How do we share your information?
We share your personal data in the following ways:
- Where we use third party services providers who process personal data on our behalf in order to provide services to us. This may include:
• Clients in the Healthcare sector (we will seek your consent before providing your data to a client including COVID 19 vaccination status)
• Our Occupational Health Provider
• Auditors for our clients which include; DePoel, Barchester and Neuvens
• Auto-enrolment pension provider
- We will share your personal data with third parties where we are required to do so by
- law or to comply with our regulatory obligations.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests
- If we sell any part of our business and/or integrate it with another organisation your details may be disclosed to our advisers and to prospective purchasers or joint venture partners and their advisers.
Where we share your personal data with third parties we ensure that we have appropriate measures in place to safeguard your personal data and to ensure that it is solely used for legitimate purposes in line with this privacy notice.
How do we keep your information secure?
All data is held on secure servers housed in a private suite within a Level(3) data centre. Access to the suite requires RFID access to the building, biometric fingerprint access to the floor the suite is on, and then a key code combination to access the private suite.
The internet breakout is secured using a Cisco firewall and we have Cyber Essentials accreditation for network security. All data is held on secure SAN nodes with RAID 10 redundancy, and data is accessible by authorised individuals only based on Active Directory and implemented windows security permissions.
All virtual servers are fully backed up nightly to a separate server within the private suite via Veeam software, and following this the backup is then replicated to a secure server housed at our Head Office in Stratford. External network access is limited to authorised users only, running Cisco AnyConnect VPN software via the Cisco ASA. All external access if via Windows RDP server access, with features such as printing to devices outside of the company network disabled.
We use the full Trend Micro Smart Protection Complete Suite, with all updates immediately deployed and enforced by our central Control Centre. All urgent windows security updates are automatically downloaded and deployed overnight by the Windows Server Update Service to GDPR Privacy Notice Sep 2021 v3 5 ensure all servers and client machines are fully protected against latest threats. Practises employed to help secure company data include (but are not limited to):
Access to all data restricted to only authorised users.
- Endpoint encryption in place for portable media ( including laptops)
- USB write blocking to prevent data being copied to personal drives
- Blocking of all web based email and data storage websites
- All users are required to change their password every 30 days
- All user passwords must meet minimum security requirements
- All machines auto lock after 10 minutes of inactivity to prevent unauthorised access to unattended machines
All hardware, backups, and data links are fully monitored 24/7 using PRTG Enterprise Console. We will ensure access to personal data is restricted to employees working within our group on a need to know basis. Training will be provided to any employees working within the group who need access to your personal data to ensure it is secured at all times.
When do we transfer your information overseas?
When data is transferred to countries outside of the UK and the European Economic Area those countries may not offer an equivalent level of protection for personal data to the laws in the UK. Where this is the case we will ensure that appropriate safeguards are put in place to protect your personal data.
The countries to which your personal data is transferred and the safeguards in place are detailed below:
If you would like to see a copy of the adequacy mechanisms that we use to protect your personal data please contact firstname.lastname@example.org
For how long do we keep your information?
As a general rule we keep personal data about candidates for the duration of the recruitment and selection process and for a period of:
- 12 months post registering
- 24 months post placement for working seeking services
- 6 years post placement for HMRC purposes
However, where we have statutory obligations to keep personal data for a longer period or where we may need your information for a longer period in case of a legal claim, then the retention period may be longer. Candidates are considered to be ‘registered’ when they have commenced the compliance process. No Personal Data will be retained for candidates that do not progress to the compliance stage.
Your rights in relation to your information
You have a number of rights in relation to your personal data, these include the right to:
- be informed about how we use your personal data;
- obtain access to your personal data that we hold;
- request that your personal data is corrected if you believe it is incorrect, incomplete or inaccurate;
- request that we erase your personal data in the following circumstances: GDPR Privacy Notice Sep 2021 v3 6
• if we are continuing to process personal data beyond the period when it is necessary to do so for the purpose for which it was originally collected;
• if we are relying on consent as the legal basis for processing and you withdraw consent;
• if we are relying on legitimate interest as the legal basis for processing and you object to this processing and there is no overriding compelling ground which enables us to continue with the processing;
• if the personal data has been processed unlawfully (i.e. in breach of the requirements of the data protection legislation);
• if it is necessary to delete the personal data to comply with a legal obligation.
• ask us to restrict our data processing activities where you consider that:
• personal data is inaccurate;
• our processing of your personal data is unlawful ;
• where we no longer need the personal data but you require us to keep it to enable you to establish, exercise or defend a legal claim;
• where you have raised an objection to our use of your personal data;
- request a copy of certain personal data that you have provided to us in a commonly used electronic format. This right relates to personal data that you have provided to us that we need in order to take steps to enter into a contract with you and personal data where we are relying on consent to process your personal data;
- object to our processing of your personal data where we are relying on legitimate interests or exercise of a public interest task to make the processing lawful. If you raise an objection we will carry out an assessment to determine whether we have an overriding legitimate ground which entitles us to continue to process your personal data;
- not be subject to automated decisions which produce legal effects or which could have a similarly significant effect on you. If you would like to exercise any of your rights or find out more, please contact email@example.com. The Table at the end of this notice provides more detail about the information that we use, the legal basis that we rely on in each case and your rights.
If you have any complaints about the way we use your personal data please contact firstname.lastname@example.org who will try to resolve the issue. If we cannot resolve your complaint, you have the right to complain to the data protection authority in your country (the Information Commissioner in the UK).