What is GDPR?
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It replaces the 1995 Data Protection Directive, on which current UK law is based.
When did the new regulation start?
25th May 2018.
Does it apply to clients of Jobtrain?
Who will enforce GDPR in the UK?
The Information Commissioner’s Office (the ICO).
The General Data Protection Regulation gives new rights for people to access the information that companies hold about them, obligations for better data management for businesses, and a new regime of fines. Organisations must be much more explicit in telling individuals what data will be held about them and how it will be used before they submit it. Of particular note is that candidates will have the right to request the information be deleted at any time. The information is extensive, and we advise that your organisation undertakes a detailed review of this legislation to prepare accordingly.
How can Jobtrain help?
We’ve collated guidance on how to prepare for this legislation with regards to your recruitment process and use of the Jobtrain ATS.
Our dedicated Client Success Managers and our helpdesk, backed up by our in-house technical team, are here to help with system set up and any questions on system use.
Jobtrain’s archiving feature – whether by the automated method or individual requests managed by our helpdesk – has been developed to anonymise data so it is no longer “personal data” but leaves an anonymous “footprint” to enable extensive historic reporting.
Preparation – 4 ‘W’s
In the GDPR, personal data is broadly defined as any information relating to an individual who can be identified, directly or indirectly, in particular by reference to an identifier such as for example a name, address, identification number, email, social media handle, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
So, with Jobtrain specifically in mind…
WHOSE personal data is processed?
Consider whose data you hold. For example:
- Job alert registrants
- Job applicants
- Third party recruitment consultants
- Referees / former employers
WHY is personal data processed?
Consider why you collect, use and hold this data. For example:
- Job alerts – holding individuals’ data to alert them about jobs they may be interested in, based on their expressed preferences
- Job applications – holding individuals’ data to assess their suitability for a job
- Talent Pooling – holding individuals’ data to assess their suitability for future jobs that may or may not arise
- Offers made – holding individuals’ data for offers made (whether accepted or not)
WHAT personal data is processed?
Based on whose data you hold and why you hold it, review what data you’re holding and consider whether it’s all necessary. For example:
- Registration form content
- Application form content
- Offer / onboarding content
- Email / SMS communications
- Selection data
WHEN is personal data processed?
“Processing” includes the actions of obtaining, disclosing and deleting personal data. Consider the following points:
1. When is the personal data obtained?
   - First stage application
   - Second stage application
2. To whom is it disclosed and why?
   - Line managers
   - HR Partners
   - Jobtrain helpdesk
3. How long is it retained for?
   Consider the following:
   - The retention period may be determined by:
     - A statutory requirement. Identify which particular section of law/regulation sets out the retention period – is that a maximum or minimum period?
     - A business/professional practice – what is it?
     - Other reason – provide an explanation
   - How long is data held within Jobtrain? Is auto-archiving* switched on and what time period is it set to initiate?
   - How long is data held outside of Jobtrain, for example:
     - Offline Interview / Assessment Centre records
     - Print Outs / Exports
The GDPR does not apply to data that is anonymised in such a way that an individual can no longer be identified from the information on its own, or “reconstituted” with other data to enable identification, as it is no longer “personal data”.
Jobtrain’s archiving feature, whether by the automated method or individual requests via our helpdesk, anonymises data so it is no longer “personal data” but leaves an anonymous “footprint” to enable extensive historic reporting.
Once you have defined the “Whose”, “Why”, “What” and “When”:
- Draw up a policy process and a governance/auditing process. These should be written for both those submitting information (candidates) and those receiving and processing it (your employees)
- Adapt your recruitment policies, process and user roles/practices accordingly
- Communicate and train this out across your organisation
Specifically relating to Jobtrain:
- Ensure you include a link to your policy/process document available to candidates, immediately prior to the option to register their details. This document should be explicit as to the reason you are asking for this data and how you intend to use it
- You may wish to remind candidates of this at the point they complete the declaration (which has previously been focused on them declaring their application is truthful) prior to submission of their application
- In your email templates within Jobtrain, consider adding a footnote to each explaining why they have been sent the email and who they should contact if they have a concern. In the case of Job Alert communication templates, draw attention to the fact they can unsubscribe from these alerts and provide steps on how to do this
- Ensure the auto-archiving (within Settings>System Customisation) is switched on and set to the appropriate time period
- Have a process for handling ad-hoc requests for data removal. The Jobtrain helpdesk can support with archiving of an individual’s data on a case-by-case basis
- Review the data collected, who has access and where necessary adapt:
  - Application forms
  - Assessment forms
  - Sifting/shortlisting forms or any other selection orientated data stored
  - User profiles
  - Security roles
Data Subject Access Request Flowchart
Download an example of a GDPR data subject access request flowchart.
Jobtrain client, The Isle of Man Government, displays this statement prior to registration, which in turn links to the full statement, which they call the ‘Fair Processing Notice’.
Fair Processing Notice:
The Office of Human Resources, Cabinet Office has a Fair Processing Notice which informs you how we collect and use your personal data. This information is important, therefore, we encourage you to read the Fair Processing Notice carefully. To be able to enter personal data in Isle of Man Government Recruitment Online system, you must give your consent to the processing of your personal data. The Fair Processing Notice is available by clicking here. We may also record information about the way you have used our Site to improve the way it operates.
How we process your information
This notice explains how we collect and use your personal data. Personal Data is any data that relates to you for which you can be identified.
This Site is owned by Isle of Man Government and hosted by Jobtrain Ltd, 4 Tabley Court, Victoria Street, Altrincham, Cheshire, WA14 1EZ. Jobtrain client data is held in the UK only.
Data Controllers – the personal data provided by you on the Isle of Man Government’s e-Recruitment system is controlled by:-
Cabinet Office of the Isle of Man Government
Contact : firstname.lastname@example.org – 01624 686300
Purpose: Collection of all data entered by prospective job applicants in the process of accessing the e-Recruitment system which includes data entered where the application has not been submitted. Collection and processing of all data submitted by prospective job applicants for the purposes of recruitment which includes any ‘uploaded’ documents and access to Registered Users contact details.
Contact : email@example.com – 0161 850 2004
Purpose : Collection and processing of all data submitted by registered users (interested job applicants) which also includes any ‘uploaded’ documents with transfer of this information to the Cabinet Office;
Collection and maintenance of Registered Users contact details for the purposes of job applications, job alerts, password reminders and email correspondence relating to site use
Processing of the personal data – Cabinet Office
The Cabinet Office will use the information provided by you for recruitment and selection, personnel management and for employment purposes in respect of successful candidates. The information you give us will be kept confidential and your personal information will not be disclosed to third parties without your prior consent except where necessary to confirm factual information provided by you; to protect public funds, including the prevention and detection of fraud and/or otherwise required by law.
The information you provide, and obtained from other relevant sources, such as previous employers, professional bodies etc, will be treated confidentially and used by The Cabinet Office to process your application for employment.
The information will be shared with the Department you are applying for employment with and, if you succeed in your application and take up employment with us, it will be used in the administration of your employment. We will, where necessary, check information you supply to us in your application form. Enquiries may be made to determine immigration or work permit status, or to relevant persons such as previous employers or professional bodies.
We may also record information about the way you have used our Site to improve the way it operates.
Processing of the personal data – Jobtrain Ltd
Jobtrain Solutions uses the information provided by you for the purposes of transferring this information to the Cabinet Office. Jobtrain Solutions will carry out maintenance of the system and data on the instructions of the Cabinet Office.
The information you give us will be kept confidential and your personal information will not be disclosed to third parties without your prior consent except where required by law.