Candidate Privacy Policy

INTRODUCTION

Here at Not On The High Street (NOTHS), we collect and process personal data relating to our candidates to consider your application as a candidate and decide who to employ. We’re committed to being transparent about how we collect and use personal data and also to meeting our data protection obligations.

WHAT PERSONAL DATA DO WE COLLECT?

We collect and process a range of information about candidates, including:

● name, address and contact details, including email address, telephone number, date of birth and gender;

● details of your qualifications, skills, experience and employment history;

● information about your nationality and entitlement to work in the UK;

● information about your criminal records;

● national insurance number; and

● information about medical and health conditions, including whether or not you have a disability for which we need to make reasonable adjustments.

HOW DO WE COLLECT PERSONAL DATA?

We collect your personal data in a variety of ways. We collect data through application forms, CVs, your passport and other documents. We also collect data from correspondence with you or through interviews, meetings or other assessments.

In some cases, we collect personal data about you from third parties, such as references supplied by you, former employers, information from employment background check providers and information from criminal records checks permitted by law.

Data is stored in a range of different places, including in your personnel file, in our HR system and in other IT systems (including our email system).

All personnel files are confidential and are stored on a secure drive. Only authorised employees have access to these files using their password-protected accounts. Our People team can provide a list of these authorised employees upon request. We also have network backup procedures in place to ensure that data stored on computers cannot be accidentally lost or destroyed.

WHY DO WE COLLECT PERSONAL DATA?

We need to collect your personal data for numerous reasons. We process your personal data to consider your application as a candidate and decide who to employ, to pursue our legitimate interests or to meet our legal obligations. Please see the table below for our processing activities, our reasons for processing your personal data and the legal basis for doing so.

| Processing activity | Reason for processing | Legal basis |
|---|---|---|
| Retaining all personal and employment related details/documents | To ensure we have accurate records for you when considering your application | Legitimate interests and/or legal obligation to retain documentation, depending on the nature of the documentation |
| Retaining all personal details/documents | To have access to up to date contact and emergency contact details during the application process | Legitimate interests |
| Reference checks | To undertake background checks before/at the beginning of your employment | Legitimate interests |
| Retaining the right to work (RTW) documentation | To ensure we have up to date copies of your RTW documentation | Legal obligation |
| Communications | To keep you updated on the progress of your application. | Legitimate interests |


WHEN IS PERSONAL DATA SHARED?

Your personal data will be shared internally, including with members of the People and Experience team and Exec team, your hiring manager, other managers in the business area in which you may work and IT staff, to the extent that access to data is necessary for the performance of their roles and to consider your application.

We also share your personal data with external suppliers who process data on our behalf, for example, to undertake background checks or to arrange assessments. Please see the table below for a list of our third party partners, our reasons for sharing your personal data with them as well as information on international data transfers and the reassurance that safeguards are in place to protect your personal data where it is transferred outside of the European Economic Area (EEA).

| Name of third party | Reason for sharing personal data | Is data transferred outside EEA? | Are safeguards in place to protect international data transfer? |
|---|---|---|---|
| Docusign | To provide an efficient way of sharing and arranging signature of documents | Yes | Yes |
| Google Workspace | To process your application we share data and collaborate on the recruitment process using Google Workspace | Yes | Yes |
| Lever | To provide NOTHS with an applicant tracking system for recruitment purposes | Yes | Yes |
| Slack | To process your application we share data and collaborate on the recruitment process using Slack | Yes | Yes |
| Trello | To coordinate technical assessments | Yes | Yes |
| Vero | To complete background checks (references) | No | N/A |
| Willis Tower Watson | To support us in organising any occupational health assessments | Yes | Yes |


WHAT RIGHTS DO YOU HAVE?

As a data subject and a candidate of NOTHS, you have a number of rights in relation to your personal data. These include the right to rectify inaccurate data and the right to request access to your data (a subject access request). Please see the Information Security Policy for more details on these rights.

If you would like to request any of your rights, please contact a member of the legal team.

HOW LONG IS PERSONAL DATA RETAINED FOR?

Our overriding principle is to retain your personal data only for as long as is necessary for the purposes for which your personal data was originally collected. Personal data obtained as part of your application and any subsequent interview process will be retained for 12 months from the date of your application. If successful, your personal data will be processed in line with our Employee Privacy Notice accessible on our intranet.


AUTOMATED DECISION-MAKING

We do not base any decisions during your employment on automated decision-making.

IMPACT ASSESSMENTS

When considering changes that we consider may substantially impact your privacy (e.g. engaging a new benefit supplier), we will carry out a data protection impact assessment to determine the necessity and proportionality of processing. This will include considering the purposes for which the activity is carried out, the risks for you and any measures that can be put in place to mitigate those risks.

DATA BREACHES

UK GDPR requires us to notify any personal data breaches to the applicable regulator and, in certain instances, you. We have put in place procedures to deal with any suspected personal data breaches and will notify you or any applicable regulator where we are legally required to do so.

If you have any questions or concerns please reach out to the People team or your hiring manager.

YOUR RESPONSIBILITIES

You are responsible for helping us keep your personal data up to date. You should let us know if any data you have provided to us changes, for example, if you move house.

Last updated: April 2023