Personal data is information relating to an identifiable living individual. Whenever personal data is processed, collected, recorded, stored or disposed of, it must be done within the terms of the General Data Protection Regulation (GDPR).
All data must be collected under one of the 6 lawful reasons:
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party.
As a normal part of our activities, Davinci skilled and technical LTD has to keep personal data. The data we collect is limited to:
- data relating to candidates (for permanent placements) during the application process
- data relating to the contracts we undertake (our customers)
This data will be held and processed in accordance with the requirements of the GDPR.
The information we collect on our ‘candidates’ will be collected under the following lawful reasons:
- Contract: information necessary for us to identify a suitable permanent employment contract to be formed such as name, address, contact telephone numbers, qualifications
- Legal obligations: information necessary to comply with legislation, for example for immigration, Right to work.
- Vital interests: Information we feel we need to protect the health and safety of an individual such as previous medical history
The information we collect on customers and other persons relevant to placement of a candidate for employment will be under the following lawful reasons:
- Contract: information necessary for the employment (permanent) Contract to be formed such as names, addresses, contact numbers
- Legal obligations: information necessary to comply with legislation, for example for invoicing, accounts, Home Office.
- Vital interests: Information we feel we need to protect the health and safety of any individuals whilst working with them or in their place of work or home
How we will do it:
When requesting data we will ensure we are compliant with the GDPR, and we undertake to follow these principles:
- Personal data shall be processed fairly and lawfully.
- Personal data shall be obtained only for necessary and lawful purposes and shall not be further processed in any manner incompatible with that purpose.
- Where we want to process your data for a reason not falling under a necessary and lawful purpose, we will seek your consent for the processing of your data.
- Personal data shall be adequate, relevant and not excessive.
- Personal data shall be accurate and, where necessary and appropriate, kept up to date.
- Personal data processed for any purpose shall not be kept for longer than is necessary for the purpose it was processed.
- We shall take appropriate measures against unauthorised or unlawful processing of personal data, and against accidental loss or destruction of, or damage to, personal data. This might include disciplinary action if the breach was internal.
- Individuals have the right to be informed about the collection and use of their personal data and so we will provide details of why we are collecting the data, how long we need to keep it, and who we will share it with. This information will be given to the individual when we ask for the personal data.
- If we change the use of your personal data we will let you know beforehand.
- Where we employ an external HR advisor who has access to your details, we will inform you.
Whilst we will apply the same principles to all data, we have defined procedures on how we deal with the data according to the reason we need to have or use it.
We will therefore identify:
- What we need the data for
- What data we actually need
- How we will use it
- How we will keep it safe
- Who it needs to be shared with
- How long we must keep it
- How we will destroy it once it is no longer lawful or necessary to keep it
In collecting and processing data, we will consider and comply with the following individual rights:
- The right to be informed – we will provide you with ‘privacy information’. This will include our purposes for processing your personal data, our retention periods for that personal data, and who it will be shared with
- The right of access – access to your personal data so that you are aware of and can verify the lawfulness of the processing
- The right to rectification – a right for you to have inaccurate personal data rectified, or completed if it is incomplete
- The right to erasure – also known as the ‘right to be forgotten’, this gives you the right to have your data erased (where circumstances allow)
- The right to restrict processing – gives individuals the right to restrict the processing of their personal data (in certain circumstances)
- The right to data portability – allows individuals to obtain and reuse their personal data for their own purposes across different services, allowing data to be moved, copied or transferred easily from one IT environment to another in a safe and secure way.
- The right to object – a right for you to object to certain processing and/or marketing
- Rights in relation to automated decision making and profiling
Subject Access Request (SAR)
Candidates and customers
All candidates / customers are entitled to ask for, in writing, what information on them the recruitment company holds, and ask to see it (subject access request).
The Management (or any other nominated ‘Data Controller’) will usually provide the information without delay and in any case within 28 days. If the request or data is complex and we cannot do this within that timescale then we will advise you in writing as to the reason for the delay and provide the information not later than a further 2 months in duration.
Candidates may challenge the accuracy of the information and also update information where it is found to be incorrect.
We will not usually charge you for any information; however, we may charge a “reasonable fee” based on the actual administrative cost of providing you with the information where your request is ‘manifestly unfounded, excessive or repetitive’.
Anyone giving us information whether that is a candidate or a company seeking a candidate should make sure that the data they provide is accurate and inform us when it changes. Where our employees collect, process or use personal information about other people (for example customers) they must follow these guidelines:
- Our procedures must be followed
- Proposals to collect or use personal data in a new way should always be discussed with management before proceeding.
- Any personal data that they hold is kept securely i.e. so that access is restricted to those authorised and is protected from loss or damage – this means by physical means such as a locked office or filing cabinet and by electronic means such as computer passwords and access systems.
- Personal information must not be disclosed to any unauthorised third party. Great care must be taken not to discuss such information face-to-face or over the telephone nor to disclose information in writing or in other ways such as via e-mail.
- Personal information should be collected or used with the approval of the subject. In many cases this is obtained through general consent but in the case of sensitive data such as information concerning health or race, express consent must be obtained to use the data. Note: The company may use such information to monitor its Equal Opportunities Policy.
When we are recruiting we will:
- Advise potential applicants of the data we require and what we need it for
- Inform how we will process the data and the period it will be kept
- Seek permission where we might want to keep that data in case a suitable role becomes available at a later date
- Seek permission to share this data across potential employers
- Not use the data to make automated decisions
Destroying data (the right to be forgotten):
We will always keep track of where any data has been shared or stored (or made public) enabling us to destroy that data effectively when it is no longer appropriate to keep.
We will only share data with suitable, trustworthy and necessary persons or organisations.
When a request is made to destroy data, or that data is no longer valid to keep, we will ensure it is destroyed from all the places it was shared. We will advise any third party that had access to that data to also destroy it.
This will apply to all forms of data including electronic data.
We will only share data with other persons who also have a legitimate reason for requiring that data.
In sharing data we will ensure that the person(s) / organisations requiring the data can also provide details to us on:
- What they need the data for
- The extent of the data they need
- How they will use it
- How they will keep it safe
- That they will not further share it
- How they will destroy it once it is no longer lawful or necessary to keep it
If we share your data with an external consultant, for example an HR Consultant, we will let you know.
Controlling the Data:
We have appointed a Data Controller. This person determines the purposes for which, and the manner in which, any personal data is to be processed. We will work with other bodies on this, such as HMRC.
This person within our organisation is: David Dodd
He may take advice and support from any professional person or organisation in fulfilling his duties in this role.
Currently our processing of data does not warrant the appointment of a Data Protection Officer. The only category we envisage we may in future fall under which would necessitate a DPO would be the processing of data relating to criminal convictions. Should our business grow to an extent that we a/ need to process data relating to criminal convictions, and b/ that this is large scale processing, then we would at that time appoint a DPO.