Privacy Notice for Job Applicants
Korian UK Ltd and Korian UK Estates Ltd (“we” or “Company”) are each a ‘controller’. This means that we are responsible for deciding how we hold and use personal information about you. In accordance with and as required by the General Data Protection Regulation (EU) 2016/679 (“GDPR”), as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (the “UK GDPR”) and the Data Protection Act 2018, we have implemented this privacy notice to inform you, as prospective employees of our Company, of the types of data we process about you. We also include within this notice the reasons for processing your data, the lawful basis that permits us to process it, how long we keep your data for and your rights regarding your data.
This notice applies to current and former applicants. This notice does not form part of any contract of employment or other contract to provide services. We may (and reserve the right to) update this notice at any time but if we do so, we will provide you with an updated copy of this notice as soon as reasonably practical. We may also notify you in other ways from time to time about the processing of your personal information.
Data Protection Principles
Under the UK GDPR, all personal data obtained and held by us must be processed according to a set of core principles. In accordance with these principles, we will ensure that:
a) processing is fair, lawful and transparent
b) data is collected for specific, explicit, and legitimate purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes
c) data collected is adequate, relevant and limited to what is necessary for the purposes of processing
d) data is kept accurate and up to date. Data which is found to be inaccurate will be rectified or erased without delay
e) data is not kept for longer than is necessary for its given purpose
f) data is processed in a manner that ensures appropriate security of personal data including protection against unauthorised or unlawful processing, accidental loss, destruction or damage by using appropriate technical or organisation measures
g) we comply with the relevant UK GDPR procedures for international transferring of personal data
Types Of Data Held
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been
removed (anonymous data).
There are certain types of more sensitive personal data which require a higher level of protection, such as information about a person’s health or sexual orientation. Information about criminal convictions also warrants this higher level of protection. This is covered in a
later section of this privacy notice.
We keep several categories of personal data on our prospective employees in order to carry out effective and efficient processes. We keep this data in recruitment files relating to each vacancy and we also hold the data within our computer systems, for example, recruitment logs.
Specifically, we collect, hold and use the following types of data about you:
a) personal details such as name, title, address, phone numbers, personal email address and date of birth (if you have chosen to include this in your application/CV);
b) your photograph or photographic ID if you have chosen to include this in your application/CV;
c) your gender, marital status and dependents, information of any disability you have or other medical information including vaccinations if you have chosen to include this in your application/CV;
d) right to work documentation;
e) Nurse PIN number;
f) information on your race and ethnicity, religion or religious beliefs and sexual orientation for equality monitoring purposes;
g) information gathered via the recruitment process such as that entered into a CV, application form or included in a CV cover letter;
h) references from former employers or personal referees;
i) details on your education and employment history;
j) driving licence information
k) criminal convictions and offences;
l) information relating to your possible employment by us, including:
• job title and job description;
• proposed salary; and
m)CCTV footage (if attending one of our sites in person for interview)
n) building access records (if attending one of our sites in person for interview).
Collecting Your Data
You provide several pieces of data to us directly during the recruitment exercise. In some cases, we will collect data about you from third parties, such as employment agencies, former employers when gathering references or credit reference agencies.
Should you be successful in your job application, we will gather further information from you, for example, your bank details, tax codes and National Insurance number, medical information and next of kin details, once your employment begins. We will also provide you with a copy of our Employee and Worker Privacy Notice, which will set out in more detail the types of data we process about you, the reasons for processing your data, the lawful basis that permits us to process it, how long we keep your data for and your rights regarding your data. Personal data is kept in files or within the Company’s HR and IT systems.
Lawful Basis for Processing
The law on data protection allows us to process your data for certain reasons only. In the main, we process your data in order to comply with a legal requirement; where it is necessary for legitimate interests pursued by us or a third party and your interests and fundamental rights do not override those interests; in order to perform the contract we have with you or in pursuit of our legitimate interests. We may also use your personal data where we need to protect you (or someone else’s) interests; or where it is needed in the public interest or for an official purpose. The information below categorises the types of data processing we undertake and the lawful basis we rely on.
|Activity requiring your data||Lawful Basis|
|Your job application/CV information, which may be administered on social media, Job Boards, Care Friends, or our Applicant Tracking System||Our legitimate interests (to operate applicant tracking systems for the recruitment of the workforce)|
|Carrying out checks in relation to your right to work in the UK||Legal obligation|
|Making reasonable adjustments for disabled employees||employees Legal obligation|
|Making recruitment decisions in relation to both initial and subsequent employment including onboarding checks and references||Our legitimate interests (recruitment and promotion of employees and workers)|
|Making decisions about salary and other benefits||Our legitimate interests (to ensure that prospective employees and workers will receive the pay or other benefits to which they are entitled)|
|Making decisions about contractual benefits to provide to you||Our legitimate interests (to ensure that prospective employees and workers will receive the pay or other benefits to which they are entitled)|
|Using Docusign or other electronic system to send/receive documents and information to your personal email address relating to the recruitment process documentation and employment documents||Our legitimate interests (recruitment of employees and workers to provide support, care and assistance to both residents and the business as a whole)|
|Assessing training needs||Our legitimate interests(operate and keep a record of employee performance and related processes, to plan for career development, and for succession planning and workforce management)|
|Gaining expert medical opinion when making decisions about your fitness for work||Our legitimate interests (operate occupational health advice, to ensure that it complies with duties in relation to individuals with disabilities, meet our obligations under health and safety law and ensure that employees are receiving the pay or other benefits to which they are entitled).|
|Business planning and restructuring exercises||Our legitimate interests (for business efficacy, succession planning and workforce management)|
|Dealing with legal claims made against us||Our legitimate interests (respond to and defend against legal claims)|
|Preventing fraud||Our legitimate interests (to prevent fraud and other illegal activity)|
|Carrying out Disclosure and Barring Service (DBS) and Nursing and Midwifery Council (NMC) checks, and where needed making referrals to the Disclosure and Barring Service (DBS), Nursing and Midwifery Council (NMC), Local Safeguarding Authorities and the Care Quality Commission (CQC), when required||Legal obligation|
|Complying with health and safety obligations||Legal obligation|
Where we rely upon legitimate interest as a reason for processing personal data, we have considered whether or not those interests are overridden by the rights and freedoms of the contractor and have concluded that they are not.
Special Categories of Personal Data
Special categories of personal data are data relating to your:
i) sex life
j) sexual orientation
l) ethnic origin
o) trade union membership
p) genetic and biometric data.
These special categories of personal data require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information.
We may process special categories of data when the following applies:
a) in limited circumstances, where you have given explicit consent to the processing.
b) we must process the data in order to carry out our legal obligations or exercise rights in connection with employment.
c) we must process data for reasons of substantial public interest, such as for equal opportunities monitoring or in relation to an occupational pension scheme.
d) where it is necessary to protect you or another person from harm.
e) where it is needed in relation to legal claims.
f) where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent.
g) you have already made the data public.
In general, we will not process particularly sensitive personal data about you unless it is necessary for performing or exercising obligations or rights in connection with employment. On rare occasions, there may be other reasons for processing, such as it is in the public interest to do so. The situations in which we may process your particularly sensitive personal information are listed below:
a) We may use information about your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sexual orientation, to ensure meaningful equal opportunity monitoring and reporting, and to maintain and promote equality in the workplace.
b) We may use information about your physical or mental health, or disability status, to ensure your health and safety in the workplace and to assess your fitness to work, to and to arrange appropriate workplace adjustments. We need to process this information to exercise rights and perform obligations in connection with your prospective employment.
c) If we reasonably believe that you or another person are at risk of harm and the processing is necessary to protect you or them from physical, mental or emotional harm or to protect physical, mental or emotional well-being.
We do not need your consent if we use special categories of your personal information to carry out our legal obligations or exercise specific rights in the field of employment law. In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.
In most cases, special category personal data will not be given at the job application stage, however you may have chosen to give us information relating to these categories during the application stage in which case the above may apply.
Failure To Provide Data
Your failure to provide us with data may mean that we are unable to fulfil our requirements for entering into a contract of employment with you. This could include being unable to offer you employment or administer contractual benefits should the Company make you an offer of employment. We may also be prevented from complying with our legal obligations, such as to ensure the health and safety of our employees and workers.
Criminal Conviction Data
We envisage that we will hold information about criminal convictions. We will only collect criminal conviction data where it is appropriate given the nature of your role and where the law permits us. This data will be collected at the recruitment stage, however, may also be collected during your employment. We use criminal conviction data to determine your suitability, or your continued suitability for the role. We rely on the lawful basis of our legal obligation and legitimate interests (to ensure that our engagement practices help us attract and retain suitable contractors to provide care and support to our residents and their families) to process this data. We have in place appropriate safeguards which we are required by law to maintain when processing such data.
Change of Purpose
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Who We Share Your Data With
We will share your personal data where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.
Employees within our company who have responsibility for recruitment will have access to your data which is relevant to their function. All employees with such responsibility have been trained in ensuring data is processing in line with GDPR.
Data is shared with third parties for the following reasons:
• With our Employment Law and Health and Safety advisors to advise us on employmentlaw and health and safety related matters (legitimate interests)
• With our Occupational Health Advisors in order to assess and seek guidance on health and wellbeing of individuals where appropriate (legitimate interest)
• With CQC inspectors, Local Authority Safeguarding Teams, the Police, the Disclosure and Barring Service (DBS) and Nursing and Midwifery Council (NMC) in order to comply with a legal obligation upon us.
• For audit purposes, the Company Statutory Auditors will review information containing personal information in order to comply with a legal obligation upon us
• With Insurance companies for any claims made (legitimate interests)
We may also share your data with third parties as part of a Company sale or restructure, or for other reasons to comply with a legal obligation upon us. Where your personal data is shared in the context of a Company sale or restructure, we will, so far as possible, share anonymised data with the other parties before the transaction completes. Once the transaction is completed, we will share your personal data with the other parties if and to the extent required under the terms of the transaction. We have a data processing agreement in place with such third parties to ensure data is not compromised. Third parties must implement appropriate technical and organisational measures to ensure the security of your data.
We will share your personal information with other entities in our group as part of our regular reporting activities on company performance, in the context of a business reorganisation or group restructuring exercise, or in order to provide services to us.
All our third-party service providers and other entities in the Company group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
We will transfer the personal information we collect about you to countries within the European Economic Area in order to perform our contract with you. There are adequacy regulations in respect of those countries within the European Economic Area. This means that the countries to which we transfer your data are deemed to provide an adequate level of protection for your personal information.
Protecting Your Data
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. Details of these measures may be obtained from the Data Protection Officer.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so. This notification will be made without undue delay and may, dependent on the circumstances, be made after the supervisory authority is notified.
The following information will be provided when a breach is notified to the affected individuals:
a) A description of the nature of the breach
b) The name and contact details of the data protection officer where more information can be obtained
c) A description of the likely consequences of the personal data breach
d) A description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.
We only keep your data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements, which will be for at least six months and up to a period of up to one year following completion of the recruitment exercise and hiring process.
If your application is not successful and we have not sought consent, or you have not provided consent upon our request to keep your data for the purpose of future suitable job vacancies, we will keep your data for six months once the recruitment exercise ends (or, if you were to bring a discrimination claim against the Company, until such time as the outcome of the claim has been resolved).
If we have sought your consent to keep your data on file for future job vacancies, and you have provided consent, we will keep your data for one year once the recruitment exercise ends. At the end of this period, we will delete or destroy your data, unless you have already withdrawn your consent to our processing of your data in which case it will be deleted or destroyed upon your withdrawal of consent.
Where you have provided consent to our use of your data, you also have the right to withdraw that consent at any time. This means that we will stop processing your data and there will be no consequences of withdrawing consent.
If your application is successful, your data will be kept and transferred to the systems we administer for employees. We have a separate privacy notice for employees and workers, which (as noted elsewhere in this Notice) will be provided to you.
Automated Decision Making
Automated decision-making means making decision about you using no human involvement e.g. using computerised filtering equipment. We are allowed to use automated decision-making in the following circumstances:
1. Where we have notified you of the decision and given you 21 days to request a reconsideration.
2. Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights.
3. In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights
If we make an automated decision on the basis of any particularly sensitive personal information, we must have either your explicit written consent or it must be justified in the public interest, and we must also put in place appropriate measures to safeguard your rights. No decision will be made about you solely on the basis of automated decision making (where a decision is taken about you using an electronic system without human involvement) which has a significant impact on you, unless we have a lawful basis for doing so and we have notified you.
We do not envisage that any decisions will be taken about you using automated means, however we will notify you in writing if this position changes.
Under certain circumstance, you have the following rights in relation to the personal data we hold on you:
a) the right to be informed about the personal data we hold on you and what we do with it;
b) the right of access to the personal data we hold on you (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it;
c) the right for any inaccuracies in the personal data we hold on you, however they come to light, to be corrected. This is also known as ‘rectification’;
d) the right to have personal data deleted or removed in certain circumstances. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing. This is also known as ‘erasure’;
e) the right to restrict the processing of the personal data. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it;
f) the right to transfer the data we hold on you to another party. This is also known as ‘portability’;
g) the right to object to the inclusion of any personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.
You also have the right to object where we are processing your personal information for direct marketing purposes; and h) the right to regulate any automated decision-making and profiling of personal data.
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact the Data Protection Officer in writing.
Although subject access requests may be made verbally, we would advise that a request may be dealt with more efficiently and effectively if it is made in writing. If you wish to make a request, please use the Subject Access Request form.
Usually, we will comply with your request without delay and at the latest within one month. Where requests are complex or numerous, we may contact you to inform you that an extension of time is required. The maximum extension period is two months.
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to eensure that personal information is not disclosed to any person who has no right to receive it.
We may refuse to deal with your subject access request if it is manifestly unfounded or excessive, or if it is repetitive. Where it is our decision to refuse your request, we will contact you without undue delay, and at the latest within one month of receipt, to inform you of this and to provide an explanation. You will be informed of your right to complain to the Information Commissioner and to a judicial remedy.
We may also refuse to deal with your request, or part of it, because of the types of information requested. For example, information which is subject to legal privilege or relates to management planning is not required to be disclosed. Where this is the case, we will inform you that your request cannot be complied with, and an explanation of the reason will be provided.
If you wish to exercise any of the rights explained above, please contact our Data Protection Officer, details of which are at the end of this policy.
Where you have provided consent to our collection, processing or transfer of your personal data for a specific purpose, you also have the right to withdraw that consent at any time. To withdraw your consent, please contact the Data Protection Officer. Once we have received notification that you have withdrawn your consent, we will stop processing your personal data for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
Making A Complaint
If you think your data rights have been breached, you are able to raise a complaint with the Information Commissioner (ICO). You can contact the ICO at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF or by telephone on 0303 123 1113 (local rate) or 01625 545 745.
Data Protection Compliance
We have appointed a Data Protection Officer to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your personal information, please contact the Data Protection Officer.