Choices and Rights Disability Coalition
ICO registration number Z2602583
This Privacy Policy tells you what to expect of Choices and Rights Disability Coalition in relation to the collection and use of your personal data in accordance with the Data Protection Act (DPA)/ General Data Protection Regulation (GDPR).
Data Controller
Our General Data Protection Regulation Officers contact details are:
The GDPR officer
Choices and Rights Disability Coalition
Jude Lodge
Tiverton House
Tiverton Road
Hull HU7 4DQ
Tel (01482) 878778
Email: GDPR@choicesandrights.org.uk
Introduction
Choices and Rights needs to hold and process Personal Data about individuals applying for jobs via the PA database. Your application is not shared with any other individual or organisation unless there is a legitimate reason for doing so. When you apply for a vacancy, your application is then shared with the service user/s (or representative/s) who are recruiting.
What is Personal Data?
Personal data is that which relates to a living individual who can be identified from the data or from a combination of that data with other information in the possession or likely to come into the possession of the holder. Data does not have to be private or sensitive in order to constitute personal data and includes information such as name, address and telephone numbers. The GDPR has increased the scope of the definition of personal data to include identifiers such as location data, online identifiers and now genetic (do you mean generic?) data.
This can include information contained in a job application or CV.
Data relates to any information held on a computer including email or manually held paper records that have been stored in a structured way so that information can be found easily (or manual records which are due to be stored).
Data protection principles
There are six data protection principles that are central to the GDPR. In brief they say that personal data must be:
Processed fairly and lawfully and in a transparent manner in relation to the data subject;
Collected for specific, explicit and legitimate purposes and not further processed in any manner incompatible with those purposes;
Adequate relevant, and limited to what is necessary in relation to the purposes for which they are processed;
Accurate and, when necessary, kept up–to–date;
Kept in a form which permits the identification of data subjects for no longer than is necessary for the purpose for which the personal data is processed;
Processed in a manner that ensures the appropriate security of the personal data including protection against unauthorised or unlawful processing, and against accidental loss, destruction or damage, using the appropriate technical and organisational measures.
Categories of data collected are:
Email
Forename
Surname
Date of Birth
Full Address
Telephone number
Education and Employment experience
Other personal information such as if you have a driving licence, criminal convictions, linguistic skills and hobbies.
We also process special categories of personal data:
Racial or ethnic origin;
Physical or mental health conditions/diagnoses;
Gender;
Criminal convictions.
Legal basis for processing
Personal data and special categories of personal data must only be processed where a legal basis for processing that data exists.
Consent: The data subject has freely given consent for their information to be processed for a specific purpose.
Contract: Processing is necessary due to the fulfilment of a contract.
Legal Obligation: Processing is necessary to comply with the law.
Vital Interest: Processing is necessary to save or protect an individual’s life.
Public Tasks: Processing is necessary to perform a public interest in official functions (primarily applies to governmental agencies/entities).
Legitimate Interests: Processing is necessary to the legitimate interests of an organization or a third-party affiliate.
In respect of your PA application, we rely on your consent to hold this information and to share it with your prospective service user/s (or their representative/s).
The reasons why we process your personal data are:
When you apply for a job with one of our service users, we need all the categories of information (as listed above) primarily to enable CARDC to fulfil our contract with you as well as our service users, and to enable us to comply with any legal obligations. In some cases we may use your personal information to pursue legitimate interests of our own, or those of third parties. The circumstances in which we will process your personal information are listed below.
Sending your application to service users, so that they can be supported to make a decision about your recruitment or appointment.
Determining the terms on which you work for our service users.
Checking that you are legally entitled to work in the UK.
If you are successfully appointed, addition information will be required. A separate privacy statement is available in respect of your employment.
Criminal Convictions
Under the GDPR, employers are allowed to carry out criminal records checks on prospective employees but only if this is specifically authorised by law; for example, where a Disclosure and Barring Service check is required for a role involving work with vulnerable adults or children. Information on the application form about criminal convictions is not shared with service users, but will be used by the organisation to recommend a Disclosure and Barring Service check before commencement of employment.
With whom we share your personal data
Normally, your personal data would only be shared with the service user (or their representative) who is looking to appoint a PA and where you have specifically applied for that role. During shortlisting or interviewing, however, the service user (or representative) may be accompanied by others such as Health and Social Care Professionals or other representatives.
Using your personal information for other purposes
We will not process your personal data for any other purpose than that for which it was collected, without first providing you with information on that other purpose, and seeking your consent if applicable. The only exception being that we are required to disclose your personal data in accordance with legislation (for example) in relation to the prevention and detection of crime, counter terrorism, safeguarding, legal proceedings, or to protect the interests of you or another/others.
Data security
Choices and Rights Disability Coalition will ensure that appropriate technical and organisational measures are taken to safeguard personal data. All personal data will be password protected and only accessed by staff who have an operational need to do so.
All members of Choices and Rights Disability Coalition have a personal responsibility to ensure that any information of a personal or sensitive nature, to which they have access in the course of their work, is kept secure.
In particular staff must observe the following rules:
Electronic storage of such material must have limited access.
Take responsibility for their workstation and keeping their password safe.
Label information sent by post as ‘private and confidential’.
Write ‘private and confidential’ on emails when sending personal information.
To not disclose any personal information about individuals, other than in the course of the correct performance of duties, to authorised colleagues and service users.
Take particular care when exchanging information with third parties.
To not use information for any other purpose than that which is intended.
All Choices and Rights Disability Coalition employees are required to undergo GDPR training
Taking data off site
Personal Information will never be taken home by employees of Choices and Rights Disability Coalition, emailed to a personal account, or stored on a personal computer. If personal data needs to be transported to another location, it is the responsibility of the employee to ensure it is stored securely at all times. Service Users are also aware of their responsibly to keep your details confidential.
Retention of personal data
Personal data must not be retained for longer than is necessary. Information must only be retained where there is a genuine organisational need to do so. Where data is retained, it must be stored securely and have restricted access. If a former PA database member requests their information to be removed from the database, then it must be removed or anonymised so it cannot be traced to that individual. If a PA/Potential PA asks for information to be deleted because they believe it to be incorrect, it must be looked at by the General Data Protection Regulation Officer who will determine if this is the case.
We will only retain your personal data:
• for as long as you wish to remain on the PA database;
• for as long as you might legally bring a claim against our company or service users; and
• in accordance with legal and regulatory requirements.
Individuals should be aware that the disclosure of information in contravention of this policy, will be treated by Choices and Rights Disability Coalition as a serious disciplinary offence which may result in dismissal for gross misconduct.
Individual data rights
Under the GDPR, individuals whose data is held by Choices and Rights Disability Coalition have a right to:
• Be informed about us processing your personal data;
• Have your personal data corrected if it’s inaccurate, and to have incomplete personal data completed.
• To object to the processing of your personal data;
• To restrict the processing of your personal data;
• To have your personal data erased (the “right to be forgotten”);
• To request access to your personal data and information about how we process it;
• To move, copy and transfer your personal data (“data portability”).
Consent – where processing is carried out on the basis of consent, individuals can withdraw their consent at any time.
Subject access – individuals can make a request to view or have a copy of their personal data.
We need your personal data to allow us to provide you with the services listed above. If you do not provide us with your personal details or you withdraw your consent for us to process your personal data, then this may mean that we may no longer be able to provide the services for you. If you wish to withdraw your consent, you can do so by contacting the General Data Protection Regulation Officer’s via the contact details above.
Data portability – under the GDPR, individuals have a right to be provided with, or have another organisation provided with, a copy of any data. This will need to be in a structured commonly used and machine readable form, where the lawful ground for processing is consent, or where processing is necessary for the performance of contract, and the processing is carried out by automated means.
The General Data Protection Regulation Officer should keep a log of all requests made and all responses to these requests.
Informal requests
Any current PA Database member can request to see all data that Choices and Rights Disability Coalition has on them by requesting this from the admin team. The staff member must put this request forward to the General Data Protection Regulation Officer who must make an arrangement with the PA data base member to show this information to them.
Formal requests
Requests by any individual who has had dealings with Choices and Rights Disability Coalition, but who is not a current PA Database member, must always be considered as a formal request.
If an individual wants to make a formal request for access to any information held on Choices and Rights Disability Coalition PA Database systems, the individual should be advised to put a request in writing to the General Data Protection Regulation Officer.
On receipt of this letter the General Data Protection Regulation Officer will ensure that the individual is who they claim to be, validate their right to gain access to the data, and consider the appropriateness of the request in line with the GDPR Act.
The General Data Protection Regulation Officer will contact the appropriate individuals within Choices and Rights Disability Coalition, and request access to, or copies of, the relevant information held on the individual within any system or manual file.
The information, once collected, must be made available within in one calendar month of the date the individual requesting their data.
Deleting data
Any individual has the right to ask that their data is no longer used by Choices and Rights Disability Coalition, or that the reasons for which their data is used are amended. The right to erasure, however, is limited and any such requests should be considered by the General Data Protection Regulation Officer.
Changing contact preferences
A PA Database member has the right to change their contact preferences at any time. This can be done by contacting our General Data Protection Regulation Officer via the contact details listed above. Any request to change contact preferences will be made within 7 working days.
Please note, these rights do not apply in all circumstances and may be restricted as required by law.
More information on your rights can be found on the Information Commissioner Website: https://ico.org.uk/for-the-public/
If I am dissatisfied, to whom do I complain?
If you are dissatisfied with how we have processed your personal data, please contact our Data Protection Officer to request an internal review.
If you are dissatisfied with the outcome of the internal review, you have the right to appeal directly to the Information Commissioner for an independent review. https://ico.org.uk/concerns/
Changes to our Privacy Policy
Choices and Rights Disability Coalition may amend this Privacy Policy from time–to–time, and we encourage you to regularly check our website page to review any changes we might make in accordance with this Privacy Policy. If we make material changes in the way we use your data, we will notify you by email.
Automated emails – ‘Mail Chimp’
The administrator of your personal data will be Choices and Rights Disability Coalition, and detailed information on the processing of your personal data can be found above in our privacy policy.
It should be noted, however, that CARDC use a third party app called ‘Mail Chimp’ as our email platform.
When you apply to be on the PA database, you are consenting that your email be used to send you an automated email from ‘Mail Chimp’. This email will include a link to a sign–up page, which enables you to receive our mail–outs through this service.
If you do not fill out the subscriber email sent by CARDC through ‘Mail Chimp’, you will not receive copies of the monthly vacancies list.
The ‘Mail Chimp’ application collects some personal data from users and, subsequently, users may be subject to different protection standards and therefore broader standards may apply.
In order to learn more about the protection criteria, users can refer to the ‘Mail Chimp’ privacy policy available at: www.mailchimp.com. ‘Mail Chimp’ takes data privacy seriously. Their privacy policy explains who they are, how they collect, share, and use personal information, and how you can exercise your privacy rights. We recommend that you read this privacy policy in full to ensure you are fully informed.
Every email campaign sent through ‘Mail Chimp’ is required by law to include an unsubscribe link. You can unsubscribe from this service, at any time, by clicking the unsubscribe link at the bottom of any email received via ‘Mail Chimp’. You will need to enter your name and email address. Choices and Rights will be notified by ‘Mail Chimp’ that have you have updated your subscription preferences. Your application form which is held on the database, will be removed in line with our documentation retention and removal policies and you will not receive details of further PA vacancies.