Data Protection Privacy Notice
1.1 Filshill Group takes the security and privacy of your data seriously. We need to gather and use information or ‘data’ about you as part of our recruitment process. We intend to comply with our legal obligations under the Data Protection Act 2018 (the ‘2018 Act’) and the EU General Data Protection Regulation (‘GDPR’) in respect of data privacy and security. We have a duty to notify you of the information contained in this policy.
1.2 This policy applies to all job applicants, whether they apply for a role directly or indirectly through an employment agency. It is non-contractual.
1.3 We have separate policies and privacy notices in place in respect of employees, workers and contractors and customers.
1.4 We have measures in place to protect the security of your data in accordance with our Data Protection Policy. A copy of this can be attained by contacting us at firstname.lastname@example.org.
1.5 The Company is a ‘data controller’ for the purposes of your personal data. This means that we determine the purpose and means of the processing of your personal data.
1.6 This policy explains how and why the Company will hold and process your information.
2 Data Protection Principles
2.1 Personal data must be processed in accordance with six ‘Data Protection Principles.’ It must:
- be processed fairly, lawfully and transparently;
- be collected and processed only for specified, explicit and legitimate purposes;
- be adequate, relevant and limited to what is necessary for the purposes for which it is processed;
- be accurate and kept up to date;
- not be kept for longer than is necessary for the purposes for which it is processed; and
- be processed securely.
We are accountable for these principles and must be able to show that we are compliant.
3 Data collected for the purposes of recruitment activities
3.1 ‘Personal data’ means information which relates to a living person who can be identified from that data (a ‘data subject’) on its own, or when taken together with other information which is likely to come into our possession. It includes any expression of opinion about the person and an indication of the intentions of us or others, in respect of that person. It does not include anonymised data.
3.2 This policy applies to all personal data whether it is stored electronically, on paper or on other materials.
3.3 Personal data might be provided to us by you, or someone else (such as a former employer, a recruitment or credit reference agency and criminal record checks from the Disclosure and Barring Service), or it could be created by us. Other than employment agencies, we will only seek personal information from third parties during the recruitment process once an offer of employment or engagement has been made to you and we will inform you that we are doing so. You are under no statutory or contractual obligation to provide personal information to the Company during the recruitment process, however, it may hamper your application if you cannot provide reasonably requested information.
3.4 We will collect and use the following types of personal data about you as part of our recruitment process:
- your contact details, including your name, address, telephone number and personal e-mail address
- personal information included in a CV, any application form, cover letter or interview notes
- information about your right to work in the UK and copies of proof of right to work documentation
- copies of qualification certificates
- copy of driving licence or other vehicle licences relevant to the role
- other background check documentation
- details of your skills, qualifications, experience and work history with previous employers
- information about your current salary level, including benefits and pension entitlements
- your professional memberships
- your identification documents including passport and driving licence and information in relation to your immigration status and right to work for us;
- your images (whether captured on CCTV, by photograph or video); and
- any other category of personal data which we may notify you of from time to time.
3.5 The Company may also collect, use and process the following special categories of your personal information during the recruitment process (as applicable):
- whether or not you have a disability for which the Company needs to make reasonable adjustments during the recruitment process
- information about your racial or ethnic origin, religious or philosophical beliefs and sexual orientation
- information about criminal convictions and offences.
4 How we define processing
4.1 ‘Processing’ means any operation which is performed on personal data such as:
- collection, recording, organisation, structuring or storage;
- adaption or alteration;
- retrieval, consultation or use;
- disclosure by transmission, dissemination or otherwise making available;
- alignment or combination; and
- restriction, destruction or erasure.
This includes processing personal data which forms part of a filing system and any automated processing.
5 How will we process your personal data?
5.1 The Company will process your personal data (including special categories of personal data) in accordance with our obligations under the 2018 Act and the GDPR.
5.2 We will use your personal information in one or more of the following circumstances:
- where we need to do so to take steps prior to entering into a contract with you, or to enter into a contract with you
- where we need to comply with a legal obligation
- where it is necessary for our legitimate interests (or those of a third party), and your interests or your fundamental rights and freedoms do not override our interests.
5.3 We need all the types of personal information listed under section 3.3 above, to enable us to take steps to enter into a contract with you, and to enable us to comply with our legal obligations. In some cases, we may also use your personal information where it is necessary to pursue our legitimate interests (or those of a third party), provided that your interests or your fundamental rights and freedoms do not override our interests. Our legitimate interests include: pursuing our business by employing employees, workers and contractors; managing the recruitment process; conducting due diligence on prospective staff and performing effective internal administration.
We can process your personal data for these purposes without your knowledge or consent. We will not use your personal data for an unrelated purpose without telling you about it and the legal basis that we intend to rely on for processing it.
If you choose not to provide certain personal information when requested, we may not be able to process your job application properly or at all, we may not be able to enter into a contract with you, or we may be prevented from complying with our legal obligations. You may also be unable to exercise your statutory rights.
6 Examples of when we might process your personal data
6.1 The purposes for which we are processing, or will process, your personal information are to:
- manage the recruitment process and assess your suitability for employment or engagement
- decide to whom to offer a job
- comply with statutory and/or regulatory requirements and obligations, e.g. checking your right to work in the UK
- comply with the duty to make reasonable adjustments for disabled job applicants and with other disability discrimination obligations
- ensure compliance with your statutory rights
- ensure effective HR, personnel management and business administration
- monitor equal opportunities
- enable us to establish, exercise or defend possible legal claims
6.2 We will only process special categories of your personal data in certain situations in accordance with the law. For example, we may use information about your disability status to consider whether we need to provide appropriate adjustments during the recruitment process, for example whether adjustments need to be made during a test or interview or should you be successfully employed.
6.3 We can process special categories of your personal data if we have your explicit consent. If we asked for your consent to process a special category of personal data then we would explain the reasons for our request prior to any processing of the special categories of your personal data taking place. You do not need to consent and can withdraw consent later if you choose by contacting by contacting us at email@example.com.
6.4 We do not need your consent to process special categories of your personal data when we are processing it for the following purposes, which we may do:
- where it is necessary for carrying out rights and obligations under employment law;
- where it is necessary to protect your vital interests or those of another person where you/they are physically or legally incapable of giving consent;
- where you have made the data public;
- where processing is necessary for the establishment, exercise or defence of legal claims; and
- where processing is necessary for the purposes of occupational medicine or for the assessment of your working capacity.
6.5 We may process information about your health and information about any criminal convictions and offences where we have your explicit written consent. In this case, we will first provide you with full details of the personal information we would like and the reason we need it, so that you can properly consider whether you wish to consent or not. It is your choice whether to consent and you may withdraw your consent at any time.
6.6 Where the Company processes other special categories of personal information, i.e. information about your racial or ethnic origin, religious or philosophical beliefs and sexual orientation, this is done only for the purpose of equal opportunities monitoring in recruitment and in line with our Data Protection Policy. Personal information that the Company uses for these purposes is either anonymised or is collected with your explicit written consent, which can be withdrawn at any time. It is your choice whether to provide such personal information.
6.7 We may also occasionally use your special categories of personal information, and information about any criminal convictions and offences, where it is needed for the establishment, exercise or defence of legal claims.
6.8 We do not take automated decisions about you using your personal data or use profiling in relation to you.
6.9 We will retain your personal information for as long as is necessary to fulfil the purposes for which it was collected and processed. If your application for employment or engagement is unsuccessful, the Company will generally hold your personal information for 6 to 18 months after the end of the relevant recruitment exercise or receipt of a speculative application. But this is subject to: (a) any minimum statutory or other legal, tax, health and safety, reporting or accounting requirements for particular data or records, and (b) the retention of some types of personal information for up to six years to protect against legal risk, e.g. if they could be relevant to a possible legal claim in a tribunal, or civil court.
6.10 If your application for employment or engagement is successful, personal information gathered during the recruitment process will be retained for the duration of your employment or engagement and thereafter in accordance with our Data Protection Policy for Employees, Workers and Contractors.
6.11 Personal information which is no longer to be retained will be securely and effectively destroyed or permanently erased from our IT systems and we will also require third parties to destroy or erase such personal information where applicable.
6.12 In some circumstances we may anonymise your personal information so that it no longer permits your identification. In this case, we may retain such information for a longer period.
7 Sharing your personal data
7.1 Your personal data may be shared internally for the purposes of the recruitment exercise with the HR Department, members of the recruitment team, managers within the department that has the vacancy and IT staff, if access to your personal information is necessary for the performance of their roles.
7.2 Sometimes we might share your personal data with group companies or our contractors and agents to carry out our obligations under our contract with you or for our legitimate interests.
7.3 We require those companies to keep your personal data confidential and secure and to protect it in accordance with the law and our policies. They are only permitted to process your data for the lawful purpose for which it has been shared and in accordance with our instructions.
7.4 We may utilise / contact external parties to;
- Conduct pre employment reference and employment background checks
- Obtain a Criminal Record Check
- Obtain an employment reference
- Undertake substance screening
- Obtain professional advice such as legal and occupational health advice
- Comply with Regulatory and external audit services
7.5 We do not send your personal data outside the European Economic Area. If this changes you will be notified of this and the protections which are in place to protect the security of your data will be explained.
8 Protecting your personal information
8.1 The Company has in place, measures to protect the security of your personal information. It has internal policies, procedures and controls in place to try and prevent your personal information from being accidentally lost or destroyed, altered, disclosed or used or accessed in an unauthorised way. In addition, we limit access to your personal information to those employees, workers, agents, contractors and other third parties who have a business need to know in order to perform their job duties and responsibilities.
8.2 Where your personal information is shared with third parties, we require all third parties to take appropriate technical and organisational security measures to protect your personal information and to treat it subject to a duty of confidentiality and in accordance with data protection law. We only allow them to process your personal information for specified purposes and in accordance with our written instructions and we do not allow them to use your personal information for their own purposes.
8.3 The Company also has in place procedures to deal with a suspected data security breach and we will notify the Information Commissioner’s Office (or any other applicable supervisory authority or regulator) and you of a suspected breach where we are legally required to do so.
9 Your rights in connection with your personal information
9.1 As a data subject, you have a number of statutory rights. Subject to certain conditions, and in certain circumstances, you have the right to:
- request access to your personal information – this is usually known as making a data subject access request
- request rectification of your personal information – this enables you to have any inaccurate or incomplete personal information we hold about you corrected
- request the erasure of your personal information – this enables you to ask us to delete or remove your personal information where there’s no compelling reason for its continued processing, e.g. it’s no longer necessary in relation to the purpose for which it was originally collected
- restrict the processing of your personal information – this enables you to ask us to suspend the processing of your personal information, e.g. if you contest its accuracy you can apply for its use to be restricted while the application is made.
- object to the processing of your personal information – this enables you to ask us to stop processing your personal information where we are relying on the legitimate interests of the business as our legal basis for processing and there is something relating to your particular situation which makes you decide to object to processing on this ground
- data portability – this gives you the right to request a copy of your data and to transfer your personal information to another data controller.
9.2 If you wish to exercise any of these rights, please contact us at firstname.lastname@example.org. We may need to request specific information from you in order to verify your identity and check your right to access the personal information or to exercise any of your other rights. This is a security measure to ensure that your personal information is not disclosed to any person who has no right to receive it.
9.3 In the limited circumstances where you have provided your consent to the processing of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. This will not, however, affect the lawfulness of processing based on your consent before its withdrawal. If you wish to withdraw your consent, please email email@example.com.
9.4 If you believe that the Company has not complied with your data protection rights, you have the right to make a complaint to the Information Commissioner’s Office (ICO) at any time. The ICO is the UK supervisory authority for data protection issues. Full contact details including a helpline number can be found on the Information Commissioner’s Office website (www.ico.org.uk). This website has further information on your rights and obligations.