The data protection principle about fairness, lawfulness and transparency requires organisations to provide a privacy notice before any personal data is obtained to give people advance notice of how their data will be used and who it will be shared with.  This gives them a chance to decide not to provide their personal data on the terms outlined.  Authority to process personal data is based on the privacy notice in general rather than consent.

In the case of speculative CVs, the individual unilaterally decides to approach the business and there is no opportunity to provide a privacy notice in advance.  So, we need to take steps to ensure that every speculative applicant can access a copy of a relevant privacy notice.  The best way to achieve this is to publish it to the website careers page if you have one.  Just make sure that you link to a specific recruitment privacy notice not to the general website visitor privacy notice!

Other top tips for managing CVs

  • In general a CV should be kept for no more than six months following an unsuccessful application.
  • A speculative CV that is likely to be of interest to the organisation can be kept for up to two years, then it will need the consent of the individual so you need to email for consent to keep it longer.
    • Keep a note of the date the CV is received so that it can be reviewed annually and deleted after two years
  • When sharing a CV or other application material with colleagues it is best practice to put the documents in a central location and invite colleagues to view the information.  In that way emails addressed to any wrong recipients do not carry any personal data and so avoid a data breach.  It also helps to prevent duplicate copies of the materials around the business.

Mandy P Webster, Data Protection Consultant