PRP Architects LLP - Candidate Privacy Notice
1 THIS NOTICE
1.1 This notice is provided by PRP Architects LLP (company number OC361169) whose registered office address is at Ferry Works, Summer Road, Thames Ditton, Surrey, KT7 0QJ, (“PRP”, “we”, “us” or “our”) and is addressed to all applicants who are applying to work for or with us or who are enquiring about vacancies (whether as an employee, consultant, contractor, worker, work experience student or other staff member) (together, “you”).
1.2 This notice relates to personal information about you from which you can be identified. We refer to this information throughout this notice as “personal data”. Personal data does not include data where the identity has been removed (anonymous data). There are “special categories” of more sensitive personal data which require a higher level of protection. Section 3 of this notice sets out examples of your personal data that we use.
1.3 We are the controller of your personal data. This means that we are responsible for deciding how we hold and use personal data about you during the recruitment exercise. As a controller we use (or ‘process’) the personal data we hold on you in accordance with this notice.
1.4 We take our data protection responsibilities seriously and this notice reflects the obligations set out in the General Data Protection Regulation (EU Regulation 2016/679) (“GDPR”) and any laws in England giving effect to its provisions.
1.5 This notice sets out how we collect and process your personal data. This notice also provides certain information that is legally required and lists your rights in relation to your personal data.
1.6 If you need to contact us in connection with our processing of your personal data, then you can do so by phone 0208 339 3047, by email to email@example.com or by post to Ferry Works, Summer Road, Thames Ditton, Surrey, KT7 0QJ.
1.7 Your personal data belongs to you and it is your choice whether you provide us with your personal data. However, because we require certain items of your personal data in order to consider your application (for example, evidence of qualifications or work history), please be aware that if you do not provide all of the personal data we request from you then we may not be able to consider your application further. It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during the course of the recruitment process.
1.8 Please read this notice carefully, so that you are aware of how and why we are using your data.
1.9 If you are successful in your application and commence work with us, a separate internal privacy notice will apply to the use of your personal data during your period of work.
1.10 This notice may be amended or updated from time to time. This version of our Privacy Notice was published on 23 May 2018 and is the most recent version.
2 PRINCIPLES OF DATA PROTECTION
2.1 The GDPR requires that the personal data we hold about you must be:
2.1.1 Used lawfully, fairly and in a transparent way.
2.1.2 Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
2.1.3 Relevant to the purposes we have told you about and limited only to those purposes.
2.1.4 Accurate and kept up to date.
2.1.5 Kept only as long as necessary for the purposes we have told you about.
2.1.6 Kept securely.
3 RECRUITMENT PROCESS
Having received your application (whether by way of your CV, covering letter and portfolio, or application form or otherwise), we will then process that information to decide whether you meet the requirements to be shortlisted for the role or to consider if there is a vacancy which you may be suited for. We will then decide whether your application is strong enough to invite you for an interview or to attend assessment. If we decide to call you for an interview or to attend assessments, we will use the information you provide to us at the interview(s) and during any assessments to decide whether to offer you the role. If we decide to offer you the role, we will then take up references and carry out the relevant background checks before confirming your appointment.
4 PERSONAL DATA
4.1 We may obtain personal data about you, in connection with your application to work with us or in respect of an enquiry about vacancies, including but not limited to the following:
4.1.1 Personal details: name(s), title, username or similar identifier, gender, date of birth, age, nationality, languages, marital status, passport number, national insurance number and driver’s licence number;
4.1.2 Contact details: home and work addresses; home, work and personal mobile telephone numbers and work and personal email addresses;
4.1.3 Information included in references;
4.1.4 Any other information included on CVs, application forms and covering letters including qualifications, skills (job-related and technical) and level of experience, specific project experience, education history, details of previous employment, employment dates, salary and benefits information, and professional memberships;
4.1.5 Health questionnaires, medical examination reports and personal data gathered for health and safety purposes including any accident report or claim log at one of our locations in the event of an accident at one of our locations;
4.1.6 Immigration status details including copies of your passport, biometric residence permit and other immigration documents;
4.1.7 Other personal data required as part of immigration applications including immigration history;
4.1.8 Data revealed by background checks;
4.1.9 Driving licence;
4.1.10 Other recruitment data: submissions for any assessment at interview stage and notes/results thereof, special arrangements required for interview, interview notes, notes from shortlisting exercises, assessment exercises and tests, building entry, exit records, post interview feedback and claw-back or loan agreement details;
4.1.11 “Information Technology Data”, which includes personal data which relates to your use of our website, such as your internal protocol (IP) address, login data, traffic data, weblogs and other communication data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website;
4.1.12 Audio and visual data: personal data which is gathered using our CCTV or other recording systems at our locations; and
4.2 Some of the above personal data may contain or consist of more sensitive personal data known as “Special Categories of Data”.
4.3 We may process the following Special Categories of Data:
4.3.1 Information about your race or ethnicity, religious or philosophical beliefs, sexual orientation, and political opinions;
4.3.2 Trade union membership;
4.3.3 Information about your health, including any medical condition, health and sickness records; and
4.3.4 Biometric data and passport information.
4.4 We may also process information about criminal convictions and offences.
4.5 We also obtain and use certain aggregated data such as statistical or demographic data for any purpose (“Aggregated Data”). Aggregated Data may be derived from your personal data but does not directly or indirectly reveal your identity. For example, we may aggregate your Information Technology Data to calculate the percentage of users accessing a specific feature on our website such as our Careers page. However, if we re-combine or re-connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this notice.
5 SOURCES OF PERSONAL DATA
5.1 We may obtain your personal data from various sources including the following:
5.1.2 Recruitment agencies, employment agencies and employment businesses including Stride, Haus, Solution, Eden Brown, Mustard, Mattinson Partnership, Deverill Smith, Highline, Bespoke, Bluetree, Adrem, Allen & York, Wild Berry and others on an ad-hoc basis from time to time;
5.1.3 Providers of background and other checking and vetting services, including Disclosure Scotland, the Disclosure and Barring Service and credit reference agencies;
5.1.4 Statutory or other official bodies such as the Home Office including UK Visas and Immigration;
5.1.5 Professional advisers;
5.1.6 Occupational health including Insight Occupational Health;
5.1.7 Other medical professionals;
5.1.8 Past employers;
5.1.10 Universities and other educational institutions;
5.1.11 Professional industry bodies such as RIBA and ARB;
5.1.12 Automated technologies, such as CCTV or other recording systems, cookies, server logs and other similar technologies;
5.1.13 Third parties, such as analytics providers (such as Google analytics); and
5.1.14 Public sources including social media.
5.2 We will also create personal data about you, such as interview documentation or, for example if you contact us by telephone to follow up on the progress of your application, for example, then we may make a written record of key details of the conversation so that we can take steps to have the relevant person respond to your query.
6 LEGAL BASIS FOR PROCESSING
6.1 To process your personal data in connection with the purposes set out in section 7 of this notice, we will rely most commonly on one or more of the following legal bases:
6.1.1 we have a legitimate interest in carrying out the processing, which is not overridden by your interests, fundamental rights, or freedoms. When we rely on this legal basis our legitimate interests may include the following:
(a) the management of the recruitment process and employment and engagement of staff in particular making decisions about who to offer employment or engagement to and on what terms;
(b) the efficient running of our business;
(c) meeting external and internal governance and regulatory obligations; and
(d) to enable us to take legal advice and to defend claims.
6.1.2 the processing is necessary for compliance with a legal obligation; or
6.1.3 the processing is necessary for the performance of a contract with us or in order to take steps at your request prior to entering into a contract.
6.2 In rare circumstances we may rely on the following legal bases:
6.2.1 the processing is necessary to protect your vital interests or the interests of someone else; or
6.2.2 the processing is necessary for the performance of a task carried out in the public interest.
6.3 We do not need your consent if we process your data under one or more of the other legal bases set out above. In some circumstances we may approach you for your written consent to allow us to process certain data.
7 PURPOSES OF PROCESSING
7.1 We need your personal data primarily to pursue our legitimate interests, provided your interests and fundamental rights do not override those interests, to enable us to comply with legal obligations and to allow us to take steps prior to entering into a contract with you.
7.2 We will use your personal data for a variety of different purposes including the following:
7.2.1 Making a decision about your recruitment or appointment;
7.2.2 Determining the terms on which you will work for us if you are offered employment or engagement with us;
7.2.3 Checking you are legally entitled to work in the UK;
7.2.4 Submitting immigration applications on your behalf or assisting you with applications and applying for and issuing certificates of sponsorship;
7.2.5 Complying with our obligations as a Tier 2 sponsor, including in relation to retaining records of the recruitment process and details of applicants who applied for the role;
7.2.6 Carrying out background checks;
7.2.7 Requesting references;
7.2.8 Communicating with you about your application and the recruitment process;
7.2.9 Assessing your skills, qualifications and suitability for a particular job or task;
7.2.10 Retaining details about you in case there are future employment opportunities for which you may be suited;
7.2.11 Assessing education, training and development requirements;
7.2.12 Dealing with legal disputes (including litigation, claims, and defence or settlement of claims) involving you, or our employees, workers and contractors, including accidents on our premises;
7.2.13 Complying with our legal or regulatory requirements;
7.2.14 Complying with health and safety obligations;
7.2.15 Equal opportunities monitoring;
7.2.16 Protecting and defending our rights or property;
7.2.17 Using your personal data in life or death situations (e.g. in the event of an accident and we have to give your personal details to medical personnel);
7.2.18 Selling, making ready for sale or disposal of our business in whole or in part including to any potential buyer or their advisers;
7.2.19 Succession and organisational planning; and
7.2.20 Administering and protecting our business, dealing with any misuse of our website and to comply with our security policies at our offices.
8 SPECIAL CATEGORIES OF DATA
8.1 Special Categories of Data require higher levels of protection. We need to have further justification for collecting, storing and using this type of data. We have in place an appropriate policy document and safeguards which we are required by law to maintain when processing such data.
8.2 Where we process Special Categories of Data, we usually rely on the following additional legal bases:
8.2.1 where such processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on us or you in connection with employment, social security or social protection; or
8.2.2 where you have given your explicit written consent.
8.3 Subject to any applicable conditions in each case, we may also process Special Categories of Data on other additional legal bases including:
8.3.1 where it is necessary to protect your vital interests (or someone else’s interests) and you are not capable of giving your consent,
8.3.2 where it is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
8.3.3 where you have already made the information public;
8.3.4 where it is necessary for archiving, scientific, historical research or statistical purposes and is in the public interest; or
8.3.5 where it is necessary for reasons of substantial public interest and it is necessary for the purpose of identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups with a view to enabling such equality to be promoted or maintained.
8.4 We may lawfully process Special Categories of Data in certain ways, including for the following purposes:
8.4.1 We will use data about your physical or mental health or disability status to consider if we need to provide any adjustments for the recruitment process, to determine whether you are suitable for the role or to consider if we need to make any adjustments to the role you are applying for.
8.4.2 We will use our knowledge of your health-related personal data in the event of illness or injury or some other related emergency.
8.4.3 We may use some Special Categories of Data when bringing or defending a legal claim.
8.4.4 We will use data about your race or national or ethnic origin, religious or philosophical beliefs, health or your sexual orientation, to ensure meaningful equal opportunity monitoring and reporting.
8.4.5 We will use data about your race or national or ethnic origin as well as data relating to your immigration history, passport and biometric residence permit and other immigration documentation when carrying out right to work checks (including checks using the Employer Checking Service), retaining immigration documents, complying with our obligations as a Tier 2 sponsor, applying for and assigning certificates of sponsorship, and submitting immigration applications.
9 INFORMATION ABOUT CRIMINAL CONVICTIONS
9.1 We may in limited circumstances process data about criminal convictions and offences (including personal data relating to the alleged commission of offences).
9.2 We will only collect information about criminal convictions if it is appropriate given the nature of the role that you apply for. In some cases we may be notified of such information directly by you in the course of you applying for a role or working for us.
9.3 We will only use data relating to criminal convictions where we have a legal basis to do so. This will usually be where such processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on us or you in connection with employment, social security or social protection.
9.4 Subject to any applicable conditions in each case, we may also use data relating to criminal convictions on other lawful bases including:
9.4.1 where you have given your explicit written consent;
9.4.2 where it is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings) or where it is necessary for obtaining legal advice or for the purpose of establishing, exercising or defending legal rights;
9.4.3 where it is necessary when a court or tribunal is acting in its judicial capacity;
9.4.4 where you have already made the information public; or
9.4.5 where it is necessary for reasons of substantial public interest and is necessary for the purposes of:
(a) the prevention or detection of an unlawful act; or
(b) the purposes of complying with, or assisting other persons to comply with, a regulatory requirement (a requirement imposed by legislation or a requirement forming part of generally accepted principles of good practice relating to a type of body or an activity) which involves a person taking steps to establish whether another person has committed an unlawful act, or been involved in dishonesty, malpractice or other seriously improper conduct.
9.5 We may use information about criminal convictions and offences in a number of ways including:
9.5.1 to determine whether to employ or engage you, including background checks, such as Disclosure Scotland or the Disclosure and Barring Service; and
9.5.2 when submitting immigration applications to the Home Office.
9.6 We have in place an appropriate policy and safeguards which we are required by law to maintain when processing such data.
10 RECIPIENTS OF PERSONAL DATA
10.1 Your information will be shared internally for the purposes of the recruitment exercise. This includes members of the HR and recruitment team, interviewers involved in the recruitment process, senior staff within PRP and IT staff if access to the data is necessary for the performance of their roles.
10.2 We may also share your personal data with the following recipients:
10.2.1 Your named referees when requesting a reference;
10.2.2 Background checking companies including Disclosure Scotland, the Disclosure and Barring Service and credit reference agencies;
10.2.3 The Home Office (including UK Visas and Immigration);
10.2.4 Occupational health advisers, including Insight Occupational Health, and other medical professionals;
10.2.5 Third parties operating plugins or content (such as Twitter) on our website or other social media platforms which you choose to interact with;
10.2.6 Legal and regulatory authorities, on request, or for the purposes of reporting any actual or suspected breach of law or regulation;
10.2.7 External professional advisers such as accountants, auditors, lawyers and other outside professional advisers, subject to binding obligations of confidentiality;
10.2.8 Any relevant party, law enforcement agency, tribunal or court, to the extent necessary for the establishment, exercise or defence of legal rights;
10.2.9 Any relevant party for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties; and
10.2.10 Any relevant third party acquirer(s), potential acquirers or bidders and their advisers in the event that we sell or transfer, or propose to sell or transfer all or any portion of our business or assets (including in the event of a reorganisation, outsourcing, service provision change, dissolution or liquidation).
10.3 In addition, we may disclose the personal data you provide to us to our group companies and affiliates or third party data processers who may process data on our behalf to enable us to carry out our usual business practices. Any such disclosure will only be so that we can process your personal data for the purposes set out in this notice.
10.4 All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
11 TRANSFERS OF PERSONAL DATA OVERSEAS
11.1 Personal data we collect from you may be transferred, stored and/or processed outside the European Economic Area (“EEA”).
11.2 Subject to any applicable conditions in each case, such transfers of personal data may be made on the following bases:
11.2.1 there are EU Model Clauses between us and the recipient, and, to the extent applicable, a copy can be obtained by using the contact details set out in paragraph 1.6; or
11.2.2 there is an adequacy decision, namely:
(a) Privacy Shield for transfers to the US; or
(b) the European Commission has decided that the relevant non-EU country ensures an adequate level of protection;
11.2.3 where the transfer is necessary for:
(a) the establishment, exercise or defence of legal claims;
(b) to protect your vital interests (or someone else’s interests) and you are not capable of giving your consent,
(c) the performance of your employment contract or any other contract with us or the implementation of pre-contractual measures taken at your request;
(d) for important reasons of public interest;
(e) the conclusion or performance of a contract concluded in your interests between us and another party; or
11.2.4 where you have given your explicit written consent.
11.3 You can request further information by contacting us as specified in section 1.6.
12 RETENTION OF PERSONAL DATA
12.1 Personal data will be stored in a range of different places, including on your application record, in HR management systems and on other IT systems (including email).
12.2 We take the security of your personal data seriously. We have internal policies and controls in place to ensure that your personal data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by members of staff in the proper performance of their duties.
12.3 We will usually retain the personal data of unsuccessful candidates for a period of one year after we have communicated to you the decision not to offer you a role.
12.4 After this period, our policy is, in most circumstances to delete your personal data from our system. This is subject to any legal or regulatory obligation to keep personal data for a longer period of time (for example it is subject to our obligations as a Tier 2 sponsor. We will also hold your personal data for a longer period if it is required in connection with legal proceedings.
12.5 If we wish to retain your personal information on file, on the basis that a further opportunity may arise in future and we may wish to consider you for that, we will write to you separately, seeking your explicit consent to retain your personal information for a fixed period on that basis. At the end of that period your personal data will usually be deleted or destroyed (subject to any legal or regulatory obligation to keep personal data for a longer period of time).
12.6 If you are successful and are offered a role, you will be provided with our Data Retention Policy which sets out in detail the periods for which we will retain your personal data. Any personal data provided that is not relevant for your ongoing employment or engagement will be deleted.
13 AUTOMATED DECISION MAKING
13.1 Automated decision-making takes place when an electronic system uses personal data to make a decision without human intervention.
13.2 We do not envisage that any decisions will be taken about you using automated means during the recruitment process, however we will notify you in writing if this position changes.
14 YOUR RIGHTS IN RELATION TO YOUR PERSONAL DATA
14.1 You have a number of rights in connection with the processing of your personal data, subject to certain conditions set out in the GDPR and in UK law, including the right to:
14.1.1 Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
14.1.2 Request the correction of the personal data that we hold about you. This enables you to have incomplete or inaccurate data we hold about you corrected.
14.1.3 Request the erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it.
14.1.4 Ask us to stop processing personal data where we are relying on a legitimate interest and there is something about your particular situation which makes you want to object to processing on this ground.
14.1.5 Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
14.1.6 Request the transfer of your personal data to another party.
14.1.7 Lodge a complaint regarding the processing of your data with the Information Commissioner’s Office.
14.2 In the limited circumstances where you have provided your consent to the collection, processing and transfer of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact the Head of Human Resources and Learning and Development in writing in accordance with section 1.6. After we have received notification that you have withdrawn your consent in relation to a particular purpose we will no longer process your information for that purpose, unless we have another legitimate basis for doing so in law.
14.3 If you want to review, verify, correct or request erasure of your personal data, object to the processing of your personal data, or request that we transfer a copy of your personal data to another party, please contact the Head of Human Resources and Learning and Development in writing in accordance with section 1.6.