As part of our recruitment process, we collect and process personal data relating to job applicants. This personal data may be held by us on paper or in electronic format.
We are committed to being transparent about how we handle your personal data, to protecting the privacy and security of your personal data and to meeting our data protection obligations under the General Data Protection Regulation (“GDPR”). The purpose of this privacy notice is to make you aware of how and why we will collect and use your personal data during the recruitment process. We are required under the GDPR to notify you of the information contained in this privacy notice.
This privacy notice applies to all job applicants, whether you apply for a role directly or indirectly through an employment agency.
Unless we inform you otherwise during the recruitment process, we will be your data controller.
We comply with the principles of data protection (the Principles) enumerated in the EU General Data Protection Regulation. We will make every effort possible in everything we do to comply with these principles. The Principles are:
1. Lawful, fair and transparent
Data collection must be fair, for a legal purpose and we must be open and transparent as to how the data will be used.
2. Limited for its purpose
Data can only be collected for a specific purpose.
3. Data minimisation
Any data collected must be necessary and not excessive for its purpose.
The data we hold must be accurate and kept up to date.
We cannot store data longer than necessary.
6. Integrity and confidentiality
The data we hold must be kept safe and secure.
How do we collect your personal data?
We collect personal data about you during the recruitment process either directly from you or sometimes from a third party such as an employment agency. We may also collect personal information from other external third parties, such as references from current and former employers.
You are under no statutory or contractual obligation to provide personal data during the recruitment process.
Your personal data may be stored in different places, including on your application record, in our HR management system and in other IT systems, such as the email system.
What types of personal information do we collect about you and process?
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly. We collect and process personal data about you when you apply for a job with us.
We collect, use and process a range of personal data about you (where you provide this data to us) during the recruitment process. This includes (as applicable):
- your contact details, including your name, address, telephone number and email address (1), (2), (3)
- personal information included in a CV, cover letter or interview notes (1), (2), (3)
- references and assessments relating to your work for previous employers (1)
- information about your right to work in the UK and copies of proof of right to work documentation (2)
- copies of qualification certificates (1)
- details of your skills, qualifications, experience and work history with previous employers (1), (2), (3)
- information about your current salary level, including benefits and pension entitlements (1), (2), (3)
- your professional memberships (1), (2), (3)
We may also collect, use and process the following special categories of your personal information (where you provide this data to us) during the recruitment process:
- whether or not you have a disability for which we need to make reasonable adjustments during the recruitment process (1), (2), (3)
- information about your racial or ethnic origin, religious or philosophical beliefs and sexual orientation (1), (2)
Why and how do we use your personal information?
We will only use your personal information when the law allows us to. This is known as the legal basis for processing. We will use your personal information in one or more of the following circumstances:
- where we need to do so to take steps at your request prior to entering into a contract with you, or to enter into a contract with you (1)
- where we need to comply with a legal obligation (2)
- where it is necessary for our legitimate interests (or those of a third party), and your interests or your fundamental rights and freedoms do not override our interests (3).
We need all the types of personal information listed under “What types of personal information do we collect about you?” primarily to enable us to take steps at your request to enter into a contract with you, or to enter into a contract with you (1), and to enable us to comply with our legal obligations (2). In some cases, we may also use your personal information where it is necessary to pursue our legitimate interests (or those of a third party), provided that your interests or your fundamental rights and freedoms do not override our interests (3). Our legitimate interests include: pursuing our business by employing employees; managing the recruitment process; conducting due diligence on prospective employees and performing effective internal administration. We have indicated, by using (1), (2) or (3) next to each type of personal information listed above, what lawful basis we are relying on to process that particular type of personal information.
The purposes for which we are processing, or will process, your personal information are to:
- manage the recruitment process and assess your suitability for employment or engagement;
- decide to whom to offer a job;
- comply with statutory and/or regulatory requirements and obligations, e.g. checking your right to work in the UK;
- comply with the duty to make reasonable adjustments for disabled job applicants and with other disability discrimination obligations;
- ensure compliance with your statutory rights;
- ensure effective HR, personnel management and business administration;
- monitor equal opportunities;
- enable us to establish, exercise or defend possible legal claims;
Please note that we may process your personal information without your consent, in compliance with these rules, where this is required or permitted by law.
What if you fail to provide personal data?
If you fail to provide certain personal information when requested, we may not be able to process your job application properly or at all, we may not be able to enter into a contract with you, or we may be prevented from complying with our legal obligations. You may also be unable to exercise your statutory rights.
Change of purpose
We will only use your personal information for the purposes for which we collected it, i.e. for the recruitment exercise for which you have applied.
However, if your job application is unsuccessful, we may wish to keep your personal information on file for in case there are future suitable employment opportunities with us. We will ask for your consent before we keep your personal information on file for this purpose. Your consent can be withdrawn at any time.
Who has access to your personal information?
Your personal information may be shared internally for the purposes of the recruitment exercise.
We will not share your personal information with third parties during the recruitment process unless your job application is successful and we make you an offer of employment or engagement. At that stage, we may also share your personal information with third parties (and their designated agents), including:
- external organisations for the purposes of conducting pre-employment reference and employment background checks;
- former employers, to obtain references;
- professional advisors, such as legal advisors;
- government officials and systems, such as the Points Based System.
We may also need to share your personal information to comply with the law.
We may share your personal information with third parties where it is necessary to take steps at your request to enter into a contract with you, or to enter into a contract with you, where we need to comply with a legal obligation, or where it is necessary for our legitimate interests (or those of a third party).
After the recruitment exercise we may share your personal data with our professional advisors such as our external legal advisors if needed for legal protection of our legitimate interests in compliance with applicable laws.
In the event that any part of our business is sold or integrated with another business, your details may be disclosed to our advisors and those of any prospective purchaser and would be passed to the new owners of the business.
How long will you keep my personal data?
We will not keep your personal information for longer than is necessary and will only retain the personal information that is necessary to fulfil the purpose. We are also required to retain certain information by law or if it is reasonably necessary to meet regulatory requirements, resolve disputes or enforce our terms and conditions.
If a job applicant’s application for employment is unsuccessful, we will generally hold your personal data, which may include special categories of personal data, for 12 months after the end of the relevant recruitment exercise or until you withdraw your consent.
If your application is successful and you become an employee we will provide you with a copy of the Privacy Notice for Employees. The retention periods referred to therein will apply to your personal data during your employment.
How do we protect your personal information?
We have put in place measures to protect the security of your personal information. We have internal policies, procedures and controls in place to try and prevent your personal information from being accidentally lost or destroyed, altered, disclosed or used or accessed in an unauthorised way. In addition, we limit access to your personal information to those employees and other third parties who have a business need to know in order to perform their job duties and responsibilities. You can obtain further information about these measures from our Privacy Team using this email address firstname.lastname@example.org
Where your personal information is shared with third parties, we require all third parties to take appropriate technical and organisational security measures to protect your personal information and to treat it subject to a duty of confidentiality and in accordance with data protection law. We only allow them to process your personal information for specified purposes and in accordance with our written instructions and we do not allow them to use your personal information for their own purposes.
We also have in place a policy and process to deal with a suspected data security breach and we will notify the Information Commissioner’s Office (or any other applicable supervisory authority or regulator) and you of a suspected breach where we are legally required to do so.
Transferring personal information outside the European Economic Area
We will not transfer your personal information to countries outside the European Economic Area.
What are my rights in relation to my personal data?
If the information we hold about you is inaccurate or incomplete, you can notify us and ask us to correct or supplement it.
You also have the right, with some exceptions, to ask us to provide a copy of any personal data we hold about you.
If you have a complaint about how we have handled your personal data, you may be able to ask us to restrict how we use your personal data while your complaint is resolved. In some circumstances you can ask us to erase your personal data:-
- by withdrawing your consent for us to use it;
- if it is no longer necessary for us to use your personal data;
- you object to the use of your personal data and we don’t have a good reason to continue to use it; or
- we haven’t handled your personal data in accordance with our obligations.
If you wish to exercise any of these rights, please contact our Privacy Team using this email address email@example.com We may need to request specific information from you in order to verify your identity and check your right to access the personal information or to exercise any of your other rights. This is a security measure to ensure that your personal information is not disclosed to any person who has no right to receive it.
In the limited circumstances where you have provided your consent to the processing of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. This will not, however, affect the lawfulness of processing based on your consent before its withdrawal. If you wish to withdraw your consent, please contact our Privacy Team using this email address firstname.lastname@example.org
If you believe that we haven’t complied with your data protection rights, you have the right to make a complaint to the Information Commissioner’s Office (ICO) https://ico.org.uk/ at any time. The ICO is the UK supervisory authority for data protection issues.
Where can I find more information about how we handle your data?
Should you have any queries regarding this Privacy Notice, about how we process your personal data or wish to exercise your rights you can contact our Privacy Team using this email address email@example.com If you are not happy with our response, you can contact the Information Commissioner’s Office: https://ico.org.uk/
Changes to this privacy notice
We reserve the right to update or amend this privacy notice at any time. Updated versions will be available on our website.