Understanding the Time-Based and Job-Based Consent Data Privacy Feature

Overview

The iCIMS Talent Cloud is capable of supporting customer efforts to maintain compliance with applicable laws and regulations (e.g., GDPR, CCPA, etc.). For organizations using iCIMS Applicant Tracking (ATS) and related iCIMS systems, the system includes a set of configurations that enable a customer to display a privacy notice to its candidates, capture acceptance or consent to the notice if desired, and manage data subject or privacy requests. 

iCIMS ATS, iCIMS Offer Management portal, and iCIMS Connect (Legacy CRM) support an optional time-based and job-based consent feature which builds upon other privacy functionality in the system. If enabled, the feature requires that any candidate who is asked to provide consent to an organization's privacy notice provide either time-based or job-based consent to the use of their data.

• Time-based consent is meant to convey that an organization can only use a candidate’s data for a specified duration. Time-based consent is automatically calculated based off the candidate’s last login date by default, but can be calculated based off the candidate's extension of their consent, if so enabled by a customer. If configured by a customer to request time-based consent to processing from candidates, that time limitation will be automatically provided in the ATS with the candidate’s application. Additionally,  time-based consent can be enabled for candidates who are entered into ATS either manually or through an integration with another product and who have not yet provided consent; this feature prompts candidates to provide such consent, and purges their data if they do not within 30 days.
  • Note: The candidate’s email address and country of residence must be entered in order for this to prompt to occur.
• Job-based consent is meant to convey that an organization can only use a candidate’s data for the job they applied for and while the job is active. Accordingly, this consent type prevents users from submitting candidates to other jobs themselves.
  • Note: Some exceptions may apply in the case of a single, long-term “evergreen” job posting used to attract candidates for a frequently-needed role, where recruiters can then transfer candidates from the evergreen posting to individual open requisitions. For more on this functionality, review the Transferring Candidate Activity Between Application Profiles article.
     

Candidates may provide this consent when they apply for a job on an iCIMS-hosted career site or when they first log in to an iCIMS-hosted career site, iCIMS Offer Management portal, or iCIMS Connect (Legacy CRM) portal after the feature has been enabled. These candidates may also update their selection in the Data Subject Request section of the candidate dashboard. 


Notes: ​​​​

• The iCIMS Onboarding product’s new hire onboarding portal does not support the same privacy notice settings as iCIMS ATS, iCIMS Offer Management, and iCIMS Connect (Legacy CRM) because the candidate experience across these products is connected, and typically candidate information is captured prior to the onboarding stage. Should a new hire be required to review a privacy notice or access a mechanism to exercise any applicable privacy rights without doing so through the candidate-facing interface for one of the other aforementioned solutions (e.g., if a customer does not collect candidate information from candidates through an iCIMS ATS career site), it is the responsibility of the customer to determine any processes required to ensure that any information stored in the iCIMS Talent Cloud is in compliance with the customer's relevant privacy obligations.  
• For customers with data syncing between iCIMS ATS and iCIMS Candidate Relationship Management (CRM), time-based and job-based consent applies to data imported to and from CRM. For more information on this integration, review the Understanding Data Syncing Between iCIMS Applicant Tracking (ATS) and iCIMS Candidate Relationship Management (CRM) article.
• After the time-based and job-based consent feature has been enabled and candidates have begun providing time-based and job-based consent, the feature will only function as designed if it remains enabled.
• Time-based and job-based consent configuration options are only available for candidates that apply through iCIMS-hosted career sites and related systems, or once they reach those systems in the application process. External job boards will not automatically enable this feature.

 

Note: The information contained in this resource is not legal advice and is for informational and/or educational purposes only. The information is provided "as is" without any express or implied warranty of any kind.

 

Additional Resources

More information about system data privacy functionality and configurations can be found on the iCIMS Data Protection, Privacy, & Security Updates page. For links and other resources regarding how iCIMS ATS can support customer privacy and data protection efforts, review the following resources:

• Understanding How the iCIMS Talent Cloud Can Support GDPR Compliance
• Understanding How the iCIMS Talent Cloud Can Support CCPA Compliance
• Understanding the Privacy Notice Feature & Data Request Messaging Options
• Understanding Personal Data Request Reporting
• Downloading and Sending a Candidate Personal File
• Purging Person Profiles

 

Article Contents

• Preparing to Configure the Time-Based and Job-Based Consent Feature
• Messaging for Time-Based and Job-Based Consent in Context
• Purge & Restrict Processing Folder Access

 

Preparing to Configure the Time-Based and Job-Based Consent Feature

In consultation with their organization’s legal resource, as applicable, an organization's user admin may wish to make the following configuration decisions prior to requesting that the time-based and job-based consent feature be enabled:

1. Determine your organization's data privacy processes and how iCIMS systems fit into those processes.
2. Make all necessary configurations to the privacy notice and data request messaging feature (described in the Understanding the Privacy Notice Feature & Data Request Messaging Options article). 
   • The following configurations are required for the time-based and job-based consent feature to function:
     • All messaging described in the Understanding the Privacy Notice Feature & Data Request Messaging Options article must be configured per the organization's policies. 
     • Enable Data Privacy Notice (Full text) must be enabled.
     • GDPR Consent Capture Type For New Candidates must be set to either Only Capture Consent for EU/UK Residents or Capture Consent for Everyone, as applicable.
     • GDPR Consent Capture Type For Existing Candidates must be set to either Only Capture Consent for EU/UK Residents or Capture Consent for Everyone, as applicable.
     • GDPR Consent Capture Type For New Candidates and GDPR Consent Capture Type For Existing Candidates should be set to the same value. Other scenarios are not recommended.
3. Prepare configuration information for the time-based and job-based consent feature for each relevant career site/portal (described in the Messaging for Time-Based and Job-Based Consent section below).
   • Time-based consent configuration information:
     1. Brief language for time-based consent/acknowledgement (required).
     2. How time-based consent duration will be calculated: (a) automatically by the amount of time since a candidate’s last log in (options: 6 months; 1, 2, 3, or 4 years); or (b) manually by requiring candidates to explicitly extend their time-based consent (required).
     3. Whether an email should be sent to warn candidates 30 days before expiration that their consent is expiring (and inform them that they can choose to log in to the career site/portal to automatically or manually extend their consent); if so, subject and message for time-based consent expiration warning email (optional).
   • Restriction of candidates without consent configuration information:
     1. Which countries this feature should be configured for (required).
     2. One or more templates for emails to collect consent from candidates (required, can be configured per country).
   • Job-based consent configuration information:
     1. Determination as to whether job-based consent selection can be overwritten by the Transfer Candidate Activity option (e.g. if a customer wishes to move a candidate into a similar open role, or if the customer has an “evergreen” position that they would like to move the candidate into).  As noted below, customers should clarify in the acknowledgment form that job-based consent preferences may be overwritten in such cases.
     2. Brief language for job-based consent/acknowledgement (required).
        1. Note: Customers who wish to configure job-based consent so that candidates may be transferred to a similar open role (e.g. as in the case of “evergreen jobs”), even if the candidate has enabled and configured job-based consent, must note this in the job-based consent acknowledgment form so that candidates are aware that their application may still be considered for another job.
     3. List of job folders that are considered "active" for the purpose of job-based consent (required).
     4. Whether an email should be sent to warn candidates when the job is placed in an inactive folder that their consent is expiring; if so, subject and message for job-based consent expiration warning email (optional).
   • If applicable, automated Person profile purge information:
   1. Retention period (in days) for candidates per specified countries. Organizations should choose the retention period in consultation with their legal resource.
   • If applicable, iCIMS Connect (Legacy CRM) configuration information:
     1. Request to enable the Default to Time Based Consent on Connect Portal setting, if desired.
     2. The Connect Message: Consent text that should display on the iCIMS Connect (Legacy CRM) portal, if different from the Message: Consent text. 
        • Notes:
          • Job-based consent is not compatible with iCIMS Connect (Legacy CRM). 
          • If the time-based and job-based consent feature is enabled and the Default to Time Based Consent on Connect Portal setting is enabled, all candidates that enter the system through iCIMS Connect (Legacy CRM) are treated as having provided time-based consent.
4. Submit a case to iCIMS Technical Support with the following information:
   1. Request to enable the time-based and job-based consent feature.
   2. Whether time-based and job-based consent options should display on all career sites/portals or only specific career sites/portals.
   3. For each applicable career site/portal:
      • Choose between time-based consent duration automatic or manual options: (a) the amount of time since a candidate’s last log in (6 months; 1, 2, 3, or 4 years); or (b) the manual extension of time-based consent from candidates.
      • Whether an email should be sent to warn candidates 30 days before expiration that their consent is expiring and inform them that they can choose to log in to the career site/portal to automatically or manually extend their consent; if so, subject and message for time-based consent expiration warning email.
      • List of job folders that are considered "active" for the purpose of job-based consent.
      • Whether an email should be sent to warn candidates when the job is placed in an inactive folder that their consent is expiring; if so, subject and message for job-based consent expiration warning email.
   4. For each iCIMS Connect (Legacy CRM) portal:
      • Request to enable the Default to Time Based Consent on Connect Portal setting, if desired.
   5. Request to enable purge permissions for user admins, if not yet enabled and if applicable to the organization's data privacy processes. For more information about purge, refer to the Purge & Restrict Processing Folder Access section of this article and the Purging Person Profiles article.
5. Complete feature configuration within System Configuration
   1. To add your organization's brief language for time-based consent/acknowledgement and brief language for job-based consent/acknowledgement to each relevant dropdown option in rcf3335 (Which consent type are you agreeing to?) (required):
      • Navigate to Admin > System Configuration > System > Person > Platform > Contact > rcf3335 (Which consent type are you agreeing to?). Select the down arrow to the right of the row, then select Edit Field Properties > Edit.
      • To update the text for all career sites/portals, select User Group > Career Portals. (To update the text for individual career sites/portals, select User Group > [Career Site Name].)
      • Select (Enter language for time-based consent) and update the Label with your organization's text.
      • Select (Enter language for job-based consent) and update the Label with your organization's text.
      • Unhide the field and if desired, mark as required.
      • Select Save.
   2. 2. To edit the text of the label that displays above the rcf3335 dropdown menu (optional; only displays on career site/portal when manual time-based consent option is enabled):
      • Navigate to Admin > System Configuration > Applicant Tracking > Configure > Pages > Label: Type of Consent (under Data Privacy Compliance Configuration Page (e.g., GDPR, CCPA).
      • Update the label with your organization’s text. If applicable, update the desired career sites/portals and select Save.
   3. 3. To add a consent date field (optional; only displays on career site/portal when manual time-based consent option is enabled):
   • •  

• Navigate to Admin > System Configuration > System > Person > Platform > Contact > rcf3550 (GDPR Consent Date). 
• Update the Field Label with your organization’s text.
• Unhide the field and if desired, mark as required.
• Select Save.

1. 4. To edit the text of additional time-based consent labels (optional; only displays on career site/portal when manual time-based consent option is enabled):

• • Navigate to Admin > System Configuration > Applicant Tracking > Configure > Pages (under Data Privacy Compliance Configuration Page (e.g., GDPR, CCPA).
  • Update the label(s) with your organization’s text as desired:
    • Label: Last Date of Consent
    • Label: Date of Consent Expiration
  • If applicable, update the desired career sites/portals and select Save.
• 5. To edit the text of additional success messages and button labels (optional; only displays on career site/portal when manual time-based consent option is enabled):
  • Navigate to Admin > System Configuration > Applicant Tracking > Configure > Pages (under Data Subject Requests Page (e.g., GDPR, CCPA).
  • Update the success message(s) and button label(s) with your organization’s text as desired:
    • Extent Consent Success Message
    • Consent type change Success Message
    • Label: Extend Consent Button
    • Label: Change Consent Button
  • If applicable, update the desired career sites/portals and select Save.

6. To add a specific iCIMS Connect (Legacy CRM) consent message, if applicable:
   • Navigate to Admin > System Configuration > Applicant Tracking > Configure > Pages > Connect Message: Consent.
   • Enter your organization's text.
   • Select Save.

 

Messaging for Time-Based and Job-Based Consent in Context

Career Site/Portal Messaging

In consultation with their organization’s legal resource, as applicable, the user admin should prepare text for the time-based and job-based consent options for all applicable career sites/portals prior to requesting that iCIMS Technical Support enable the time-based and job-based consent feature.

When this feature is enabled, candidates are asked to select a job-based or time-based consent type from a dropdown menu.

• For new candidates, the consent type question displays on the Ask Email page.
  • Note: For new iCIMS Connect (Legacy CRM) candidates, the system behavior is different. For more information refer to the iCIMS Connect (Legacy CRM) Portal Messaging section below.
• For existing candidates who have not yet selected a consent type, the question displays after logging in to the career site/portal for iCIMS ATS, iCIMS Offer Management, or iCIMS Connect (Legacy CRM).

The time-based and job-based consent feature displays the rcf3335 (Which consent type are you agreeing to?) dropdown beneath the Message: Consent field: 

A new candidate may encounter the rcf3335 (Which consent type are you agreeing to?) dropdown on the Ask Email First page.
 

The candidate must select one of these two options and provide an affirmation of consent (not pictured) to progress. Candidates will only be presented with this question once; however, candidates can access the Data Subject Requests page on their dashboard to change their response, if desired.

Configuration Notes: 

• After the overall feature has been enabled by iCIMS Technical Support, the user admin will replace the default text values in the rcf3335 (Which consent type are you agreeing to?) Person profile field dropdown by following the steps described in the Complete feature configuration within System Configuration sub-section in the Preparing to Configure the Time-Based and Job-Based Consent Feature section of this article. 
• When configuring the rcf3335 (Which consent type are you agreeing to?), the user admin must ensure that the options retain their original meaning (i.e., the time-based consent option must be used for time-based consent and the job-based consent option must be used for job-based consent). There is automated backend functionality tied to this feature that requires the options to retain the same meaning, and user admins should check that they are consistent when replacing the default text values.
• Additional fields, messages, and buttons related to manual time-based consent display for candidates to view consent details, change consent, and extend consent based on the configurations set by your organization. These configurations are described in the Complete feature configuration within System Configuration sub-section in the Preparing to Configure the Time-Based and Job-Based Consent Feature section of this article.

 

iCIMS Connect (Legacy CRM) Portal Messaging

For organizations that use iCIMS Connect (Legacy CRM), user admins are recommended to request that iCIMS Technical Support enable the Default to Time Based Consent on Connect Portal setting, as job-based consent is not compatible with this solution. If this setting is enabled, the rcf3335 (Which consent type are you agreeing to?) dropdown does not display on the iCIMS Connect (Legacy CRM) portal and the system treats all applicants as having provided time-based consent.
   

Automated Email Messaging

In consultation with their organization’s legal resource, as applicable, the user admin can choose to have candidates be automatically notified via email that their profile will be purged per their chosen consent option. If desired, the user admin should prepare automated email messaging for the time-based and job-based consent dropdown options for all applicable career sites/portals prior to requesting that iCIMS Technical Support enable this feature.

If email notifications are enabled:

• For time-based consent, the email is sent 30 days before expiration.
• For job-based consent, the email is sent once the job is placed in an inactive folder.

Unique email templates can be created per-portal and per-consent-type. Sender and recipient variables can be utilized in the email templates as desired.

Configuration Note: To enable or update the text or parameters of these email notifications, submit a case to iCIMS Technical Support that includes all relevant information described in the Submit a Case to iCIMS Technical Support sub-section in the Preparing to Configure the Time-Based and Job-Based Consent Feature section of this article. 

 

Purge & Restrict Processing Folder Access

After reaching the limit of a candidate's chosen consent type or the time limit for storing data without consent, the system automatically moves the candidate to a designated Restrict Processing folder. This occurs 30 days after the job is no longer active for job-based consent or when the time expires for time-based consent. 

Note: When the time-based and job-based consent feature is enabled, the system also automatically moves candidates who submit a Request Deletion request via the Data Subject Request page to the designated Restrict Processing folder.

After candidate profiles are automatically placed in the designated Restrict Processing folder, they can be manually purged from the system, which irreversibly deletes those profiles. Organizations can also choose to schedule automated purges of designated Person profiles. This can address right to erasure (‘right to be forgotten’) requests, removal or withdrawal of consent requests, or attempts to address data retention requirements. The user admin must ensure that the organization's specific purging and data retention processes and any other relevant regulations, as applicable, are reviewed prior to scheduling a purge.

A user admin can manually schedule a purge via Admin > Tools > Purge Archives if they have permissions to do so. Three feature-specific purge options display on the Purge Archives page for organizations who have configured job-based and time-based consent: 

• Person Restrict Processing Time Based: Profiles marked for deletion per time-based consent 
• Person Restrict Processing Job Based: Profiles marked for deletion per job-based consent 
• Person Restrict Processing Portal: Profiles marked for deletion because of a Request Deletion request

A user admin can automatically schedule a purge by initially submitting a case to iCIMS Technical Support and providing the retention period (in days) for candidates per specified countries. Organizations should choose the retention period in consultation with their legal resource. 

After reaching the limit of the candidate's chosen consent type, the Person profile is placed in a designated Restrict Processing folder. The Person profile will then automatically be scheduled to purge when the Person profile within the designated Restrict Processing folder matches its associated country’s retention period. 

Once scheduled, the purge occurs during low system usage hours. Purge requests take place during low usage hours to avoid affecting performance of the system. They cannot be scheduled for a specific time or window. It may take some time for all profiles to purge based on system usage. User admins (with appropriate permissions) can check the progress of a purge by visiting the Purge Archives page.

Configuration Notes: 

• By default, system users can see candidate information for candidates in the Restrict Processing folder. Search locks may be added to restrict login groups from accessing candidates in the system who are in the Restrict Processing folder. A user admin can configure search locks within the ATS by submitting a case to iCIMS Technical Support. A user admin can configure search locks within the CRM directly from their user interface.
• If an organization's user admins do not have purge permissions, the organization's decision-making user admin may submit a case to iCIMS Technical Support to request this permission. 
• For automatic purges, the retention period per country corresponds to the Regulatory Country field in Person profiles. If the Regulatory Country field is blank, it corresponds to the Address Country field in Person profiles.
• Person profiles associated with countries where the retention duration has not been configured will not be automatically scheduled for purge. These profiles must be manually scheduled for purge.
• Automatic purges do not apply to profiles that are within the Job, Person, or Location folders in Purge Archives. 

Excluding Person Folders from Deletion

Organizations can choose Person folders to exclude from being automatically placed in the designated Restrict Processing folder based on the Person profile’s consent type limit. Person profiles which either are currently in a chosen Person folder or were previously in that folder would be excluded from automatic placement in the Restrict Processing folder.

This option may be applicable if organizations wish to prevent current employees from being placed in the Restrict Processing folder. However, organizations who choose to utilize this configuration will have to manage the purging of profiles currently or previously in the chosen folder(s) manually, as they will no longer be automatically placed in the Restrict Processing folder after reaching the consent type limit.

If interested in utilizing this new option as part of your organization’s data protection and privacy configurations, your user admin should submit a case to iCIMS Technical Support and provide the names of the applicable Person folders.