Guidance

Recruitment privacy notice

Updated 3 July 2025

© Crown copyright 2025

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/government-digital-service-recruitment-privacy-notice/recruitment-privacy-notice

This privacy notice covers the Government Digital Service (GDS), part of the Department for Science, Innovation and Technology (DSIT), and sets out how we handle your personal data when you apply for a job.

The data controller is DSIT, as the parent organisation for GDS. A data controller determines how and why personal data is processed.  Read DSIT’s registration details with the Information Commissioner’s Office for more information.

The software we use for recruitment is called Oleeo. This means that your personal data is processed by Oleeo (the ‘data processor’) on behalf of GDS, following the instructions GDS sets out.

If you have questions about how Oleeo processes personal data, you can read Oleeo’s privacy notice.

GDS is also present on platforms such as LinkedIn to promote employment opportunities. GDS uses the built in analytics functions on these platforms to look at de-identified data, with a view to improving our pages. If you have questions about how LinkedIn processes personal data, you can read LinkedIn’s privacy notice.

The data we collect

The personal data we may collect from you includes:

  • contact details such as name, title, addresses, telephone numbers, and personal email addresses
  • copies of driving licence, passport, birth certificates and proof of current address, such as bank statements and council tax bills
  • evidence of how you meet the requirements of the job, including CVs and references
  • evidence of how you meet the Civil Service nationality rules and confirmation of your security clearance – this can include nationality details and information about convictions, allegations and offences as part of Baseline Personnel Security Standard checks
  • evidence of your right to work in the UK and immigration status
  • diversity and equal opportunities monitoring information – this can include information about your race or ethnicity, religious beliefs, sexual orientation, disability and other ‘special category data’
  • information about your health, including any medical needs or conditions
  • other information required for some applications
  • if you contact us regarding your application, a record of that correspondence
  • details of your use of our recruitment tools and services, such as your candidate profile and alerts for vacancies
  • the status of your application and updates on how it moves forward

We process personal data throughout the application on different legal bases.

Contract

Processing your data is necessary to move your application forward before signing a contract of work. This concerns employment or pre-employment checks.

The law requires GDS to check that candidates are entitled to work in the UK.

Public task

When we carry out National Security vetting for some roles, we have to process personal data to perform a task that’s in the public interest or in the exercise of our official authority.

Processing criminal convictions and sensitive information

We collect, use and hold sensitive information such as criminal convictions on the lawful bases of contract, legal obligation and public task.

Processing special category data

Personal data is defined as ‘special category’ when it reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. It includes:

  • genetic data
  • biometric data that uniquely identifies a person
  • data concerning health
  • data concerning someone’s sex life or sexual orientation

We process this data when it’s necessary for reasons of substantial public interest for the exercise of our functions. This applies to information about criminal convictions, allegations and offences during baseline security clearance checks.

Why we need your data

We need your data in order to:

  • move your application forward
  • check that you’re the right candidate for the role
  • get in contact with you
  • send you notifications for vacancy roles or job alerts

How your personal information is collected

We usually collect your personal information when you enter it in Oleeo. We might also collect information from third parties.

These include:

  • former employers and people named by candidates as references
  • credit reference agencies
  • the Disclosure and Barring Service (DBS)
  • UK Shared Business Services (UKSBS)
  • other background check agencies
  • other government departments

Applications automatically declined

During the application process you’ll be asked eligibility questions. You will not have to disclose sensitive information, and everyone still has an equal opportunity to apply. The system will automatically decline your application if you don’t meet the eligibility criteria.

Reserve lists

We maintain a reserve list of candidates who met our requirements but were not successful in securing the specific post they applied for. We’ll ask for your consent to be added to this list. We will refer to the list when other roles are advertised and will contact you if you match the role. We will ask for your consent before putting you forward for the role.

Data sharing

Personal information you provide in the recruitment process will be made available to GDS and our processors. If you are successfully recruited, we will upload your details to our HR system. As a member of staff you will sign a contract of employment and agree to additional terms on how your data is handled and stored.

We will also share your data for statistical analysis (it will be anonymised first) if we are required to do so by law – for example, by court order, or to prevent fraud or other crime.

Where GDS is managing the recruitment on behalf of another government department, we will share your information with that government department, who will be the data controller.

Transferring information outside the EU

Our data processor Oleeo is based in the UK, so your data is not processed or stored outside the UK.

LinkedIn may processes personal data outside the UK. It provides data protections through the application of Model Contract Clauses, which meet GDPR data processing requirements.

Data security

We have put in place measures to protect the security of your information.

Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we only give access to your personal information to those employees, agents, contractors and other third parties who need to work on your recruitment process.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

Data retention

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for - including legal, accounting, or reporting requirements.

This will depend on:

  • the amount, nature, and sensitivity of the personal data
  • the potential risk of harm from unauthorised use or disclosure of your personal data
  • the purposes for which we process it
  • whether we can achieve those purposes in other ways

For documents supporting recruitment, application and sifting the retention period is 3 years.

For our Oleeo recruitment system, the retention period is 1 year after the period for the recruitment process.

If you are unsuccessful, personally identifiable data is removed 12 months after your most recent application.

Your rights

You have the right to:

  • request access to your personal information (known as a ‘data subject access request’) - you’ll receive a copy of the personal information we hold about you, so you can check that we are lawfully processing it. It also allows you to request an electronic copy of any data you have provided in a structured, commonly used and machine-readable format
  • request that we correct incomplete or inaccurate personal information that we hold about you
  • request we delete or remove your personal information - you can do this when there is no good reason for us to keep it - you can ask us to delete or remove your personal information where you have exercised your right to object to processing (see below)
  • withdraw your consent for any data processed under the lawful basis of consent (see below)
  • object to the processing of your personal information where we are relying on the legal basis that we are carrying out our public task (see legal bases above)
  • request we restrict the processing of your personal information - you can ask us to stop processing your personal information, for example if you want us to establish its accuracy or the reason for processing it

To make any of these requests or to ask us to transfer a copy of your personal information to another party, contact the GDS Data Protection Team: gds.data.protection@dsit.gov.uk.

Accessing your data

You will not have to pay a fee to access your personal information or to exercise any of the other rights. However, if your request for access is clearly unfounded or excessive we may:

  • charge a reasonable fee
  • refuse the request

In some cases we will need some information to confirm your identity. This is to ensure that your personal information is not disclosed to someone who has no right to access it.

Questions and complaints

The data controller for your personal data is DSIT.

If you have any questions about this privacy notice contact the GDS Data Protection Team: gds.data.protection@dsit.gov.uk.

The Data Protection Officer provides advice and monitors DSIT’s use of personal information. If you have any concerns about how your personal data has been handled, please contact the DPO:

Data Protection Officer
Email: dataprotection@dsit.gov.uk

If you have a complaint, you can also contact the Information Commissioner, who is an independent regulator set up to uphold information rights.

Information Commissioner's Office

Email icocasework@ico.org.uk

Telephone 0303 123 1113

Textphone 01625 545 860

Changes to this privacy notice

We may change this privacy notice. When we make changes to this notice, the ‘last updated’ date at the top of this page will also change. Any changes to this privacy notice will apply to you and your data immediately. If these changes affect how your personal data is processed, we will take reasonable steps to let you know.

Back to top