Data Protection Act

Information which employers collect and store about employees comes under the Data Protection Act – and that begins with information collected at the recruitment stage.

The Act requires openness, so applicants should be aware that you collect information and what it will be used for: gathering information secretly about an applicant is unlikely to be justified. Information must also only be used for the purpose it was obtained, e.g. email addresses obtained as part of recruitment cannot be added to a marketing database, unless candidates have opted-in.

The Information Commissioner’s Office provides a series of guides designed for SMEs providing a useful checklist about the requirements of the Data Protection Act. Much of this is simply good practice, such as only using the information for the purpose for which it was obtained unless additional uses are clearly explained; ensuring that either the employer or their agency is identified; keeping personal information secure and treating it with respect; not asking for more information than needed; making sure people understand how information will be verified; and only keeping the information for as long as there is a clear business need for it.

The guides also contain information about employees’ rights to access information held about them, keeping absence records and monitoring staff while staying within the law. Its website includes an online self-test to determine whether employers have to register as a data controller. See