- Personal data should be retained only for as long as it is needed for the stated purpose.
- Access to sensitive candidate documents should be limited to people who need it.
- Criminal-record and DBS-related data should be handled under tighter controls and documented processing conditions.
- Where required for special-category or criminal-offence processing, an appropriate policy document and impact assessment may be needed.
- Deletion and subject-rights requests should follow a documented process rather than ad hoc handling.
Retention & Data Handling
Store less, keep it secure, delete what is no longer needed.
Recruitment and candidate preparation data should be subject to documented retention periods, access controls and deletion steps.