For the avoidance of doubt, where this policy refers to GSA, it applies to GSA Ltd and its subsidiaries.
The privacy and security of your personal information is extremely important to us. We are committed to ensuring that your privacy is protected, and we endeavour to use any information that you provide during the recruitment process in accordance with this privacy policy. This privacy policy describes how we collect and use personal information about you during the recruitment process, in accordance with the UK Data Protection Act 2018 and General Data Protection Regulation (GDPR) and applies to all candidates.
This Privacy Notice is for information only; it is not a contractual agreement.
Review of this privacy policy
We may update this privacy notice from time to time as necessary. If you have any questions regarding our privacy policy, please contact us.
Introduction
This privacy policy covers information that could identify you (“personal data”) and information that could not. In the context of the law and this notice, “process” means collect, store, transfer, use or otherwise act on information. It tells you about your privacy rights and how the law protects you. GSA are committed to protecting your privacy and the confidentiality of your personal information. Our policy is not just an exercise in complying with the law, but a continuation of our respect for you and your personal information. Our policy complies with the UK Data Protection Act 2018, including that required by the General Data Protection Regulation (GDPR). Except as set out below, GSA do not share, or sell, or disclose to a third party, any information collected through our website/portal.
Definitions
Data
Recorded, stored information irrespective of the medium by which it is recorded or on which it is stored. It may be on a computer or paper. Having been recorded in writing, it will still be an unlawful disclosure of data if it is subsequently given to someone directly or indirectly, verbally, on the telephone or even left on an answering machine.
Personal Data
Any information about an individual from which they can be identified, either taken on its own or combined with other information held by the data controller, or, in this case, the company. It may be factual data or an expression of opinion or intent. It may be something as simple as a telephone number or a piece of advice, such as (where X is data identifying the individual) “X is not right for this job” or “X should face disciplinary proceedings over this”. It does not have to be negative in nature and would still be personal data if it is complimentary or positive: “X is adjusting well to this difficult situation”.
Sensitive personal data
Data falling within particular categories of personal information, relating to any person’s: racial or ethnic origin; political beliefs, opinions, or affiliations; religious or some philosophical beliefs; membership or non membership of trade unions; participation in, allegations pertaining to or the progress of or sentencing for any criminal acts or proceedings.
Data subject(s)
Any person to whom the personal information relates.
Controller
Global Secure Accreditation Limited is the controller and are responsible for your personal data (collectively referred to as GSA. “we”, “us” or “our” in this privacy notice)
Processing
Any action involving data including the passive retention of it. It denotes all stages from acquiring to disposing of data and all actions in between while the data processor is in control of the data such as recording, maintaining, storing, updating, or amending, disclosing, or deleting it.
Principles
GSA will ensure that all personal data is processed in accordance with the following fundamental principles. The company will:
- Process personal data and sensitive personal data fairly and lawfully, in accordance with the data subject’s rights.
- Ensure that personal data acquired for a specific purpose is adequate for and limited to that specific purpose;
- Update personal data and instigate appropriate and proportionate procedures to keep it up to date.
- Retain personal data no longer than necessary and destroy as appropriate.
- Maintain personal data securely and instigate appropriate and proportionate procedures to prevent loss or misuse;
- Carry out appropriate risk assessments for the transportation and delivery of personal data including transfer to a third party and/or outside the jurisdiction;
- Facilitate access of all personal data held by the Company as lawful and appropriate, at no cost if information is concerning the data subject, and subject to exceptions at the request of a data which is ‘manifestly unfounded or excessive’ upon which payment of a fee will be reasonably determined by the Director of Services or Administration Head.
What information do we collect?
In connection with your application for work with us, we will collect, store, and use the following categories of personal information about you:
- The information you have provided to us in your curriculum vitae and covering letter/email;
- Any information you provide to us during an interview;
- Any information you provide to us via a survey;
- Information you provide in relation to obtaining any level of security vetting or BPSS (“Baseline Personnel Security Standard”) or similar checking; and
- Information you provide in relation to your right to work documentation
We may also collect, store and use the following “special category” of more sensitive personal information:
- Information about your criminal record. This may be obtained via a BPSS or similar screening check.
We collect this personal information from the following sources:
- You, the candidate;
- Recruitment agencies;
- Search consultants;
- Our employment background check provider,
- Our credit reference agency;
- Your named referees; and
- Data from third party publicly accessible sources
All information you provide to us is stored on our secure servers or those of our third-party data storage providers.
Why do we process personal data?
We need to process data to take steps at your request prior to entering into a contract with you. We also need to process your data to enter into a contract with you.
In some cases, we need to process data to ensure that we are complying with our legal obligations. Examples may include:
- we are required to check your eligibility to work in the UK before employment starts;
- we are required to obtain a BPSS or similar screening check which is the required level of screening for any individuals working with or on behalf of a government department before employment starts.
- We have a legitimate interest in processing personal data during the recruitment process and for keeping records of the process. Processing data from you allows us to manage the recruitment process, assess and confirm your suitability for employment and decide to whom to offer a job. We may also need to process data from you to respond to and defend against legal claims.
- We are entitled to carry out a criminal record check as part of BPSS or similar screening in order to satisfy ourselves that there is nothing in your criminal convictions history which makes you unsuitable for the role. We use a third party to do this on our behalf and may receive a copy of their report if
you have consented for us to do so. - Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
- Sometimes, we must process your information to comply with a statutory obligation.
- For example, we may be required to give information to legal authorities if they so request or if they have the proper authorisation such as a search warrant or court order. This may include your personal information.
We will not use your data for any purpose other than the recruitment exercise for which you have applied.
Who has access to data?
Your information will be shared internally or to certain external parties for the purposes of the recruitment exercise.
Internally this includes members of the HR and recruitment team, interviewers involved in the recruitment process, managers in the business area with a vacancy and IT staff if access to the data is necessary for the performance of their roles.
If your application for employment is successful and we make you an offer of employment, we will then share your data with former employers to obtain references for you and our employment background check provider to obtain necessary background checks, including a criminal record check as part of BPSS or similar screening, if required. All our third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies.
Your information may also be shared externally with a government entity with whom we have a contract, and where you are applying for a role within that contract. In these circumstances, the government entity may require a BPSS or similar screening check to be undertaken and/or a level of security vetting to be obtained before employment. In this situation your application for employment may be conditional on obtaining the BPSS or similar screening, and security vetting which will require us to share information with those relevant third parties.
How do we protect data?
We take the security of your data seriously. We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
For how long do we keep data?
If your application for employment is unsuccessful, we will hold your data on file for 12 months after the end of the relevant recruitment process or for 12 months after you participated in a relevant survey. After this period, we will securely destroy your personal information in accordance with our data retention policy.
If we wish to retain your personal information on file, on the basis that a further opportunity may arise in future and we may wish to consider you for that, we will write to you separately, seeking your explicit consent to retain your personal information for a fixed period on that basis. If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your personnel file. The periods for which your data will be held will be in accordance with the relevant Acts.
Subject Access Requests
Under certain circumstances, all data subjects have rights under data protection laws in relation to your personal data. These include:
Request Access
All data subjects have the legal right to request details of information held about them by the company. This enables them to receive a copy of the personal data that we hold about them and to check that we are lawfully processing it. Any subject access requests received by managers or other employees should be referred to the Office Manager. The company will respond to any subject access requests promptly, and in any event within a month of the request.
Data Correction
You have the right to require us to rectify any inaccurate personal information we hold about you. You also have the right to have incomplete personal information we hold about you completed, by providing a supplementary statement to us.
Erasure of Data
This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. If you would like us to destroy information held about you, please let us know. However, please note that if you use any of our services which require you to provide personal information, deleting our records will mean that you will need to resubmit it to continue using such services. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
Processing Restriction
This enables you to ask us to suspend the processing of your personal data in the following scenarios:
(a) if you want us to establish the data’s accuracy;
(b) where our use of the data is unlawful, but you do not want us to erase it.
(c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
(d) you have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to use it.
All requests will be handled without undue delay and at the latest within one month of receipt of the request or (if later) within one month of receipt of:
- any requested information to clarify the request.
- any information requested to confirm the requester’s identity.
Data Breach Notification
GSA shall immediately inform the relevant parties/entities in writing and by e-mail of any Personal Data Breach of which the Company becomes aware, but in no case longer than twenty-four (24) hours after it becomes aware of the Personal Data Breach. The notification to the relevant parties shall include all available information regarding such Personal Data Breach, including information on:
- the nature of the Personal Data Breach including where possible, the categories and approximate number of affected Data Subjects and the categories and approximate number of affected Personal Data records;
- the likely consequences of the Personal Data Breach; and
- the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
GSA shall promptly take all necessary and advisable corrective actions and shall cooperate fully with the relevant parties/entities in all reasonable and lawful efforts to prevent, mitigate or rectify such a breach.
Sale of Business
If our business is sold, we will transfer your personal information to a third party:
- if we sell or buy any business or assets, we will provide your personal information to the seller or buyer (but only to the extent we need to, and always in accordance with data protection legislation); or
- if GSA or the majority of its assets are acquired by somebody else, in which case the personal information held by GSA will be transferred to the buyer.
We process your personal information for this purpose because we have a legitimate interest to ensure our business can be continued by the buyer. If you object to our use of your personal information in this way, the relevant seller or buyer of our business may not be able to provide services to you.
In some circumstances we may also need to share your personal information if we are under a duty to disclose or share it to comply with a legal obligation.
Contact us
We welcome your views about our website and our privacy policy.
If you would like to contact us with any queries or comments, please send an e-mail to [email protected] or alternatively write to GSA, One Croydon, 12-16 Addiscombe Road, Croydon, CR0 0XT. To find out more about your rights under the GDPR, visit the Information Commissioner’s website (www.ico.org.uk)