UK businesses and recruitment agencies could be falling foul of the law by failing to correctly process and store job candidate records.
A new code of practice for UK businesses has warned that secure transmissions and encryption should be used for online recruitment to ensure compliance with data protection legislation.
The Office of the Information Commissioner has published the first of four parts of The Employment Practices Data Protection Code covering the collection, processing and use of data from the recruitment of applicants.
Although the code is not legally binding, it indicates how the Information Commissioner interprets the 1998 Data Protection Act.
Companies that fail to comply with the Act can be required to change their procedures or face a criminal prosecution or fines. Employees who can prove that damage has been suffered can seek compensation from their employer.
Dave Clancy, policy officer at the Information Commission, explained that the objective of the code is to safeguard the rights of individuals. "Anyone who uses online recruitment has to consider the confidentiality of that information," he said.
Not informing candidates about how their personal information will be used, collecting excessive data when it is not relevant to the job, and keeping candidate records on file in case other opportunities crop up, are common misuses of personal data, said Clancy.
The code advises when it is appropriate to store certain data on employees, such as membership of a trade union, and provides a checklist for procedures to follow in advertising jobs, handling applications and conducting interviews.
It also warns that electronic applications must be held securely, using passwords and other technical security measures, and should only be accessed by those involved in the recruitment process.
However, the code fails to offer advice on the level of security required or the nature of the encryption.
"If you're using basic forms online, most people would agree that it isn't a secure method of transmission," said Struan Robertson, a solicitor at IT law firm Masons.
He pointed out that companies could comply with the code by hosting online recruitment forms on a secure system, or offering a public key that applicants could use to encrypt transmissions.
"The problem for many businesses is that the use of public key cryptography is still in its infancy, and a lack of understanding may scare away potential applicants," said Robertson.
"High profile legal cases are often what spurs people into action. Until someone suffers financially, action is often slow."
The code and additional information can be downloaded from the Information Commissioner's website.