Grade A Recruitment processes many types of data for HR purposes concerning job applicants, employees, former employees, workers and contractors or various reasons. It is fully aware of its obligations under the General Data Protection Regulation (GDPR) to process data lawfully and to ensure that the rights of data subjects, as set out in GDPR, are observed correctly. This policy sets out the rights of the aforementioned individuals as data subjects and the processes which should be followed in the event that the data subject wishes to exercise any such right.
Data Subject Rights
Under GDPR, you have rights in relation to your data, including the right:
- To be informed
- Of access
- For any inaccuracies to be corrected
- To have information deleted
- To restrict the processing of the data
- To portability
- To object to the inclusion of any information
- To regulate any automated decision-making and profiling of personal data.
The right to be informed
You have the right to be told how Grade A Recruitment processes your data and the reasons for the processing. In order to provide this information to you, Grade A Recruitment has a privacy notice to explain what data we collect about you, how we collect and process it, what we process it for and the lawful basis which permits us to process it. You can obtain a copy of the privacy notice, at no cost, from Tina Watson, Director.
If Grade A Recruitment intends to use data already collected from you for a different reason than that already communicated, you will be informed of the new reason in advance.
The right of access
You have the right to access your personal data which is held by Grade A Recruitment. More information on this is available in the Grade A Recruitment Subject Access Request policy which is available from Tina Watson, Director.
The right for data to be corrected
One of the fundamental principles underpinning data protection is that the data Grade A Recruitment processes about you will be accurate and up to date. You have the right to have your data corrected if it is inaccurate or incomplete.
If you wish to have your data rectified, you should do so by completing the Data Rectification Form which is available from Tina Watson, Director
Grade A Recruitment will respond to a data rectification request within one month. Where the data rectification request is complex, Grade A Recruitment may extend the timescale for response from one month to three months. If this is the case, the Company will write to you within one month of receipt of the request explaining the reason for the extension.
If the response to your request is that Grade A Recruitment will take no action, you will be informed of the reasons for this and of your right to complain to the Information Commissioner and to a judicial remedy.
Where any data which has been rectified was disclosed to third parties in its unrectified form, Grade A Recruitment will inform the third party of the rectification where possible. Grade A Recruitment will also inform you of the third parties to whom the data was disclosed.
The right to have information deleted
You have the right to have your data deleted and removed from our systems where there is no compelling business reason for Grade A Recruitment to continue to process it.
You have a right to have your data deleted in the following circumstances:
- where the personal data is no longer necessary in relation to the purpose for which Grade A Recruitment originally collected or processed it
- where you have withdrawn your consent to the continued processing of the data and there is no other lawful basis for Grade A Recruitment to continue processing the data
- where you object to the processing and it has no overriding legitimate interest to continue the processing
- the personal data has been unlawfully processed
- the personal data has to be deleted due to a legal obligation.
If you wish to make a request for data deletion, you should complete the Data Deletion Request form which is available from Tina Watson, Director
Upon receipt of a request, Grade A Recruitment will delete the data unless it is processed for one of the following reasons:
- to exercise the rights of freedom of expression and information
- for Grade A Recruitment to comply with a legal requirement
- the performance of a task carried out in the public interest or exercise of official authority
- for public health purposes in the public interest
- archiving purposes in the public interest, scientific historical research or statistical purposes or
- the defence of legal claims.
Where your request is not complied with because of the one of the above reasons, you will be informed of the reason. Where your request is to be complied with, you will be informed when the data has been deleted.
Where the data which is to be deleted has been shared with third parties, Grade A Recruitment will inform those third parties where this is possible. However, where this notification will cause a disproportionate effect on Grade A Recruitment, this notification may not be carried out.
The right to restrict the processing of data
You have the right to restrict the processing of your data in certain circumstances. Restricting Grade A Recruitment from processing your data means that we will continue to hold the data but will stop processing it.
Grade A Recruitment will be required to restrict the processing of your personal data in the following circumstances:
- where you tell Grade A Recruitment that the data it holds on you is not accurate. Where this is the case, we will stop processing the data until it has taken steps to ensure that the data is accurate
- where the data is processed for the performance of a public interest task or because of Grade A Recruitment’s legitimate interests and you have objected to the processing of data. In these circumstances, the processing may be restricted whilst Grade A Recruitment considers whether its legitimate interests mean it is appropriate to continue to process it
- when the data has been processed unlawfully
- where Grade A Recruitment no longer needs to process the data but you need the data in relation to a legal claim.
If you wish to make a request for data restriction, you should complete the Data Restriction Request form which is available from Tina Watson, Director
Where data processing is restricted, Grade A Recruitment will continue to hold the data but will not process it unless:
- you consent to the processing
- processing is required in relation to a legal claim.
Where the data to be restricted has been shared with third parties, Grade A Recruitment will inform those third parties where this is possible. However, where this notification will cause a disproportionate effect on Grade A Recruitment, this notification may not be carried out.
Where Grade A Recruitment is to lift any restriction on processing, you will be informed in advance.
The right to data portability
You have the right to obtain the data that Grade A Recruitment processes on you and use it for your own purposes. This means you have the right to receive the personal data that you have provided to Grade A Recruitment in a structured machine readable format and to transmit the data to a different data controller.
This right applies in the following circumstances:
- where you have provided the data to Grade A Recruitment
- where the processing is carried out because you have given Grade A Recruitment your consent to do so
- where the processing is carried out in order to perform the employment contract between you and Grade A Recruitment
- where processing is carried out by automated means.
If you wish to exercise this right, please speak to Tina Watson, Director.
Where a request for data portability is received, Grade A Recruitment will respond without undue delay, and within one month at the latest. Where the request is complex or Grade A Recruitment receives a number of requests, we may extend the timescale for response from one month to three months. If this is the case, we will write to you within one month of receipt of the request explaining the reason for the extension.
Where Grade A Recruitment is to comply with your request, you will receive the data in a structured and machine readable form. You will not be charged for the provision of this data. Upon request, we will transmit the data directly to another organisation if our IT systems are compatible with those of the recipient.
If the response to your request is that Grade A Recruitment will take no action, you will be informed of the reasons for this and of your right to complain to the Information Commissioner and to a judicial remedy.
The right to portability is different from the right to access. Although both involve a right to access your personal data, the personal data to be accessed is not the same. The right to access your data under the right to portability includes only personal data as described above. Access to data under the right of access includes all personal data relating to you, including that which has not been provided to the Company by you.
The right to object to the inclusion of data
You have a right to object to the processing of your data in certain circumstances. This means that you have the right to require Grade A Recruitment to stop processing your data. In relation to your employment with us, you may object to processing where it is carried out:
- in relation to the Grade A Recruitment’s legitimate interests
- for the performance of a task in the public interest
- in the exercise of official authority or
- for profiling purposes.
If you wish to object, you should do so by completing the Data Processing Objection form which is available from Tina Watson, Director
Where you object to processing, Grade A Recruitment will stop the processing activity objected to unless:
- Grade A Recruitment can demonstrate compelling legitimate reasons for the processing which are believed to be more important than your rights or
- the processing is required in relation to legal claims made by, or against, Grade A Recruitment.
If the response to your request is that Grade A Recruitment will take no action, you will be informed of the reasons.
Rights in relation to automated decision making
You have the right not to have decisions made about you solely on the basis of automated decision making processes where there is no human intervention, where such decisions will have a significant effect on you. However, Grade A Recruitment does not make any decisions based on such processes.
However, we may at our discretion carry out automated decision making with no human intervention in the following circumstances:
- when it is needed for entering into or the carrying out of a contract with you
- when the process is permitted by law
- when you have given explicit consent.
In circumstances where we use special category data, for example, data about your health, sex life, sexual orientation, race, ethnic origin, political opinion, religion, and trade union membership Grade A Recruitment will ensure that one of the following applies to the processing:
- you have given your explicit consent to the processing or
- the processing is necessary for reasons of substantial public interest.
In the event that you have any questions regarding GDPR regulations or our responsibilities to you, please speak directly to Tina Watson, Director.
Aim and scope of policy
This policy applies to the processing of personal data in manual and electronic records kept by Grade A Recruitment in connection with its human resources function (outsourced to HR Your Business Matters Ltd) as described below. It also covers Grade A Recruitment’s response to any data breach and other rights under the General Data Protection Regulation.
This policy applies to the personal data of job applicants, existing and former employees, apprentices, volunteers, placement students, workers and self-employed contractors. These are referred to in this policy as relevant individuals.
“Personal data” is information that relates to an identifiable person who can be directly or indirectly identified from that information, for example, a person’s name, identification number, location, online identifier. It can also include pseudonymised data, which is data that has been anonymised to minimise risk of identification.
“Special categories of personal data” is data which relates to an individual’s health, sex life, sexual orientation, race, ethnic origin, political opinion, religion, and trade union membership. It also includes genetic and biometric data (where used for ID purposes).
“Criminal offence data” is data relating to an individual’s criminal convictions and offences.
“Data processing” is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Grade A Recruitment makes a commitment to ensuring that personal data, including special categories of personal data and criminal offence data (where appropriate) is processed in line with GDPR and domestic laws and all its employees conduct themselves in line with this, and other related, policies. Where third parties process data on behalf of Grade A Recruitment, the Company will ensure that the third party takes such measures in order to maintain the Company’s commitment to protecting data. In line with GDPR, the Company understands that it will be accountable for the processing, management and regulation, and storage and retention of all personal data held in the form of manual records and on computers.
Types of data held
Personal data is kept in personnel files or within Grade A Recruitment, HR systems. The following types of data may be held, as appropriate, on relevant individuals:
- name, address, phone numbers – for individual and next of kin
- CVs and other information gathered during recruitment
- references from former employers
- National Insurance numbers
- job title, job descriptions and pay grades
- conduct issues such as letters of concern, disciplinary proceedings
- holiday records
- internal performance information
- medical or health information
- sickness absence records
- tax codes
- terms and conditions of employment
- training details.
Relevant individuals should refer to the Company’s privacy notice for more information on the reasons for its processing activities, the lawful bases it relies on for the processing and data retention periods.
Data protection principles
All personal data obtained and held by the Company will:
- be processed fairly, lawfully and in a transparent manner
- be collected for specific, explicit, and legitimate purposes
- be adequate, relevant and limited to what is necessary for the purposes of processing
- be kept accurate and up to date. Every reasonable effort will be made to ensure that inaccurate data is rectified or erased without delay
- not be kept for longer than is necessary for its given purpose
- be processed in a manner that ensures appropriate security of personal data including protection against unauthorised or unlawful processing, accidental loss, destruction or damage by using appropriate technical or organisation measures
- comply with the relevant GDPR procedures for international transferring of personal data.
In addition, personal data will be processed in recognition of an individuals’ data protection rights, as follows:
- the right to be informed
- the right of access
- the right for any inaccuracies to be corrected (rectification)
- the right to have information deleted (erasure)
- the right to restrict the processing of the data
- the right to portability
- the right to object to the inclusion of any information
- the right to regulate any automated decision-making and profiling of personal data.
Grade A Recruitment has taken the following steps to protect the personal data of relevant individuals, which it holds or to which it has access:
- it appoints or employs employees with specific responsibilities for:
- the processing and controlling of data
- the comprehensive reviewing and auditing of its data protection systems and procedures
- overviewing the effectiveness and integrity of all the data that must be protected.
There are clear lines of responsibility and accountability for these different roles.
- it provides information to its employees on their data protection rights, how it uses their personal data, and how it protects it. The information includes the actions relevant individuals can take if they think that their data has been compromised in any way
- it provides its employees with information to make them aware of the importance of protecting personal data, to teach them how to do this, and to understand how to treat information confidentially
- it can account for all personal data it holds, where it comes from, who it is shared with and also who it might be shared with
- it carries out risk assessments as part of its reviewing activities to identify any vulnerabilities in its personal data handling and processing, and to take measures to reduce the risks of mishandling and potential breaches of data security. The procedure includes an assessment of the impact of both use and potential misuse of personal data in and by Grade A Recruitment
- it recognises the importance of seeking individuals’ consent for obtaining, recording, using, sharing, storing and retaining their personal data, and regularly reviews its procedures for doing so, including the audit trails that are needed and are followed for all consent decisions. Grade A Recruitment understands that consent must be freely given, specific, informed and unambiguous. The Company will seek consent on a specific and individual basis where appropriate. Full information will be given regarding the activities about which consent is sought. Relevant individuals have the absolute and unimpeded right to withdraw that consent at any time
- it has the appropriate mechanisms for detecting, reporting and investigating suspected or actual personal data breaches, including security breaches. It is aware of its duty to report significant breaches that cause significant harm to the affected individuals to the Information Commissioner, and is aware of the possible consequences
- it is aware of the implications international transfer of personal data internationally.
Access to data
Relevant individuals have a right to be informed whether Grade A Recruitment processes personal data relating to them and to access the data that Grade A Recruitment holds about them. Requests for access to this data will be dealt with under the following summary guidelines:
- a form on which to make a subject access request is available from [insert name]. The request should be made to [insert details]
- the Company will not charge for the supply of data unless the request is manifestly unfounded, excessive or repetitive, or unless a request is made for duplicate copies to be provided to parties other than the employee making the request
- the Company will respond to a request without delay. Access to data will be provided, subject to legally permitted exemptions, within one month as a maximum. This may be extended by a further two months where requests are complex or numerous.
Relevant individuals must inform Grade A Recruitment immediately if they believe that the data is inaccurate, either as a result of a subject access request or otherwise. Grade A Recruitment will take immediate steps to rectify the information.
For further information on making a subject access request, employees should refer to our subject access request policy, available from Tina Watson, Director
Grade A Recruitment may be required to disclose certain data/information to any person. The circumstances leading to such disclosures include:
- any employee benefits operated by third parties
- disabled individuals – whether any reasonable adjustments are required to assist them at work
- individuals’ health data – to comply with health and safety or occupational health obligations towards the employee
- for Statutory Sick Pay purposes
- HR management and administration – to consider how an individual’s health affects his or her ability to do their job
- the smooth operation of any employee insurance policies or pension plans.
These kinds of disclosures will only be made when strictly necessary for the purpose.
Grade A Recruitment adopts procedures designed to maintain the security of data when it is stored and transported. More information can be found in the data transfer security policy, available from Tina Watson, Director.
In addition, employees must:
- ensure that all files or written information of a confidential nature are stored in a secure manner and are only accessed by people who have a need and a right to access them
- ensure that all files or written information of a confidential nature are not left where they can be read by unauthorised people
- check regularly on the accuracy of data being entered into computers
- always use the passwords provided to access the computer system and not abuse them by passing them on to people who should not have them
- use computer screen blanking to ensure that personal data is not left on screen when not in use.
Personal data relating to employees should not be kept or transported on laptops, USB sticks, or similar devices, unless authorised by Tina Watson, Director. Where personal data is recorded on any such device it should be protected by:
- ensuring that data is recorded on such devices only where absolutely necessary
- using an encrypted system — a folder should be created to store the files that need extra protection and all files created or moved to this folder should be automatically encrypted
- ensuring that laptops or USB drives are not left lying around where they can be stolen.
Failure to follow Grade A Recruitment’s rules on data security may be dealt with via the disciplinary procedure. Appropriate sanctions include dismissal with or without notice dependent on the severity of the failure.
International data transfers
The Company does not transfer personal data to any recipients outside of the EEA.
Where a data breach is likely to result in a risk to the rights and freedoms of individuals, it will be reported to the Information Commissioner within 72 hours of Grade A Recruitment becoming aware of it and may be reported in more than one instalment.
Individuals will be informed directly in the event that the breach is likely to result in a high risk to the rights and freedoms of that individual. If the breach is sufficient to warrant notification to the public, Grade A Recruitment will do so without undue delay.
New employees must read and understand the policies on data protection as part of their induction. All employees receive training covering basic information about confidentiality, data protection and the actions to take upon identifying a potential data breach.
Grade A Recruitment does not warrant a specific Data Officer, due to the size of the business however, full responsibility is taken by Tina Watson, Director for the control and processing of data.
All employees who need to use the computer system are trained to protect individuals’ private data, to ensure data security, and to understand the consequences to them as individuals and Grade A Recruitment of any potential lapses and breaches of the Company’s policies and procedures.
Grade A Recruitment keeps records of its processing activities including the purpose for the processing and retention periods in its HR Data Record. These records will be kept up to date so that they reflect current processing activities.