Printing a copy of a candidates CV to use as reference throughout the interview is standard practise across many organisations. However in line with the forthcoming GDPR updates, printing out personal information such as applications and CV’s could become a thing of the past as creating hard copies of this kind of information presents a whole host of potential data breach opportunities.
Whilst our software currently supports the ability to print CV’s and applications, we have made the necessary updates to this functionality providing HR with the ability to remove the option to print and help prevent data breaches caused by this simple process.
Whether you need to impose a ban on printing CV’s depends on a number of factors including how you store the information, who can access it and what you do it after it has served its purpose.
Where do you store the printed information?
Whilst there was a time when it was perfectly acceptable for Line Managers to have a pile of CV’s on their desk in preparation for interviews to take place etc this is definitely not the case now. Printed CV’s are treated in the same way as information held online. You must ensure that the information is kept in a secure manner and is only accessed by those who need to see it as part of the application/ selection process.
In case of a data breach, you will need to provide an audit trail. If you have allowed the information to be printed this could include who printed the CV, where it was being held, how many copies had been made and who had access to the information.
Unfortunately once a CV is printed it becomes extremely difficult to track. Would the cleaner have access to the documents after work hours? Could a colleague pick up the documents and make copies whilst away from your desk? Or what if the documents are taken outside of the building and left in a car that is stolen or mistakenly left on a train?
Once you have created one hard copy of a CV it is very easy to make multiple copies without it being tracked or recorded. Even if clients do have policies and procedures it is extremely difficult to enforce.
Who has access to the information?
Again hard copies of personal information present a number of issues when it comes to who can access the information. Unless they are locked away in a cupboard and signed out by assigned individuals and viewed within an extremely strict environment, it is almost impossible to accurately record the necessary information in terms of who has accessed the document, read the document, taken a copy or shared it etc
Unfortunately without this information you may not even be aware of a data breach!
What happens to the document after the interview?
Once the candidate has been interviewed the CV becomes somewhat redundant. In line with GDPR practice however you will now have to have a clearly outlined disposal process in place. Even if you shred the document, essentially you should have a record of this taking place!
Alternatively should you decide to keep the hard copy information in a secure filing cabinet, you will also need to ensure that this data is only kept for as long as the candidate initially gave you permission for.
But if the interviewer has chosen to record their interview notes on the CV the situation then becomes a little more complicated.
Under GDPR a candidate has increased rights to request a copy of all information you hold about them. This includes interview notes.
If a candidate asked for a copy of their data, could you easily provide the interview notes relating to a candidate interviewed 3 months ago?
The simple act of printing out a CV is unfortunately no longer simple!
Thankfully our ATS can ease the process on behalf our clients with many already choosing to remove the option to print CV’s.
Find out more.
As an organisation, networx have undergone extensive GDPR training and are recognised as fully Certified GDPR Practitioners.
Whilst every effort has been made to ensure that the information included in this article is accurate at the point of release this should not be relied upon as legal advice or be used to determine how GDPR will apply to your and your organisations.
We encourage all organisations to seek the advice of a legally qualified professional to discuss GDPR and how best to ensure compliance.