Recruitment Records - Privacy Notice

This Privacy notice is intended to inform you how Young Epilepsy and St Piers School & College will use the personal data as part of the recruitment process.

If you have any queries or concerns, further guidance is available from, the Recruitment team or the Data Protection Officer using the details provided

Information Governance Standards

Please find below details of the standards Young Epilepsy and St Piers School & College meet when using personal data

Data Protection

Young Epilepsy endeavours to meet the highest standards when collecting and using personal information. We are are committed to upholding the standards and regulations embodied in the Data Protection Act 2018 (DPA 2018) and the General Data Protection Regulation (UK GDPR). Personal data will therefore at all times be:-

Processed lawfully, fairly and in a transparent manner;
Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
Accurate and, where necessary, kept up to date;
Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
Processed in a manner that ensures appropriate security.

Young Epilepsy will furthermore:-

Be responsible for, and be able to demonstrate compliance with the DPA 2018 and the UK GDPR.

Individual Rights

Under the DPA 2018 and the UK GDPR you have the right to:

Be informed (the purpose of this Privacy Notice;
Access your information;
Rectify inaccurate or incomplete data;
Request the erasure of your information;
Restrict how your data is processed; and
To object to the use of your information.

There are two additional rights with regard to automated decision making and data portability. With regard to these Young Epilepsy will not use student information for automated decision making or profiling and will not undertake data portability.

Should you wish to exercise any of your Rights, please contact the DPO using the contact details provided.

Further information

Your information is held in a confidential manner with limited access, in accordance with the DPA 2018 and the UK GDPR. We are committed to ensuring that personal data is secure. In order to prevent unauthorised access or disclosure, data will be held on secure servers/cloud storage and we have also put in place appropriate physical, electronic and managerial safeguards to further protect hard copy records.

Information will not ordinarily be processed overseas unless there is a specific request for us to do so, such as a need to send information to an individual or organisation in another country. If information is to be sent overseas then this will be done in accordance with the DPA 2018 and the UK GDPR and under the guidance of the DPO and the IT department.

If you have any queries about how Young Epilepsy uses personal data, please contact the:

Recruitment team

T 01342 831234

E. recruitment@youngepilepsy.org.uk

Data Protection Officer:

T. 01342 832243 ext. 286

E. sturner@youngepilepsy.org.uk or dpo@youngepilepsy.org.uk

Young Epilepsy is registered with the Information Commissioner’s Office (ICO) under our legal name of the National Centre for Young People with Epilepsy. Our registration number is Z5611618.

Please note that should you be unhappy about the way we implement data protection you have the right to lodge a complaint with the ICO https://ico.org.uk/

Caldicott Principles Statement

At Young Epilepsy we apply the Caldicott Principles to health and social care data, so that every flow of identifiable confidential information is regularly justified and routinely tested against the principles developed in the Caldicott Report.

Principle 1 Justify the purpose(s) for using confidential information.

Principle 2 Only use it when necessary.

Principle 3 Use the minimum that is required.

Principle 4 Access should be on a strict need-to-know basis.

Principle 5 Everyone must understand his or her responsibilities.

Principle 6 Understand and comply with the law.

Principle 7 The duty to share information can be as important as the duty to protect patient confidentiality.

Principle 8 Inform patients and service users about how their confidential information is used

Data Security & Protection Toolkit

As an NHS Business Partner, Young Epilepsy also completes the NHS’ Data Security & Protection Toolkit, which enables organisations to measure and publish their performance against the National Data Guardian's ten Data Security Standards.

All organisations that have access to NHS patient data and systems must use this toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.

Amendments

We may update this privacy notice from time-to-time by posting a new version on our website. You should occasionally check these pages to ensure you are aware of the changes. For more information about how the privacy notice is changed please contact the DPO using the details provided.

Information kept by Young Epilepsy

During the recruitment process, Young Epilepsy will process information about prospective employees as part of the normal recruitment and selection process. These records will include but are not limited to:-

Application forms (both digital and hard copy);
Shortlisting and interview documents;
References;
Pre-employment health forms; and
Any correspondence between you and Young Epilepsy.

This may be comprised of personal data and special categories of personal data, such as information about health.

What this information is used for?

The information is primarily used for management and administrative purposes to assess your suitability for a role. Information provided about gender, race or ethnic origin, religious beliefs and disabilities may be used, for monitoring purposes.

In accordance with Keeping Children Safe in Education 2022, Young Epilepsy may as part of the hiring process, undertake an online search as part of our due diligence on shortlisted candidates. This will be undertaken for all roles within our St Piers services, where the role holder will work alongside children and young people. The online check will be undertaken by a member of the recruitment team.

If, within 12 months of your initial application, another relevant role should become available then we may use the contact details you have provided to make you aware of this new opportunity.

Source of the personal data

You will have provided some of this information, but some may also be obtained from other people or organisations, for example, former employers or referees.

Sharing information

Routine sharing

The recruitment records will be shared internally with the Interviewing Panel, management teams and the HR department.

Inspections

Young Epilepsy is subject to a number of regulatory standards, such as the CQC, Ofsted, etc. and may therefore allow its records to be inspected as part of that process, to ensure that Young Epilepsy is meeting the necessary standards. Inspectors will be given access to records but only provided with copies in exceptional circumstances, for example, if a safeguarding concern is identified.

Legal obligations

We are also legally obliged to share certain information and, in such cases, will not seek your consent to do so. For example, all safeguarding concerns must be disclosed to the relevant organisations and individuals, such as the Local Authority.

Data Processors

We use data processors, this is an organisation responsible for processing personal data on behalf of Young Epilepsy. It does so under strict instruction from us and our contract ensures that the standards required by Young Epilepsy, the DPA 2018 and the UK GDPR are upheld at all times.

An example of a data processor is iTrent. iTrent provides the software programme used by the HR directorate to process staff and recruitment information. In order to utilise this software we have to upload and record staff and recruitment information.

The growth in cloud technology means that it is likely that the use of data processors will become more common. If you wish to know who our current data processors are please contact the DPO using the details provided.

Complaints/Reviews

Records may also be accessed by independent reviewers, such as when a complaint or other issue is independently investigated.

Anonymisation

Some of the information we hold on our applicants may be anonymised, so that we can share the results more widely. You will not be identifiable in these records.

Retention of records

Recruitment records on prospective employees are held for a period of 12 months. If you secure a job, the recruitment records will pass to the HR Department and will be held under the conditions detailed in the HR retention schedule and Staff Records privacy notice.

Lawful basis

The DPA 2018 and the UK GDPR require us to have a lawful basis for processing your data and these are outlined below.

Employment, social security and social protection law

This supports Young Epilepsy checking potential employees’ right to work in the UK, ensuring the health safety and welfare of employees, maintaining statutory sick pay and maternity pay and deducting union subscriptions from payroll.

Consent/Explicit consent

Any information you provide to our Recruitment team is processed on the basis that its provision indicates explicit consent for us to process it as outlined above.

The legitimate interests of Young Epilepsy.

It is in Young Epilepsy’s legitimate interests to process employee data for administrative and management purposes. This may include allowing your line manager access to part of your HR records in order to monitor your training and other employment activities. It is also in the legitimate interests to use personal data to measure the ethnic diversity of our workforce, absence levels, gender pay gaps etc.

Contract

This data is being processed in the context of a potential employment contract with you.

Legal claims and obligations

Where the processing is necessary to establish, defend or exercise legal claims or where ordered by a court or tribunal.

Public Interest

Where the processing meets one of the 23 conditions set out in Schedule One, paragraphs 6-28 of the DPA 2018

Public health

Where the processing is necessary for public health monitoring and statistics; or responding to new threats to public health, such as epidemics/pandemics.

If you require further information on the above, please contact the Recruitment team.