Data Privacy and Compliance
Ashby provides tools to help you maintain proper compliance with local and federal data privacy regulations with regard to storing candidate data. You can configure these tools at https://app.ashbyhq.com/admin/organizational-settings/data-compliance.

Data Privacy and Compliance Overview

The data privacy and compliance features allow you to configure rules to help maintain compliance with data privacy laws and regulations. See the table below for more information on the access roles that have the ability to configure rules in Ashby to help maintain compliance.

Access role                                                    Can configure rules?
Limited Access                                                 ❌
Agency Users                                                   ❌
Elevated Access External Recruiter (not linked to an agency)   ❌
Elevated Access Analyst                                        ❌
Elevated Access Hiring Team Member                             ❌
Elevated Access Hiring Manager                                 ❌
Elevated Access Admin                                          ❌
Elevated Access Admin (Private)                                ❌
Organization Admin                                             ✅

Recruiting Privacy Policy

You can set a recruiting privacy policy in the https://app.ashbyhq.com/admin/organizational-settings/data-compliance section of Admin. When you do so, a link to the policy will appear on any consent forms that candidates fill out.

Data Compliance Rules

Ashby provides mechanisms for configuring how you’d like to maintain candidate data through inactivity-based rules and consent-based rules. You can use a combination of these two types of rules to put a flexible policy into place that helps you keep track of which candidate data should be removed from your system.

You can configure inactivity-based and consent-based rules in the Admin > Data Management > https://app.ashbyhq.com/admin/organizational-settings/data-compliance section of Ashby.

Inactivity-Based Rules

Inactivity-based rules are set based on when the candidate became inactive. You can configure inactivity-based rules in the Admin section of the app. There are two types of rules:

- Inactive Lead Rule: a rule that governs how long you should keep the data of lead candidates. These are candidates that have no applications or only have applications that are in lead stages.
- Inactive Applicant Rule: a rule that governs how long you should keep the data of inactive candidates. These are candidates who only have archived applications.

After clicking on one of the rules, you can further configure it by:

- Choosing the retention period, which defines the time period after which the inactive lead or inactive applicant should be marked as needing to be anonymized or deleted.
- Choosing a rule filter using the Add Field to Match option, which further restricts which candidates this rule should apply to.

Once you’ve enabled the rule, it will be evaluated whenever a candidate is created or an application changes stages. If a candidate matches the rule filter, Ashby will record a date, based on the retention period, after which the candidate needs to be deleted.

Consent-Based Rules

Consent-based rules are set based on the date consent was given by a candidate. After clicking into the rule, you can further configure it by:

- Choosing the consent request period, which defines how long a period of consent we will ask of the candidate when consent is asked for on a jobs page or via automation settings.
- Creating a rule filter, which restricts which candidates this rule should apply to.
- Setting up consent collection on job posting pages in the Jobs Page Settings section. The consent collection option will show underneath the application form on the job posting.
- Setting up automation rules to automatically send out an email with a link to a consent form based on a set of rules. This can be used to collect consent from non-applicants, such as sourced candidates (for example, those added via the Chrome extension) or candidates that were manually added to the ATS.

You can also set up consent extension automation settings to automatically request a consent extension prior to the consent retention date.

Automation Settings

Within the Automation Settings tab, you’ll see two options: Initial Consent and Consent Extension.

Initial Consent

Initial consent automation settings allow you to determine the conditions under which the first consent request should be sent.

Click Create a Draft Configuration to create a draft. In the Condition section, you can add filters by clicking Add Field to Match. You can then specify any criteria candidates should meet in order to be sent the initial consent request email. Use the Email Template field to determine the template that should be sent to the candidate and the Delay dropdown to specify when the email should be sent.

If you need to add an additional automation rule to create a separate set of criteria, click Create New Automation Rule. Once you’re ready to use your rule or rules, click Activate Draft Configuration. When a candidate meets the conditions you’ve set in your automation, they’ll receive the email you’ve specified in the Email Template field.

Consent Extension

Consent extension automation rules allow you to determine when a consent extension request email should be sent out to the candidate.

Click Create a Draft Configuration to start setting up your automation rule. You can use the Advance Notice Period field to determine how far in advance the request should be sent. In this example, the consent extension request email will be sent 21 days prior to the date listed in the Consent Retention Date field on the candidate’s profile. You can then determine the email template and the sender email address using the Email Template and From Email Address fields.

If you’d like to add a filter to your rule, click Add Field to Match in the Filter section to set your criteria. If this section is left blank, all candidates that the consent rule applies to will be sent an extension request prior to their consent expiring.

To create an additional consent extension automation rule, click Create New Automation Rule. Once you’re ready to use your rule, click Activate Draft Configuration. Once you activate your draft consent extension configuration rule, it will be applied to all candidates meeting your criteria.

Viewing Data Compliance Status on Candidate Profile

You can view a candidate’s data retention dates (as determined by the rules above) on the candidate profile. Under the Summary tab you will see a section called Data Retention, which displays the date after which the candidate will be considered in violation of your rules. If you have consent extension automation settings in place, you’ll also see the date that the consent extension request will be sent.

Find data retention details for a candidate under the Summary section on the candidate profile.

You can click Override to get the following options:

- Override & Ignore: choose to ignore data retention rules for the candidate completely.
- Override Date: choose a date for data retention that takes precedence over any other rules.

If you opt to choose a new date for data retention via the Override Date option, the consent extension request date will adjust to fit the new date.

When Are Candidates Considered in Violation?

Candidates are considered in violation of data retention policies if they violate an enabled rule and they aren’t passing another enabled rule. For example:

- A candidate that has an inactivity date in the past (and is thus violating an inactivity-based retention rule) is not in violation if they have submitted consent.
- A candidate who has not submitted consent (and is thus violating a consent-based retention rule) is not in violation if they have an inactivity date set in the future (by an inactivity-based rule).

This allows you to flexibly combine the two types of rules so that one rule keeps a candidate out of violation, even if they violate a different rule. Candidates additionally are never in violation while they have an application in an active stage.

Analytics and Reporting

You can also quickly find candidates that are in violation of your rules using Ashby’s reporting functionality. Here is a candidate search that finds those candidates, using the Is In Violation of Data Compliance field to quickly find candidates that are in violation.

Other reporting fields you can use to either filter results when reporting or show on a custom list report include Last Automated Consent Extension Request Sent At and Next Automated Consent Extension Request Scheduled At. You can use these to show when the last consent extension request email was sent and when the next one is due to be sent, respectively.

FAQ

Should I anonymize or delete candidates?

When candidates are marked as in violation, any action taken (deleting or anonymizing) will need to be done manually. Anonymizing candidates will get rid of any PII, but retain enough information to provide useful data for your analytics and reporting workflows. It is important to know that anonymization cannot be undone.

Can I override a data retention date when importing candidates via CSV?

You can, yes. Once you’ve uploaded your CSV file, you can map the date listed in your file to the Data Compliance Override Date field in Ashby. If you would also like to include an override reason, you can map it to the Data Compliance Override Reason field in Ashby. When these fields are imported, they will be included on the candidate profile and take precedence over any other data retention dates. You can find more on importing candidates via CSV at Bulk Import Options.

How does anonymizing a candidate work with the email events on the candidate’s feed?

Once a candidate has been anonymized, a record of email events will still show on the candidate’s feed (including the date and time the email was sent). However, the subject, body and the candidate’s email address will be anonymized.

What happens if a candidate receives an initial consent email but doesn’t click the link and follow the steps to provide consent?

In this case, the consent retention rate field on the candidate profile will still show No Consent Collected, as the candidate has yet to provide consent.

I’m seeing multiple consent form completion events within the Forms section of a candidate’s job consideration. Why?

If a candidate has applied for a role multiple times, they may have also completed the consent form multiple times as part of the application. As duplicate applications are merged, only one job consideration will show on the candidate profile, but each application and consent form completed will be listed within the single job consideration for your reference.

I see a Retroactively Apply to Candidates option when configuring my rules. What does this option do?

You can click Retroactively Apply to Candidates to retroactively apply your configured rule across the candidates in your Ashby account that match the criteria set by your rule. Any candidates meeting the criteria set by the filters in your configured rule will be flagged as in violation of said rule. You can then take action on them as needed. Retroactively applying the rule to candidates will not delete or anonymize candidates; it will only flag those in violation of your configured rules. For more on actions you can take on flagged candidates, check out Anonymizing and Deleting Candidates.

How are inactivity-based rules and consent-based rules set in Ashby applied to hired candidates?

Candidates in the Hired stage are treated as active candidates. This is because hired candidates have an active employment relationship with your organization, which provides a legitimate business interest for retaining their data. The employment of the hired candidate also creates a legal basis for data retention that supersedes the need for consent-based or inactivity-based retention rules to be applied. As such, they will not be considered or marked as in violation of the rules you configure in Ashby.
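
The violation logic from the "when are candidates considered in violation" section, together with the override options and the consent extension notice period, modelled in Python as an added example for checking a planned rule combination; it is not Ashby's code. All field and function names are hypothetical, and treating expired consent as a violated rule and an override date as the only deciding date are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Candidate:
    # Hypothetical field names modelling the states the page describes.
    has_active_application: bool = False  # Hired counts as active per the FAQ
    inactivity_date: Optional[date] = None  # set by an inactivity-based rule; None = no rule matched
    consent_date: Optional[date] = None  # consent retention date; None = no consent collected
    override_ignore: bool = False  # "override & ignore"
    override_date: Optional[date] = None  # "override date"


def in_violation(c: Candidate, today: date,
                 inactivity_enabled: bool = True,
                 consent_enabled: bool = True) -> bool:
    # Never in violation while an application is in an active stage,
    # or when retention rules are ignored for this candidate.
    if c.has_active_application or c.override_ignore:
        return False
    # Assumption: an override date is the only date that counts once set.
    if c.override_date is not None:
        return today > c.override_date
    passing = []  # one entry per enabled rule that applies to the candidate
    if inactivity_enabled and c.inactivity_date is not None:
        passing.append(today <= c.inactivity_date)
    if consent_enabled:
        # Assumption: missing or expired consent both violate the rule.
        passing.append(c.consent_date is not None and today <= c.consent_date)
    # In violation only if some rule is violated and no rule is passing.
    return bool(passing) and not any(passing)


def extension_request_date(c: Candidate, notice_days: int = 21) -> Optional[date]:
    # The request goes out notice_days before the retention date; an
    # override date moves the request date with it.
    retention = c.override_date or c.consent_date
    return retention - timedelta(days=notice_days) if retention else None
```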