CANDIDATE PRIVACY NOTICE

INTRODUCTION

Here at notonthehighstreet.com (NOTHS), we collect and process personal data relating to our candidates to consider your application as a candidate and decide who to employ. We’re committed to being transparent about how we collect and use personal data and also to meeting our data protection obligations.

WHAT PERSONAL DATA DO WE COLLECT?

We collect and process a range of information about candidates, including:

● name, address and contact details, including email address, telephone number, date of birth and gender;

● details of your qualifications, skills, experience and employment history;

● information about your nationality and entitlement to work in the UK;

● information about your criminal records;

● national insurance number; and

● information about medical and health conditions, including whether or not you have a disability for which we need to make reasonable adjustments.

HOW DO WE COLLECT PERSONAL DATA?

We collect your personal data in a variety of ways. We collect data through application forms, CVs, your passport and other documents. We also collect data from correspondence with you or through interviews, meetings or other assessments.

In some cases, we collect personal data about you from third parties, such as references supplied by you, former employers, information from employment background check providers and information from criminal records checks permitted by law.

Data is stored in a range of different places, including in your personnel file, in our HR system and in other IT systems (including our email system).

All personnel files are confidential and are stored on a secure drive. Only authorised employees have access to these files using their password protected accounts. Our People team can provide a list of these authorised employees upon request. We also have network backup procedures in place to ensure that data stored on computers cannot be accidentally lost or destroyed.

WHY DO WE COLLECT PERSONAL DATA?

We need to collect your personal data for numerous reasons. We process your personal data to consider your application as a candidate and decide who to employ, to pursue our legitimate interests or to meet our legal obligations. Please see the table below for our processing activities, our reasons for processing your personal data and the legal basis for doing so.


| Processing Activity | Reason for processing | Legal basis |
| --- | --- | --- |
| Retaining all personal and employment related details/documents | To ensure we have accurate records for you when considering your application | Legitimate interests and/or legal obligation to retain documentation, depending on the nature of the documentation |
| Retaining all personal details/documents | To have access to up to date contact and emergency contact details during the application process | Legitimate interests |
| Reference checks | To undertake background checks before/at the beginning of your employment | Legitimate interests |
| Retaining right to work (RTW) documentation | To ensure we have up to date copies of your RTW documentation | Legal obligation |
| Communications | To keep you updated on the progress of your application. | Legitimate interests |

WHEN IS PERSONAL DATA SHARED?

Your personal data will be shared internally, including with members of the People and Experience team and Exec team, your hiring manager, other managers in the business area in which you may work and IT staff, to the extent that access to data is necessary for the performance of their roles and to consider your application.

We also share your personal data with external suppliers who process data on our behalf, for example to undertake background checks or to arrange assessments. Please see the table below for a list of our third party partners, our reasons for sharing your personal data with them as well as information on international data transfers and the reassurance that safeguards are in place to protect your personal data where it is transferred outside of the European Economic Area (EEA).



| Name of third party | Reason for sharing personal data | Is data transferred outside EEA? | Are safeguards in place to protect international data transfer? |
| --- | --- | --- | --- |
| Docusign | To provide an efficient way of sharing and arranging signature of documents | Yes | Yes |
| Google Workspace | To process your application we share data and collaborate on the recruitment process using Google Workspace | Yes | Yes |
| Lever | To provide NOTHS with an applicant tracking system for recruitment purposes | Yes | Yes |
| Slack | To process your application we share data and collaborate on the recruitment process using Slack | Yes | Yes |
| Trello | To coordinate technical assessments | Yes | Yes |
| Vero | To complete background checks (references) | No | N/A |
| Willis Towers Watson | To support us in organising any occupational health assessments | Yes | Yes |

WHAT RIGHTS DO YOU HAVE?

As a data subject and a candidate of NOTHS, you have a number of rights in relation to your personal data. These include the right to rectify inaccurate data and the right to request access to your data (a subject access request). Please see the Information Security Policy for more details on these rights.

If you would like to request any of your rights, please contact a member of the legal team.

HOW LONG IS PERSONAL DATA RETAINED FOR?

Your personal data will be retained for different periods of time, depending on the nature of the data. Our overriding principle is to retain your personal data only for as long as is necessary for the purposes for which your personal data was originally collected. Please see the table below, which states our retention periods for certain types of personal data:


| Category of your personal data | Retention period |
| --- | --- |
| Identifiable information on your personnel file | 6 years |

AUTOMATED DECISION-MAKING

We do not base any decisions during your employment on automated decision-making.

IMPACT ASSESSMENTS

When considering changes that we consider may substantially impact your privacy (e.g. engaging a new benefit supplier), we will carry out a data protection impact assessment to determine the necessity and proportionality of processing. This will include considering the purposes for which the activity is carried out, the risks for you and any measures that can be put in place to mitigate those risks.

DATA BREACHES

UK GDPR requires us to notify any personal data breaches to the applicable regulator and, in certain instances, you. We have put in place procedures to deal with any suspected personal data breaches and will notify you or any applicable regulator where we are legally required to do so.

If you have any questions or concerns please reach out to the People team or your hiring manager.

YOUR RESPONSIBILITIES

You are responsible for helping us keep your personal data up to date. You should let us know if any data you have provided to us changes, for example if you move house.

Last updated: 6 May 2021