Smart Recruit Online Limited (SRO) is required to keep and process certain information about its staff members, clients and applicants in accordance with its legal obligations under the General Data Protection Regulation (GDPR).
This policy is in place to ensure all staff and system users are aware of their responsibilities and outlines how SRO complies with the following core principles of the GDPR.
Organisational methods for keeping data secure are imperative, and SRO believes that it is good practice to keep clear practical policies, backed up by written procedures.
This policy complies with the requirements set out in the GDPR, which will come into effect on 25 May 2018.
This data protection policy ensures Smart Recruit Online Limited:
This policy has due regard to legislation, including, but not limited to the following:
This policy will also have regard to the following guidance:
This policy will be implemented in conjunction with the following other policies:
This policy applies to:
It applies to all data that the company holds relating to identifiable individuals. This can include:
This policy helps to protect Smart Recruit Online LTD from some very real data security risks, including:
Everyone who works for or with Smart Recruit Online LTD has some responsibility for ensuring data is collected, stored and handled appropriately.
Each team that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.
A DPO will be appointed in order to:
An existing employee will be appointed to the role of DPO provided that their duties are compatible with the duties of the DPO and do not lead to a conflict of interests. The individual appointed as DPO will have professional experience and knowledge of data protection law, particularly that in relation to recruitment.
The DPO will report to the highest level of management at SRO, which is the Chief Executive Officer.
The DPO will operate independently and will not be dismissed or penalised for performing their tasks.
Sufficient resources will be provided to the DPO to enable them to meet their GDPR obligations.
However, these people have key areas of responsibility:
The Board of Directors is ultimately responsible for ensuring that Smart Recruit Online LTD meets its legal obligations.
The Data Protection Officer, Simon Billsberry, is responsible for:
General Staff Guidelines
For the purpose of this policy, personal data refers to information that relates to an identifiable, living individual, including information such as an online identifier, such as an IP address.
GDPR applies to both automated personal data and to manual filing systems, where personal data is accessible according to specific criteria, as well as to chronologically ordered data and pseudonymised data, e.g. key-coded.
Sensitive personal data is referred to in the GDPR as ‘special categories of personal data’, which are broadly the same as those in the Data Protection Act (DPA) 1998. These specifically include the processing of genetic data, biometric data and data concerning health matters.
In accordance with the requirements outlined in the GDPR, personal data will be:
SRO will implement appropriate technical and organisational measures to demonstrate that data is processed in line with the principles set out in the GDPR.
SRO will provide comprehensive, clear and transparent privacy policies.
Records of activities relating to higher risk processing will be maintained, such as the processing of special categories data or that in relation to criminal convictions and offences.
Internal records of processing activities will include the following:
SRO will implement measures that meet the principles of data protection by design and data protection by default, such as:
The legal basis for processing data will be identified and documented prior to data being processed.
Under the GDPR, data will be lawfully processed under the following conditions:
Sensitive data will only be processed under the following conditions:
Where appropriate (with the example of webinars that have multiple hosts) we will apply the rules of contact by ‘legitimate interest’. This will cover communications with a candidate where it is in the individual’s interest to receive a communication from SRO or a prospective client contact, where we have reasonable cause to believe of their involvement with recruitment related activities for a given organisation. In each instance where legitimate interest is applied we will follow the ICO guidelines and ensure that the individual is offered the opportunity to opt out of further communications with us.
The privacy notice supplied to individuals in regards to the processing of their personal data will be written in clear, plain language which is concise, transparent, easily accessible and free of charge.
In relation to data obtained both directly from the data subject and not obtained directly from the data subject, the following information will be supplied within the privacy notice:
Where data is obtained directly from the data subject, information regarding whether the provision of personal data is part of a statutory or contractual requirement and the details of the categories of personal data, as well as any possible consequences of failing to provide the personal data, will be provided.
Where data is not obtained directly from the data subject, information regarding the source the personal data originates from and whether it came from publicly accessible sources, will be provided.
For data obtained directly from the data subject, this information will be supplied at the time the data is obtained.
In relation to data that is not obtained directly from the data subject, this information will be supplied:
Individuals have the right to obtain confirmation that their data is being processed.
Individuals have the right to submit a subject access request (SAR) to gain access to their personal data in order to verify the lawfulness of the processing.
SRO will verify the identity of the person making the request before any information is supplied.
A copy of the information will be supplied to the individual free of charge.
Where a SAR has been made electronically, the information will be provided in a commonly used electronic format.
Where a request is manifestly unfounded, excessive or repetitive, a reasonable fee will be charged.
All fees will be based on the administrative cost of providing the information.
All requests will be responded to without delay and at the latest, within one month of receipt.
In the event of numerous or complex requests, the period of compliance will be extended by a further two months.
The individual will be informed of this extension, and will receive an explanation of why the extension is necessary, within one month of the receipt of the request.
Where a request is manifestly unfounded or excessive, SRO holds the right to refuse to respond to the request.
The individual will be informed of this decision and the reasoning behind it, as well as their right to complain to the supervisory authority and to a judicial remedy, within one month of the refusal.
In the event that a large quantity of information is being processed about an individual, SRO will ask the individual to specify the information the request is in relation to.
Individuals are entitled to have any inaccurate or incomplete personal data rectified.
Where the personal data in question has been disclosed to third parties, SRO will inform them of the rectification where possible.
Where appropriate, SRO will inform the individual about the third parties that the data has been disclosed to.
Requests for rectification will be responded to within one month; this will be extended by two months where the request for rectification is complex.
Where no action is being taken in response to a request for rectification, SRO will explain the reason for this to the individual, and will inform them of their right to complain to the supervisory authority and to a judicial remedy.
Individuals hold the right to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
Individuals have the right to erasure in the following circumstances:
SRO has the right to refuse a request for erasure where the personal data is being processed for the following reasons:
Where personal data has been disclosed to third parties, they will be informed about the erasure of the personal data, unless it is impossible or involves disproportionate effort to do so.
Where personal data has been made public within an online environment, SRO will inform other organisations who process the personal data to erase links to and copies of the personal data in question.
Individuals have the right to block or suppress processing of their personal data. In the event that processing is restricted, SRO will store the personal data, but not further process it, guaranteeing that just enough information about the individual has been retained to ensure that the restriction is respected in future.
SRO will restrict the processing of personal data in the following circumstances:
If the personal data in question has been disclosed to third parties, SRO will inform them about the restriction on the processing of the personal data, unless it is impossible or involves disproportionate effort to do so.
SRO will inform individuals when a restriction on processing has been lifted.
Individuals have the right to obtain and reuse their personal data for their own purposes across different services.
Personal data can be easily moved, copied or transferred from one IT environment to another in a safe and secure manner, without hindrance to usability.
The right to data portability only applies in the following cases:
When processing is carried out by automated means personal data will be provided in a structured, commonly used and machine-readable form.
SRO will provide the information free of charge.
Where feasible, data will be transmitted directly to another organisation at the request of the individual.
SRO is not required to adopt or maintain processing systems that are technically compatible with other organisations.
In the event that the personal data concerns more than one individual, SRO will consider whether providing the information would prejudice the rights of any other individual.
SRO will respond to any requests for portability within one month.
Where the request is complex, or a number of requests have been received, the timeframe can be extended by two months, ensuring that the individual is informed of the extension and the reasoning behind it within one month of the receipt of the request.
Where no action is being taken in response to a request, SRO will, without delay and at the latest within one month, explain to the individual the reason for this and will inform them of their right to complain to the supervisory authority and to a judicial remedy.
The Right to Object
Should an individual wish to object to their data being processed they will need to contact SRO directly via email@example.com
Individuals have the right to object to the following:
Where personal data is processed for the performance of a legal task or legitimate interests:
Where personal data is processed for direct marketing purposes:
Where personal data is processed for research purposes:
Where the processing of personal data is necessary for the performance of a public interest task, SRO is not required to comply with an objection to the processing of the data.
Where the processing activity is outlined above, but is carried out online, SRO will offer a method for individuals to object online.
SRO will act in accordance with the GDPR by adopting a privacy by design approach and implementing technical and organisational measures which demonstrate how SRO has considered and integrated data protection into processing activities.
Data protection impact assessments (DPIAs) will be used to identify the most effective method of complying with SRO’s data protection obligations and meeting individuals’ expectations of privacy. DPIAs will allow SRO to identify and resolve problems at an early stage, thus reducing associated costs and preventing damage from being caused to SRO’s reputation which might otherwise occur.
A DPIA will be used when using new technologies or when the processing is likely to result in a high risk to the rights and freedoms of individuals.
A DPIA will be used for more than one project, where necessary. High risk processing includes, but is not limited to, the following:
SRO will ensure that all DPIAs include the following information:
Where a DPIA indicates high risk data processing, SRO will consult the ICO to seek its opinion as to whether the processing operation complies with the GDPR.
The term ‘personal data breach’ refers to a breach of security which has led to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
The DPO will ensure that all staff members are made aware of, and understand, what constitutes as a data breach as part of their continuous development training.
A full Data Breach Policy is available from the DPO.
Confidential paper records will be kept in a locked filing cabinet, drawer or safe, with restricted access.
Confidential paper records will not be left unattended or in clear view anywhere with general access.
Digital data is coded, encrypted or password-protected, both on a local hard drive and on a network drive that is regularly backed up off-site.
Where data is saved on removable storage or a portable device, the device will be kept in a locked filing cabinet, drawer or safe when not in use.
Memory sticks will not be used to hold personal information unless they are password-protected and fully encrypted.
All electronic devices are password-protected to protect the information on the device in case of theft.
All necessary members of staff are provided with their own secure login and password.
Where personal information that could be considered private or confidential is taken off the premises, either in electronic or paper format, staff will take extra care to follow the same procedures for security.
The person taking the information from SRO premises accepts full responsibility for the security of the data.
Before sharing data, all staff members will ensure:
Under no circumstances are visitors allowed access to confidential or personal information. Visitors to areas of SRO containing sensitive information are supervised at all times.
The physical security of SRO’s buildings and storage systems, and access to them is reviewed on an annual basis. If an increased risk in vandalism/burglary/theft is identified, extra measures to secure data storage will be put in place.
SRO’s takes their duties under the GDPR seriously and any unauthorised disclosure may result in disciplinary action.
The Data Protection Officer is responsible for continuity and recovery measures are in place to ensure the security of protected data.
Data will not be kept for longer than is necessary. Where appropriate we will only retain personal data where it has not been used or has any further significance or purpose for a maximum period of time of 2 years.
How long we retain your Personal Data depends on the type of data and the purpose for which we process the data. We will retain your Personal Information for the period necessary to fulfill the purposes outlined in this Privacy Notice unless a longer retention period is required or permitted by law.
Unrequired data will be deleted as soon as practicable. Some records relating to former employees of SRO may be kept for an extended period for legal reasons, but also to enable the provision of references.
Paper documents will be shredded or pulped, and electronic memories scrubbed clean or destroyed, once the data should no longer be retained.