Recruitment Records - Privacy Notice
This Privacy notice is intended to inform you how Young Epilepsy and St Piers School & College will use the personal data as part of the recruitment process.
If you have any queries or concerns, further guidance is available from, the Recruitment team or the Data Protection Officer using the details provided
Information Governance Standards
Please find below details of the standards Young Epilepsy and St Piers School & College meet when using personal data
Data Protection
Young Epilepsy endeavours to meet the highest standards when collecting and using personal information. We are are committed to upholding the standards and regulations embodied in the Data Protection Act 2018 (DPA 2018) and the General Data Protection Regulation (UK GDPR). Personal data will therefore at all times be:-
Young Epilepsy will furthermore:-
Individual Rights
Under the DPA 2018 and the UK GDPR you have the right to:
There are two additional rights with regard to automated decision making and data portability. With regard to these Young Epilepsy will not use student information for automated decision making or profiling and will not undertake data portability.
Should you wish to exercise any of your Rights, please contact the DPO using the contact details provided.
Further information
Your information is held in a confidential manner with limited access, in accordance with the DPA 2018 and the UK GDPR. We are committed to ensuring that personal data is secure. In order to prevent unauthorised access or disclosure, data will be held on secure servers/cloud storage and we have also put in place appropriate physical, electronic and managerial safeguards to further protect hard copy records.
Information will not ordinarily be processed overseas unless there is a specific request for us to do so, such as a need to send information to an individual or organisation in another country. If information is to be sent overseas then this will be done in accordance with the DPA 2018 and the UK GDPR and under the guidance of the DPO and the IT department.
If you have any queries about how Young Epilepsy uses personal data, please contact the:
T 01342 831234
E. recruitment@youngepilepsy.org.uk
T. 01342 832243 ext. 286
E. sturner@youngepilepsy.org.uk or dpo@youngepilepsy.org.uk
Young Epilepsy is registered with the Information Commissioner’s Office (ICO) under our legal name of the National Centre for Young People with Epilepsy. Our registration number is Z5611618.
Please note that should you be unhappy about the way we implement data protection you have the right to lodge a complaint with the ICO https://ico.org.uk/
Caldicott Principles Statement
At Young Epilepsy we apply the Caldicott Principles to health and social care data, so that every flow of identifiable confidential information is regularly justified and routinely tested against the principles developed in the Caldicott Report.
Principle 1 Justify the purpose(s) for using confidential information.
Principle 2 Only use it when necessary.
Principle 3 Use the minimum that is required.
Principle 4 Access should be on a strict need-to-know basis.
Principle 5 Everyone must understand his or her responsibilities.
Principle 6 Understand and comply with the law.
Principle 7 The duty to share information can be as important as the duty to protect patient confidentiality.
Principle 8 Inform patients and service users about how their confidential information is used
Data Security & Protection Toolkit
As an NHS Business Partner, Young Epilepsy also completes the NHS’ Data Security & Protection Toolkit, which enables organisations to measure and publish their performance against the National Data Guardian's ten Data Security Standards.
All organisations that have access to NHS patient data and systems must use this toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.
Amendments
We may update this privacy notice from time-to-time by posting a new version on our website. You should occasionally check these pages to ensure you are aware of the changes. For more information about how the privacy notice is changed please contact the DPO using the details provided.
Information kept by Young Epilepsy
During the recruitment process, Young Epilepsy will process information about prospective employees as part of the normal recruitment and selection process. These records will include but are not limited to:-
This may be comprised of personal data and special categories of personal data, such as information about health.
What this information is used for?
The information is primarily used for management and administrative purposes to assess your suitability for a role. Information provided about gender, race or ethnic origin, religious beliefs and disabilities may be used, for monitoring purposes.
In accordance with Keeping Children Safe in Education 2022, Young Epilepsy may as part of the hiring process, undertake an online search as part of our due diligence on shortlisted candidates. This will be undertaken for all roles within our St Piers services, where the role holder will work alongside children and young people. The online check will be undertaken by a member of the recruitment team.
If, within 12 months of your initial application, another relevant role should become available then we may use the contact details you have provided to make you aware of this new opportunity.
Source of the personal data
You will have provided some of this information, but some may also be obtained from other people or organisations, for example, former employers or referees.
Sharing information
Routine sharing
The recruitment records will be shared internally with the Interviewing Panel, management teams and the HR department.
Inspections
Young Epilepsy is subject to a number of regulatory standards, such as the CQC, Ofsted, etc. and may therefore allow its records to be inspected as part of that process, to ensure that Young Epilepsy is meeting the necessary standards. Inspectors will be given access to records but only provided with copies in exceptional circumstances, for example, if a safeguarding concern is identified.
Legal obligations
We are also legally obliged to share certain information and, in such cases, will not seek your consent to do so. For example, all safeguarding concerns must be disclosed to the relevant organisations and individuals, such as the Local Authority.
Data Processors
We use data processors, this is an organisation responsible for processing personal data on behalf of Young Epilepsy. It does so under strict instruction from us and our contract ensures that the standards required by Young Epilepsy, the DPA 2018 and the UK GDPR are upheld at all times.
An example of a data processor is iTrent. iTrent provides the software programme used by the HR directorate to process staff and recruitment information. In order to utilise this software we have to upload and record staff and recruitment information.
The growth in cloud technology means that it is likely that the use of data processors will become more common. If you wish to know who our current data processors are please contact the DPO using the details provided.
Complaints/Reviews
Records may also be accessed by independent reviewers, such as when a complaint or other issue is independently investigated.
Anonymisation
Some of the information we hold on our applicants may be anonymised, so that we can share the results more widely. You will not be identifiable in these records.
Retention of records
Recruitment records on prospective employees are held for a period of 12 months. If you secure a job, the recruitment records will pass to the HR Department and will be held under the conditions detailed in the HR retention schedule and Staff Records privacy notice.
Lawful basis
The DPA 2018 and the UK GDPR require us to have a lawful basis for processing your data and these are outlined below.
Employment, social security and social protection law
This supports Young Epilepsy checking potential employees’ right to work in the UK, ensuring the health safety and welfare of employees, maintaining statutory sick pay and maternity pay and deducting union subscriptions from payroll.
Consent/Explicit consent
Any information you provide to our Recruitment team is processed on the basis that its provision indicates explicit consent for us to process it as outlined above.
The legitimate interests of Young Epilepsy.
It is in Young Epilepsy’s legitimate interests to process employee data for administrative and management purposes. This may include allowing your line manager access to part of your HR records in order to monitor your training and other employment activities. It is also in the legitimate interests to use personal data to measure the ethnic diversity of our workforce, absence levels, gender pay gaps etc.
Contract
This data is being processed in the context of a potential employment contract with you.
Legal claims and obligations
Where the processing is necessary to establish, defend or exercise legal claims or where ordered by a court or tribunal.
Public Interest
Where the processing meets one of the 23 conditions set out in Schedule One, paragraphs 6-28 of the DPA 2018
Public health
Where the processing is necessary for public health monitoring and statistics; or responding to new threats to public health, such as epidemics/pandemics.
If you require further information on the above, please contact the Recruitment team.