Non-Disclosure Agreements In Hiring


  • Paakhhi G.

    Helping Professionals Break into Data Privacy & Startups Get DPDP Compliant

    13,043 followers

    Background checks. Sensitive data. Zero DPDP compliance.

    The most sensitive personal data comes from your hiring process.

    📌 Criminal records.
    📌 Financial history.
    📌 Past employment.
    📌 Address verification.
    📌 Education certificates.

    And almost no Indian company has a DPDP-compliant process for any of it.

    Here is the legal reality your HR team doesn't know:

    Your company = Data Fiduciary.
    Your BGV vendor = Data Processor.
    Your candidate = Data Principal with enforceable rights under DPDP.

    Every obligation that applies to your customer data — applies here too.

    The 5 gaps I find in almost every BGV process I review:

    1️⃣ Consent was never properly obtained. Most companies collect a generic clause inside the offer letter. Under DPDP — consent for a background check must be specific to that purpose, informed about what will be verified and with which sources, and separate from the employment acceptance. "I accept this offer" is not consent to a criminal record check.

    2️⃣ No signed DPA with the BGV vendor. You have a commercial agreement with your BGV vendor. Under DPDP — that vendor relationship requires a Data Processing Agreement with breach notification timelines, deletion obligations, sub-processor controls, and Data Principal rights flowing down. A commercial agreement and a DPA are not the same document.

    3️⃣ Candidate rights are completely unaddressed. Under DPDP, your candidate has the right to access what data was collected about them, from which sources, and what the report concluded. Most HR teams have no process for this. No one has asked before — but it is now a legal right, not a courtesy.

    4️⃣ BGV reports are retained indefinitely. The candidate joined — or didn't. The report is still in your HRMS, your email, your recruiter's drive — years later. Under DPDP — personal data must be deleted once the purpose is fulfilled. The purpose of a background check is the hiring decision. Once made — the legal basis for retaining the report ends.

    5️⃣ Cross-border transfers nobody mapped. Most BGV vendors verify employment and academic records through international databases. That is a cross-border data transfer. Under DPDP Section 16 — your company is responsible for it. Not your vendor. Does your BGV vendor's contract specify which countries your candidate's data flows to?

    _____________________________

    The background verification industry processes thousands of sensitive personal data records every month in India. Almost none of it is DPDP-compliant. And the liability doesn't sit with the BGV vendor. It sits with the company that initiated the check and is the Data Fiduciary.

    Does your company have a signed DPA with your BGV vendor?

    ___________________

    I help companies build DPDP-compliant hiring data processes — from candidate consent to vendor DPAs to rights response frameworks. Book 1:1 call to find out where you stand. (Link in comment.)

  • Dr. Mic Merritt

    Researcher | Offensive Security | Cybersecurity Leader | Educator | Asking Better Questions About Security, AI, and Human Decision-Making | The Cyber Hammer 🔨

    48,133 followers

    Today, a recruiter invited me to a call about a potential role I was very interested in learning more about. But, less than an hour before the meeting, I received a sudden calendar update: “Fred from Fireflies will join to record and transcribe the conversation.”

    - No prior request for consent.
    - No explanation of how the recording would be stored.
    - No clear details on how my data might be used.

    What should have been a straightforward conversation instantly shifted into a scramble to protect my privacy (voice, image, and data). Recording an interview, without clear, advance permission, erodes trust before the first question is even asked. Consent is a deliberate agreement that lets everyone show up prepared and comfortable.

    This is an ethical issue. No doubt, an AI note-taker could be valuable to this recruiter. But, they also raise questions about data retention, confidentiality, and intellectual property. A candidate discussing career history, research, or sensitive client details deserves to know exactly how those records will be used and who will have access.

    If you truly aim to build an inclusive hiring process, plan for ethical recording practices from the first email.

    - State your intentions.
    - Outline how the file will be stored and data retention policies.
    - Offer alternative accommodations.
    - Secure explicit consent well before the call.

    Anything less feels like surveillance disguised as efficiency.

    How are you making sure your use of AI tools in interviews respects privacy, consent, and accessibility?

    *Note, I am fortunate to be able to walk away from situations that violate my privacy, and I did exactly that in this case. I recognize that many candidates cannot afford to decline and must navigate similar scenarios without the option to say no. If you are in that position, I see you and stand with you.

    #CyberSecurity #DataPrivacy #Consent

  • Sharon Bauer

    Founder of Bamboo Data Consulting | Privacy Strategist | Lawyer | Top 20 Women in Cybersecurity | Speaker

    7,854 followers

    I always LOVE getting guidance from regulators...this time it comes from the Commission d’accès à l’information du Québec (CAI)! 🎉 The CAI has shared new guidelines on what personal information #employers can collect during #recruitment. Here's the scoop:

    Recruitment:
    * Employers can't just collect any PI they want, even if candidates provide consent. 🚫
    * Recruiters should ask, "Do we really need this PI to evaluate the application?" 🤔
    * At this stage, you can ask for the following: name, phone number, email, academic details, professional achievements, skills, and interests. 📋
    * Keep application forms simple and avoid asking for too much. Consider different forms for different positions ✍️
    * Don't ask for references before the interview. 🛑
    * These apply to the employer (direct recruiter) and third-party recruitment agencies.

    Interview:
    * You can check ID but you can't make a copy. 🆔
    * Avoid questions about age, gender, religion, ethnic origin, marital status, pregnancy, sexual orientation, etc., unless it's crucial for the job. ❌
    * #Psychometric tests should be valid and job-related. Protect this info and only use it if necessary! 🧠

    Artificial Intelligence:
    * Let candidates know if #AI is used to sort applications or assess them. 🤖
    * Ensure staff using AI are trained and know its limits. 📚
    * Give candidates a chance to review AI-based decisions. 📝
    * Do a Privacy Impact Assessment (#PIA) before using AI. 🔍
    * Don't use AI to assess emotional or psychological states during video interviews. 🎥

    Background Check:
    * #Criminal background checks must be job-related and need explicit consent. 🕵️‍♂️
    * Don't keep copies of criminal records if the offence isn't related to the job. 🗑️

    Hiring:
    * Now you can collect necessary PI like date of birth, social insurance numbers, address, bank info, and a photo for benefits, pay, and other employment-related activities. 🏦
    * Remember to #delete or anonymize the data of unsuccessful candidates when you no longer need it or as per legal requirements. 🗂️

    Plus, the CAI has given strict guidance on collecting employee #biometrics for identity verification. 🛡️

  • Neharika Krishnan

    Data Privacy & Trademark Counsel | DPDP | Helping organisations build compliance that works and brands that stay protected

    12,134 followers

    It started with one resume.

    A mid-sized company was hiring. As usual, HR created a shared Google Drive folder—“HR_CVs_2024”—and began storing every resume that came in. No passwords. No expiry. No consent.

    During a pitch presentation, someone accidentally copied the Drive link and pasted it into the client's briefing deck. That link made it to 30 inboxes. Within two days, 150+ resumes were accessed by people outside the organization. Names, phone numbers, home addresses, academic history—everything was out there.

    Panic set in. Applicants began writing in, angry and confused. One even sent a legal notice.

    Why? Because those resumes contain personal data. And under the Digital Personal Data Protection Act, 2023 (DPDPA), even just storing that data counts as “processing” (Section 2(x)).

    Here’s what companies often miss:

    Collecting resumes = Collection of personal data
    Saving them on cloud = Storage
    Forwarding internally = Disclosure
    Searching later = Retrieval

    Each of these requires valid, informed consent under the law.

    Simple fix? Add a clause in your HR emails like this:

    "By submitting your resume, you consent to the collection, processing, and storage of your personal data for recruitment purposes by [Company Name]. Your data will be retained only for as long as necessary and will not be shared without your prior consent."

    This isn’t about making hiring harder. It’s about making it respectful, secure, and lawful. If you're storing resumes for "future use" without a clear policy, it’s time to rethink the process.

    #DPDPA #DataPrivacy #HRCompliance #ResumeHandling #HiringPractices #IndianLaw #PrivacyByDesign #LegalForBusiness #Recruitment

  • Kunal Mahajan

    Hiring for IT positions | Across USA, Australia & LATAM countries | 30K+ Global Network.

    31,712 followers

    Protect Your Privacy: Why Sharing Aadhar and PAN Card Photos with Recruiters Isn't Safe:-

    As job seekers, we often encounter requests from recruiters for sensitive personal information, such as Aadhar and PAN card photos, during the interview process. While it may seem like a routine procedure, it's crucial to pause and consider the implications of sharing such data.

    First and foremost, Aadhar is a repository of highly sensitive personal information, including biometric data, linked to various government services. PAN cards, on the other hand, contain vital financial details. Revealing these documents to recruiters poses significant privacy risks, as there's no guarantee of how this data will be handled or stored.

    Confidentiality is paramount when it comes to personal information. However, once shared, we relinquish control over how it's used and who has access to it. Recruiters may not always have robust data protection measures in place, leaving our sensitive data vulnerable to breaches or misuse.

    Moreover, the necessity of Aadhar and PAN card photos for the interview process is questionable. While verifying identity is important, there are alternative methods available, such as providing identification documents in person or through secure channels. Insisting on Aadhar and PAN card photos raises red flags and warrants scrutiny.

    So, what can job seekers do to safeguard their privacy?

    1. Exercise Caution: Before sharing any personal information, carefully evaluate the legitimacy of the request and the necessity of the documents.
    2. Limit Disclosure: If asked for Aadhar or PAN card photos, consider providing only non-sensitive information, such as your name and photo on Aadhar, while concealing other details.
    3. Ask Questions: Don't hesitate to inquire about the recruiter's data protection policies and how your information will be handled. Transparency is key in establishing trust.
    4. Report Suspicious Activity: If you encounter any concerning behavior or requests for unnecessary personal information, report it to relevant authorities or platforms.

    In conclusion, protecting our privacy in the digital age requires vigilance and discernment. While job hunting can be daunting, it's essential to prioritize data security and only share information with trusted parties through secure channels. Let's advocate for greater awareness and respect for privacy rights in the recruitment process.

    Your privacy is non-negotiable – don't compromise it for a job. Stay safe and informed.

  • Zac Ferren

    In-House Legal Talent Consultant | Legal Recruiter | Dad - 2 under 2 club | Patrick Mahomes Fan Club | We Find the Lions® | 913-336-3832 | zac@findthelions.com

    14,805 followers

    I had a legal executive in my network reach out recently about a recruiter who was being a bit cagey. They (the recruiter) would not share the company name. They would not share a job description. He wanted my take on whether that was a red flag.

    My view: it depends 😏… it is not automatically a bad situation. The right move is usually to ask more questions and have the conversation.

    Here is what is often happening behind the scenes.

    - The recruiter is still vetting fit and does not want to share confidential information before they know you are a serious candidate.
    - They do not have an exclusive and are worried about being circumvented in the process.
    - The situation requires delicate handling. They may be replacing someone on the team, navigating a business challenge, or managing a search that should not be broadly visible in the market.

    There can be a long list of legitimate reasons.

    That said, at some point transparency has to show up. In my opinion, the company name should be shared before the recruiter asks to present your resume to the client. Not necessarily when you first share your resume. Early resume sharing can be part of the vetting process. But you should absolutely know where your profile is going before it is submitted.

    It works both ways. You do not want your resume being forwarded to the golfing buddy of your CEO without your knowledge. That creates awkward and potentially damaging situations.

    Trust in the search process is mutual. Candidates need clarity. Recruiters need confidence that they are not being cut out. Firms also need to protect sensitive client dynamics.

    At our firm, we tend to err on the side of transparency and trust (unless it’s a truly delicate situation - then we are just up front about it). We also have the luxury to work on exclusive engagements and walk away from the contingent work. But I also understand why some recruiters hesitate early in the process.

    The key is simple. Ask direct questions and understand the situation. Decide whether the level of transparency matches your comfort level.

  • Jechariah PAPO ~CHRP (PNG)

    Professional ATS & Traditional CV Writer | Cover Letter Writer | HR Practitioner | Career Consultant

    12,968 followers

    Important Advice to Job Seekers and My Professional Network

    Hi everyone, I would like to share an important message regarding your CV and personal professional documents.

    Your Curriculum Vitae (CV) is a confidential document. It contains your personal details, employment history, qualifications, contact information, and other sensitive information about your professional background. Because of this, it should always be handled carefully and shared only with trusted and legitimate employers.

    Recently, I have seen situations where some individuals or agents request job seekers to send their CVs for “registration” or “submission purposes.” In many cases, these requests are not always connected to a real job opportunity. Some may even ask for money to “forward” your CV to a hiring manager.

    My advice to all job seekers is simple:

    • Do not send your CV to unknown agents or individuals who claim they will submit it on your behalf.
    • Avoid sending your CV just for “registration” purposes, especially when there is no official job vacancy.
    • Remember that your CV is a confidential professional document, and you should keep it secure.
    • Always send your CV directly to the company’s official email address, recruitment portal, or a verified hiring manager.
    • Be cautious of anyone asking for payment in order to send your CV to an employer.

    From a recruitment and hiring perspective, companies prefer to receive applications directly from the candidate or through official recruitment channels. This ensures transparency and trust in the hiring process.

    Please protect your professional information and avoid sharing your CV with people who are not part of a verified recruitment process. Stay informed, stay professional, and always protect your personal documents. Thank you.

    #JobSeekers #CareerAdvice #CVTips #ProfessionalDevelopment #RecruitmentProcess #JobSearchTips

  • CHRP(K) Richard Mutua

    HR Leader

    9,855 followers

    Dear HR Professionals and Recruiters,

    Contacting a job applicant’s current or former employer without their explicit consent is not just unethical — in many cases, it’s illegal.

    In Kenya, the Data Protection Act (2019) mandates that personal data be processed lawfully, fairly, and transparently. Reaching out to a third party without consent may violate this law — particularly Sections 25–30. The Employment Act (2007) also protects employees from actions that could harm their current job.

    🌍 Globally, laws like the GDPR (EU), CCPA (US), and POPIA (South Africa) all require explicit consent before sharing or collecting personal information.

    Doing otherwise risks:

    - Breaching privacy laws
    - Jeopardizing someone’s job
    - Damaging your professional reputation

    ✅ Unless someone is listed as a reference, you are not authorized to contact their employer.

    This is about more than compliance — it’s about respect, trust, and ethics. Recruit responsibly. Respect privacy. People’s livelihoods are not background check shortcuts.

    #HR #RecruitmentEthics #DataProtection #KenyaHR #GDPR #RespectPrivacy #FairHiring

  • Tom Naylor

    Trusted Search Partner | Helping Global OEMs Hire World-Class Leaders | Industrial & Mining | 18 Yrs in Exec Search

    11,554 followers

    Over the past 12 months, we’ve taken on more confidential searches than in previous years. These types of headhunt search require a different approach, one that allows you to attract talent without the entire market knowing your business.

    The first hurdle? Some candidates, especially in niche tech or product spaces, need to know who the role is with before they’re even willing to talk. There’s a fine balance between sharing just enough to spark interest, without revealing too much too soon.

    Here’s a few things that can help keep recruitment effective and discreet:

    ✅ Align on messaging early
    From initial outreach to first screening, recruiter and employer must agree exactly how the position, company, and technology will be described at every touchpoint.

    ✅ Stage-gate information sharing
    Once a candidate passes initial screening and shows genuine interest, the recruiter can share further detail; key objectives, role expectations, and scope - without sharing the company name.

    ✅ Candidate commits
    The candidate reviews this info, and if still interested, sends back their CV and a signed NDA.

    ✅ Full disclosure
    Only after this stage are full company details shared.

    ✅ Use anonymised employer branding assets
    Create a one pager or landing page that outlines the vision, values, and mission of the company, without naming it. This builds engagement while protecting identity.

    ✅ Leverage trusted personal networks
    Tap into warm, vetted referrals through people you trust. These low noise channels are often the safest way to reach highly relevant profiles discreetly.

    This approach ensures that only genuinely and qualified candidates are engaged and the process remains discreet throughout. Strong collaboration between recruiter and employer is key. The employer plays an active approval role in how the role and company are presented, which helps minimise the risk of leaks.

    What other steps have worked for you when handling confidential hires?

  • Gavin Speirs

    I help CEOs & CHROs eliminate hiring risk in critical roles | Creator of the Hiring Operating System (HOS) | 97% right-first-time | 12–18 month guarantees | 60+ countries

    23,497 followers

    One area of hiring I’ve always found both challenging and rewarding is Confidential hires. We do a lot of them. And it’s always a privilege when a client trusts us with one. Because confidential hiring usually means one thing - the stakes are higher.

    - Internal sensitivities
    - Leadership changes
    - New acquisitions
    - Location strategy
    - Replacement hires
    - Business change

    And with that comes more risk. Not just around getting the hire right. But around protecting the process itself. Because one leak, one wrong conversation, one badly handled candidate interaction can create problems far beyond the hire.

    The challenge with confidential hiring is this: You still need to create curiosity. Build trust. Maintain momentum. Deliver quality. But without revealing everything upfront. That balance matters.

    So, for anyone working on confidential hires - here are 10 things I think matter most:

    1️⃣ Be crystal clear on what is confidential - not everything is equally sensitive
    2️⃣ Align internally first - mixed messages create risk
    3️⃣ Control the narrative - decide what can be shared and when
    4️⃣ Qualify trust early - not every candidate is right for confidential processes
    5️⃣ Protect documents - job specs and company info need handling carefully
    6️⃣ Manage candidate expectations well - lack of information creates uncertainty
    7️⃣ Keep hiring manager discipline high - confidentiality can break internally too
    8️⃣ Move quickly - slow confidential processes create more exposure
    9️⃣ Keep communication tight - less noise, more clarity
    🔟 Never compromise candidate experience - confidential shouldn’t mean cold

    Because in confidential hiring discretion matters. But so does trust. And trust is what keeps the whole process moving.
