University website in order to comply with Principle 8 of the Data Protection Act which restricts the transfer of personal information outside of the EU. The Terms of Use on the University’s online jobsite informs potential applicants how their personal information will be used. Further guidance: University’s Jobs and Vacancies at www.recruit.ox.ac.uk and www.ox.ac.uk/about_the_university/jobs/index.html University Data Protection website: www.admin.ox.ac.uk/councilsec/dp/index.shtml

2) Applications ICO Data Protection considerations: Ensure that the organisation’s name appears on the application form Explain to applicants how their personal data provided will be used, unless this is self evident Only seek personal information that is relevant to the recruitment decision to be made, for example are CRB checks required for all job vacancies. Explain the purpose of collecting any sensitive personal data, for example Equality and Diversity Monitoring Provide a secure method of sending applications University best practice University application forms (online and paper) require that applicants give their explicit consent to the processing of their personal data during the recruitment process: E-Recruitment: applicants must select a checkbox to agree to the Terms of Use before they register to use e- Recruitment and before they submit their online application. The Terms of Use document contains detailed information on how applicants’ personal data will be used during the recruitment process. Manual application forms: applicants must sign a declaration at the bottom of the form Further guidance: e-Recruitment Terms and Conditions of Use: www.recruit.ox.ac.uk/pls/hrisliverecruit/docs/0000000038.pdf

3) Shortlisting ICO Data Protection considerations: Be consistent in the way personal information is used to shortlist applicants. Ensure applicant data is only circulated to those who need to use it Train staff on shortlisting processes Inform applicants if an automated short-listing system will be used as the sole basis for making shortlisting decisions. Ensure any psychological tests used to shortlist applicants are assessed by appropriately qualified staff. University best practice Shortlisting decisions should be based on the same selection criteria agreed at the advertising stage. New criteria should not be introduced as these will not have been reflected in the advertisement or further particulars; this could be unlawfully discriminatory. Applicant data should only be circulated to the shortlisting panel for that job vacancy. Note: in CoreHR, Equal Opportunities data is entered by Applicants via the online application form, stored separately in CoreHR and accessible only to the Diversity team. Training for selection panels is a requirement of the Personnel Committee. Workshops are available and the online course offered by Oxford Learning Institute. Records must be kept of the shortlisting process such as reasons for selection or rejection Note: shortlisting records are potentially disclosable to applicants on request and may be required by an employment tribunal in the case of a complaint of unlawful discrimination. Records may also be used to provide feedback. Rejection reasons are required by the UK Border Agency (further guidance). Further guidance: Personnel Services: Criteria for Shortlisting for interviews http://www.admin.ox.ac.uk/eop/recruitmentmonitoring/recruitmentcodepractice/

4) Interviews ICO Data Protection considerations: Interviewers should be made aware that candidates may have the right to request access to their interview notes Ensure that interviewers know how to take notes during interview and store interview notes securely Ensure that interview notes are destroyed after a reasonable time Explain to interviewers how to deal with a subject access request to interview notes University best practice At least one member of the interview panel must have undertaken training Where possible use the same interview panel for the whole interview process Use the same selection criteria for all candidates Seek specific information relating to the candidate’s experience relevant to the job Ask open questions Avoid inappropriate questions Further guidance: Personnel Services: Conduct of interview Personnel Services: Practical organisation of interviews

5) Pre-Employment Vetting ICO Data Protection considerations: Make it clear early in the recruitment process that vetting will take place and how it will be conducted Only use vetting to obtain specific information and only where it is justified for a particular job Conduct pre-employment vetting as late as possible in the application process on the preferred candidate Obtain the applicant’s permission to obtain personal information from a previous employer University best practice: Ensure specific checks (eg CRB) are not carried out on jobs where there is no requirement Pre-employment health questionnaires should only be sent to candidates once a conditional job offer has been made Further guidance: Personnel Services: Pre-Employment Checks at www.admin.ox.ac.uk/ps/managers/appoint/index.shtml#checks www.admin.ox.ac.uk/hrisprogramme/usinghris/processes/

6) References ICO Data Protection considerations: Set out a company policy stating who can give corporate references Ensure that referees are informed that references will be regarded as potentially disclosable under a Subject Access Request (Note: marking references "strictly confidential" may not eliminate them from disclosure) University best practice: Obtain references before offering the appointment (in some circumstance a verbal reference may be accepted in advance of the written reference) Advise potential candidates in the further particulars document that references will be required Include a declaration in job application form that applicants must sign to agree for references to be taken up – applicants may determine that references may only be taken if they are invited to interview/offered the job Further guidance: Personnel Services References: www.admin.ox.ac.uk/ps/managers/appoint/references.shtml Data Protection Good Practice Note Subject access and employment references at www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/references_v1.0_final.pdf www.admin.ox.ac.uk/hrisprogramme/usinghris/processes for link to summary ‘pre-employment gates’ document

7) Retention of Recruitment Records To comply with the Data Protection Act an organisation should establish and adhere to retention periods for recruitment records that are based on a clear business need.  ICO Data Protection considerations:  assess who retains recruitment records and where they are held (centrally, department) ensure that recruitment records are not held beyond the statutory period in which a claim arising from the recruitment process may be brought, unless there is a clear business reason for exceeding this period anonymise any recruitment information that is to be held longer than the statutory period University best practice The University's policy for the retention of recruitment records is: 6 months following an appointment Note: In some cases eg where a work permit is required, or where an employment tribunal case is in progress, it may be necessary to keep records for longer than 6 months, but they should be destroyed as soon as possible after that time. Further guidance: Retention periods for University personnel records: www.admin.ox.ac.uk/ps/staff/codes/retention.pdf

Summary The Data Protection Act is applicable to the entire Recruitment and Selection Process Recruitment Advertising Ensure the University is identified on all advertisements and applicants are aware how their personal data will be used Agree the selection criteria to be used throughout the recruitment and selection process Job Applications Only seek information that is relevant to the recruitment decision to be made Ensure applicants consent to their personal data being used in accordance to the Data Protection Act Shortlisting Use selection criteria to ensure consistency when shortlisting candidates. Shortlisting records are disclosable under a Subject Access Request Interviews Use selection criteria to ensure consistency when interviewing candidates. Interview records are disclosable under a Subject Access Request Pre-Employment Vetting Only use vetting to obtain specific information and only where it is justified for a particular job Obtain the applicant’s permission to obtain personal information from 3rd parties such as previous employer Job References Obtain applicant’s permission before taking up references and follow University procedure in giving out references Job references may be disclosable under a Subject Access Request Retention of Recruitment Records Follow University procedure to dispose of recruitment records (6 months) Anonymise any recruitment information that is to be held longer than the statutory period