The onboarding process is the most vital part of your recruitment process, and for good reason. You want to make a good impression.
It has been found that companies with an employee-centric onboarding process are likely to obtain and retain top talent. In the long term, this creates less staff turnover, happier employees, and a competitive advantage for the company.
However, there is one area of this process that is often neglected: the candidate’s personal data.
In an age of data-driven decision making and automation, human resource professionals process more personal data than ever before.
And with an abundance of personal data, how are you ensuring it’s processed compliantly?
In this guide, we look at the stages of the onboarding process and the considerations you should make when it comes to processing your candidate’s data.
The Initial Application
Typically, companies receive applications via a job website (e.g. Reed, Indeed) or through an online application form on their website.
Once an application has been made, you now have access to a candidate’s sensitive information.
Typically, a candidate will only put their name and contact details on a CV and covering letter.
In some rare cases, a candidate may supply their national insurance number or passport details**.
Regardless of the sensitivity of the information, you have personal data in your hands. This data must be handled and processed accordingly.
If you advertise on job websites, you will find that it is their responsibility to ensure all data is processed legally and compliantly. However, there are still some questions you should ask:
- Once an application has been received, how will we store this information securely?
You may also receive applications through your website (via an online application form or otherwise). If so, you must:
- Secure your website with HTTPS
- Keep a protected list of the website administrators and their passwords
- Prevent website login details from being sent outside of the company
- Implement and manage a secure folder for all applications received
- Regularly change passwords
- Implement a process to store all cover letters and CVs (with access granted accordingly)
**You should inform your candidates not to include national insurance and/or passport details on their CV. This is particularly important if they are sharing their CV online via platforms like LinkedIn.
The Job Offer – Vetting & Background checks
Your applicant was impressive. They interviewed well, have the experience, and they are eager to work for you. You offer them the job.
Now, you need to perform background checks on your candidate.
Also known as pre-employment screening, this process ensures the person you are hiring has the credentials and experience they have stated on their application.
This is the stage of the onboarding process where you will process A LOT of your candidate’s personal data. This will include:
- Passport or birth certificate
- Relevant visa (if applicable)
- National Insurance number
And you will need this information to verify the candidate’s…
- Right to work
- Employment references
- Educational credentials
- Criminal record
Not only will this ensure your candidate can legally work for you, but it will also tell you if they have the credentials and experience stated on their application. In addition, pre-employment screening can protect your company from legal and reputational ramifications.
To ensure compliant and efficient vetting, you should implement the following:
- A process that considers all 10 background checks
- Background checks that are proportionate to the role (e.g. a UK credit check for insurance sales roles)
- A digital consent form. You will need written consent from your candidate before you can process any of their data
- A dating and filing procedure for data and documents (that complies with GDPR)
Failure to perform required checks can instantly lead to non-compliance.
If you are onboarding many new starters, then you should consider automating the process. There is software available that can assist.
Your new employee – What do you do with their data?
After your new employee has been inducted, it is easy to assume their data just sits around and is deleted if they decide to leave your company.
However, this is simply not the case.
Your employee’s personal data must be filed and dated securely, with access granted to authorised personnel who need to process it. For example, accountants will need access to certain data to process the company payroll. Also, this data may need to be processed for annual checks (e.g. DBS enhanced or DVLA).
If an employee leaves, you must keep their details for a statutory retention period of 5 years from their leave date (7 years for BS7858 checks).
To ensure compliance, you should look to:
- Obtain the employee’s consent before processing any of their personal data
- Inform the employee how you intend to process their data
- Date and file their personal data and documents (however you file this information, you should perform risk assessments to prevent data breaches and unlawful access)
- Implement regular checks that are proportionate to the role (e.g. annual DVLA checks for drivers)
It can be easy for the onboarding process to be overshadowed by data protection law and compliance processes.
That is why you should devise your company’s onboarding process alongside your compliance manager, human resources manager, or similar.
If you feel your current onboarding process lacks data compliance, review your process with your human resources team (or consider outsourcing to a consultant, if you are a small company).
Not only will an emphasis on data compliance protect your company, it will allow for streamlined data processing company-wide.