- What is this policy about?
S3 Discovery Recruitment (“S3 Discovery/we/us”) needs to obtain and keep certain information about candidates to allow it to offer recruitment services. Laws about data protection set out rules on how personal information relating to individuals is obtained, processed, disclosed to others and transferred outside of the EU. S3 Discvoery is committed to complying with the Data Protection Act 1998 (DPA) and the General Data Protection Regulation (known as GDPR) and any subsequent national data protection laws which in due course replaces or amends the DPA and GDPR. Collectively we refer to these as the Data Protection Legislation.
This notice explains the types of information which S3 Discovery holds about candidates and your rights in relation to that information.
- What type of information is covered by data protection laws?
The law protects all information which relates to an individual i.e. personal data.
Some information is considered special information because it relates to race or ethnic origin, political opinions, religious beliefs or other beliefs of a similar nature, trade union membership, physical or mental health or sexual life or includes biometric information. Such sensitive information is given special protection. Similar additional safeguards are also applied to information about criminal allegations, proceedings and convictions and associated security measures.
- Principles of Data Protection
S3 Discovery will ensure that it complies with the data protection principles:-
- fair, lawful and transparent processing of information;
- processing for specified, explicit and legitimate purposes;
- information is adequate, relevant and limited to what’s necessary for the purpose for which it is obtained or maintained;
- information is accurate and kept up to date, with inaccurate information being corrected or deleted promptly;
- information is not kept for any longer than is necessary;
- all information is kept securely;
- information will not be transferred outside of the EU unless appropriate safeguards are in place.
“Processing” means collecting, recording, organising, structuring, storing, changing, retrieving, using, sharing, limited access to and deleting.
- Types of personal information held about you and the grounds for processing your information
Initially, we will receive details set out in your CV and contact details either directly from you or from job boards, for example, Totaljobs and CV-Library, on which you have posted your CV. If we receive information about you from someone else, such as a job board, we will send you a copy of this privacy notice as soon as possible.
Although it is not necessary or desired by us, some candidates choose to include a photograph of themselves, their marital status, their nationality, racial/ethnic origin, and/or religion on their CV. All such information is unnecessary but if you choose to include it you are choosing to include special personal data in your CV.
We will contact you to check that you wish to progress your application. We will ask you for contact details, basic information relating to the roles which you are looking for such as qualifications, availability, and details of personal transport. We will also ask you about working in the life sciences industry and about your health in terms of fitness to work. Before we ask these questions we will ask for your consent for us to process your data in accordance with this notice.
If you do not agree with your data being processed in accordance with this notice please do not upload your CV to our website or let your Recruiter know as soon as possible, in which case we will delete your information and your application will not be able to proceed.
Our recruiters shortlist applications for interview by ourselves (for temporary roles) or by our clients (for permanent employment). We will retain notes of interviews which we conduct.
Following a successful interview, further information will need to be collected about you. This includes checking that you are legally entitled to work in the UK, obtaining proof of your qualifications, undergoing a security check including a criminal records check, obtaining references from your referees and satisfying a health check. Please note that as part of the security check all sources of publically available information including social media may be searched. All types of information listed in this paragraph are necessary to assess your suitability for engagement as a temporary worker in the life science industry.
Offer of permanent work
If you are offered a permanent position with one of our clients, they will deal with you directly from this point onwards and you should refer to their privacy notice.
Offer of temporary work
If you are offered an assignment with one of our clients, you will be sent a permanent and temporary candidate agreement and asked to provide further information such as bank details and emergency contact details. You will also be sent details of your initial assignment. At this point you will be sent a further Privacy Notice which applies to the information we hold about our staff and temporary workers.
Ground of processing
We are processing the majority of your information with your consent. Health data is processed to assess your working capacity. We may also process some of your information (but not special personal data) for our legitimate interests of being able to offer recruitment services to work seekers and clients seeking workers. We will also use information where it’s relevant for actual or anticipated legal claims.
We do not make any decisions based on automated decision making i.e. an electronic system uses personal information to make a decision without any human involvement.
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will tell you and we will explain the legal basis which allows us to do so.
- From whom is personal information about you collected?
- Storing your information
We keep all the information about our candidates in Tracker software. Here is a link to their privacy statement:
We also keep payroll and accounting information on Sage software. Here is a link to their privacy notice:
Internally at S3 Discovery we ensure that all information about candidates is stored electronically and securely (see Security below).
- Keeping your information up to date
You need to help us to ensure that the information which we hold about you is up to date and correct so as soon as any details change (such as your address, phone numbers, email addresses, details of next of kin) you should tell your recruiter immediately.
- Your Rights
You have the following rights in relation to the personal information which we hold about you:
- Right to withdraw consent
Where you have consented to us processing your personal information, you are entitled to withdraw that consent at any time. If you wish to do so please contact email@example.com [or completing the out-opt form on our website] explaining which information you are referring to. We will stop processing this particular personal information as soon as possible after receiving your withdrawal except to the extent that we need to keep the information for regulatory purposes or in connection with legal proceedings. You will not be penalised in any way for withdrawing consent to any processing of your personal information. However, we will not be able to progress your application as it will involve the processing of special data (such as biometric data and political opinions) for which we need express consent to be able to process it lawfully.
- Right to object including to direct marketing
When our clients contact us about new vacancies we may contact suitable candidates whose data is stored on our databases to establish if they are interested in the new opportunity. Even if you have agreed to us contacting you for marketing purposes, you may object to us processing your personal data for direct marketing purposes at any time. You may object to being contacted in a particular manner in which case, please let us know which ways you are happy to be contacted (e.g. by email) and which means you are not happy with us using (e.g. text message) If you do object, we will stop processing your personal information as requested immediately.
You have the right to object, for reasons relating to your particular situation, to us processing your personal information, where we are processing your personal data for reasons of our legitimate interests ((including employer profiling and statistical research into employment trends ). When we receive any objection to processing on this ground, we will restrict access to the relevant information (see paragraph e below) while we assess whether our legitimate interests override your objection. If we can demonstrate that they do or the information is needed for legal claims, we are allowed to continue to process your personal information; otherwise, we will stop processing it. Where we are processing your information for other reasons such as compliance with our regulatory obligations we will continue to hold as much information as we need to in order to satisfy those obligations.
If you wish to object to us processing information about you for any of the above purposes please contact firstname.lastname@example.org or complete the opt-out form on our website.
- Right of access – data subject access request
This is commonly known as a “data subject access request” or simply a “subject access request”. The purpose of a subject access request is for you to know about the personal information which we hold about you and to check that we are lawfully processing it.
Usually, we will not charge you a fee for providing a copy of the information which you request but we may charge an administrative fee if you ask for further copies of the information or if your request is manifestly unfounded or excessive, in particular, if it is repetitive.
Alternatively, if the request is unfounded or excessive we may refuse your request. If we refuse your request, we will explain to you why we have refused and you will have the right to complain to the Information Commissioner (whose details are set out below).
Before we provide copies of your personal information we need to be sure that the person making the request is actually you. Therefore, we may ask for further information to confirm that you are the person making the request, particularly if the request comes from a personal email account which is unfamiliar to us or by an unsigned letter or from someone who says that they are acting on your behalf.
We have to protect other people’s personal information which means that we may have to remove or cover up information in a document before we can give you a copy. We also have to protect confidential information and intellectual property and so we may remove any information for this purpose.
We will respond to any data subject access request within one month unless your request is complex or numerous in which case we may extend the timeframe for our response up to a total of 3 months from the date of your request so long as we tell you within the first month and explain why we need the extra time.
If you email us your request we will provide electronic copies of the requested information.
If you wish to make a subject access request please contact email@example.com . Please be specific in your request. If you make a very general request we may ask you to specify which information you would like to see.
- Right to request correction
If you think that any personal information about you which we hold is incorrect or incomplete you have the right to request that the information is changed. If you wish to correct any information we hold about you please contact firstname.lastname@example.org If we disagree that the information is incorrect, we will tell you why. In that scenario, we have the right to retain the information and you can ask us to add a supplementary statement.
While we are assessing whether the information is incorrect or incomplete we will restrict the information (see paragraph f below for further details).
If we have provided incorrect or incomplete information about you to someone else, we will update the information following your request to correct the information.
We will respond to your request within one month unless your request is complex in which case we will respond within 3 months.
- Right to request deletion – so called “right to be forgotten”
In the following situations you have the right to have your personal information deleted:
- Where the personal information is no longer necessary for the purpose for which it was originally collected/processed;
- When we have asked you for consent to process your information and you have withdrawn that consent;
- When you object to the processing (see paragraph d below) and there is no overriding legitimate interest for continuing the processing;
- When the personal information was unlawfully processed; or
- When the personal information has to be erased in order to comply with a legal obligation.
We can refuse your request if the information is needed for current or potential legal claims.
If we have provided the information about you which you wish to be deleted, to someone else, we will, where possible, ask them to also delete the information.
If you wish to request that some information relating to you is deleted please contact email@example.com .
- Right to restrict processing
If you tell us that you think some personal information we hold about you is incorrect or incomplete or you object to us processing your personal information for reasons of our legitimate interests (including profiling), we will restrict access to the relevant personal information while we assess whether or not it is incorrect/incomplete or whether we are allowed to continue processing your personal information. This means that we will continue to store the relevant personal information but we won’t use it for any other purposes.
If we no longer need the information but you need it for legal claims you may ask us to restrict access to it rather than delete it.
If we have previously provided the restricted information to someone else, we will, where possible, ask them to also restrict the information.
- Right to transfer of your information
Where you have provided information to us and we are processing it via automated means either based on your consent or for the performance of your employment contract/contract for services, you have the right to request that the information is provided to you, or to someone else, in a commonly used electronic form.
We will not charge you for the transfer of your information.
We have to protect other people’s personal information which means that we may have to remove some information before transferring your information.
We will respond to any request to transfer your information within one month unless your request is complex or numerous in which case we may extend the timeframe for our response up to a total of 3 months from the date of your request so long as we tell you within the first month and explain why we need the extra time.
If you wish to us to provide such information to you in this manner please contact firstname.lastname@example.org .
If we do not transfer your information following a request for you to do so, we will tell you why as soon as possible and at least within one month of your request. You would have the right to complain to the Information Commissioner (whose details are set out below).
- Sharing your personal information
Internally, we will limit access to the majority of your personal information to colleagues who need to know the information to be able to perform their role such as the recruiters.
We will share your information (without your address or contact details) with a client who has a suitable vacancy. If the client expresses an interest in taking your application forwards you may be invited to interview with the client, at which point the client will be notified of your name and contact details and you will be notified of the client’s name.
As we have explained above we share your information with Hortus and Acorn during the recruitment process and store your information on Tracker, RightSignature and Sage.
We may share some of your personal information with other people outside of S3 Discovery where this is required by law (e.g. an audit of our records), or where we have a legitimate business interest (such as with our external HR consultant or legal advisors).
Where we share your personal information with external service providers we protect it by requiring those service providers to take appropriate security measures to protect your personal information in line with our policies. We also tell our external service providers that they can only use your personal information for the purpose of providing the service to us and not for their own purposes. We only allow them to process your personal information for specified purposes and in accordance with our instructions.
We may also need to share your personal information with a regulator or to otherwise comply with the law.
- Transfer of your personal information out of the EU
Within the EU all businesses have to protect personal information in the same way as employers do in the UK. However, outside of the EU data protection laws vary from country to country, some have similar laws to the EU, others have very different laws.
Some of the providers we mentioned above (including Tracker and RightSignature) are based outside of the EU which means that your data will be transferred to the US. We will only transfer your personal information outside of the EU where there is adequate protection for your information or for legal claims.
A very important part of looking after the personal information which we hold about you is ensuring that it’s secure.
We have considered how to protect your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed inappropriately. We have put in place measures to achieve these objectives.
All information about you will be held on secure databases or in locked filing cabinets.
However, data transmission over the internet and email cannot be guaranteed to be entirely secure. As a result, we cannot guarantee the security of your information and submission of information to us is therefore at your risk.
- Breach of security
If we discover that our security measures have failed and this results in personal information being lost, destroyed, corrupted or disclosed or someone accessing the information or passing it on without proper authorisation, we will assess the risk that such a breach may have on you. If the breach will result in a high risk of a negative impact for you we will tell you and we will tell the Information Commissioner
- Deleting your personal information
If your application for a particular role is unsuccessful we would like to keep your information on our database in case a suitable vacancy arises in the future. We will therefore keep your information for 2 years from the date that it was first uploaded or the end of your last assignment whichever is the later and by using our service you agree to us doing so. If you do not wish us to retain your information, please let us know as per your right to withdraw consent explained above.
- Contact information
S3 Discovery processes personal information about you (known as the “data controller”). Address: BCM Box 1899, London WC1N 3XX, Telephone 0333 3355 470.
If you have any queries relating to your personal information or your responsibilities with respect to other people’s personal information please contact email@example.com.
The Information Commissioner is the UK supervisory authority with responsibility for data protection. Various ways of contacting the Information Commissioner are detailed on their website: https://ico.org.uk/global/contact-us/. You can complain to the Information Commissioner at any time.
- Date of and changes to this notice
This policy is dated August 2019.
We reserve the right to update this notice at any time. We will post updates to this notice on our Intranet and send you an updated copy. We may also notify you in other ways from time to time about the processing of your personal information.