Why do we have this privacy notice?
The controller of your personal information
Your duty to inform us of changes
What if you do not provide personal information?
If you have queries or concerns just ask!
Changes to this notice
Data protection principles
- Used lawfully, fairly and in a transparent way.
- Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
- Relevant to the purposes we have told you about and limited only to those purposes.
- Accurate and kept up to date.
- Kept only as long as necessary for the purposes we have told you about.
- Kept securely.
What personal information do we collect?
In connection with your relationship or interactions with us, we may collect and process a wide range of personal information about you. This includes:
- Personal contact details such as name, title, address, email address and telephone number(s).
- Information about your date of birth, age, gender, marital status, next of kin, dependants, family members and emergency contacts.
- Any information provided by you or a recruitment agency or created by us as part of the recruitment process, e.g. your CV, any application form, during any assessment tests, during any telephone/video calls and during an interview, and this information may cover for example your past work history, your current and past remuneration, tax status, right to work, national insurance number, qualifications and experience, professional memberships, personality characteristics, references, job offers, proposed terms and other information relevant to recruitment.
- Bank account details, financial transactions, payments.
- Any terms and conditions relating to your relationship with us.
- Any communications between ourselves and you.
- Details of services carried out by you in connection with our relationship with you, details of your interest in and connection with any organisation which supplies any services to us, details of any products or services supplied to us.
- Details of services supplied by us in connection with our relationship with you or your organisation, details of your interest in and connection with any organisation to which we supply any services, and information linked with any services supplied by us.
- Business related information, such as where you are a sole trader, a partner or a company director or a key member of staff of a business we have a relationship with.
- Performance information related to our relationship with you or a business we have a relationship with.
- Publicly available personal information, including any which you have shared via a public platform, online or on social media and also non-public personal information where you have followed or linked to any of our social media.
- Details of your education or work history including organisations, positions, roles, responsibilities.
- Creditworthiness as we may undertake investigations in order to establish whether to enter into or continue a business relationship with you or your organisation.
- Your usage of any of our IT systems we make available to visitors to our premises, e.g. visitor Wi-Fi.
- Identification information including your driving licence and/or passport and background checks.
- Details of any queries, complaints, claims and cases involving both us and yourself including any related communications.
- Information obtained through electronic means such as swipe card records and access control systems if you visit our premises.
- Usage Data collected automatically when you use any application or web service from us. Usage Data may include information such as your device's Internet Protocol address (e.g. IP address), browser type, browser version, the pages or services that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers and other diagnostic data.
- When you access our applications and web services through a mobile device, we may collect certain information automatically, including, but not limited to, the type of mobile device you use, your mobile device unique ID, the IP address of your mobile device, your mobile operating system, the type of mobile Internet browser you use, unique device identifiers and other diagnostic data. We may also collect information that your browser sends.
- Photographs, video footage, audio recordings, and other content, for example when you leave a voicemail message, or when you are involved in creating content for marketing, promotional or educational programmes, or which you may provide to us.
- Information about you and non-public details of shareholdings, investments or other interests you may have and any dealings you may have in any of them.
- Any other personal information you provide to us.
We may also in some cases collect and process more sensitive special category personal information including:
- Information about your health including any medical condition, health, and sickness records, including:
  - where you have a disability or medical condition for which we need to make reasonable adjustments, including where you visit our premises.
  - where you inform us about any ill-health, injury, or disability.
  - information about your health, for example as part of the recruitment process in relation to benefits as part of your remuneration.
In cases where it is relevant, we may also collect criminal records information about you, for example an offence committed by you or alleged to have been committed by you that impacts on your relationship with us or your position in an organisation regulated by us or it affects your ability to work for us.
We aim not to collect personal information about children
Where do we collect your personal information from?
- Usage of applications or web services delivered from us.
- Often most of your personal information is collected directly from you, for example through contact with you, through your applications, CVs or resumes, memberships, from your passport or other identity documents such as your driving licence; from forms completed by you during the recruitment process (such as forms to obtain some remuneration benefits); when we provide services to you, when you visit our premises, from correspondence with you or through interviews, meetings or other interactions with us or other personal information you provide to us.
- If you work for an organisation that has a relationship with us, then we may collect some of your personal information from them.
- If you are a client or customer of an organisation that we provide services to, then we may collect all personal information about you from that organisation, and not directly from you.
- From our website, other websites, the internet, social media or other platforms including public sources of information.
- Third parties such as organisations you have worked for in the past, referees whose details you provide to us, recruitment agencies, temporary worker agencies, recruitment websites or platforms, company registration authorities, professional or trade organisations.
- From our website(s) and information technology and communications systems, access control systems and suppliers we use in connection with them.
- From third parties appointed by you, for example any agency you work with or any financial or legal advisors.
- From third parties appointed by us, for example legal advisors appointed by us or credit reference agencies, identity or background check providers, data cleansing service providers or market/data research providers, analysis service providers.
- From government or government related bodies, regulators, the police, law enforcement authorities, the security services and Disclosure and Barring Service in respect of criminal convictions.
We store personal information relating to you in a range of different places, such as information technology systems (including our email system).
What are our bases for processing your personal information?
- Where we need to perform the contract we have entered into with you which covers your relationship with us or to take steps to enter into that contract.
- Where we need to comply with a legal obligation which applies to us, for example complying with health and safety laws for visitors.
- Where it is necessary for legitimate interests pursued by us or a third party and your interests and fundamental rights do not override those interests. We have set out in the section below how we use your personal information together with more details on our legitimate interests.
- Where you have given your consent. Generally, we do not rely on or need your consent for almost all uses we make of your personal information.
- Where we have your explicit consent to do so.
- Where it is necessary for us to comply with our obligations and exercise our rights in the field of employment law, social security law and social protection law.
- Where we need to protect your vital interests (or someone else's vital interests).
- Where you have already made public the personal information.
- In establishing, exercising or defending legal claims, whether those claims are against us or by us.
- Where it is necessary in the public interest.
How will we use your personal information?
- We may process your personal information to conduct any business or other relationship we have with you or an organisation you work for or an organisation of which you are a client or customer. This may relate to the entry into or performance of a contract with you or your organisation either directly or indirectly, which will be in our legitimate interests and we may also have legal obligations or be exercising a legal right to do this. We may also in some limited cases rely on your consent.
- We may also need to monitor, manage or record our relationship with you or an organisation which you work for, which may involve meetings, assessments, communications with you, decisions regarding your relationship with us. As well as relating to the entry into or the performance of a contract with you either directly or indirectly, this will also be in our legitimate interests.
- We may also need to process your personal information during the recruitment process to decide whether to enter into a working relationship with you, to enter into that relationship, to meet our obligations under that relationship and to enforce our rights. For example, we need to process your personal information to assess your skills, qualifications and suitability for the role and communicate with you about the recruitment process. It is in our legitimate interests to process your personal information and decide whether to appoint you to a role and whether to enter into a contract with you for that purpose. We may also need to do it in order to enter into a contract with you.
- We may need to process your personal information in order to hold or conduct promotions or campaigns and educational programmes. This may relate to the entry into or performance of a contract with you either directly or indirectly, it may be in our legitimate interests, and in some cases we may rely on your consent to do this.
- We may need to carry out background, identity or other checks in relation to you and an organisation you want to register with us or to carry out credit checks to decide whether to enter into a business relationship with you. This will be in our legitimate interests, and in some cases we may have a legal obligation to do so. In some cases we may need to rely on your consent to do this.
- As a business we may have many legal obligations connected to our relationship with you, for example to comply with health and safety laws when visiting our premises, to comply with data protection laws, to make filings at Companies House, to ensure equality and equal opportunities or to invoke other legal rights.
- We will also need to keep and maintain proper records relating to your relationship with us or an organisation you work for and information about you which is relevant to that relationship. As well as relating to the entry into or performance of a contract with you either directly or indirectly, this will also be in our legitimate interests, and we may also have legal obligations to do this.
- In some cases we may need to process your personal information to prevent, detect or prosecute criminal activity. This will also be in our legitimate interests, we may also have legal obligations or be exercising a legal right to do this and it will also be in the public interest.
- You may have contacted us about a query, complaint or enquiry and we need to be able to respond to you and deal with the points you have raised. This will also be in our legitimate interests, we may also have legal obligations or be exercising a legal right to do this.
- We may need to gather evidence for and be involved in possible legal cases. As well as relating to the entry into a contract with you or an organisation you work for either directly or indirectly, this will also be in our legitimate interests, we may also have legal obligations or be exercising a legal right to do this and it may also be needed to establish, bring or defend legal claims.
- To ensure effective general business administration and to manage our business. As well as relating to the entry into or performance of a contract with you either directly or indirectly, this will also be in our legitimate interests, and we may also have legal obligations or be exercising a legal right to do this.
- To obtain referrals from other organisations you have worked for or with. As well as relating to the entry into or performance of a contract with you either directly or indirectly, this will also be in our legitimate interests, and we may also have legal obligations or be exercising a legal right to do this.
- To monitor any use you make of our information and communication systems and our website and social media accounts and our applications and web services to ensure compliance with our information technology policies, ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution and also to monitor your use of our website and social media. As well as relating to the entry into or performance of a contract with you either directly or indirectly, this will also be in our legitimate interests, and we may also have legal obligations or be exercising a legal right to do this. In relation to social media you may also have already made the personal information public.
- To conduct data analytics and analysis studies and improve our business, use of our website(s) and social media which relates to us. This will also be in our legitimate interests, and we may also have legal obligations or be exercising a legal right to do this.
- We may carry out market research, so that we can better understand the organisations we regulate or provide services to. This will also be in our legitimate interests, and we may also have legal obligations or be exercising a legal right to do this.
Change of purpose
Who has internal access to your personal information?
Who do we share your personal information with externally?
- Any third party approved by you or where we need to do so to enter into or perform a contract with you.
- An organisation you work for or that represents you if that organisation has a relationship with us.
- Customers of our business, usually when you have a relationship with them as a member of their staff or as a client or customer of theirs.
- Service or product providers to our business, for example information technology services suppliers, credit reference agencies, marketing and public relations service providers.
- If you represent one of our suppliers, to other companies in the supply chain so they can contact you about any supply chain issues.
- Third parties that process personal information on our behalf and in accordance with our instructions, usually suppliers of services to us.
- Purchasers, investors, funders and their advisers if a business we provide services to or regulate sells all or part of its business, assets or shares or restructures whether by merger, re-organisation or in another way.
- To any successor regulator or provider of services in relation to the regulatory functions or services we provide.
- Our legal and other professional advisers, including our auditors or any professional advisors appointed by you, for example a legal advisor or an agency you work with.
- Third party record keepers, for example to make filings at Companies House.
- Social media and other online platforms where relevant to our relationship with you.
- Governmental bodies, other regulators, police, law enforcement agencies, security services, courts/tribunals.
- We may also use other service providers for marketing purposes.
We do not disclose personal information to anyone else except as set out above unless we are legally entitled to do so.
How do we protect your personal information?
- Encryption of personal information where appropriate.
- Regular planning and assessments to ensure we are ready to respond to cyber security attacks and data security incidents.
- Regular penetration testing of systems.
- Security controls which protect our information technology systems infrastructure and our premises from external attack and unauthorised access.
- Aiming to use best in class security systems implemented across our networks and hardware to ensure access and information are protected.
- Regular backups of information technology systems data.
- Internal policies setting out our information security rules for our staff.
- Regular training for our staff to ensure staff understand the appropriate use and processing of personal information.
- Where we engage third parties to process personal information on our behalf, they do so on the basis of our written instructions, they are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of personal information.
For how long do we keep your personal information?
- Withdraw any consent you have given to us, although this will only be relevant where we are relying on your consent as a basis to use your personal information, but it is an absolute right. Once we have received notification that you have withdrawn your consent, we will no longer process your personal information for the purpose or purposes for which you originally gave your consent, unless we have another legal basis for doing so, but withdrawing consent will not affect use that has already happened.
- Request details about how your personal information is being used. This right is linked with the right of access mentioned below.
- Request access and obtain details of your personal information that we hold (this is commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal information. This means that you can ask us to delete or stop processing your personal information, for example where we no longer have a reason to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (set out below). The right to have data erased does not apply in all circumstances.
- Object to the processing of your personal information where we are relying on a legitimate interest (ours or that of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.
- Object to direct marketing where we are processing your personal information for direct marketing purposes. This is an absolute right.
- Request the restriction of processing of your personal information. This enables you to ask us to stop processing your personal information for a period if data is inaccurate or there is a dispute about whether or not your interests override our legitimate grounds for processing your personal information.
- Request the transfer of your personal information to another party in certain circumstances.
- Object to certain automated decision-making processes using your personal information.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person or dealt with by a person who has no right to do so.