Application-based data retention offers an optional, additional level of data retention functionality. It’s designed to automatically delete individual job application data from the overall candidate record after a predetermined period based on the application creation date.

This additional data retention functionality guarantees that application data is retained only for the necessary duration, regardless of candidate activity. Older applications will be deleted, while the candidate’s record and any 'active' job applications will remain unaffected.

With this functionality, you can efficiently manage application data without manual intervention, ensuring automatic compliance with data protection regulations and organisational policies.

What's included in this guide:

• What to consider before activating
  • Process continuity:
  • Deletion frequency:
  • Candidate awareness:
• How to activate job application-based data retention 
  • User access to data retention settings
  • Enable job application deletion
  • Deletion frequency
  • What candidate data is deleted?
  • What candidate data is retained?
• FAQs

Before making any changes, we highly recommend contacting your Continuous Improvement Consultant first to discuss any potential repercussions not yet considered.

What to consider before activating

Before activating application-based data retention there are several important considerations to keep in mind:

Process continuity:

Unlike candidate or agency data retention options, application-based data retention processes cannot be interrupted by candidate activity or excluded application statuses. Clients should be aware that once activated, the deletion process will proceed automatically based on the configured settings.

Deletion frequency:

When deciding on the deletion frequency, clients should ensure that they allow adequate time to complete all recruitment activities related to a job vacancy. Setting too short a deletion frequency may result in premature deletion of candidate data before the recruitment process is completed.

Candidate awareness:

Candidates should already be informed about the retention period for their data through the Privacy Notice/Terms and Conditions displayed at registration and the Declaration they agree to when applying for a position. However, clients may want to review these policies to ensure candidates are fully informed about how their data will be used and retained.

How to activate job application-based data retention 

User access to data retention settings

Only users with Security Role access to System Customisation have the ability to add or amend data retention settings.

Clients should ensure that only users with the authority to make such changes have access to this area of settings, as changes to data retention configuration can cause applicant data to be automatically deleted.

Once the settings are updated, an overnight process will automatically delete any candidate data that has been held for longer than the Deletion Frequency set.

In Settings > System Customisation > Data Retention

Enable job application deletion

• If set to Yes, each individual job application's data will be automatically deleted after a certain period from its creation date, based on the frequency you've set in the Deletion Frequency field. This deletion happens regardless of earlier candidate inactivity.
• If set to No, the system will keep job application data for as long as the overall candidate record remains ‘active’.

With job application-based data retention, the starting point for the data retention period is always the Creation Date of the job application.

Deletion frequency

This refers to the period upon which job application data will be automatically deleted. Options ranging from 3 months to 2 years are available for customisation.

Once deleted, the application (and any associated data such as interviews, attachments, onboarding, or compliance data) will automatically be removed.

What candidate data is deleted?

All personal identifiable data of the candidate is deleted, including their application form answers, CV, any application attachments, assessment or shortlisting forms saved against their record, and any interview, offer, onboarding or compliance data once the data retention period has elapsed.

What candidate data is retained?

Only data essential for reporting on long-term recruitment trends, such as equal opportunities data and source tracking information, is retained. However, once the candidate’s record has been deleted, it is no longer associated with an individual and is referenced only by a unique identifier.

FAQs

What about incomplete applications?

Because the deletion is related to the Creation Date of the application, even incomplete applications will automatically be deleted.

Can I reinstate deleted applications?

No, once the application data is deleted by data retention processes, the data is permanently deleted and cannot be reinstated.

What happens if the candidate applies for another job or is assigned to another job?

If a candidate applies for another job or is assigned by a system user to another job, a new Application Creation date is recorded for their new job application.  Job-based data retention processes for this application will therefore be based upon the Application Created date of the new job application.

What happens when I move a candidate to another job?

If a candidate is moved to another job, the entire application (including the original Application Creation Date) is moved over to the new job.  Applications that are moved, therefore inherit the original Application Creation data and data retention will continue on this basis.

Are candidates notified that their data is being deleted?

If the application is being deleted because it has reached the set duration after the Application Creation date, then no additional communications are sent.  Candidates should already be aware of how long their data will be from the Privacy Notice/Terms and Conditions displayed at registration and Declaration that they agree to when candidates apply.

Is application-based data retention GDPR Compliant?

Once the retention period expires, data is automatically deleted, ensuring compliance with the GDPR's requirement to limit the storage of personal data.

What about Subject Access Requests?

If a Subject Access Request is received for data that has been deleted, clients should respond promptly and transparently. The response should acknowledge the SAR, explain that the requested data has been deleted in accordance with the organisation's data retention policies, and provide any relevant information about the deletion process.  In some cases, clients may still possess relevant information from other sources other than the deleted data such as contextual information from the job description or internal screening and shortlisting processes.  If applicable, clients should provide access to any alternative sources of data that are still available and relevant to the SAR.