GDPR - General Data Protection Regulation


Under the new General Data Protection Regulation (GDPR) you are entitled to be informed about the processing of personal data we request from you, hold on you, use or need to share.

The Principles

Personal data is information relating to an identifiable living individual. Whenever personal data is processed, collected, recorded, stored or disposed of it must be done within the terms of the General Data Protection Regulation (GDPR).

All data must be collected under one of the 6 lawful reasons:

  • Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
  • Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
  • Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
  • Vital interests: the processing is necessary to protect someone's life.
  • Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  • Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party.

As a normal part of our activities, The Clever Fish Recruitment Ltd has to keep personal data. The data we collect is limited to:

  1. Data relating to candidates (for temporary and permanent placements) and their contracts of employment/contracts for services.
  2. Data relating to the contracts we undertake (our customers).

This data will be held and processed in accordance with the requirements of the GDPR.

The information we collect on our 'candidates' will be collected under the following lawful reasons:

  1. Contract: information necessary for us to identify a suitable temporary or permanent employment contract to be formed such as name, address, contact telephone numbers, qualifications.
  2. Legal obligations: information necessary to comply with legislation, for example for immigration, payroll and HMRC records.
  3. Vital interests: Information we feel we need to protect the health and safety of an individual such as previous medical history.

The information we collect on customers and other persons relevant to placement of a candidate for employment will be under the following lawful reasons:

  1. Contract: information necessary for the employment (temporary or permanent) Contract to be formed such as names, addresses, contact numbers.
  2. Legal obligations: information necessary to comply with legislation, for example for invoicing, accounts, umbrella companies, Home Office, and HMRC records.
  3. Vital interests: Information we feel we need to protect the health and safety of any individuals whilst working with them or in their place of work or home.

How we will do it:

When requesting data we will ensure we are compliant with the GDPR, and we undertake to follow these principles:

  1. Personal data shall be processed fairly and lawfully.
  2. Personal data shall be obtained only for necessary and lawful purposes and shall not be further processed in any manner incompatible with that purpose.
  3. Where we want to process your data for a reason not falling under a necessary and lawful purpose, we will seek your consent for the processing of your data.
  4. Personal data shall be adequate, relevant and not excessive.
  5. Personal data shall be accurate and, where necessary and appropriate, kept up to date.
  6. Personal data processed for any purpose shall not be kept for longer than is necessary for the purpose it was processed.
  7. We shall take appropriate measures against unauthorised or unlawful processing of personal data, and against accidental loss or destruction of, or damage to, personal data. This might include disciplinary action if the breach was internal.
  8. Individuals have the right to be informed about the collection and use of their personal data and so we will provide details of why we are collecting the data, how long we need to keep it, and who we will share it with. This information will be given to the individual when we ask for the personal data.
  9. If we change the use of your personal data we will let you know beforehand.
  10. Where we employ an external HR advisor who has access to your details, we will inform you.

Whilst we will apply the same principles to all data, we have defined procedures on how we deal with the data according to the reason we need to have / use it. We will therefore identify:

  • What we need the data for.
  • What data we actually need.
  • How we will use it.
  • How we will keep it safe.
  • Who it needs to be shared with.
  • How long we must keep it.
  • How we will destroy it once it is no longer lawful or necessary to keep it.

Your Rights

In collecting and processing data, we will consider and comply with the following individual rights:

  • The right to be informed – we will provide you with 'privacy information'. This will include our purposes for processing your personal data, our retention periods for that personal data, and who it will be shared with.
  • The right of access - access to your personal data so that you are aware of and can verify the lawfulness of the processing.
  • The right to rectification - a right for you to have inaccurate personal data rectified, or completed if it is incomplete.
  • The right to erasure – also known as the 'right to be forgotten', this gives you the right to have your data erased (where circumstances allow).
  • The right to restrict processing - gives individuals the right to restrict the processing of their personal data (in certain circumstances).
  • The right to data portability - allows individuals to obtain and reuse their personal data for their own purposes across different services, allowing data to be moved, copied or transferred easily from one IT environment to another in a safe and secure way.
  • The right to object – a right for you to object to certain processing and/or marketing.
  • Rights in relation to automated decision making and profiling.

Subject Access Request (SAR)

Candidates and customers

All candidates / customers are entitled to ask for, in writing, what information on them the recruitment company holds, and ask to see it (subject access request).

The Management (or any other nominated 'Data Controller') will usually provide the information without delay and in any case within 28 days. If the request or data is complex and we cannot do this within that timescale then we will advise you in writing as to the reason for the delay and provide the information not later than a further 2 months in duration.

Candidates may challenge the accuracy of the information and also update information where it is found to be incorrect.

We will not usually charge you for any information; however, we may charge a "reasonable fee" based on the actual administrative cost of providing you with the information where your request is 'manifestly unfounded, excessive or repetitive'.

Responsibilities

Anyone giving us information, whether that is a candidate or a company seeking a candidate, should make sure that the data they provide is accurate and inform us when it changes. Where our employees collect, process or use personal information about other people (for example customers) they must follow these guidelines:

  1. Our procedures must be followed.
  2. Proposals to collect or use personal data in a new way should always be discussed with management before proceeding.
  3. Any personal data that they hold must be kept securely, i.e. so that access is restricted to those authorised and is protected from loss or damage - this means by physical means such as a locked office or filing cabinet and by electronic means such as computer passwords and access systems.
  4. Personal information must not be disclosed to any unauthorised third party. Great care must be taken not to discuss such information face-to-face or over the telephone nor to disclose information in writing or in other ways such as via email.
  5. Personal information should be collected or used with the approval of the subject. In many cases this is obtained through general consent but in the case of sensitive data such as information concerning health or race, express consent must be obtained to use the data. Note: The company may use such information to monitor its Equal Opportunities Policy.

Recruitment

When we are recruiting we will:

  • Advise potential applicants of the data we require and what we need it for.
  • Inform how we will process the data and the period it will be kept.
  • Seek permission where we might want to keep that data in case a suitable role comes available at a later date.
  • Seek permission to share this data across potential employers.
  • Not use the data to make automated decisions.

Destroying data (the right to be forgotten)

We will always keep track of where any data has been shared or stored (or made public) enabling us to destroy that data effectively when it is no longer appropriate to keep.

We will only share data with suitable, trustworthy and necessary persons or organisations.

When a request is made to destroy data, or that data is no longer valid to keep, we will ensure it is destroyed from all the places it was shared. We will advise any third party that had access to that data to also destroy it.

This will apply to all forms of data including electronic data.

Sharing Data

We will only share data with other persons who also have a legitimate reason for requiring that data. In sharing data we will ensure that the person(s) / organisations requiring the data can also provide details to us on:

  • What they need the data for.
  • The extent of the data they need.
  • How they will use it.
  • How they will keep it safe.
  • That they will not further share it.
  • How they will destroy it once it is no longer lawful or necessary to keep it.

If we share your data with an external consultant (for example an HR Consultant), we will let you know.

Controlling the Data

We have appointed a Data Controller. This person determines the purposes for which, and the manner in which, any personal data is to be processed. We will work with other bodies on this, such as HMRC. This person within our organisation is: Victoria Dyson. She may take advice and support from any professional person or organisation in fulfilling her duties in this role.

Currently our processing of data does not warrant the appointment of a Data Protection Officer. The only category we envisage we may in future fall under which would necessitate a DPO would be the processing of data relating to criminal convictions. Should our business grow to an extent that we a) need to process data relating to criminal convictions, and b) that this is large scale processing, then we would at that time appoint a DPO.

Information Notice For Candidates

Under the new General Data Protection Regulation (GDPR) you (our employee) are entitled to be informed about the processing of personal data we request from you, hold on you, use or need to share. The following is intended as a full explanation to satisfy this requirement.

The identity and contact details of us.

Clever Fish Recruitment Ltd
5 Manor Close, Whitby, North Yorkshire, YO21 1HR. Telephone: 01484 513333

The purposes and legal bases for the data processing.

Categories under Law:

  1. Contract: information necessary for the placing of an employment candidate to be formed.
  2. Legal obligations: information necessary to comply with legislation.
  3. Vital interests: Information we feel we need to protect the health and safety of an individual.

Types of Information we require:

  1. Name, Address, Contact Telephone Numbers, your Qualifications.
  2. HMRC information: NI number, Tax details, Immigration information (right to employment in the UK).
  3. Previous Medical History, GP details, Next of Kin details, Medication information.

Details of any recipients of the data.

  • Potential employers (temporary or permanent).
  • HMRC.
  • Home Office.
  • Any Outsourced payroll or umbrella company.
  • Our Accountant.
  • Any Outsourced HR Advisor.
  • Any Outsourced H&S Advisor.

Details of any transfer outside the EEA. NONE.

The period for which the data will be stored.

Our records will be destroyed within a reasonable time following placement of any candidate, unless other legislation dictates (for example HMRC or Home Office recording).

Personal data such as payroll, HMRC and Home Office information will be kept for the duration dictated by appropriate legislation.

Information relating to H&S will be kept for a minimum period of 3 years and where appropriate for future health monitoring will be kept for a period of 40 years.

The right of access to data

All persons are entitled to ask for, in writing, what information on them the company holds, and ask to see it (subject access request).

The Management (or any other nominated 'Data Controller') will usually provide the information without delay and in any case within 28 days. If the request or data is complex and we cannot do this within that timescale then we will advise you in writing as to the reason for the delay and provide the information not later than a further 2 months in duration. We will not usually charge you for this unless your request is 'manifestly unfounded, excessive or repetitive'.

The right to request data rectification or erasure.

You (the candidate) may challenge the accuracy of the data we hold, and also update information where it is found to be incorrect. If you change your details, or if you notice a mistake through a subject access request, please advise us immediately so that we can rectify that data and ensure we hold the correct data on you.

The right to withdraw consent (when the legal basis for processing is consent).

If the legal basis for processing your data was only on the basis that you gave consent (for example signing up to marketing material, or giving us access to 3rd party contact details etc.), you have the right to withdraw this consent at any time. If you wish to withdraw consent you must do this in writing. When we receive your withdrawal of consent we will confirm this to you along with the ways we will remove your data.

The source of the Data (where we might get this data from).

For employment purposes we will get your data from:

  • You – on application, and throughout the employment.
  • Your previous employer(s).
  • HMRC.
  • Home Office.
  • Any other appropriate government body (such as criminal record checks).