How to Redact CVs and Candidate Documents: GDPR for Recruiters

Most agencies have a CV redaction process. Fewer have thought through right-to-work checks, DBS certificates, or written references - documents that carry stricter handling rules where a mistake is a data breach, not just an oversight.

By RedactProof Editorial Team · 1 May 2026

This guide is for general informational purposes only and does not constitute legal advice. Recruitment data obligations vary by jurisdiction and change over time. Consult your DPO or a qualified legal professional before acting on anything here.

A recruitment agency in Bristol places around 40 contractors a month. Before any CV goes to a client, a resourcer manually opens each one in Word, deletes the phone number and email address, and saves a copy. It takes about four minutes per document. Nobody has audited whether the process works consistently, and last quarter a CV went out with the candidate's personal email still in a header. Nobody noticed until the candidate did.

That's the CV redaction problem in miniature. The task itself - removing contact details - is simple enough that most agencies handle it without dedicated tools. But it's not the only document type recruiters touch, and the other ones are a different matter entirely.

The documents that actually matter

CVs sit at one end of the risk spectrum. A missed email address is an embarrassment. The candidate might get contacted directly; the client has a contact they shouldn't. Annoying, not catastrophic.

Right-to-work checks sit at the other end. These involve passports, visas, Biometric Residence Permits (BRPs, now replaced by eVisas and online share codes for most holders), and other official identity evidence. They contain full names, dates of birth, nationality, document numbers, and photographs. Under UK law, employers are generally required to retain copies of right-to-work documents for the duration of employment and for two years after it ends. During that period, the data needs to be protected and access-controlled, and - when shared internally or with a third party - cut down to what the recipient actually needs.

DBS certificates sit somewhere between the two. The Disclosure and Barring Service's own code of practice says that certificate information should not normally be kept for longer than six months after the recruitment decision has been made. Crucially, organisations must not retain photocopies or images of the certificate itself - only a note of the issue date, certificate type, reference number, and the recruitment decision taken. Showing DBS certificate content to anyone who doesn't need to see it is a handling error. Sending a scan to a third party is a data breach.

References are the fourth category worth thinking about. A written reference contains the referee's personal views and is usually given in confidence: the referee intended it to be read by a specific person for a specific purpose. Before forwarding it to anyone else - the candidate, another hiring manager, a client - the default should be to redact the referee's identity, and to check whether the reference should be shared onward at all.

What UK GDPR actually requires of recruiters

The ICO's guidance on recruitment and selection (part of its employment practices guidance, updated through 2024-2025) is clear that candidate data is personal data and that the data minimisation principle in Article 5(1)(c) of UK GDPR applies throughout the recruitment lifecycle. Organisations are expected to collect only what is necessary for the purpose, to share only what the recipient needs, and to retain it only for as long as needed.

For unsuccessful candidates, the ICO's position is that recruitment records should not be kept longer than necessary. The usual benchmark is the period in which an employment-related claim might be brought - for most tribunal claims, three months from the date of the alleged act. Some agencies retain records for up to six months to allow for recontact with strong candidates. Whatever period you choose, it should be documented in a retention policy, applied consistently, and actually enforced (a retention policy nobody runs against the ATS is just a document).

Where candidate data is shared with clients - as it almost always is in agency recruitment - the arrangement is controller-to-controller sharing, or occasionally joint controllership. Either way, each party is a controller with its own obligations for the data it holds. If a client receives a CV with personal contact details and then uses them to approach the candidate directly, the agency has facilitated a use of the data that it wasn't authorised for and that the candidate wasn't told about.

For a deeper look at what counts as personal data and why it matters, see our guide to what is PII.

Removing names and photos to reduce bias

A growing number of firms strip names, addresses, and photos from CVs before they reach hiring managers - not for data protection reasons, but to reduce unconscious bias. Some use this as a structured part of blind-shortlisting; others do it selectively for roles where diversity outcomes have been poor.

The process is similar whether the goal is compliance or bias reduction, but the scope is wider. You're removing identifying information (name, address, photo, links to personal social profiles) while preserving everything that's relevant to the hiring decision: qualifications, employment history, skills, and any other material the hiring manager is supposed to assess.

Manual approaches in Word are unreliable for this. A candidate's name appears in the filename, in a header or footer, in the body, and often in the document properties (author, last modified by, title); it can also survive in tracked changes and comments that are hidden in the default view. Removing it from the visible text while leaving it in the file metadata is a common mistake. RedactProof applies pixel-burn redaction - which permanently destroys the text layer rather than drawing over it - and processes the full document including any OCR layer, so the name doesn't survive as selectable or searchable text in the output.

RedactProof processes documents in your browser - files are not uploaded to our servers.

Right-to-work checks and DBS certificates: the compliance detail

Employers are generally required under the Immigration, Asylum and Nationality Act 2006 (as amended) to carry out right-to-work checks before employment begins. The specific documents that satisfy a right-to-work check are set out in the Home Office guidance and include List A documents (which give indefinite right to work) and List B documents (time-limited, requiring follow-up checks).

When a right-to-work document needs to be shared - for internal onboarding systems, payroll, or a third-party employer-of-record arrangement - the sharing should cover only what the recipient needs. A payroll provider needs confirmation of right-to-work status and a reference; they do not need a full passport scan. An internal HR system might need the document reference number and expiry date; not necessarily the full biometric data page.

For DBS certificate handling specifically, the Home Office and DBS guidance is explicit: the certificate is for the employer's use in making a recruitment decision. It should be stored separately from the main personnel file, in a locked, non-portable container with restricted access. Most importantly, it must not be shared externally except in very limited circumstances. Once the recruitment decision is taken and any relevant waiting period has passed, the certificate information should generally be destroyed. The record that remains is the date, type, reference number, and outcome - not the certificate content.

These are documents where a redaction error is not just an inconvenience. A DBS certificate shared with the wrong person exposes criminal record information, which is criminal offence data under Article 10 of UK GDPR and needs a specific legal basis to process at all. A right-to-work document sent to an unauthorised recipient contains a photograph, date of birth, document number, and nationality. Both categories carry significant risk under UK GDPR, and both carry specific handling requirements beyond general data protection law.

Recruiters handling these documents alongside standard HR records may find our guide to document redaction for HR teams useful for the broader employee records context.

Word edits vs dedicated redaction: an honest comparison

For CV contact-detail removal in a low-volume agency, manual editing in Word is probably adequate. If you're doing five CVs a day and you have a clear process, the marginal benefit of a dedicated tool over careful Word editing is not dramatic. The main risks are inconsistency (the process depends on who's doing it) and metadata (Word files retain document properties, tracked changes, comments and other hidden data that deleting visible text doesn't touch). Word's Document Inspector (File > Info > Check for Issues > Inspect Document) will strip most of it, but only if someone remembers to run it on every file, and it does nothing about the filename.
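One way to audit the manual Word process - the concern raised both here and in the bias-reduction section, where a name survives in a header or the document properties - is to check the output file rather than trust the person who edited it. The script below is an added example written for this article, not RedactProof's code. It relies on the fact that a .docx is a zip archive of XML parts, and scans the body, headers, footers, comments, tracked changes and core properties, plus the filename, for a pattern that should no longer be present. The sample document it builds is constructed here with the minimum XML the check needs; the candidate "Jane Doe" and the file names are invented.

```python
"""Post-redaction check for a .docx: does the candidate's name survive
anywhere in the file?

Added example for this article, not RedactProof's code. A .docx is a zip
archive of XML parts, so a name deleted from the visible body can still sit
in a header or footer (word/header*.xml, word/footer*.xml), in tracked
changes or comments (<w:delText> in word/document.xml, word/comments.xml),
in the document properties (docProps/core.xml: creator, lastModifiedBy,
title) and in the file name. Standard library only."""
import io
import re
import zipfile
from xml.etree import ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
DC_NS = "http://purl.org/dc/elements/1.1/"
CP_NS = ("http://schemas.openxmlformats.org/package/2006/metadata/"
         "core-properties")

# Constructed sample candidate (fictional).
NAME = "Jane Doe"


def _para(text):
    """One Word paragraph with a single run of text."""
    return f'<w:p><w:r><w:t xml:space="preserve">{text}</w:t></w:r></w:p>'


def build_sample_docx(leak=True):
    """Return the bytes of a minimal .docx whose body no longer names the
    candidate. With leak=True the name is still in the header and in the
    core properties: the failure the article describes. This is the minimum
    XML the check needs, not a complete Word file."""
    body = (f'<w:document xmlns:w="{W_NS}"><w:body>'
            f'{_para("Senior Engineer, 8 years")}{_para("Contact: [redacted]")}'
            '</w:body></w:document>')
    hdr_text = f"CV - {NAME}" if leak else "CV"
    header = f'<w:hdr xmlns:w="{W_NS}">{_para(hdr_text)}</w:hdr>'
    creator = NAME if leak else "Agency Resourcer"
    core = (f'<cp:coreProperties xmlns:cp="{CP_NS}" xmlns:dc="{DC_NS}">'
            f'<dc:title>{hdr_text}</dc:title><dc:creator>{creator}</dc:creator>'
            '</cp:coreProperties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", body)
        z.writestr("word/header1.xml", header)
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()


def _all_text(xml_bytes):
    """Concatenate every text node. Word often splits one name across
    several <w:t> runs, so matching must be done on the joined text, not
    run by run; itertext() also picks up <w:delText> (tracked deletions)."""
    return "".join(ET.fromstring(xml_bytes).itertext())


def find_residue(docx_bytes, filename, patterns):
    """Scan the file name and every XML part under word/ and docProps/.
    Returns {location: [matched strings]}; an empty dict means clean."""
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    hits = {}

    def check(location, text):
        found = [m.group(0) for c in compiled for m in c.finditer(text)]
        if found:
            hits[location] = found

    check("filename", filename)
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in z.namelist():
            if part.endswith(".xml") and part.split("/")[0] in ("word", "docProps"):
                check(part, _all_text(z.read(part)))
    return hits


def name_pattern(full_name):
    """Regex for a name whose parts may be separated by spaces, underscores
    or hyphens, so it also matches file names like Jane_Doe_CV.docx."""
    return r"[\s_\-]*".join(re.escape(p) for p in full_name.split())


if __name__ == "__main__":
    leaky = find_residue(build_sample_docx(leak=True),
                         "Jane_Doe_CV_redacted.docx", [name_pattern(NAME)])
    for location, matches in leaky.items():
        print(f"RESIDUE in {location}: {matches}")
    clean = find_residue(build_sample_docx(leak=False),
                         "candidate_1042.docx", [name_pattern(NAME)])
    print("clean file:", "PASS" if not clean else f"FAIL {clean}")
```

Run against a real file, the patterns would be the candidate's name, email and phone number taken from the ATS record, and a non-empty result blocks the send. Note what the check does not cover: a name embedded in an image (a scanned signature, a photo caption) is invisible to text matching, which is one reason the article's advice for scanned documents differs from its advice for Word files.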

The calculus changes for right-to-work documents and DBS certificates. These are typically PDFs or scanned images, not Word files. Editing a PDF in Word is lossy and unreliable - content reflows, layouts break, and it's easy to miss something. Drawing a black box over text in a PDF viewer is worse: the text underneath usually stays in the file, selectable, searchable and trivially recoverable. The documents also carry higher stakes: a missed redaction is a breach of sensitive personal data, not just a minor slip.

The other issue is volume. Agencies running bulk permanent placements or multi-site contractor operations may process dozens of right-to-work documents a week. Manual processing doesn't scale, and fatigue-related errors are more likely at volume. Automated detection across a batch of passport scans - which RedactProof handles in bulk - is faster and more consistent than working through them one by one.

For a full walkthrough of redacting PDFs specifically, see our guide to how to redact a PDF.

Where to start

If you're not currently redacting CVs before client submission, the first step is to build it into the workflow - even a manual one. If you're already doing that but handling right-to-work documents and DBS certificates without a clear protocol, that's the higher-priority gap to close.

The Core plan includes on-device AI detection for 40+ PII types, pixel-burn redaction, and tamper-evident export certificates. No installation, no upload.

Frequently Asked Questions

Do recruitment agencies need to redact CVs before sending them to clients?

There is no specific legal requirement to redact CVs before client submission, but sharing more personal data than the client needs for their hiring decision is generally inconsistent with the data minimisation principle under Article 5(1)(c) of UK GDPR. Candidate contact details - particularly personal email addresses and phone numbers - are typically not necessary for a client to assess suitability. Many agencies redact them as standard practice to prevent direct-hire approaches and to limit what they share. If your agency has a data sharing agreement with clients, it should specify what data is shared and for what purpose.

How long should we retain right-to-work documents?

Home Office guidance generally requires employers to retain right-to-work documents for the duration of employment and for at least two years after employment ends. This gives the employer evidence to produce if compliance is checked by the Home Office. The retention period should be documented in your data retention policy. After the retention period, documents should be securely destroyed - they contain passport, visa, and biometric data that should not be held indefinitely.

Can we keep a copy of a DBS certificate on file?

DBS guidance states that organisations must not keep photocopies or images of DBS certificates. What you can retain is a note of the issue date, the name of the subject, the type of check, the position for which it was obtained, the unique reference number, and the recruitment decision taken. This record should be stored separately from the main personnel file, with restricted access. Once a recruitment decision has been made and any relevant waiting period has passed, the certificate information should generally be destroyed within six months.

What is bias-blind or anonymous recruitment and does redaction help?

Bias-blind recruitment - sometimes called anonymous shortlisting - involves removing identifying information from CVs before hiring managers assess them, to reduce the influence of name, gender, or background on initial decisions. Redaction is the practical method: names, addresses, photos, and links to personal social profiles are removed before the document reaches the shortlisting stage. Dedicated redaction tools handle this more reliably than manual editing, since a candidate's name typically appears in multiple places - visible text, headers, document metadata - that manual editing may miss.

What personal data is typically in a CV that we should consider before sharing?

A typical CV contains the candidate's full name, home address, personal email, phone number, date of birth (sometimes), links to LinkedIn or other profiles, and in some cases a photograph. It may also contain information that indirectly reveals protected characteristics: school names indicating age or background, gaps in employment that may suggest caring responsibilities, or personal interests. Before sharing a CV externally, consider which elements are necessary for the recipient's purpose. Contact details in particular are rarely needed by a client to assess suitability - they become relevant only if the candidate is selected for interview.
