Job Application UK: Employer Legal Guide 2026


Managing a job application is not simply an administrative step in recruitment. For UK employers, every job application creates legal exposure. From the moment an individual submits a job application form, the employer is processing personal data, applying selection criteria and making decisions that may later be scrutinised in a tribunal or by a regulator.

The job application process is therefore a regulated legal activity. It engages data protection law, equality legislation, criminal record rules and right to work obligations. Errors at this early stage can result in discrimination claims, regulatory fines, reputational damage and costly disputes. Where Home Office compliance and enforcement issues arise, employers should understand the role of UKVI oversight and how recruitment decisions can connect with wider compliance obligations.

What this article is about:
This guide explains how UK employers should manage a job application lawfully and defensibly. It covers the legal framework governing job applications, how to design a compliant job application form, how to run a fair job application process, how to handle job application data in line with UK GDPR and the Data Protection Act 2018, and how to reject job applications without creating avoidable legal risk.

A legally compliant job application process is structured, objective and documented. It limits the data collected, applies consistent criteria and ensures that all candidates are treated fairly and equally.

 

Section A: Job Application Law in the UK

 

Every job application is shaped by statutory obligations. Employers cannot treat recruitment as an informal exercise; it must operate within a defined legal framework. Understanding which laws apply is the foundation of managing job applications safely and in line with UK employment law.

 

1. What laws apply to a job application?

 

Several key legal regimes govern how employers manage job applications in the UK. As a starting point, employers should ensure their processes reflect current recruitment law requirements, with particular attention to discrimination controls, evidence trails and lawful handling of applicant data.

UK GDPR and the Data Protection Act 2018
As soon as a candidate submits a job application form, the employer becomes responsible for processing personal data. Employers must identify a lawful basis for processing, typically legitimate interests and/or processing necessary to take steps prior to entering into a contract. Where legitimate interests is relied on, employers should document a balancing exercise (often referred to in practice as a Legitimate Interests Assessment) to demonstrate why the processing is necessary and proportionate in the circumstances. Practical compliance steps are addressed in GDPR for HR guidance.

Where special category data is processed, such as health information relating to reasonable adjustments, an additional lawful condition under Article 9 UK GDPR and Schedule 1 of the Data Protection Act 2018 is required. Criminal conviction data is subject to stricter safeguards under Article 10 and the DPA 2018, and employers should keep any criminal record processing tightly controlled, role-specific and supported by appropriate policies and safeguards.

 

Equality Act 2010
The Equality Act prohibits discrimination during recruitment on the basis of protected characteristics: age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, religion or belief, sex and sexual orientation. Employers must ensure job application decisions do not expose them to recruitment discrimination claims.

The duty to make reasonable adjustments applies at the job application stage. Employers must take reasonable steps to ensure that disabled applicants are not placed at a substantial disadvantage, and should have a clear pathway for requesting reasonable adjustments. A failure to act appropriately can result in claims for failure to make reasonable adjustments and wider disability discrimination exposure.

Employers should also be mindful that pre-employment health enquiries are restricted in law. In practice, questions about health or disability should be limited to what is necessary for the recruitment process itself, for example to identify reasonable adjustments, and should not be used to screen out candidates.

 

Rehabilitation of Offenders Act 1974 and DBS disclosures
Certain convictions become “spent” after a rehabilitation period and do not need to be disclosed, unless the role is legally exempt. Employers should structure criminal record questions carefully. In broad terms, employers should not ask applicants to disclose spent convictions unless the role is covered by the relevant statutory exceptions (including the Rehabilitation of Offenders Act 1974 (Exceptions) Order), and DBS checks should only be carried out where the role and legal framework permit them.

 

Immigration compliance and right to work checks
Employers must carry out compliant right to work checks before employment begins. Employers should avoid conducting checks selectively or inconsistently, as this can create discrimination exposure. A consistent approach helps reduce the risk of allegations of discrimination in right to work checks. Where right to work compliance links into wider sponsor or Home Office risk, employers should also consider the relevance of UK immigration compliance as part of overall risk management.

 

Employment Rights Act 1996 and contracts
Although job applicants do not yet benefit from full employment rights, once hired, employees and workers are entitled to a written statement of particulars and other statutory protections. Recruitment documentation should therefore align with the terms ultimately offered and the underlying employment contract arrangements, to reduce disputes about what was represented during recruitment.

 

2. Legal risks when handling job applications

 

The legal risk attached to a job application process is often underestimated. The primary areas of exposure include discrimination, data protection failings and evidential weakness when decisions are challenged.

A well-run job application process reduces the risk of:

– Direct discrimination during shortlisting or interviewing
– Indirect discrimination arising from selection criteria or assessment design
– Failure to make reasonable adjustments
– Mishandling personal data and poor privacy governance
– Inconsistent decision-making and poor documentation

 

  • To defend indirect discrimination risk, employers should ensure any potentially disadvantageous criterion pursues a legitimate aim and is a proportionate means of achieving that aim.
  • Where structured scoring is used, ensure the scoring matrix is applied consistently and supported by evidence.
  • Where recruitment tools are used to filter or rank applicants, bias monitoring and governance controls are essential.

 

A poorly documented recruitment decision can be extremely difficult to defend in a tribunal claim. Employers should assume that selection decisions may later be examined in detail, including through requests for information and data access routes such as a subject access request.

 

Section Summary

 

A job application engages multiple areas of UK law. Data protection obligations begin immediately upon receipt of candidate information. Equality duties apply throughout the job application process, including advertising, shortlisting and interviewing, and employers must build in reasonable adjustments from the outset. Right to work checks must be managed consistently and completed before employment begins, with awareness of Home Office and UKVI compliance expectations. Employers who understand this framework are far better positioned to run a defensible and compliant recruitment process.

 

Section B: Job Application Form UK

 

The job application form is the structural backbone of the recruitment process. It determines what information is collected, how candidates are assessed and how defensible the eventual hiring decision will be. A poorly designed job application form increases the risk of discrimination, excessive data collection and inconsistent shortlisting.

A compliant job application form should collect only information that is genuinely relevant to the role. It must avoid questions that could expose the employer to claims under the Equality Act 2010 or breaches of the UK GDPR and Data Protection Act 2018. Employers should also ensure the form aligns with the role requirements as set out in the job description and person specification, because unclear or shifting criteria can undermine fairness and defensibility. Where employers need to refine role requirements, they should approach changes carefully and consistently, including in relation to changing a job description.

 

1. What to include in a job application form

 

A lawful job application form focuses on objective, role-related information. Employers should limit questions to details that are necessary to assess whether the candidate meets the essential and desirable criteria for the position.

Appropriate content typically includes:

 

  • Employment history and relevant experience
  • Qualifications and professional memberships
  • Role-specific skills and competencies
  • Availability and notice period
  • Confirmation of the right to work in the UK, framed in a way that avoids unnecessary nationality detail at application stage
  • Professional references, where relevant

 

Where references are requested, employers should be clear about when they will be taken and ensure that personal data shared by referees is handled lawfully and securely. Employers may also include declarations confirming that the information provided is accurate. This can be important where misrepresentation later comes to light and the employer needs to evidence that the candidate was required to provide truthful information.

The key principle is necessity. If a question does not assist in assessing suitability for the role, it should not appear on the job application form.

 

2. What not to ask on a job application form

 

The Equality Act 2010 makes it unlawful to discriminate in recruitment. Certain questions create unnecessary legal exposure and should generally be avoided.

Employers should not ask about age, marital status or family plans, religious beliefs, sexual orientation or ethnicity in the main job application form. Employers should also avoid asking broad questions about health or disability at application stage, unless the question is limited to what is necessary for the recruitment process itself, such as identifying reasonable adjustments. Health and disability questions should never be used as a proxy for capability screening at the job application stage.

Criminal record questions must be carefully framed. For most roles, employers should not request disclosure of spent convictions. Where a role is exempt and requires disclosure, the employer should ensure its approach aligns with the appropriate legal framework and data protection safeguards, and that any criminal record processing is restricted to what is necessary for the role.

Employers must also avoid criteria and wording that can operate as indirect discrimination. For example, demanding rigid experience thresholds may disadvantage younger candidates unless the requirement is objectively justified by a legitimate aim and is proportionate to that aim. The form should support consistent decision-making, not introduce avoidable bias risk.

 

3. Diversity monitoring and equal opportunities forms

 

Many employers collect diversity data to monitor equality and inclusion. This can be lawful and appropriate, provided it is handled correctly. The most important safeguard is separation: diversity data should not influence shortlisting or selection decisions.

Best practice requires that diversity monitoring questions are:

– Separate from the main job application form
– Voluntary
– Used for monitoring and reporting only
– Restricted so that hiring decision-makers cannot access identifiable diversity data during selection

This is also where policy alignment matters. Employers should ensure their monitoring approach is consistent with internal standards and communications, including any equal opportunities policy and recruitment governance documents.

Where diversity monitoring involves special category data, employers must ensure they have an appropriate lawful basis and condition for processing, and apply the safeguards required by the Data Protection Act 2018. Employers should also be clear with candidates about why the information is collected, how it will be used and who will have access to it, typically through a recruitment privacy notice.

 

Section Summary

 

A legally compliant job application form is structured, focused and proportionate. It collects only information necessary to assess suitability, avoids discriminatory questions and handles diversity and sensitive data separately with appropriate safeguards. The form should reinforce fairness, transparency and objective decision-making and ensure that every candidate is assessed against clear, consistent criteria.

 

Section C: Job Application Process

 

The job application process extends beyond the form itself. It includes advertising, shortlisting, interviewing, assessment and final selection. Each stage must be structured, consistent and capable of justification. A legally compliant job application process is one that can withstand scrutiny months or even years after the decision was made.

Employers should approach recruitment on the basis that any unsuccessful candidate may later challenge the fairness of the process. Objective criteria, documented scoring and consistent treatment are the strongest safeguards against legal exposure.

 

1. Advertising roles lawfully

 

The job application process begins with the job advert. The wording of the advertisement shapes who applies and may itself create discrimination risk.

Employers should ensure that:

– Job descriptions reflect genuine business requirements
– Essential criteria are objectively justified
– Language is inclusive and neutral
– Experience requirements are proportionate

Requiring a specific number of years’ experience may indirectly discriminate against younger candidates unless it can be justified as pursuing a legitimate aim by proportionate means. Similarly, phrases such as “recent graduate” or “mature individual” may create unnecessary legal exposure.

Adverts should make clear that reasonable adjustments are available during the job application process. This reinforces compliance with the Equality Act 2010 and reduces the risk of later allegations of unfair treatment.

 

2. Shortlisting job applications

 

Shortlisting is one of the highest-risk stages of the job application process. Decisions are often made quickly, yet they must be defensible and evidence-based. Employers should treat shortlisting as a structured assessment exercise rather than an informal review.

Good practice includes:

 

  • Creating a scoring matrix aligned to the job description and person specification
  • Applying the same criteria to all candidates
  • Avoiding subjective “culture fit” assessments unless clearly defined in advance
  • Recording reasons for rejection

 

Consistency is critical. If one candidate is rejected for lacking a particular qualification, all candidates should be assessed against the same requirement. Employers should also avoid making assumptions based on gaps in employment history, foreign qualifications or non-traditional career paths.

Further structured approaches to shortlisting and objective candidate selection can significantly reduce discrimination risk and strengthen defensibility.

 

3. Interviews and assessments

 

Interviews must focus on assessing the candidate’s ability to perform the role’s essential functions. A structured format is strongly recommended.

Structured interviews typically involve:

 

  • Asking all candidates substantially similar questions
  • Using predetermined competency-based questions
  • Scoring answers against clear benchmarks

 

Guidance on conducting a compliant interview process emphasises the importance of preparation, documentation and consistency.

Questions relating to protected characteristics should be avoided. Enquiries about childcare arrangements, future family plans or religious observance are inappropriate and potentially discriminatory. Employers should also ensure that interviewers understand the risks of unconscious bias and interviewer bias, and take steps to mitigate these risks through training and structured assessment design.

Employers may use different assessment formats, including presentations or group exercises, but these should be applied consistently and aligned with role requirements. Where alternative formats such as group interviews are used, the advantages and disadvantages of group interviews should be considered carefully to ensure fairness and accessibility.

Where psychometric testing or automated screening tools are used, employers should monitor outcomes for disproportionate impact. Automated tools should not replace human judgement, and appropriate oversight must remain central to final decision-making.

 

4. Record-keeping and audit trail

 

A defensible job application process depends on documentation. Without clear records, it becomes difficult to demonstrate that decisions were lawful and non-discriminatory.

Employers should retain:

– The job description and person specification
– The scoring matrix used
– Interview notes
– Assessment results
– Written reasons for final decisions

Records must be factual and professional. Informal commentary, speculative remarks or humour in interview notes can create significant evidential problems if disclosed in tribunal proceedings or through data access routes.

All documentation should be stored securely in line with UK GDPR requirements and retained only for as long as necessary in accordance with the organisation’s retention policy.

 

Section Summary

 

The job application process must be structured, objective and consistently applied. Lawful advertising, evidence-based shortlisting, structured interviews and disciplined record-keeping are central to a defensible recruitment framework. Employers who embed consistency and documentation into every stage of the process significantly reduce exposure to discrimination and data protection claims.

 

Section D: Job Application Data & GDPR

 

Every job application generates personal data. From CVs and cover letters to interview notes and scoring sheets, employers are processing information that falls within the scope of the UK GDPR and the Data Protection Act 2018. Recruitment is therefore not just an HR function but a regulated data processing activity.

Employers must ensure that job application data is processed lawfully, stored securely and retained only for as long as necessary. Failure to do so exposes the organisation to regulatory action, financial penalties and reputational damage.

 

1. Lawful basis for processing job application data

 

Under the UK GDPR, employers must identify a lawful basis before processing personal data in connection with a job application.

In recruitment, the most commonly relied upon lawful bases are:

– Legitimate interests, where processing is necessary for the employer’s recruitment purposes and those interests are not overridden by the candidate’s rights and freedoms
– Processing necessary to take steps at the applicant’s request prior to entering into a contract

Where legitimate interests is relied upon, employers should document a balancing assessment to demonstrate why the processing is necessary and proportionate.

Consent is rarely appropriate as a primary lawful basis in recruitment, given the imbalance of power between employer and applicant and the fact that consent can be withdrawn.

Where special category data is processed, such as health information relating to reasonable adjustments, employers must identify both a lawful basis under Article 6 and an additional condition under Article 9 UK GDPR, supported by safeguards under Schedule 1 of the Data Protection Act 2018.

Criminal conviction data is subject to additional restrictions under Article 10 UK GDPR and the DPA 2018. Employers must ensure that any request for criminal record information is strictly necessary, legally justified and accompanied by appropriate safeguards and policies.

Transparency is fundamental. Candidates must be provided with a clear recruitment privacy notice explaining:

 

  • What data is collected
  • Why it is collected
  • The lawful basis relied upon
  • Who it may be shared with
  • How long it will be retained
  • Their data protection rights

 

 

2. Security and storage of job application data

 

The UK GDPR requires employers to implement appropriate technical and organisational measures to protect personal data.

In the context of job applications, this includes:

 

  • Restricting access to recruitment data to authorised personnel only
  • Using secure applicant tracking systems
  • Encrypting data where appropriate
  • Conducting due diligence on third-party recruitment platforms
  • Ensuring secure transmission of CVs and assessment materials

 

Where recruitment is outsourced or an external platform is used, the employer will typically remain the data controller. Written agreements with processors must comply with Article 28 UK GDPR and clearly allocate responsibilities for data security and breach management.

Employers must also have procedures in place to detect, investigate and respond to personal data breaches. Where a breach involving job application data is likely to result in a risk to individuals’ rights and freedoms, notification to the Information Commissioner’s Office may be required within 72 hours.

 

3. How long can you keep job application data?

 

Personal data must not be retained longer than necessary for the purpose for which it was collected.

Many employers retain job application records for a limited period after the recruitment process concludes in order to manage potential disputes, including discrimination claims. However, there is no universal statutory retention period. The appropriate timeframe should be determined by reference to necessity, documented in a retention policy and applied consistently.

Retaining job application data indefinitely “just in case” is not compliant with UK GDPR principles.

Once the retention period expires, data should be securely deleted or anonymised. Employers must ensure that deletion is effective and that backup systems are also addressed where appropriate.

 

4. Applicant data rights

 

Job applicants, as data subjects, have rights under the UK GDPR. Employers must have systems in place to respond to these requests promptly and lawfully.

These rights may include:

 

  • Right of access: Candidates can request copies of their personal data. Employers must normally respond within one month.
  • Right to rectification: Inaccurate or incomplete data must be corrected.
  • Right to erasure: In certain circumstances, candidates may request deletion of their data, although this right is not absolute where data must be retained for legal defence or compliance purposes.
  • Right to restrict processing: Where accuracy or lawfulness is contested.
  • Right to data portability: Applicable only in limited circumstances, typically where processing is based on consent or contract and carried out by automated means.

 

Employers should ensure recruitment teams understand that interview notes, scoring sheets and internal emails relating to a job application may be disclosable in response to a subject access request.

 

Section Summary

 

Job application data must be processed lawfully, transparently and securely. Employers must identify an appropriate lawful basis, safeguard special category and criminal record data, implement robust security controls and define clear retention periods. A disciplined approach to recruitment data management significantly reduces regulatory and litigation risk.

 

Section E: Online Job Application Compliance

 

The majority of employers now rely on digital systems to manage the online job application process. While online platforms improve efficiency and record-keeping, they also introduce additional legal risks relating to accessibility, cybersecurity and automated decision-making.

An online job application system must comply with the Equality Act 2010, the UK GDPR and the Data Protection Act 2018. Employers remain responsible for compliance even where third-party applicant tracking systems are used.

 

1. Accessibility and reasonable adjustments

 

The Equality Act 2010 imposes a duty on employers to make reasonable adjustments for disabled applicants. This duty applies fully to online job applications.

An online application process must not place disabled candidates at a substantial disadvantage compared to non-disabled candidates. Employers should therefore:

 

  • Ensure that the platform is compatible with assistive technologies such as screen readers
  • Provide alternative methods of application where necessary
  • Offer additional time for timed assessments where justified
  • Clearly explain how candidates can request adjustments

 

While the Web Content Accessibility Guidelines (WCAG) are not themselves legislation for most private employers, they provide a recognised benchmark for accessibility standards. The legal obligation, however, remains the statutory duty to make reasonable adjustments.

Failure to make reasonable adjustments during the job application process can result in a discrimination claim, even if the candidate is ultimately unsuccessful.

 

2. Security of online job application systems

 

Online job applications involve the transmission and storage of significant volumes of personal data, including contact details, employment history and sometimes sensitive information.

Employers must implement appropriate technical and organisational measures to protect this data. This includes:

 

  • Secure login systems with appropriate authentication controls
  • Encrypted data transmission
  • Access controls restricting recruitment data to authorised staff
  • Regular security reviews of recruitment platforms
  • Formal data processing agreements with third-party providers

 

Where applicant tracking systems are cloud-based, employers must ensure that any international data transfers are lawful and adequately safeguarded.

In the event of a personal data breach involving job application data, the employer must assess whether notification to the Information Commissioner’s Office is required within 72 hours.

 

3. Automated screening and AI tools

 

Increasingly, employers use automated tools to filter or rank job applications. These systems can improve efficiency but must be deployed carefully.

Automated screening tools may create discrimination risk if they indirectly disadvantage candidates with protected characteristics. Employers should:

 

  • Understand how the tool makes decisions
  • Monitor outcomes for bias or disproportionate impact
  • Ensure meaningful human oversight in final decision-making
  • Provide transparency in privacy notices regarding automated processing

 

Where decisions are made solely by automated means and produce legal or similarly significant effects, additional safeguards may apply under Article 22 UK GDPR. In many recruitment processes, automated tools are used to assist rather than replace human judgement, but employers should be clear about the role of automation and retain ultimate decision-making responsibility.

Further guidance on emerging risks can be found in discussions around AI in recruitment, particularly in relation to bias monitoring and governance controls.

 

Section Summary

 

Online job applications increase efficiency but also increase compliance obligations. Employers must ensure accessibility under the Equality Act, robust security under the UK GDPR and careful governance of automated screening tools. Responsibility for compliance remains with the employer, even where third-party platforms are used.

 

Section F: Rejecting Job Applications

 

Rejecting a job application is often treated as an administrative step. In legal terms, it is a decision that may later be challenged. How employers communicate rejection and how they document the reasoning behind it can significantly affect litigation risk and reputational impact.

A fair and defensible rejection process is grounded in objective criteria, consistent treatment and clear record-keeping. Employers should assume that rejection decisions may later be examined in tribunal proceedings or through data access requests.

 

1. How to reject a job application fairly

 

Every rejection decision should be traceable to the criteria set out in the job description and person specification.

Employers should ensure that:

 

  • The candidate was assessed against the same criteria as all other applicants
  • The reasons for rejection are documented clearly and objectively
  • Decisions are based on evidence rather than assumptions
  • No reference, direct or indirect, is made to protected characteristics

 

Rejection communications should be professional, neutral and consistent. Employers are not legally required to provide detailed reasons at the initial rejection stage, but any communication must avoid wording that could imply bias or discriminatory reasoning.

For example, vague statements such as “not the right fit” may appear subjective if later challenged. Where explanations are provided, they should align directly with job-related criteria and the documented scoring matrix.

 

2. Job application feedback: what is safe to say

 

There is no statutory obligation to provide feedback on a rejected job application. However, many employers choose to do so as part of good practice and employer branding.

When providing feedback, employers should:

 

  • Focus strictly on skills, experience and performance against the role criteria
  • Avoid commentary on personality traits unrelated to job requirements
  • Avoid comparative statements about other candidates
  • Ensure consistency if feedback is offered to one candidate and refused to another

 

Feedback should be factual and capable of being supported by interview notes or scoring documentation. Informal, speculative or subjective commentary increases legal exposure and may undermine the organisation’s position if challenged.

Where written feedback is provided, it should be carefully reviewed before being issued.

 

3. Handling complaints or discrimination allegations

 

Rejected candidates may raise concerns alleging unfairness or discrimination. Employers must respond promptly, objectively and in line with internal procedures.

A structured response should include:

 

  • Reviewing the job description and selection criteria
  • Examining shortlisting and interview notes
  • Confirming that reasonable adjustments were considered where relevant
  • Assessing whether procedures were applied consistently across candidates

 

If the complaint raises potential legal exposure, early professional advice should be considered. Employers should avoid defensive or dismissive responses. Even where no wrongdoing is identified, clear communication explaining the objective basis for the decision can reduce escalation.

 

4. Record-keeping following rejection

 

Documentation is critical in defending discrimination claims. Employers should retain:

  • Application materials
  • Shortlisting matrices
  • Interview notes
  • Scoring records
  • Copies of rejection communications

Records must be retained in accordance with the organisation’s documented retention schedule and securely deleted once no longer required.

Interview notes should remain factual and professional. Subjective language, personal commentary or informal remarks can become problematic if disclosed in tribunal proceedings or via a subject access request.

 

Section Summary

 

Rejecting a job application must be handled carefully and consistently. Decisions should be rooted in objective criteria, supported by clear documentation and communicated professionally. Employers who maintain disciplined record-keeping and structured decision-making significantly reduce the risk of discrimination claims and reputational damage.

 

FAQs: Job Application

 

 

What laws apply to a job application in the UK?

 

A job application engages several areas of UK law. These include the UK GDPR and Data Protection Act 2018 for handling personal data, the Equality Act 2010 for preventing discrimination and ensuring reasonable adjustments, the Rehabilitation of Offenders Act 1974 for criminal record disclosure and the Immigration, Asylum and Nationality Act 2006 for right to work compliance. Employers must ensure that each stage of the job application process aligns with these obligations.

 

What can I legally ask on a job application form?

 

Employers may ask for information that is directly relevant to assessing suitability for the role, such as qualifications, employment history, skills and availability. Questions must be necessary and proportionate. Employers should avoid asking about protected characteristics or personal matters unrelated to job performance.

 

Can I ask about health or disability on a job application?

 

Health-related questions before a job offer are restricted. Employers may ask limited questions where necessary to establish whether reasonable adjustments are required for the recruitment process itself. Broad medical enquiries at the initial job application stage are high risk and rarely justified.

 

How long can I keep job application data?

 

There is no fixed statutory retention period. Employers must retain job application data only for as long as necessary for the purpose for which it was collected. Many organisations retain recruitment records for a limited period after the process concludes in order to manage potential disputes, but this should be defined in a documented retention policy and justified on necessity grounds.

 

Do I have to give feedback on a rejected job application?

 

There is no legal requirement to provide feedback on a rejected job application. However, if feedback is provided, it must be factual, job-related and consistent. Any comments should be capable of being supported by interview notes or scoring documentation.

 

How do I ensure my online job application system is compliant?

 

Employers must ensure that online job application platforms are accessible to disabled applicants and that reasonable adjustments are available where required. Systems must also comply with UK GDPR security requirements, including access controls and secure data storage. Where third-party providers are used, appropriate data processing agreements must be in place.

 

Section Summary

 

Managing a job application lawfully requires employers to integrate equality, data protection and immigration compliance into every stage of recruitment. Clear criteria, consistent decision-making and disciplined record-keeping remain the most effective safeguards against legal risk.

 

Conclusion

 

A job application is not merely an administrative formality. It is a regulated legal process that engages equality law, data protection law and immigration compliance obligations from the outset.

Employers must design job application forms that collect only necessary information, avoid discriminatory questions and separate diversity monitoring from decision-making. The job application process itself must be structured, consistent and evidence-based, with clear documentation supporting each decision.

Job application data must be processed under an appropriate lawful basis, stored securely and retained only for as long as necessary. Online job application systems introduce additional responsibilities relating to accessibility, cybersecurity and automated screening.

By implementing disciplined procedures, maintaining objective criteria and keeping accurate records, employers can significantly reduce tribunal and regulatory risk while promoting fairness and transparency in recruitment.

 

Glossary

 

Term | Definition
UK GDPR | The United Kingdom’s data protection framework governing how personal data is processed following the UK’s departure from the European Union.
Data Protection Act 2018 | The UK legislation that supplements the UK GDPR and sets out additional rules for processing personal and special category data.
Equality Act 2010 | UK legislation prohibiting discrimination in employment and recruitment based on protected characteristics.
Protected Characteristics | Age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, religion or belief, sex and sexual orientation.
Reasonable Adjustments | Changes or accommodations employers must make to remove disadvantages experienced by disabled applicants or employees.
Legitimate Interests | A lawful basis under UK GDPR permitting processing of personal data where necessary for the employer’s legitimate purposes, balanced against the individual’s rights.
Subject Access Request | A request made by a data subject to obtain a copy of personal data held about them.
Special Category Data | Sensitive personal data, including information about health, ethnicity or religion, subject to stricter legal safeguards.
Right to Work Check | A statutory check employers must carry out before employment begins to verify that an individual has permission to work in the UK.

 

Useful Links

 

Resource | Link
ICO – Recruitment and Selection Guidance | https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/employment/recruitment-and-selection/
Equality and Human Rights Commission – Employer Guidance | https://www.equalityhumanrights.com/en/advice-and-guidance/guidance-employers
Acas – Recruitment Guidance | https://www.acas.org.uk/recruitment
GOV.UK – Right to Work Checks Employer Guide | https://www.gov.uk/government/publications/right-to-work-checks-employers-guide
Legislation.gov.uk – Equality Act 2010 | https://www.legislation.gov.uk/ukpga/2010/15/contents
Legislation.gov.uk – Data Protection Act 2018 | https://www.legislation.gov.uk/ukpga/2018/12/contents

 

About DavidsonMorris

As employer solutions lawyers, DavidsonMorris offers a complete and cost-effective capability to meet employers’ needs across UK immigration and employment law, HR and global mobility.

Led by Anne Morris, one of the UK’s preeminent immigration lawyers, and with rankings in The Legal 500 and Chambers & Partners, we’re a multi-disciplinary team helping organisations to meet their people objectives, while reducing legal risk and nurturing workforce relations.

About our Expert

Anne Morris

Founder and Managing Director Anne Morris is a fully qualified solicitor and trusted adviser to large corporates through to SMEs, providing strategic immigration and global mobility advice to support employers with UK operations to meet their workforce needs through corporate immigration. She is recognised by Legal 500 and Chambers as a legal expert and delivers Board-level advice on business migration and compliance risk management as well as overseeing the firm’s development of new client propositions and delivery of cost and time efficient processing of applications. Anne is an active public speaker, immigration commentator, and immigration policy contributor and regularly hosts training sessions for employers and HR professionals.

Legal Disclaimer

The matters contained in this article are intended to be for general information purposes only. This article does not constitute legal advice, nor is it a complete or authoritative statement of the law, and should not be treated as such. Whilst every effort is made to ensure that the information is correct at the time of writing, no warranty, express or implied, is given as to its accuracy and no liability is accepted for any error or omission. Before acting on any of the information contained herein, expert legal advice should be sought.