ICO Issues Draft Guidance on Employment Records and the Recruitment and Selection Process


Panagiota Kourti | Data Protection Advisor

Date: 20 February 2024

On 12 December 2023, the Information Commissioner’s Office (ICO) released two draft guidance documents regarding employment practices and data protection, in order to help organisations identify their data protection obligations under the UK data protection legislation. The first guidance provides practical advice to employers on keeping employment records. The second guidance assists employers with compliance during the recruitment and selection process. Both documents are open for public consultation until 5 March 2024. 

Employers face numerous considerations in their daily operations, including compliance with UK data protection legislation, particularly the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA 2018). These two guidance documents follow a series of guidance the ICO has released over the last 2 years in the context of employment and underscore its commitment to aiding employers in meeting their accountability obligations.   

This article provides organisations and their relevant departments (privacy teams, HR divisions etc.) with a high-level analysis of the data protection considerations in two fundamental business functions: the collection and maintenance of employment records, and the recruitment and selection process.

Use and maintenance of employment records  

The collection and maintenance of workers’ records is of course essential for businesses. Organisations need to process various staff information such as personnel files, sickness records, disciplinary and grievance records, performance review records, and equality and diversity information (which include special category data such as ethnicity, religion, disability and sexual orientation).  

ICO data protection recommendations and key take-aways on employment records 

Although the data protection legislation allows the collection, retention and use of workers’ records, organisations are expected to strike a balance between the necessity of employment records and the privacy rights of workers. The guidance reiterates and clarifies previous guidance from the ICO on this matter; the key obligations highlighted for organisations processing such data are as follows:

  • Avoid relying on consent as the lawful basis under art.6 (UK GDPR) for such processing. This is due to the imbalance of power between an employer and their employees. 
  • Avoid relying on contract as the lawful basis under art.6 prior to an employment offer being accepted. At this pre-contract stage legitimate interest is the more appropriate basis.  
  • The ICO reminds organisations that, where processing special category data, they must identify a condition under art.9 (UK GDPR) in addition to the art.6 lawful basis. It also reiterates the need to identify a condition under Schedule 1 of the DPA 2018 where collecting criminal offence data.
  • Ensure personal data is only collected where it is necessary for their purposes. 
  • To meet transparency requirements, organisations must inform staff about the types of data, the purposes of the processing, any third parties that they might share this information with as well as reminding staff how they can find this privacy information.  
  • Remind new and existing workers of their rights under data protection law, including their right to access the information held about them.  
  • To ensure information security, access to employment records should be restricted to HR staff and information owners on a strictly need-to-know basis, in view of their roles.
  • Clear retention policies should outline how long different categories of personal information are retained, with secure and effective erasure or anonymisation of records when no longer needed. 
  • Given that most workplace pension and health insurance schemes are run by third parties, when a worker joins a health or insurance scheme they must be informed that their information will be shared with the scheme provider and how their data will be used.
  • Where considering the public dissemination of activities through annual financial reports, advertising materials, media articles, social media posts etc., and even where under a legal obligation for disclosure (such as an FOI request), organisations must conduct a balancing exercise. This should determine whether the employees’ reasonable expectation of privacy supersedes the benefits of disclosure. The ICO recommends implementing a disclosure policy to address such situations.
  • Where outsourcing record-keeping activities to another entity (e.g. the human resources or payroll function), the ICO stipulates that the employer retains the role of data controller, with the third party acting as a processor and the controller retaining ultimate responsibility for data protection obligations.
  • Lastly, where organisations need to share employee data with another organisation due to a takeover or a similar organisational restructure (acquisition, merger or insolvency), they should anonymise the data and inform workers prior to sharing.

Processing data in the recruitment and selection process 

Employers or recruiters often process multiple types of information in the course of the recruitment and selection of candidates. This information is often sensitive, as it may reveal details about candidates’ health, diversity or criminal history. The recruitment process may involve a complex processing structure, with multiple organisations involved in the end-to-end recruitment cycle. The draft guidance is addressed to employers but also to organisations which carry out recruitment on behalf of employers.

ICO general data protection recommendations and key take-aways in the recruitment and selection process 

Key obligations highlighted for organisations for the general processing of such data are as follows: 

  • Avoid searching for candidates on their personal social media profiles, even when made public by the individuals themselves. The ICO confirms such processing is intrusive, high risk, and not likely to reveal relevant information. Manually searching for information using recruitment-based social media platforms may be acceptable, given candidates are reasonably likely to expect their information to be used in this way.  
  • Once an offer has been made to an applicant, employers will need to consider what candidate data it is reasonable to retain. For unsuccessful candidates, however, the ICO confirms there are only a few circumstances in which records may be retained, and these reasons should be determined in advance and communicated to the candidates.
  • Where organisations perform pre-employment vetting checks, any checks into a candidate’s political beliefs, credit history or criminal convictions should only be performed where there is a legal obligation, or where a significant and particular risk can be identified.

Data protection considerations and key takeaways regarding the use of AI in automated decision making during the recruitment process  

Increasingly, organisations use AI tools in the recruitment process. This may be to filter CVs, to source and locate potential candidates as well as to assess the skill sets of candidates based on their CV in order to predict whether they will be successful in a role. This processing may rely on:  

  • Solely automated decision making: Decisions made without any meaningful human involvement. 
  • Partly automated decision making: Decisions made with some meaningful human involvement. 
  • Profiling: Analysis of aspects of a candidate’s personality, behaviour and interests to make decisions about them.  

Under art.22 (UK GDPR) candidates have the right not to be subject to solely automated decision making and profiling for recruitment purposes, as this may have legal or similarly significant effects on them. In its draft guidance, the ICO lays down a list of conditions that must be met in the context of automated decision-making and profiling for recruitment and selection.

  • Organisations should not screen candidates through solely automated decision-making and profiling unless they can rely on an exception under art.22 (necessity for entering into a contract with the candidate, explicit consent or lawful authorisation) and they have safeguards in place (giving the data subject the right to obtain human intervention, to express their point of view and to challenge the decision).
  • Where processing special category data, organisations can only use solely automated decision-making and profiling if they can rely on one of the above exceptions and, in addition, either they obtain the candidate’s explicit consent or the processing is necessary for reasons of substantial public interest.
  • For solely automated decision-making and profiling, organisations must meet transparency obligations by providing meaningful details to candidates about the logic involved and the significance and likely consequences for them.
  • Where relying on partly automated decisions and profiling, organisations must build meaningful human involvement into each phase of the process where recruitment decisions are made. For example, any solely automated outputs that are to be used in determining whether a candidate is selected or eliminated from the recruitment process must be reviewed by a human who is able to disagree with and overturn the AI’s recommendations.
  • Organisations which rely on third parties’ AI systems need to be able to determine the role of the parties involved: that is, whether it is appropriate for the AI service provider to be the controller or joint controller for some AI processing phases and a processor for others, or a processor only.
  • Lastly, where AI is in use in recruitment a data protection impact assessment (DPIA) must be conducted for such use as it is likely to result in a high risk to the rights and freedoms of candidates. 


Through these two sets of guidance, the ICO aims to provide greater regulatory certainty to organisations and, at the same time, to shield and enhance workers’ and candidates’ data protection rights. The draft guidance on recruitment and selection in particular offers a beacon for businesses not only to stay compliant with data protection law but also to account for the ethical implications of the use of AI within recruitment.

Trilateral’s Data Protection and Cyber-Risk Team has extensive experience in assisting organisations to stay compliant with their data protection obligations through the development of policies as well as the implementation of appropriate organisational and technical measures. Trilateral also has a range of AI services to help organisations implement the principles of Responsible AI and comply with AI laws and regulations. Please contact our advisors if you would like to receive expert assistance in data protection compliance or Responsible AI.
