# DPDP-ready recruitment automation policy

## Description

Use this policy when recruitment automation processes resumes, candidate profiles, interview notes, assessment results, background-check metadata, or automated shortlist recommendations.

## Placeholder fields

- Company name: [COMPANY_NAME]
- Recruitment system name: [RECRUITMENT_SYSTEM_NAME]
- Talent owner: [TALENT_OWNER]
- Hiring compliance owner: [COMPLIANCE_OWNER]
- Security owner: [SECURITY_OWNER]
- Privacy contact: [PRIVACY_CONTACT_EMAIL]
- Effective date: [EFFECTIVE_DATE]
- Retention period: [RETENTION_PERIOD]

## Approved purposes

[RECRUITMENT_SYSTEM_NAME] may process candidate data only for application intake, resume parsing, skills matching, interview scheduling, assessment summarization, hiring-team collaboration, and candidate communication.

Candidate data must not be reused for unrelated employee profiling, advertising, or model training unless clear notice, lawful basis, and approval are documented.

## Data categories

The system may encounter candidate name, email, phone number, resume, work history, education, portfolio links, compensation expectations, interview notes, assessment results, and recruiter feedback. Government identifiers, exact home address, health data, caste, religion, political opinion, biometric data, and family details must be blocked or redacted unless legally required and approved.

## DPDP controls

- Notify candidates that AI may assist resume parsing, matching, and recruiter summaries.
- Collect only data relevant to the role and hiring stage.
- Avoid automated rejection without human recruiter review.
- Keep explainable records that support shortlist or rejection decisions where AI materially contributed.
- Restrict candidate records to authorised hiring roles.
- Provide access, correction, withdrawal, grievance, and deletion request paths through [PRIVACY_CONTACT_EMAIL].
- Delete or de-identify candidate data after [RETENTION_PERIOD] unless the candidate opts into future opportunities.

## Automated decision safeguards

The system must not make final hiring, rejection, compensation, or background-check decisions without documented human review by [TALENT_OWNER] or an authorised hiring manager.

## Incident response

Suspected candidate-data leakage must be escalated to [SECURITY_OWNER] and [COMPLIANCE_OWNER] under [COMPANY_NAME]'s DPDP incident response process.

This template was reviewed by CrewCheck and aligns with the DPDP Act 2023 obligations.
