

Employee recruitment requires HR departments to manage substantial amounts of personal data from job applicants. To ensure this process complies with the Personal Data Protection Act (PDPA), this article provides comprehensive guidelines and a practical checklist that HR professionals must understand. The content covers essential legal documentation and procedures, as well as considerations for determining necessary versus unnecessary data collection in job applications.
1. Planning Before Collecting Personal Data
During the recruitment process, organizations must comply with the Data Minimization principle under Section 22 of the Personal Data Protection Act B.E. 2562 (2019). This section requires data controllers to collect only necessary, adequate, and relevant personal data for the specified purpose. In the context of recruitment, HR departments must be careful not to collect excessive data that is unrelated to evaluating candidates' qualifications.
- Data Necessity Assessment
HR should evaluate each type of personal data by asking: "If this information is missing, will it affect the candidate selection decision?" If the answer is no, then this data should not be collected.
- Special Precautions for Sensitive Data
Sensitive personal data under Section 26 of the Personal Data Protection Act requires special protection because of the high risk of discrimination or violation of data subjects' rights and freedoms. Therefore, unless there is a genuine necessity directly related to job requirements, HR should not collect such information.
• Identity data (name, contact information)
• Educational background relevant to the position
• Work history and relevant experience
• Health information (except for positions required by law)
• Religious beliefs
• Political opinions
• Criminal records (except for security-related positions)
- Customizing Job Application Forms
• Request only information necessary for qualification assessment.
• Avoid questions that may constitute discrimination.
• Allow candidates to choose whether to disclose sensitive personal information.
• Request ID card copies with religious information covered.
• Collect only necessary parts of documents.
• Let candidates redact unnecessary information themselves.
Following this principle not only helps organizations comply with the law but also builds trust with applicants, reduces data breach risks, and makes the recruitment process more efficient by focusing on truly important information.
2. Collection of Sensitive Personal Data
Despite the data minimization principle requiring minimal data collection and avoiding sensitive data, certain job characteristics necessitate collecting sensitive personal data to determine if candidates have appropriate qualifications matching the working conditions, such as:
• Justice-related occupations (e.g., police officers): These positions must collect criminal record information according to Royal Thai Police regulations on qualifications and prohibited characteristics for police officers.
• Logistics occupations (e.g., truck drivers, bus drivers, commercial pilots, maritime workers): These positions require verification of criminal records and health information.
These example occupations involve the lives and property of service users. Therefore, to build confidence among service users and society overall, collecting sensitive data for such positions helps prevent individuals with risky behaviors from entering safety-critical roles and assures employers that candidates are ready to work effectively.
3. Recruitment and Interview Process
At this stage, organizations must prepare both documentation and processes to comply with personal data protection principles, including preparing necessary documents and maintaining data security.
3.1 Preparing Necessary Documents
• Privacy Notice:
Organizations, as data controllers, must inform applicants about the details of collecting, using, and protecting personal data. The privacy notice can be announced from the job posting stage, attached to the job application, or published on the website.
• Job Application Form:
Modify the job application form to collect only necessary data and mark which information is required or optional for applicants.
• Consent Form:
Required for cases where personal data is used in other processes unrelated to recruitment and the organization cannot rely on other legal bases under Section 24 for such data processing, or when collecting sensitive data without legal authorization or exemption under Section 26.
3.2 Data Security Measures
Throughout the recruitment process, organizations must implement appropriate security systems for the types of applicant data collected, such as:
• Locking document cabinets
• Setting computer passwords
• Restricting access rights to only relevant personnel involved in the evaluation process
4. Data Management After Recruitment Process Completion
Once the recruitment process is complete, a crucial issue organizations must decide is how to manage applicant data, especially the data of unsuccessful candidates. There are two main approaches:
4.1 Immediate Data Deletion
The fundamental principle is that organizations must have clear policies for deleting data of unsuccessful candidates by:
• Considering immediate deletion upon completion of evaluation
• Establishing clear deletion procedures
4.2 Data Retention for Future Use
If organizations want to retain data of unsuccessful candidates for future consideration, they must follow proper procedures:
Step 1: The Privacy Notice clearly states the data retention details, namely that:
• The applicant data will continue to be retained even if the candidate is not selected, with an appropriate retention period established to ensure data subjects can reasonably anticipate such retention.
• The applicant data will continue to be retained for the purpose of consideration when the company opens suitable positions in the future.
Step 2: Inform applicants of their rights regarding their personal data:
• Right to request correction, modification, or data updates
• Right to request deletion of their personal data at any time
Criminal record data retention has special time limits according to the Personal Data Protection Committee Office announcement:
• The criminal record data may be retained for no more than 6 months from the completion of the evaluation process, unless there is legal authorization or requirement to retain criminal record data longer than 6 months, or the organization has obtained consent from the data subject to retain data longer than 6 months.
• After this period, the criminal record data must be deleted, destroyed, or made non-identifiable.
This demonstrates that implementing the aforementioned checklist makes PDPA-compliant recruitment entirely manageable. Personnel are a crucial component of every organization. Properly managing the personal data of personnel from the outset can give an organization a competitive advantage in attracting talented individuals. Should you have any questions regarding compliance with personal data protection laws, Athentic Consulting is pleased to provide services to support your business operations.