Privacy Policy - Recruitment

Personal information will only be processed when there is a lawful basis for doing so. Most commonly, the Institute will use personal information in the following circumstances:

• when it is needed to perform applicants’ contracts of employment;
• when it is needed to comply with a legal obligation; or
• when it is necessary for the Institute’s legitimate interests (or those of a third party) and applicants’ interests and fundamental rights do not override those interests.

The Institute may also use personal information in the following situations, which are likely to be rare:

• when it is necessary to protect applicants’ interests (or someone else’s interests); or
• when it is necessary in the public interest [or for official purposes].

The Institute may process special categories of personal information in the following circumstances:

• In limited circumstances, with explicit written consent;

• in order to meet legal obligations;
• when it is needed in the public interest, such as for equal opportunities monitoring [or in relation to the Institute’s occupational pension scheme]; or
• when it is needed to assess working capacity on health grounds, subject to appropriate confidentiality safeguards.

Less commonly, the Institute may process this type of information where it is needed in relation to legal claims or where it is needed to protect an applicant’s interests (or someone else’s interests) and the applicant is not capable of giving consent, or where an applicant has already made the information public. The Institute may use particularly sensitive personal information in the following ways:

• information relating to leaves of absence, which may include sickness absence or family related leaves, may be used to comply with employment and other laws;
• information about applicants’ physical or mental health, or disability status, may be used to ensure health and safety in the workplace and to assess fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits;
• information about race or national or ethnic origin, religious, philosophical or moral beliefs, or sexual life or sexual orientation, may be used to ensure meaningful equal opportunity monitoring and reporting; and
• information about trade union membership may be used to pay trade union premiums, register the status of a protected applicant and to comply with employment law obligations.

The Institute envisages that it will hold information about criminal convictions. If it becomes necessary to do so, the Institute will only use this information where it has a legal basis for processing the information. This will usually be where such processing is necessary to carry out the Institute’s obligations. Less commonly, the Institute may use information relating to criminal convictions where it is necessary in relation to legal claims, where it is necessary to protect an applicant’s interests (or someone else’s interests) and the applicant is not capable of giving consent, or where the applicant has already made the information public.

The Institute does not require consent from applicants to process most types of applicant data. In addition, the Institute will not usually need consent to use special categories of personal information in order to carry out legal obligations or exercise specific rights in the field of employment law.

In limited circumstances, applicants may be asked for written consent to process sensitive data. In those circumstances, applicants will be provided with full details of the information that sought and the reason it is needed, so that applicants can carefully consider whether to consent.

Where applicants have provided consent to the collection, processing and transfer of personal information for a specific purpose, they have the right to withdraw consent for that specific processing at any time. Once the Institute has received notification of withdrawal of consent it will no longer process information for the purpose or purposes originally agreed to, unless it has another legitimate basis for doing so in law.

The Institute does not envisage that any decisions will be taken about applicants using automated means, however applicants will be notified if this position changes.

The Institute will collect personal information about applicants through the application and recruitment process, either directly from candidates or sometimes from an employment agency or background check provider. The Institute may sometimes collect additional information from third parties including former employers, credit reference agencies or the background agency used by the Institute, Hire Right. 

From time to time, the Institute may collect additional personal information from an applicant. IIf the Institute requires to obtain additional personal information this policy will be updated or applicants will receive a separate privacy notice setting out the purpose and lawful basis for processing the data.

The Institute will only retain applicants’ personal information for as long as necessary to fulfil the purposes it was collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Details of retention periods for different aspects of personal information are set out in the table of applicant data appended to this policy.

When determining the appropriate retention period for personal data, the Institute will consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of personal data, the purposes for which the personal data is processed, whether the Institute can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances the Institute may anonymise personal information so that it can no longer be associated with individual applicants, in which case the Institute may use such information without further notice to applicants. After the data retention period has expired, the Institute will securely destroy applicants’ personal information.

The Institute has put in place appropriate security measures to prevent personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. Details of these measures are available upon request.

The Institute may share personal information with third parties. The Institute requires third parties to respect the security of applicant data and to treat it in accordance with the law. The Institute may also need to share personal information with a regulator or to otherwise comply with the law.

The Institute may also share applicant data with third-party service providers where it is necessary to administer the working relationship with applicants or where the Institute has a legitimate interest in doing so.  The following activities are carried out by third-party service providers: payroll, pension administration, benefits provision and administration.

The Institute will conduct regular reviews of the information held by it to ensure the relevancy of the information it holds. Applicants are under a duty to inform the Institute of any changes to their current circumstances. Where an Applicant has concerns regarding the accuracy of personal data held by the Institute, the Applicant should contact the HR and People Communication Manager to request an amendment to the data.

Under certain circumstances, applicants have the right to:

• Request access to personal information (commonly known as a “data subject access request”).

• Request erasure of personal information.

• Object to processing of personal information where the Institute is relying on a legitimate interest (or those of a third party) to lawfully process it.

• Request the restriction of processing of personal information.

• Request the transfer of personal information to another party.

If an applicant wishes to make a request on any of the above grounds, they should contact the HR and People Communication Manager in writing. Please note that, depending on the nature of the request, the Institute may have good grounds for refusing to comply. If that is the case, the applicant will be given an explanation by the Institute.

Applicants will not normally have to pay a fee to access personal information (or to exercise any of the other rights). However, the Institute may charge a reasonable fee if the request for access is clearly unfounded or excessive. Alternatively, the Institute may refuse to comply with the request in such circumstances.

The Institute may need to request specific information from the applicant to help confirm their identity and ensure the right to access the information (or to exercise any of the other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

Applicants have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.

The Institute has put in place procedures to deal with any data security breach and will notify applicants and any applicable regulator of a suspected breach where legally required to do so. Details of these measures are available upon request.