VPS Privacy Notice: Applicants

General Data Protection Regulation (GDPR) May 2018

As part of any recruitment process, the VPS Group collects and processes personal data relating to potential employees. We are committed to being transparent about how we collect and use that data and to meeting our data protection obligations. You have been directed to this privacy notice because you are applying to work for a company in the VPS Group. In this privacy notice, we describe the VPS Group as “the organisation” or “VPS”.

What information does the organisation collect?

The organisation collects a range of information about you. This includes the following:

  • your name, address and contact details, including home address, email address and telephone number;
  • details of your qualifications, skills, experience and employment history;
  • information about your current level of remuneration, including benefit entitlements;
  • whether or not you have a disability for which the organisation needs to make reasonable adjustments during the recruitment process;
  • information about your entitlement to work in the UK; and
  • equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health and religion or belief (this information is held separately and is not provided to interviewing managers).

VPS may collect this information in a variety of ways. For example, data might be contained in application forms, CVs or resumes, obtained from your passport or other identity documents, or collected through interviews or other forms of assessment, including online tests.

We may also collect personal data about you from third parties, such as references supplied by former employers, information from employment background check providers and information from criminal records checks. We will seek information from third parties only once a job offer to you has been made and will inform you that we are doing so.

Data will be stored in a range of different places, including on your application record, in HR management systems and on other IT systems (including email). All of our third party service providers are required to take appropriate security measures to protect your personal information. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

Why does the organisation process personal data?

The organisation needs to process data prior to entering into a contract with you. In some cases, we need to process data to ensure that we are complying with our legal obligations. For example, we are required to check a successful applicant's eligibility to work in the UK before their employment starts.

We have a legitimate interest in processing personal data during the recruitment process and for keeping records of the process. Processing data from job applicants allows the organisation to manage the recruitment process, assess and confirm a candidate's suitability for employment and decide to whom to offer a job. The organisation may also need to process data from job applications to respond to and defend against legal claims.

The organisation may process information about whether or not applicants are disabled to make reasonable adjustments for candidates who have a disability. This is to carry out our obligations and exercise specific rights in relation to employment.

Where the organisation processes other special categories of data, such as information about ethnic origin, sexual orientation, health or religion or belief, this is for equal opportunities monitoring purposes. This practice is recommended by the Equality and Human Rights Commission. It is an important tool which enables VPS to ascertain at an early stage whether or not there appear to be any areas of our work from which certain groups are excluded. This data is valuable to VPS when considering positive action or revising relevant policies or decision-making processes. Employers will clearly be liable if they treat an employee less favourably because of any of the "protected characteristics" specified in the Equality Act 2010, in respect of which discrimination in employment is unlawful.

For some roles, we are obliged to seek information about criminal convictions and offences. Where the organisation seeks this information, it does so because it is necessary for it to carry out its obligations and exercise specific rights in relation to employment. By law, specific levels of DBS clearance are required to work in specific locations, with access to sensitive information or in close proximity with specific groups of people e.g. vulnerable adults or children.

If your application is unsuccessful, the organisation may keep your personal data on file in case there are future employment opportunities for which you may be suited. The organisation will ask for your consent before it keeps your data for this purpose and you are free to withdraw your consent at any time.

Who has access to my data?

In order to process your application and assess your suitability for a role, information may be shared internally for the purposes of the recruitment exercise. The information is only shared on a strict, need-to-know basis, and is limited to what is required by each individual to perform their role in the recruitment process. This includes members of HR and Recruitment, who have responsibility for certain HR processes (for example recruitment, assessment, pre-employment screening).

If it is necessary for the performance of their roles, your personal information may also be shared internally with the following members of staff:

  • Employees who would have managerial responsibility for you or are acting on their behalf
  • Interviewing employees who are directly involved in the recruitment process
  • Employees in IT and system owners who manage user access
  • Audit and Investigations employees in relation to specific audits and/or investigations
  • Security managers for facilities and/or premises
  • Health & Safety personnel, should you require any reasonable adjustments in order to attend interview

This information sharing may also be with other companies in the VPS Group for administrative purposes only.

The organisation will not share your data with third parties, unless your application for employment is successful and it makes you an offer of employment, or we are required to do so for legal or regulatory purposes. The organisation will then share your data with former employers to obtain references for you, employment background check providers to obtain necessary background checks and the Disclosure and Barring Service to obtain necessary criminal records checks. The organisation will not transfer your data outside the European Economic Area.

How does the organisation protect data?

The organisation takes the security of your data seriously. We have internal policies and controls in place to ensure that data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees as strictly required in the proper performance of their duties. We use a combination of physical and digital security measures to protect your data throughout the recruitment process. Swipe card systems protect areas where personal information is held. Swipe cards can be obtained by designated personnel only and must be programmed to allow access to specific areas of the business. Confidential waste bins are locked at all times and their contents are confidentially disposed of on a weekly basis. All Company computers are password protected, and personal information is held on secure drives with restricted access. VPS’s recruitment records can only be accessed by authorised personnel, for legitimate business purposes only.

Our branches and service centres are audited on a regular basis to ensure that recruitment paperwork is not retained locally once a campaign has been concluded. When we process your data, we do so on the basis of written instructions, and are under a duty of confidentiality. We are obliged to implement appropriate technical and organisational measures to ensure the security of your data, in accordance with our Group IT Policy.

How long does the organisation retain applicant data?

Your applicant information will be retained by VPS for a period of 6 months at the end of the relevant recruitment process. The purpose of this retention period is to respond to, or defend against, any appeals or claims that may be brought against VPS once the outcome of a recruitment campaign has been delivered.

An applicant can bring a claim against an organisation up to 3 months from the conclusion of the campaign to which they applied. Under certain circumstances, this time limit can be extended to 6 months.

If your application for employment is unsuccessful, we may contact you if a suitable role arises in the future. We will only keep your information on record for this purpose with your explicit consent for us to do so. Six months from the conclusion of the campaign for which you originally applied, or if you choose to withdraw your consent sooner, your data will be deleted or destroyed. If you do not provide consent for us to retain your information for this purpose, we will not be able to contact you if a suitable vacancy becomes available.

If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your personnel file and retained during your employment. The periods for which your data will be held will be provided to you in a new privacy notice.

Withdrawing your consent

In the limited circumstances where you have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

In order to withdraw your consent, please email Recruitment@vps.evander.com. Please ensure that your email contains your name and address, and explicitly states that you wish to withdraw your consent for your data to be processed.

If you believe that the organisation has not complied with your data protection rights, you have the right to complain to the Information Commissioner, the UK supervisory authority for data protection issues.

Your rights

As a data subject, you have a number of rights. You can:

  • access and obtain a copy of your data on request;
  • require the organisation to change incorrect or incomplete data;
  • require the organisation to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing; and
  • object to the processing of your data where the organisation is relying on its legitimate interests as the legal ground for processing.

If you believe that the organisation has not complied with your data protection rights, you can complain to the Information Commissioner.

Changing your personal information

It is very important that you notify us of any relevant changes to your personal information during the recruitment process, so that we can effectively manage your application. It is your responsibility to ensure that the information you provide as part of your application is accurate and up to date. If any of your details change during the recruitment process, please email the Human Resources Shared Services Department: HRSS@vps.evander.com, as soon as reasonably possible. The team can then update our recruitment records to reflect any changes.

If your application is unsuccessful, and you give permission for VPS to retain your recruitment information for the purposes of future vacancies, then you should notify VPS of any changes that may impact upon our ability to process your application, e.g. a change of telephone number. You can advise us of such changes by emailing HRSS@vps.evander.com. Your information will be retained for a period of 6 months only, from the end of the recruitment campaign to which you originally applied. Thereafter, your information will be confidentially destroyed, and there is no need for you to continue to update us in respect of your personal information.

What if you do not provide personal data?

You are under no statutory or contractual obligation to provide data to the organisation during the recruitment process. However, if you do not provide the information, the organisation may not be able to process your application properly or at all.

Automated decision-making

Recruitment processes are not based solely on automated decision-making. We do not envisage that any decisions will be taken about you using automated means; however, we will notify you in writing if this position changes.



Appendix A: Subject Access Requests

The General Data Protection Regulation (GDPR) allows individuals to access information from organisations that process their personal data. The process for obtaining this information is known as a “Subject Access Request”. For a subject access request to be valid, it should be made in writing. A request sent by email or fax is as valid as one sent in hard copy.

In response to a valid subject access request, you are entitled to receive the following information:

  • Confirmation of whether your personal data is being processed;
  • A description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people;
  • A copy of the information comprising the data; and
  • Details of the source of the data (where this is available).

Under the GDPR, the time limit for responding to a subject access request is one month from the date of receipt. However, if a request is complex, we may extend the time period for response by a further two months. If we need to extend the time period, we will inform you of this within one month of receipt of the subject access request and explain the reasons for the delay in responding.

We may need to verify your identity to ensure that your personal data is not inadvertently disclosed to a third party. As a result, we may need to ask for identification to check that a request is from a particular individual. This is less likely in the context of an ongoing employment relationship. However, appropriate data protection measures will be taken to confirm your identity prior to the disclosure of any personal data.

You will not have to pay a fee to access your personal information. However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request under such circumstances. We may charge a reasonable fee to comply with requests for further copies of the same information. However, this does not mean that we will charge for all subsequent access requests. Any fee will be based on the administrative cost of providing the information.

The current data protection legislation contains exemptions to the information that must be disclosed in response to a subject access request. These include where data is subject to legal professional privilege, is processed for the purpose of management planning, relates to intentions in negotiations with an individual, or consists of a confidential reference that the employer has given. We may also restrict disclosure where, for example, the information contains third-party personal data. Without explicit consent, it is likely that we will be unable to comply with a request that would involve disclosing information about another individual who could be identified from that information.

Appendix B: The Right to be Forgotten / The Right to Erasure

The Right to be Forgotten is also known as the “Right to Erasure”. The principle underpinning this right is to enable an individual to request the deletion or removal of their personal data, where there is no compelling reason for its continued processing. Under the GDPR, this right is not limited to processing that causes unwarranted and substantial damage or distress. If the processing does cause damage or distress, this is likely to make the case for erasure stronger.

Individuals may have personal data erased, and may prevent processing, under the following specific circumstances:

  • The personal data is no longer necessary in relation to the purpose for which it was originally collected or processed.
  • The individual withdraws consent, where VPS relies on consent as the legal basis for processing employee personal data.
  • The individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
  • The personal data was unlawfully processed (in breach of GDPR).
  • The personal data has to be erased in order to comply with a legal obligation.

If one of the above conditions applies, then it is the responsibility of the “data controller” to delete and remove the data without undue delay. Your data will be removed within one month, unless special circumstances apply.

If the personal data in question has been disclosed to third parties, we must contact each recipient and inform them of the erasure of the personal data, unless this involves disproportionate effort. If asked to, we must also inform you about these recipients. The GDPR dictates that it is the data controller’s responsibility to take ‘all reasonable steps’ to inform other outlets of the request for erasure and request that they comply with deletion or removal.

However, the right to be forgotten is not absolute. There are specific circumstances where the right to be forgotten does not apply and VPS can refuse to comply with a request. Specifically, where data is processed for the following reasons:

  • To exercise the right of freedom of expression and information.
  • To comply with a legal obligation for the performance of a public interest task or exercise of official authority.
  • For public health purposes in the public interest.
  • Archiving purposes in the public interest or statistical purposes.
  • The exercise or defence of legal claims.

In some cases, the restriction of personal data may be more applicable, and this could be used as an alternative option to erasure.

For further information on Subject Access Requests or The Right to be Forgotten, please contact ERSS@vps.evander.com.

To submit a subject access request or an erasure request, please contact ERSS@vps.evander.com.