Data Privacy and Compliance
Data privacy and compliance overview

Ashby provides tools to help you maintain proper compliance with local and federal data privacy regulations with regard to storing candidate data. You can configure these tools at https://app.ashbyhq.com/admin/organizational-settings/data-compliance. See the table below for more information on the access roles that have the ability to configure rules in Ashby to help maintain compliance.

| Access role | Can configure rules? |
| --- | --- |
| Limited Access | ❌ |
| Agency Users | ❌ |
| Elevated Access: External Recruiter (not linked to an agency) | ❌ |
| Elevated Access: Analyst | ❌ |
| Elevated Access: Hiring Team Member | ❌ |
| Elevated Access: Hiring Manager | ❌ |
| Elevated Access: Admin | ❌ |
| Elevated Access: Admin (Private) | ❌ |
| Organization Admin | ✅ |

On the Data Privacy and Compliance page, you'll have access to three tabs: Inactivity Rules, Consent Rules, and Privacy & Legal.

[Image: The Data Privacy and Compliance rule configuration page in Ashby. The Inactivity Rules tab is selected.]

Data compliance: inactivity and consent rules

You can use a combination of inactivity and consent-based rules to put a flexible policy into place that helps you keep track of which candidate data should be removed from your system.

Inactivity rules

Inactivity rules are set based on when the candidate became inactive. There are two types of rules:

- Inactive lead rule: a rule that governs how long you should keep the data of lead candidates. This is a retention rule for candidates that are seen as inactive because they have no applications or only have applications that are in lead stages.
- Inactive applicant rule: a rule that governs how long you should keep the data of inactive candidates. This is a retention rule for candidates who are seen as inactive because they only have applications in the archived stage.

Amending the default inactivity-based rule

After clicking on one of your default inactivity-based rules, you can further configure it by:

- Updating basic information, like adding an internal description for reference.
- Amending the retention period, which defines the time period after which the inactive lead or inactive applicant should be marked as needing to be anonymized or deleted.
- Configuring a rule filter using the Add Field to Match option to add fields and establish criteria. Candidates who meet the set criteria will have the rule applied to them.

Once you've reconfigured the rule, you will have the option to re-evaluate your inactivity or consent-based rule for candidates matching your rule filters in the Danger Zone section. Click Re-evaluate X Candidates to take this action. Re-evaluating the rule for candidates will not delete or anonymize candidates automatically; it will only flag those in violation of your configured rule.

Creating an additional inactivity-based rule

You can create additional inactive lead and inactive applicant rules. These allow you to set different location criteria and retention periods, meaning greater flexibility and compliance control over candidate data. See the examples of rule configurations below.

To create a new inactivity-based rule:

1. Ensure you are on the Inactivity Rules tab of the Data Privacy & Compliance page.
2. Click + New and select either + Inactive Lead Rule or + Inactive Applicant Rule.

For additional inactivity rules, complete the following information:

- Title: you can click the current title of the rule to amend and rename it.
- Description (optional): add an internal description for your rule.
- Retention period: if the inactive lead or applicant matches your rule, the retention period will determine how long after the candidate was created (for an inactive lead rule) or how long after the candidate's final application was archived (for an inactive applicant rule) before they are considered in violation of your configured rules.
- Location: here you can determine your location criteria.
  - Global: covers all locations configured in Ashby. Please note that you can only configure one rule per type with the Global location setting (to avoid conflicts).
  - Specific locations: this option will include a dropdown that will allow you to specify the locations that this rule should apply to. For more on configuring locations, check out docid\ acybgybzas3ymyvbo5um8.
  - Advanced: switch on the Advanced option and click + Add Field to Match to set your criteria using a range of location fields and values. You can also set further criteria in the Additional Criteria section.

If you do not enable the Advanced toggle and specify location fields, the locations you select for data rules within the Locations section refer to the locations assigned within your job's settings section.

Once you're ready to enable your rule, switch on Is Enabled in the Basic Info section.

In the Danger Zone section, you will also have the option to re-evaluate candidates who meet your rule criteria and apply the rule to them if they qualify. Click Re-evaluate X Candidates to take this action. Re-evaluating the rule for candidates will not delete or anonymize candidates automatically; it will only flag those in violation of your configured rule.

Consent rules

Consent-based rules are set based on the date consent was given by a candidate.

Amending the default consent-based rule

After clicking into the default consent-based rule, you can further configure it by:

- Adding a description for internal reference.
- Choosing the consent request period, which defines how long a period of consent we will ask of the candidate when requesting consent via your jobs page or via automation settings.
- Creating a rule filter, which restricts which candidates this rule should apply to.
- Setting up consent collection on job posting pages in the Jobs Page Settings section. The consent collection option will show underneath the application form on the job posting.
- Setting up automation settings to automatically send out an email with a link to a consent form based on a set of rules. This can be used to collect consent from non-applicants, such as sourced candidates (for example, those added via the Chrome extension) or candidates that were manually added to Ashby.
- You can also set up consent extension automation settings to automatically request a consent extension prior to the consent retention date.

[Image: The edit menu for the default consent-based rule.]

Creating an additional consent rule

You can create additional consent rules so you can set different location criteria and retention periods. For examples of multiple rule configurations, check out the examples below.

To create a new consent rule:

1. Ensure you are on the Consent Rules tab of the Data Privacy & Compliance page.
2. Click + New and select + Consent Rule.

For additional consent rules, complete the following information:

- Title: you can click the current title of the rule to amend and rename it.
- Description (optional): add an internal description for your rule.
- Consent request period: the request period defines how long a period of consent we will ask of the candidate when requesting consent via your jobs page or via automation settings.
- Custom consent form text: optional custom consent form text specifically for this rule. If this is left blank, the consent form text set within the direct consent request settings will be used instead.
- Location: here you can determine your location criteria.
  - Global: covers all locations configured in Ashby.
  - Specific locations: this option will include a dropdown that will allow you to specify the locations you have configured in Ashby that this rule should apply to. For more on configuring locations, check out docid\ acybgybzas3ymyvbo5um8.
  - Advanced: switch on the Advanced option and click + Add Field to Match to set your criteria using a range of location fields and values. You can also set further criteria in the Additional Criteria section.

If you do not enable the Advanced toggle and specify location fields, the locations you select for data rules within the Locations section refer to the locations assigned within your job's settings section.

[Image: The Location section of the consent rule menu with the Advanced toggle on, displaying the Additional Criteria section.]

Consent rules: jobs page settings

On the Jobs Page Settings tab of your consent rule, you can enable the Collect Consent on Jobs Pages option. Once enabled, you can then configure criteria so only the job pages that meet the filters you set will request consent.

[Image: The Jobs Page Settings section of a consent rule.]

Consent rules: automation settings

Within the Automation Settings tab, you'll see two options: Initial Consent and Consent Extension.

[Image: The Automation Settings tab of a consent rule.]

Initial consent automation settings

Initial consent automation settings allow you to determine the conditions in which the first consent request should be sent. Click Create a Draft Configuration to create a draft.

[Image: The Automation Settings tab of a consent rule with the Create a Draft Configuration option highlighted.]

In the Condition section, you can add filters by clicking Add Field to Match. You can then specify any criteria candidates should meet to be sent the initial consent request email.

Use the Email Template field to determine the template that should be sent to the candidate and the Delay dropdown to specify when the email should be sent.

If you need to add an additional automation rule to create a separate set of criteria, click Create New Automation Rule.

[Image: The menu to create a new automation rule.]

Once you're ready to use your rule or rules, click Activate Draft Configuration. When a candidate meets the conditions you've set in your automation, they'll receive the email you've specified in the Email Template field.

[Image: The Activate Draft Configuration button.]

Consent extension automation settings

Consent extension automation rules allow you to determine when a consent extension request email should be sent out to the candidate. Click Create a Draft Configuration to start setting up your automation rule.

[Image: The Create a Draft Configuration button for consent extension automation.]

You can use the Advance Notice Period field to determine how far in advance the request should be sent. In the pictured example, the consent extension request email will be sent 21 days prior to the date listed in the Consent Retention Date field on the candidate's profile.

You can then determine the email template and the sender email address using the Email Template and From Email Address fields.

If you'd like to add a filter to your rule, click Add Field to Match in the Filter section to set your criteria. If this section is left blank, all candidates that the consent rule applies to will be sent an extension request prior to their consent expiring.

To create an additional consent extension automation rule, click Create New Automation Rule.

[Image: The settings for the automation.]

Once you're ready to use your rule, click Activate Draft Configuration.

[Image: The Activate Draft Configuration button is highlighted within the Consent Extension tab.]

Once you activate your draft consent extension configuration rule, it will be applied to all candidates meeting your criteria.

Examples of rule configurations

The examples below are purely illustrative. Please consult with your legal team and your organization's policies when configuring your own data compliance rules within your Ashby account.

Example based on candidate location

In our first example, our test company has different retention periods for inactive candidates who are located in Germany. As such, an additional inactive applicant rule can be created here with the appropriate retention period and the Advanced option switched on in the Locations section. The Advanced option allows them to use the Candidate's Location field, meaning that this is the field that is evaluated when applying the rule.

Example based on job posting location

In this second example, the test company is looking to set a different consent request period and different consent form text for job postings with their locations in the United States. When configuring an additional consent rule based on job posting location, the Advanced toggle should be switched on again and the Candidate's Job Consideration's Job Posting's Location field can be used to determine the value fields. The consent period can then be clarified in the Consent Period Request section and the alternative consent form text can be added to the Custom Consent Form Text field.

Privacy & legal settings

On the Privacy & Legal tab of the Data Privacy & Compliance page, you can set the following:

- Recruiting privacy policy
- Legal entity name
- Automated processing legal notice

[Image: The Privacy & Legal tab of the Data Privacy and Compliance page in Ashby.]

Recruiting privacy policy

Add a link to a privacy policy here that contains the details of how you will manage candidate data. This link will appear on any consent forms that candidates complete.

You can set a recruiting privacy policy in the https://app.ashbyhq.com/admin/organizational-settings/data-compliance section of Admin, under the Privacy & Legal tab. When you do so, a link to the policy will appear on any consent forms that candidates fill out.

Legal entity name

The legal entity name used for data consent requests, EEOC, and other legal contexts. You can leave this blank to use your organization name.

Automated processing legal notice

Here you can configure a legal notice to inform candidates that their data may be processed using AI. For more on Ashby's AI tools, check out docid\ isi4asubjjxihytbeekfa.

Viewing data compliance status on candidate profile

You can view a candidate's data retention dates (as determined by the rules above) on the candidate profile under the Summary tab. You will see a section called Data Retention which displays the date after which the candidate will be considered in violation of your rules.

[Image: A candidate profile, open to the Summary section.]

If you have consent extension automation settings in place, then you'll see the date that the consent extension request will be sent.

[Image: Find data retention details for a candidate under the Summary section on the candidate profile.]

You can click Override to get the following options:

- Override & Ignore: choose to ignore data retention rules for the candidate completely.
- Override Date: choose a date for data retention that takes precedence over any other rules.

If you opt to choose a new date for data retention via the Override Date option, then the consent extension request date will adjust to fit the new date.

When are candidates considered in violation?

For more on reporting on data retention rules and violations, check out docid\ d 2p7dadxko j2hule31.

What happens if multiple compliance rules apply to a candidate or lead?

Multiple compliance rules may apply to a candidate or lead:

- If they apply to a job posting with multiple locations applied to it and one or some locations have different inactivity or consent rules configured for them.
- If a candidate otherwise meets the criteria set for more than one inactivity and/or consent rule.

If you have multiple rules configured and multiple rules apply to a candidate, the rule with the longest retention period will apply to the candidate. For example, if rule A says delete or anonymize data after 1 year and rule B says delete or anonymize data after 3 years, the candidate's retention date will be set by rule B (3 years).

How does location hierarchy work with compliance rules?

Location hierarchy across jobs and job postings is supported in compliance rules. For example:

- If the rule is scoped to the United States region and the job location is set to California, the rule will match because the United States location is the region that the California location is linked to.
- If the rule is scoped to the California location and the job location is set to the United States region, the rule will not match because California is a descendant of the United States region and the specification will be respected.

FAQ

Should I anonymize or delete candidates?

When candidates are marked as in violation, any action taken (deleting or anonymizing) will need to be done manually. Anonymizing candidates will get rid of any PII, but retain enough information to provide useful data for your analytics and reporting workflows. It is important to know that anonymization cannot be undone.

Can I override a data retention date when importing candidates via CSV?

You can, yes. Once you've uploaded your CSV file, you can map the date listed in your file to the Data Compliance Override Date field in Ashby. If you would also like to include an override reason, you can map it to the Data Compliance Override Reason field in Ashby. When these fields are imported, they will be included on the candidate profile and take precedence over any other data retention dates. You can find more on importing candidates via CSV at Bulk Import Options.

How does anonymizing a candidate work with the email events on the candidate's feed?

Once a candidate has been anonymized, a record of email events will still show on the candidate's feed (including the date and time the email was sent). However, the subject, body and the candidate's email address will be anonymized.

What happens if a candidate receives an initial consent email but doesn't click the link and follow the steps to provide consent?

In this case, the Consent Retention Date field on the candidate profile will still show No Consent Collected, as the candidate has yet to provide consent.

I'm seeing multiple consent form completion events within the Forms section of a candidate's job consideration. Why?

If a candidate has applied for a role multiple times, they may have also completed the consent form multiple times as part of the application. As duplicate applications are merged, only one job consideration will show on the candidate profile, but each application and consent form completed will be listed within the singular job consideration for your reference. More on this at docid\ rvfnqwgmp1m3vbjwr1sbb.

How are inactivity-based rules and consent-based rules set in Ashby applied to hired candidates?

Candidates in the Hired stage are treated as active candidates. This is because hired candidates have an active employment relationship with your organization, which provides a legitimate business interest for retaining their data. The employment of the hired candidate also creates a legal basis for data retention that supersedes the need for consent-based or inactivity-based retention rules to be applied. As such, they will not be considered or marked as in violation of the rules you configure in Ashby.

What happens when a rule is disabled?

You can disable a data compliance rule by switching off the Is Enabled? toggle when viewing the rule details. When a rule is disabled, all candidates who had that rule as their applied rule are re-evaluated. If another applicable rule exists, it becomes the new applied rule. If no other rule applies, the candidate's retention date for that category is cleared.

What happens when a rule is archived?

You can archive a rule by opening up the rule details and clicking the Archive button. A rule must be disabled before it can be archived. Once archived, it cannot be re-enabled (it is effectively retired). The same re-evaluation that happens on disable applies here as well. Archived rules are hidden from the active rules list but remain in the system for audit purposes.

What happens to automated consent emails when a consent rule is archived or disabled?

Any scheduled automated consent extension emails tied to that rule are canceled. This prevents outdated or irrelevant emails from being sent to candidates.

If multiple consent rules apply to the same job posting, which consent form is shown to applicants?

The consent form from the rule with the longest retention period is displayed. This ensures candidates are asked for consent under the most protective rule.
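
The rule resolution described under "What happens if multiple compliance rules apply to a candidate or lead?", "How does location hierarchy work with compliance rules?" and "What happens when a rule is disabled?" can be modeled in a few lines, which is useful for checking a planned rule set before configuring it. This is an added illustration, not Ashby's code; the `Rule` class, the location tree, the rule names and the day counts are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed location tree (child -> parent region); not Ashby data.
PARENT = {"California": "United States", "Berlin": "Germany"}


@dataclass(frozen=True)
class Rule:
    name: str
    retention_days: int
    scope: Optional[frozenset] = None  # None models the "Global" location setting
    enabled: bool = True


def lineage(location):
    """Yield the location itself, then each region above it in the tree."""
    while location is not None:
        yield location
        location = PARENT.get(location)


def rule_matches(rule, job_locations):
    """A scoped rule matches a job location equal to or below its scope.
    The reverse does not hold: a California rule ignores a job set to the US region."""
    if rule.scope is None:
        return True
    return any(a in rule.scope for loc in job_locations for a in lineage(loc))


def applied_rule(rules, job_locations):
    """Among enabled, matching rules, the longest retention period wins."""
    matching = [r for r in rules if r.enabled and rule_matches(r, job_locations)]
    return max(matching, key=lambda r: r.retention_days, default=None)


def retention_date(rules, job_locations, anchor):
    """anchor: creation date (inactive lead) or final archive date (inactive applicant).
    Returns None when no rule applies, i.e. the retention date is cleared."""
    rule = applied_rule(rules, job_locations)
    return None if rule is None else anchor + timedelta(days=rule.retention_days)


# Constructed rule set: one global rule plus two location-scoped rules.
RULES = [
    Rule("Global applicants", 365),
    Rule("US applicants", 1095, frozenset({"United States"})),
    Rule("California applicants", 730, frozenset({"California"})),
]

if __name__ == "__main__":
    for locations in (["California"], ["United States"], ["Berlin"]):
        rule = applied_rule(RULES, locations)
        print(locations, "->", rule.name, retention_date(RULES, locations, date(2023, 1, 1)))
```
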