Privacy Policy

Recruitment Records - Privacy Notice



This Privacy notice is intended to inform you how Young Epilepsy and St Piers School & College will use the personal data as part of the recruitment process.



If you have any queries or concerns, further guidance is available from, the Recruitment team or the Data Protection Officer using the details provided



Information Governance Standards



Please find below details of the standards Young Epilepsy and St Piers School & College meet when using personal data



Data Protection



Young Epilepsy endeavours to meet the highest standards when collecting and using personal information. We are are committed to upholding the standards and regulations embodied in the Data Protection Act 2018 (DPA 2018) and the General Data Protection Regulation (UK GDPR). Personal data will therefore at all times be:-



  • Processed lawfully, fairly and in a transparent manner;
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • Accurate and, where necessary, kept up to date;
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
  • Processed in a manner that ensures appropriate security.


Young Epilepsy will furthermore:-



  • Be responsible for, and be able to demonstrate compliance with the DPA 2018 and the UK GDPR.


Individual Rights



Under the DPA 2018 and the UK GDPR you have the right to:



  • Be informed (the purpose of this Privacy Notice;
  • Access your information;
  • Rectify inaccurate or incomplete data;
  • Request the erasure of your information;
  • Restrict how your data is processed; and
  • To object to the use of your information.


There are two additional rights with regard to automated decision making and data portability. With regard to these Young Epilepsy will not use student information for automated decision making or profiling and will not undertake data portability.



Should you wish to exercise any of your Rights, please contact the DPO using the contact details provided.



Further information



Your information is held in a confidential manner with limited access, in accordance with the DPA 2018 and the UK GDPR. We are committed to ensuring that personal data is secure. In order to prevent unauthorised access or disclosure, data will be held on secure servers/cloud storage and we have also put in place appropriate physical, electronic and managerial safeguards to further protect hard copy records.



Information will not ordinarily be processed overseas unless there is a specific request for us to do so, such as a need to send information to an individual or organisation in another country. If information is to be sent overseas then this will be done in accordance with the DPA 2018 and the UK GDPR and under the guidance of the DPO and the IT department.



If you have any queries about how Young Epilepsy uses personal data, please contact the:



  • Recruitment team


T 01342 831234



E. recruitment@youngepilepsy.org.uk



  • Data Protection Officer:


T. 01342 832243 ext. 286



E. sturner@youngepilepsy.org.uk or dpo@youngepilepsy.org.uk



Young Epilepsy is registered with the Information Commissioner’s Office (ICO) under our legal name of the National Centre for Young People with Epilepsy. Our registration number is Z5611618.



Please note that should you be unhappy about the way we implement data protection you have the right to lodge a complaint with the ICO https://ico.org.uk/



Caldicott Principles Statement



At Young Epilepsy we apply the Caldicott Principles to health and social care data, so that every flow of identifiable confidential information is regularly justified and routinely tested against the principles developed in the Caldicott Report.



Principle 1 Justify the purpose(s) for using confidential information.



Principle 2 Only use it when necessary.



Principle 3 Use the minimum that is required.



Principle 4 Access should be on a strict need-to-know basis.



Principle 5 Everyone must understand his or her responsibilities.



Principle 6 Understand and comply with the law.



Principle 7 The duty to share information can be as important as the duty to protect patient confidentiality.



Principle 8 Inform patients and service users about how their confidential information is used



Data Security & Protection Toolkit



As an NHS Business Partner, Young Epilepsy also completes the NHS’ Data Security & Protection Toolkit, which enables organisations to measure and publish their performance against the National Data Guardian's ten Data Security Standards.



All organisations that have access to NHS patient data and systems must use this toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.



Amendments



We may update this privacy notice from time-to-time by posting a new version on our website. You should occasionally check these pages to ensure you are aware of the changes. For more information about how the privacy notice is changed please contact the DPO using the details provided.



Information kept by Young Epilepsy



During the recruitment process, Young Epilepsy will process information about prospective employees as part of the normal recruitment and selection process. These records will include but are not limited to:-



  • Application forms (both digital and hard copy);
  • Shortlisting and interview documents;
  • References;
  • Pre-employment health forms; and
  • Any correspondence between you and Young Epilepsy.


This may be comprised of personal data and special categories of personal data, such as information about health.



What this information is used for?



The information is primarily used for management and administrative purposes to assess your suitability for a role. Information provided about gender, race or ethnic origin, religious beliefs and disabilities may be used, for monitoring purposes.



In accordance with Keeping Children Safe in Education 2022, Young Epilepsy may as part of the hiring process, undertake an online search as part of our due diligence on shortlisted candidates. This will be undertaken for all roles within our St Piers services, where the role holder will work alongside children and young people. The online check will be undertaken by a member of the recruitment team.



If, within 12 months of your initial application, another relevant role should become available then we may use the contact details you have provided to make you aware of this new opportunity.



Source of the personal data



You will have provided some of this information, but some may also be obtained from other people or organisations, for example, former employers or referees.



Sharing information



Routine sharing



The recruitment records will be shared internally with the Interviewing Panel, management teams and the HR department.



Inspections



Young Epilepsy is subject to a number of regulatory standards, such as the CQC, Ofsted, etc. and may therefore allow its records to be inspected as part of that process, to ensure that Young Epilepsy is meeting the necessary standards. Inspectors will be given access to records but only provided with copies in exceptional circumstances, for example, if a safeguarding concern is identified.



Legal obligations



We are also legally obliged to share certain information and, in such cases, will not seek your consent to do so. For example, all safeguarding concerns must be disclosed to the relevant organisations and individuals, such as the Local Authority.



Data Processors



We use data processors, this is an organisation responsible for processing personal data on behalf of Young Epilepsy. It does so under strict instruction from us and our contract ensures that the standards required by Young Epilepsy, the DPA 2018 and the UK GDPR are upheld at all times.



An example of a data processor is iTrent. iTrent provides the software programme used by the HR directorate to process staff and recruitment information. In order to utilise this software we have to upload and record staff and recruitment information.



The growth in cloud technology means that it is likely that the use of data processors will become more common. If you wish to know who our current data processors are please contact the DPO using the details provided.



Complaints/Reviews



Records may also be accessed by independent reviewers, such as when a complaint or other issue is independently investigated.



Anonymisation



Some of the information we hold on our applicants may be anonymised, so that we can share the results more widely. You will not be identifiable in these records.



Retention of records



Recruitment records on prospective employees are held for a period of 12 months. If you secure a job, the recruitment records will pass to the HR Department and will be held under the conditions detailed in the HR retention schedule and Staff Records privacy notice.



Lawful basis



The DPA 2018 and the UK GDPR require us to have a lawful basis for processing your data and these are outlined below.



Employment, social security and social protection law



This supports Young Epilepsy checking potential employees’ right to work in the UK, ensuring the health safety and welfare of employees, maintaining statutory sick pay and maternity pay and deducting union subscriptions from payroll.



Consent/Explicit consent



Any information you provide to our Recruitment team is processed on the basis that its provision indicates explicit consent for us to process it as outlined above.



The legitimate interests of Young Epilepsy.



It is in Young Epilepsy’s legitimate interests to process employee data for administrative and management purposes. This may include allowing your line manager access to part of your HR records in order to monitor your training and other employment activities. It is also in the legitimate interests to use personal data to measure the ethnic diversity of our workforce, absence levels, gender pay gaps etc.



Contract



This data is being processed in the context of a potential employment contract with you.



Legal claims and obligations



Where the processing is necessary to establish, defend or exercise legal claims or where ordered by a court or tribunal.



Public Interest



Where the processing meets one of the 23 conditions set out in Schedule One, paragraphs 6-28 of the DPA 2018



Public health



Where the processing is necessary for public health monitoring and statistics; or responding to new threats to public health, such as epidemics/pandemics.



If you require further information on the above, please contact the Recruitment team.