Xref events

Protecting data and ensuring candidate privacy in HR

min read
Fingerprint scanner on a keyboard to ensure data privacy for candidates and employees

Recruit, retain and remember your people

Simplify your talent journey and make confident people-focused decisions with Xref. Find out why the organisations you trust, choose Xref.

Learn more

Remember top talent with an Exit Survey

Reduce attrition, improve retention, build corporate memory to improve organisational metrics with an Xref Exit Survey.

Find out more

Retain and engage your talent for positive change

Give your people a voice with a tailored Xref Engage survey.

Learn more

Retain your people and make meaningful change

Increase retention and reduce turnover with quick employee feedback from an Xref Pulse Survey.

Learn more

Try Xref Reference for free today

Get started with referencing in Xref today for free. No credit card required.

Get started for free

Keeping candidate and employee data safe and secure is a hugely important role for all HR professionals. From hire to exit, candidates and employees share personal data they expect to be kept private and secure. 

Human Resources teams are entrusted with personal information like home addresses, bank account and pension information, proof of identity documents, past employment history and much more. 

HR departments have a duty of care to ensure their teams know how to protect candidate and employee data. Candidates and employees should have confidence in how their information is used and kept safe.

In today’s environment, consumers have more awareness of data privacy and higher expectations of how they’d like their data to be managed. 

Recent high-profile hacks on companies like Optus, Medibank in Australia and an unnamed healthcare insurance service in the US have shown that even the largest corporations need to be careful when keeping information safe and reducing the opportunities for personal data to be exposed.

As a result, more candidates want to know how their data is used and how it remains private, protected and secure. 

Applying for a job naturally requires sharing a lot of personal information, from home addresses, email addresses and phone numbers to past salaries and previous employer details. Organisations must ensure they have the right processes in place to protect any data collected. 

Similarly, HR privacy and HR security standards need to be in place to ensure candidates are confident their data is handled adequately and kept secure. 

This blog discusses the challenges HR leaders face regarding data security and ensuring candidate privacy. Plus, we outline fundamental information about privacy principles so all HR and recruiting teams can ensure the right processes are being followed. 

Keeping employee data private in a digital world

When applying for a job, candidates send over personal information like their full names, email addresses, phone numbers, education history, work history, home addresses, past salaries, previous employers' contact details, and more. 

The collection of data isn’t only limited to candidates. Organisations also regularly collect employee data like social security numbers in the US, tax file numbers, bank details and superannuation or pension information. 

Some of this information is required by law. However, HR may also collect other employee data like performance reports or employee engagement statistics.

While staff performance or engagement information may not seem very sensitive, ensuring it remains secure and only in the hands of those with legitimate interests is essential for building and maintaining employee trust. 

In our technology-driven world, data is stored in multiple locations. From applicant tracking systems to HRIS platforms, reference checking platforms, excel sheets and emails. 

Each place where data is stored has varying levels of security and carries some level of risk. 

Cybercrime is rising worldwide and is expected to cost $10.5 trillion by 2025. Digital identity theft is a considerable risk for anyone sharing their data, particularly candidates and employees who share the information needed to verify who they are. 

HR and recruiting teams must ensure the digital systems they use to collect data are secure and adhere to the proper compliance standards. HR teams can work with IT and other departments to protect employees against cybercrime. Start with choosing trusted platforms to collect and store information and implementing solid processes to monitor all data points. 

Training employees on data protection and what to look for if they see something suspicious relating to data and personal information may be helpful. The more people looking out for the protection of personal information, the better. 

HR teams must also be aware of the risks of using tools like ChatGPT, which are gaining popularity. While AI platforms offer a world of possibilities for HR leaders, they can also lead to data breaches and have murky compliance requirements. 

Legislation around Artificial Intelligence (AI) tools is still largely taking shape. In Australia, the Federal Government is beginning to explore AI regulation and legislation. 

On the other hand, the European Union (EU) is very close to being the first jurisdiction to implement the world’s first rules around AI.

The ethics and legality of feeding free tools with confidential data is a topic currently being discussed by lawmakers and business leaders. 

For HR leaders, the right way to use free AI tools must still be determined. For example, AI can serve as a chatbot that answers candidate questions. But, the way the AI stores candidate details might breach an organisation’s privacy policy and, therefore, a candidate’s trust. 

That’s not to say recruiting and HR teams shouldn’t innovate using the latest technologies. It’s just as important that the proper privacy and compliance rules are consistently followed when collecting and using candidate and employee data in any capacity. 

Using data safely and correctly starts with a firm grasp of security and privacy principles—a topic we will explore in the rest of this blog.  

Key regulations about data privacy 

Every country has its own data privacy regulations, which can vary by state. Recruiters and HR leaders must be aware of key regulations in every jurisdiction they operate in or have support from a knowledgeable legal team.  

The way candidate and employee data is collected and used should adhere to your organisation's privacy policies. 

For example, GDPR legislation gives stakeholders the right to ask for their data to be deleted. 

HR and recruiting teams operating in Europe or dealing with European citizens must therefore have processes that make it easy to delete candidate, employee and referee data permanently and within the prescribed timeframes. 

If you’re unsure if your organisation is up-to-date with the latest regulations, it’s best to get a legal expert to conduct a data privacy health check. Legal professionals can assess which legislations and regulations apply to your organisation and judge how well your team adheres to them. They may provide recommendations on how to improve, if necessary. 

Common data protection laws include: 

The Australian Privacy Act  

This Privacy Act (Cth) 1988 protects the handling of personal information, including the collection, use, storage, and disclosure of personal information in the federal public and private sectors.

The Australian Government is currently reviewing the Privacy Act. HR teams operating in Australia must stay abreast of developments in this area as it will impact how employee data is allowed to be stored and used.

General Data Protection Regulation (GDPR) 

The European Union’s GDPR is the most rigorous privacy legislation. All HR leaders should have a working knowledge of these regulations and may even choose to use them as the gold standard. 

GDPR standards include giving people the right to ask for their data to be deleted and require organisations to only store data for as long as necessary. Recruiting and HR teams should keep a special eye on how they manage talent in the EU to ensure they aren’t unnecessarily keeping candidate information on file. 

The Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA is Canada’s primary privacy legislation. It governs how private sector organisations collect, use, and disclose personal information across Canada.

Recruiting and People and Culture teams operating in Canada must ensure that they collect candidate and employee information in line with PIPEDA standards. 

Xref branded graphic with five tips for ensuring data security from below

Best practices for data privacy and information security when using tech

HR and recruiting teams handle plenty of personal information, and it’s important to keep it protected. Every element of your recruiting and HR system should consider data privacy. 

Here are five tips for ensuring data security. 

1. Practice good privacy governance

Privacy governance is your framework to keep candidate and employee data safe. 

Ensure robust policies, processes, and tools are in place to help manage employee data privacy issues.‍ This means choosing technology that is compliant with privacy laws, training staff on privacy issues and keeping all policies regarding privacy up-to-date. 

When a strong privacy framework is in place, it’s easier to identify weaknesses or areas for improvement before they become a problem. 

For example, if your team is aware that employee privacy is a high-priority issue, it pays to ensure that your people are across what is required of them and what they can do to maintain privacy. Data sharing processes can be covered as part of onboarding, and reminders can be included in regular training. 

2. Create a privacy policy for candidates and employees

Create an open and transparent policy about handling personal information from candidates and employees. Privacy policies written for candidate and employee data will help ensure compliance measures are met and help in gaining candidate and employee trust. 

Your privacy policy must be easily accessible to candidates and employees. Adding your privacy policy to your organisation’s website, internal HR portal and email footers is an easy way to allow candidates and employees to openly access the policy. Recruiters and HR team members should be able to discuss privacy basics with any candidate or employee asking how their data is managed. 

3. Create a data usage process

How are you using candidate and employee data, and who has access to it? Create a clear policy that specifies who has or could access sensitive data, what constitutes correct data usage, and everything else that applies. From this policy, your organisation can implement access and usage processes for safe data keeping.

For example, recruiters may access data from candidates who apply for specific jobs, and HR teams may only have access to data from candidates who make it to final round interviews. 

Ensure your teams are trained in your data usage process. If recruiting and HR teams do not adhere to policies, sensitive candidate data may be at unnecessary risk. 

4. Collect essential information only 

It can be difficult to only collect essential information during the recruiting process since candidates can choose how much they’d like to share in cover letters and CVs. 

During the later stages of recruiting, some candidates may need to undertake background checks like Police Checks and Working with Children Checks. These checks should only be conducted if necessary. 

The best way to maintain compliance is to ensure you are collecting data with a clear purpose. Know exactly why you need the data, how you will use it and how you will dispose of it when needed. 

There are laws around how long any entity can store personal information, and it is your organisation's responsibility to know the requirements when it comes to data privacy and compliance. 

If a candidate or employee requests their data be deleted, there are timeframes that your organisation must complete these requests by. Your legal team can help here.

Similarly, all data should have an ‘expiry date’ where it is removed if it is no longer required. Tech giant Amazon was fined for historical privacy abuses, such as retaining data from children after being explicitly asked to delete it. 

5. Choose the right tech to support compliance and security

Only some organisations will need to obtain security certifications like ISO 27001, which ensures compliance around data use and storage. 

There are benefits to using software that has robust security features and certifications. Choosing secure and compliant technology can help protect your organisation from common security risks and will naturally raise your security levels. 

The technology you use at each stage of the talent journey should work to protect the data you collect from every person. 

For example, Xref is ISO 27001 certified, so our users feel confident that candidate, employee and referee information is securely collected and stored according to these standards. 

Planning for the future 

As the risk of cybercrime grows and HR processes increasingly rely on technology, all HR professionals must focus more on protecting candidate and employee data privacy. 

By implementing robust security measures and adhering to best practices, HR teams can ensure the confidentiality and privacy of candidate and employee information. Strong security measures will help organisations protect against cybercrime, keep candidate data safe and encourage innovation within a strong data compliance framework. 

Xref's commitment to security and compliance

Xref takes data security and compliance very seriously. Being ISO27001 certified and GDPR compliant, Xref prioritises the protection of candidate and employee data, meeting the highest international security standards. 

Xref stores all data within local geographies, ensuring compliance with regional requirements and enhancing data privacy and protection.

For more information about how Xref protects your data and privacy or for a guided tour of our platform, book a free demo.

Recent articles

View all