Company Name: ScotNursing Limited (‘the Company’)
Company Contact details:
Paula Lickrish (firstname.lastname@example.org) or Charlotte Rushforth (email@example.com)
0141 255 1222
Privacy Notice (including for use on the company website)
The Company is a recruitment business which provides work-finding services to its clients and work-seekers. The Company must process personal data (including sensitive personal data) so that it can provide these services – in doing so, the Company acts as a data controller.
You may give your personal details to the Company directly, such as on an application or registration form or via our website, or we may collect them from another source such as a jobs board. The Company must have a legal basis for processing your personal data. For the purposes of providing you with work-finding services and/or information relating to roles relevant to you we will only use your personal data in accordance with this privacy statement. At all times we will comply with current data protection laws.
1. Collection and use of personal data
a. Purpose of processing and legal basis
b. Legitimate interest
c. Statutory/contractual requirement
d. Recipients of data
2. Information to be provided when data is not collected directly from the data subject
a. Categories of data
b. Sources of data
3. Data retention
4. Your rights
5. Cookies
6. Log files
7. Links to external websites
8. Sale of the business
9. Data security
10. Changes to this privacy statement
11. Complaints or queries
1. Collection and use of personal data
a. Purpose of processing and legal basis
The Company will collect your personal data (which may include sensitive personal data) and will process your personal data for the purposes of providing you with work-finding services. This includes for example, contacting you about job opportunities, assessing your suitability for those opportunities, updating our databases, putting you forward for job opportunities, arranging payments to you and developing and managing our services and relationship with you and our clients.
If you have opted in, we may also send you marketing information and news via email/text. You can opt out from receiving these at any time by clicking “unsubscribe” when you receive these communications from us.
In some cases we may be required to use your data for the purpose of investigating, reporting and detecting crime and also to comply with laws that apply to us. We may also use your information during the course of internal audits to demonstrate our compliance with certain industry standards.
We must have a legal basis to process your personal data. The legal bases we rely upon to offer our work-finding services to you are:
• Your consent
• Where we have a legitimate interest
• To comply with a legal obligation that we have
• To fulfil a contractual obligation that we have with you
b. Legitimate interest
This is where the Company has a legitimate reason to process your data, provided it is reasonable and does not go against what you would reasonably expect from us. Where the Company relies on a legitimate interest to process your personal data, our legitimate interests are as follows:
• Managing our database and keeping work-seeker records up to date;
• Providing work-finding services to you and our clients;
• Contacting you to seek your consent where we need it;
• Giving you information about similar products or services that you have used from us recently.
c. Statutory/contractual requirement
The Company has certain legal and contractual requirements to collect personal data (e.g. to comply with the Conduct of Employment Agencies and Employment Businesses Regulations 2003, immigration and tax legislation, and in some circumstances safeguarding requirements.) Our clients may also require this personal data, and/or we may need your data to enter into a contract with you. If you do not give us personal data we need to collect we may not be able to continue to provide work-finding services to you.
d. Recipients of data
The Company will process your personal data and/or sensitive personal data with the following recipients:
• Clients (whom we may introduce or supply you to);
• Former employers whom we may seek references from;
• Payroll service providers who manage payroll on our behalf or other payment intermediaries whom we may introduce you to;
• Other recruitment agencies in the supply chain;
• The Company’s Insurers and legal advisors;
• Public information sources including the NMC and SSSC;
• Government, law enforcement agencies and other regulators, e.g. the Police, HMRC;
• Trade Unions (where applicable)
2. Information to be provided when data is not collected directly from the data subject
Categories of data: The Company has collected the following personal data on you:
• Date of birth;
• Contact details, including telephone number, email address and postal address;
• Experience, training and qualifications;
• CV; and
• National insurance number.
Sensitive personal data:
• Disability/health condition relevant to the role;
• Convictions disclosed on a PVG (Protecting Vulnerable Groups) scheme record;
• Gender (only where a particular gender has been requested by a client, i.e. a female nurse/carer required for an elderly female client);
• Religious beliefs (only where a client has requested a nurse/carer with a particular religious belief).
Source of the personal data: The Company sourced your personal data/sensitive personal data:
• From Gumtree, s1, Indeed jobs boards, LinkedIn, Facebook, Instagram, Twitter;
• A former employer;
• A referee whose details you previously provided to us;
• Software providers who we use to support our services including Eclipse and Microsoft Office;
• Cookies listed in section 5.
3. Data retention
The Company will retain your personal data only for as long as is necessary for the purpose for which we collected it. Different laws may also require us to keep different data for different periods of time. For example, the Conduct of Employment Agencies and Employment Businesses Regulations 2003 require us to keep work-seeker records for at least one year from (a) the date of their creation or (b) the date on which we last provided you with work-finding services.
We must also keep your payroll records, holiday pay, sick pay and pensions auto-enrolment records for as long as is legally required by HMRC and associated national minimum wage, social security and tax legislation. This is currently 3 to 6 years.
Where the Company has obtained your consent to process your personal/sensitive personal data, we will do so in line with our retention policy (a copy of which is attached). Upon expiry of that period the Company will seek further consent from you. Where consent is not granted the Company will cease to process your personal data/sensitive personal data.
4. Your rights
Please be aware that you have the following data protection rights:
• The right to be informed about the personal data the Company processes on you;
• The right of access to the personal data the Company processes on you;
• The right to rectification of your personal data;
• The right to erasure of your personal data in certain circumstances;
• The right to restrict processing of your personal data;
• The right to data portability in certain circumstances;
• The right to object to the processing of your personal data that was based on a public or legitimate interest;
• The right not to be subjected to automated decision making and profiling; and
• The right to withdraw consent at any time.
Where you have consented to the Company processing your personal data/sensitive personal data you have the right to withdraw that consent at any time by contacting Paula Lickrish (firstname.lastname@example.org). Please note that if you withdraw your consent to further processing that does not affect any processing done prior to the withdrawal of that consent, or which is done according to another legal basis.
There may be circumstances where the Company will still need to process your data for legal or official reasons. Where this is the case, we will tell you and we will restrict the data to only what is necessary for those specific reasons.
If you believe that any of your data that the Company processes is incorrect or incomplete, please contact us using the details above and we will take reasonable steps to check its accuracy and correct it where necessary.
You can also contact us using the above details if you want us to restrict the type or amount of data we process for you, access your personal data or exercise any of the other rights listed above.
5. Cookies
We may obtain data about you from cookies. These are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site. Cookies also enable us to deliver more personalised content.
The table below explains the cookies we use and why.
Cookie Name Purpose More information
Most web browsers allow some control of most cookies through the browser settings.
6. Log files
We use IP addresses to analyse trends, administer the site, track users’ movements around the site, and gather broad demographic information for aggregate use. Although an IP address can itself be personal data, we do not link IP addresses to the other personal data we hold about you.
7. Links to external websites
The Company’s website may contain links to other external websites. Please be aware that the Company is not responsible for the privacy practices of such other sites. When you leave our site we encourage you to read the privacy statement of every website that collects personally identifiable information. This privacy statement applies solely to information collected by the Company’s website.
8. Sale of business
If the Company’s business is sold or integrated with another business your details may be disclosed to our advisers and any prospective purchasers and their advisers and will be passed on to the new owners of the business.
9. Data Security
The Company takes reasonable precautions to protect our users’ information. Our password policy can be found in our Quality System Management documentation or at our Head Office; a firewall restricts staff internet access to the sites required for their work; and user access to files is restricted so that staff can only open the documents they need for their role.
Only employees who need the information to perform a specific job (for example, consultants, our accounts clerk or a marketing assistant) are granted access to your information.
The Company uses all reasonable efforts to safeguard your personal information. However, you should be aware that the use of email and the Internet is not entirely secure, and for this reason the Company cannot guarantee the security or integrity of any personal information which is transferred from you or to you via email or the Internet.
If you share a device with others we recommend that you do not select the “remember my details” function when that option is offered.
If you have any questions about the security at our website, you can email email@example.com.
10. Changes to this privacy statement
We will update this privacy statement from time to time. We will post any changes on the statement with revision dates. If we make any material changes, we will notify you.
11. Complaints or queries
If you wish to complain about this privacy notice or any of the procedures set out in it please contact: Paula Lickrish, Call Centre Manager (firstname.lastname@example.org).
You also have the right to raise concerns with the Information Commissioner’s Office on 0303 123 1113 or at https://ico.org.uk/concerns/, or with any other relevant supervisory authority should your personal data be processed outside of the UK, if you believe that your data protection rights have not been adhered to.
NOTES – delete these notes from the privacy notice when published
Section no. Explanation
1. Company name/contact details You must include the identity and contact details of your company, any of the controller’s representatives and the data protection officer where applicable.
A “representative” for this purpose is an external individual or company based in the EU who you have appointed to represent your organisation with regard to your obligations under the GDPR.
2. Purpose of processing You must confirm why you will process the personal data and the legal basis you have for processing. The six lawful bases to process personal data and sensitive personal data can be found at Annex A.
N.B. Annex A is for reference purposes only, it does not need to be included in the privacy notice and can be deleted from this document.
The ICO have produced a legal basis interactive tool which may assist you.
3. Marketing information See the DP8 Marketing Procedure for detailed information on sending marketing communications to individuals. In brief, you can send marketing information to individuals if:
1. You have their consent to send these communications; or
2. You can rely on the “soft opt-in” exception where you have had a previous commercial relationship i.e. sold them a service or product (which may not apply to work-seekers where you have only provided a work-finding service).
Other rules apply to marketing to organisations.
4. Consent Consent is just one of six legal bases for processing personal data. To be valid, consent must be freely given, informed, specific and given by affirmative action (i.e. not silence or pre-ticked boxes). Individuals can withdraw their consent at any time, which prevents the organisation from further processing any data collected on the basis of consent. It will not always be appropriate to rely on consent, so organisations should consider whether there is a more appropriate legal basis such as legitimate interests or performance of a contract.
For more detailed advice please see the ICO guidance on consent.
If you wish to rely on consent use Model Document DP6 to obtain consent.
5. Legitimate interest Where the processing of an individual’s personal data is based on a legitimate interest then the Company must set out the legitimate interests that they or a third party have pursued to process the data.
This can include for example:
• Managing your database and keeping work-seeker records up to date;
• Contacting the individual to seek your consent where you need it;
• Providing work-finding services to the individual, including sending their information to your clients where they have demonstrated an interest in doing that particular type of work but not expressly consented to you passing on their cv;
• Contacting the individual with information about similar products or services that they have used from you recently; and
• Passing work-seeker’s information to debt collection agencies.
Legitimate interests is quite broad and therefore flexible. However, this does not mean it should be used without proper consideration, and so organisations that wish to rely on legitimate interests should carry out a legitimate interests assessment.
Please note that legitimate interests alone cannot be relied on to process sensitive personal data; one of the separate conditions for processing sensitive personal data (see Annex A, part b) must also be met.
Please see the new ICO guidance on legitimate interests. We copy below an extract from that guidance:
What is the ‘legitimate interests’ basis?
Article 6(1)(f) gives you a lawful basis for processing where:
“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
This can be broken down into a three-part test:
1. Purpose test: are you pursuing a legitimate interest?
2. Necessity test: is the processing necessary for that purpose?
3. Balancing test: do the individual’s interests override the legitimate interest?
A wide range of interests may be legitimate interests. They can be your own interests or the interests of third parties, and commercial interests as well as wider societal benefits. They may be compelling or trivial, but trivial interests may be more easily overridden in the balancing test.
The GDPR specifically mentions use of client or employee data, marketing, fraud prevention, intra-group transfers, or IT security as potential legitimate interests, but this is not an exhaustive list. It also says that you have a legitimate interest in disclosing information about possible criminal acts or security threats to the authorities.
‘Necessary’ means that the processing must be a targeted and proportionate way of achieving your purpose. You cannot rely on legitimate interests if there is another reasonable and less intrusive way to achieve the same result.
You must balance your interests against the individual’s interests. In particular, if they would not reasonably expect you to use data in that way, or it would cause them unwarranted harm, their interests are likely to override yours. However, your interests do not always have to align with the individual’s interests. If there is a conflict, your interests can still prevail as long as there is a clear justification for the impact on the individual.
6. Statutory/contractual requirement You need to inform the individual if the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract. Recruitment businesses must collect certain personal data to meet statutory obligations, such as the Conduct of Employment Agencies and Employment Businesses Regulations 2003 – for example, they have to check identity, right to work, suitability for the role, qualifications and experience.
You will also need to inform the individual whether they are obliged to provide the personal data and the possible consequences of failure to provide such data. In reality, if a recruitment business does not or cannot do all of these checks it may not be able to introduce or supply a work seeker to a client.
7. Recipient of data Where you have processed the individual’s data with a third party you will be obliged to inform the individual who such recipients or categories of recipients of that data are.
These can include for example:
• Clients that you introduce or supply individuals to (if you supply into a particular sector, you can choose to give examples, e.g. schools, nurseries, hospitals, care homes, local authorities, warehouses; you do not need to name each individual client);
• Candidates’ former or prospective new employers that you obtain or provide references to
• The Recruitment and Employment Confederation (and any other trade body that you are a member of who may have access to your candidates’ data)
• Any other third parties who carry out audits to ensure that you run your business correctly or in line with your
• Payroll service providers who manage your payroll on your behalf
• Any umbrella companies that you pass candidate data to
• Other recruitment agencies in the supply chain (e.g. master/neutral vendors and second tier suppliers);
• Your insurers
• Your legal advisers
• Social networks
• Your IT and CRM providers
• Any public information sources and third party organisations that you may use to carry out suitability checks on work-seekers e.g. Companies House, the Disclosure and Barring Service (DBS), National College for Teaching and Leadership (NCTL), Nursing and Midwifery Council (NMC), General Medical Council (GMC), DVLA, credit reference agencies
• Government, law enforcement agencies and other regulators, e.g. the Police, Home Office, HMRC, Employment Agencies Standards Inspectorate (EASI), Local Authority Designated Officers (LADOs), GLAA;
• Trade unions;
• Any of your group companies; and
• Any other organisations an individual asks you to share their data with. Please note that this is not an exhaustive list. You will need to examine your recruitment practices and identify any parties that you process personal data with.
8. Section 2 – Categories and sources of data Where you collect data from the individual directly you must give them the privacy notice at the time you collect the data.
Section 2 – If you collect data from other sources you must give the individual information on both the categories and the sources of personal data you hold. You must do this within one month of collecting the data, or when you first communicate with the data subject if that is before one month expires. If you disclose the personal data to a third party and that disclosure happens before the one month expires, then you must give the transparency information no later than the first disclosure.
You can include the information set out in section 2 in your privacy statement to all if you wish (and if it is easier) but you must make sure to keep the individual informed if and when you collect other data from other sources.
9. Use of jobs boards and LinkedIn Please see the ICO Guidance on legitimate interests for an explanation of how recruiters can legitimately continue to use jobs boards and networking sites such as LinkedIn.
10. Overseas transfers The GDPR only allows the transfer of personal data to countries outside of the EU/EEA in specific circumstances:
1. The European Commission has decided that a country ensures an ‘adequate level of protection’ of personal data. A list of the third countries, territories and international organisations that the European Commission has found to provide an adequate level of protection is available on the European Commission’s website. The countries currently listed include Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US.
2. In the absence of an adequacy decision, a data controller and data processor have provided appropriate safeguards and have made available to data subjects enforceable data subject rights and effective legal remedies. ‘Appropriate safeguards’ may include the following:
• a legally binding agreement between public authorities or bodies;
• binding corporate rules;
• standard data protection clauses adopted by the European Commission;
• standard data protection clauses adopted by a supervisory authority and approved by the European Commission;
• subject to authorisation from the competent supervisory authority, appropriate safeguards may also include:
o Contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation that have been authorised by a competent supervisory authority;
o Provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.
3. In the absence of an adequacy decision or appropriate safeguards, the:
• data subject has given his/her explicit consent to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
• transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request;
• transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another legal person;
• transfer is necessary for important reasons of public interest;
• transfer is necessary for the establishment, exercise or defence of legal claims;
• transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
• transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultations are fulfilled in the particular case.
Further information can be found in Articles 44 – 50 of the General Data Protection Regulation (GDPR).
Please speak with your IT team/ provider to check if data is transferred outside the EEA.
11. Data retention You must set out how long you will store personal data for, or if that is not possible, how you decide how long to store the data.
As a recruitment business you must keep specific data for certain time periods for the purposes of the Conduct Regulations and tax legislation etc. If you process data for specified periods not already listed in this section then add this here.
The REC has produced a record keeping table that you may find useful in helping you determine how long you intend to retain data.
Please note that the REC Legal team will not produce a retention policy for members. You will need to determine your own retention policy based on your business needs and any specific sector requirements.
12. Data retention – “do not supply lists”
Recruiters sometimes keep lists of work-seekers they no longer wish to supply or introduce to clients, i.e. a “do not supply list”. The GDPR does not expressly prevent keeping such a list, but recruiters must have a legal basis for processing the data on that list (be aware, though, that there may be other reasons for not keeping a list, such as potentially breaching the Equality Act 2010 if individuals with protected characteristics are included on the list for no reason other than those protected characteristics). For example, the recruitment business will have a legitimate interest in recording safeguarding issues (there would also be a public interest in that), but this is quite different from recording someone’s state of dress which someone objected to, or the fact that a client merely did not like them. If allegations were ever made against an individual, were those allegations properly investigated prior to their inclusion on such a list?
If the recruitment business receives a subject access request, it would have to reveal if an individual was on a “do not supply list”. So, be careful about who and what is put on those lists and why – you must be able to justify keeping such a list and justify an individual’s inclusion on that list.
13. Your rights You must tell the individual of their rights under current data protection laws, as well as their right to withdraw their consent to processing their personal data at any time.
REC has produced an infographic “Jobseekers – know your data protection rights” which you can also give to individuals.
14. Automated decision-making An individual has the right to know of the existence of any automated decision-making processes, including profiling, which produce legal effects concerning him or her or similarly significantly affect him or her.
If you have subjected the individual to automated decision making or profiling, then you will need to provide meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the individual.
If you have not subjected the individual to automated decision making or profiling you can either delete this section or include a statement to confirm that you do not use automated decision making.
For more information on automated decision making processes please refer to the Article 29 Working Party guidance on automated decision making and profiling.
REC Legal cannot advise you whether any particular software or process that you use is automated decision making or profiling. Please speak with your IT team or software provider for more information.
15. Cookies Although there are different types of cookie, the Information Commissioner defines a cookie as ‘a small file, typically of letters and numbers, downloaded on to a device when the user accesses certain websites. Cookies are then sent back to originating websites on each subsequent visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site.’
The Privacy and Electronic Communications Regulations 2003 were implemented as a result of the Directive 2002/58/EC which sets out the rights of EU citizens when using electronic communications. The 2002 Directive was amended in 2009 and Article 5(3) now states that you must provide clear and comprehensive information about any cookies you are using and you must also obtain consent to store a cookie on a user or subscriber’s device. This was implemented into UK law on 26 May 2012.
Further information can be found on the ICO website and in the ICO Guidance.
16. Complaints The Company must inform the individual of their right to raise a complaint with the relevant supervisory authority (which is the ICO in the UK). However, it is a good idea to ask individuals to make a complaint to the Company so that you can try to resolve the issue internally.
ANNEX A – Lawful bases for processing (for reference only; see note 2)
a) The lawfulness of processing conditions for personal data are:
1. Consent of the individual for one or more specific purposes.
2. Processing is necessary for the performance of a contract with the individual or in order to take steps at the request of the individual to enter into a contract.
3. Processing is necessary for compliance with a legal obligation that the controller is subject to.
4. Processing is necessary to protect the vital interests of the individual or another person.
5. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.
6. Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights or freedoms of the individual which require protection of personal data, in particular where the individual is a child.
b) The lawfulness of processing conditions for sensitive personal data are:
1. Explicit consent of the individual for one or more specified purposes, unless reliance on consent is prohibited by EU or Member State law.
2. Processing is necessary for carrying out data controller’s obligations under employment, social security or social protection law, or a collective agreement, providing for appropriate safeguards for the fundamental rights and interests of the individual.
3. Processing is necessary to protect the vital interests of the individual or another individual where the individual is physically or legally incapable of giving consent.
4. In the course of its legitimate activities, processing is carried out with appropriate safeguards by a foundation, association or any other not-for-profit body, with a political, philosophical, religious or trade union aim and on condition that the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without the consent of the individual.
5. Processing relates to personal data which are manifestly made public by the individual.
6. Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
7. Processing is necessary for reasons of substantial public interest on the basis of EU or Member State law which shall be proportionate to the aim pursued, respects the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the individual.
8. Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of EU or Member State law or a contract with a health professional and subject to the necessary conditions and safeguards.
9. Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare and of medicinal products or medical devices, on the basis of EU or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the individual, in particular professional secrecy.
10. Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard fundamental rights and interests of the individual.