General Data Protection Regulation (GDPR) Privacy Statement of
Industry Resource Services Ltd and its subsidiary and associated companies (IRS Group)
The Company Secretary
31 New Market
Last Update: July 2019
The IRS Group is committed to protecting the privacy and security of all personal information we hold. It's very important to us to ensure the personal information you provide to us is treated with the utmost respect and your data privacy rights are safeguarded, all in accordance with this GDPR Privacy Statement.
This GDPR Privacy Statement explains how personal information about you may be collected, what we do with your data, the measures we take to keep it secure as well as the rights and choices you have over your personal information. It applies to the personal data of all candidates, clients, work seekers, suppliers, website users and other people whose details we may hold in the course of us carrying out our business.
Within the IRS Group we have a recruitment business that provides work-finding services to its work seekers and candidates. It is necessary for us to process personal data (which may include sensitive personal data – now known as "special data") so that it can provide these services – in doing so, the IRS Group acts as a Data Controller so we are obliged to ensure we only process personal data where we have legitimate grounds to do so.
You may give your personal details to IRS Recruitment directly, such as on an application or registration form or via our website, or we may collect them from another source such as a job board. For the purposes of providing you with work-finding services and/or information relating to roles relevant to you we will only use your personal data in accordance with this GDPR Privacy Statement.
We also have HR and Payroll divisions that support other companies in managing and dealing with these functional aspects of their business. This may include advising or handling employment issues such as recruitment, training, disciplinary, absences, or dismissal, as well as pay-related matters, including pensions and other pay benefits. There is also a Project Services Division that assists organisations with a tailored service and, in doing so will likely require us to hold some personal information on those persons involved with the relevant project. With regard to personal data we hold when providing Project Services, HR and/or Payroll Services for our clients we act in the capacity of a Data Processor – so we process personal data on behalf of a third-party Data Controller who we have entered into a contract with.
We take care to protect the privacy of all personal data we hold which will be in compliance with current data protection laws.
1. Collection and use of personal data
The information we have set out below is additional to any personal data we are required by law to process in certain scenarios. We may also hold other relevant personal data that you have provided to us, or information that other parties, such as our client or your referees have provided to us, so this is not an exhaustive list. However, we will ensure the processing of any other data remains consistent with the purpose and legal basis that we already rely on under our GDPR Privacy Statement.
a. Purpose of processing and legal basis
Our recruitment business will collect your personal data (which may include special data) and will process your personal data for the purposes of providing you with work-finding services. This includes for example, contacting you about job opportunities, assessing your suitability for those opportunities, updating our databases, putting you forward for job opportunities, arranging payments to you and developing and managing our services and relationship with you and our clients.
In some cases, we may be required to use your data for the purpose of investigating, reporting and detecting crime and also to comply with laws that apply to us. Sometimes it may be necessary for us to process personal data and, where appropriate and legally required, special data in connection with exercising or defending a legal claim. We may also use your information during the course of internal and external audits to demonstrate our compliance with certain industry standards. Our telephone systems have the facility to record calls and on occasion we may utilise this facility for the purpose of quality, security and training.
As a Data Controller, we must have a legal basis to process your personal data. The legal grounds we rely upon are either:
- Where we have a legitimate interest, or
- To comply with a legal obligation that we have, or
- To fulfil a contractual obligation that we have with you, or
- With regard to the recording of telephone calls your consent will be required.
b. Legitimate interest
This is where the IRS Group has a legitimate reason to process your data provided it is reasonable and does not go against what you would reasonably expect. Where the IRS Group has relied on a legitimate interest to process your personal data our legitimate interests is/are as follows:
- Managing our database and keeping work-seeker records up to date;
- Providing work-finding services to you and our clients;
- Contacting you to seek your consent where we need it;
- Giving you information about similar products or services that you have used from us.
c. Statutory/contractual requirement
The IRS Group has certain legal and contractual requirements to collect personal data (e.g. to comply with the Conduct of Employment Agencies and Employment Businesses Regulations 2003, immigration and tax legislation, and in some circumstances safeguarding requirements). Our clients may also require this personal data, and/or we may need your data to enter into a contract with you.
For incoming calls, we inform you prior to us answering your call that calls maybe recorded. If you object to this then please make this clear to us when we answer your call.
For outgoing calls at the time of a phone call that we wish to record we will ask for your consent to continue to do so. If you do not wish to have the call recorded, please tell us.
If you advise that you do not wish to have your call recorded our staff member will determine whether the call can be continued without recording or, in some circumstances, the call may need to be terminated.
Some call recordings are retained in an electronic format and stored with your other personal data in our database.
e. Recipients of data
The IRS Group will process some/all of your personal data and/or special data, as necessary, with the following recipients:
- Clients (whom we may introduce you to)
- Referees who may include former employers, or other persons whom we may seek references from (generally this is to help you to find work, whereby we wish to verify their previous employment details, qualifications and experience)
- Other recruitment agencies in the supply chain
- Our bank if we need to process payments to you
- Pension providers
- HMRC or other tax/government authorities, as appropriate, where we have made payments to you
- Our own third-party service providers including but not limited to our accountants, insurers, auditors, legal advisors and IT service providers
- Your nominated emergency contacts, whether you are a candidate or one of our staff. Also, in the event of an important or emergency situation, we may pass on the nominated emergency contacts details to the emergency services if necessary and appropriate at the time.
We take great care to ensure your information is kept securely and all appropriate checks are carried out by us to ensure those third parties have and maintain similar standards of data protection.
2. Information collected
Categories of data:
The IRS Group collects some or all of the following personal data on you:
- Personal details: full name, gender, marital/family status, date of birth/age
- Images of you
- Contact details: postal address, personal email address, home and mobile telephone numbers, IP address if you are a website user
- Immigration status: nationality/citizenship/place of birth/ID Confirmation (usually by means of obtaining copies of your full Birth Certificate, Passport, Visas and/or Identity Card)
- Other ID information such as Driving Licence
- Education, qualifications, certificates and employment history, including your work performance, absence and disciplinary record
- Current remuneration & benefits, along with your expectation of any future pay and benefit package
- Information on your interests and desired job roles and any other needs or wishes concerning your future employment
- Lifestyle/leisure activities
- National Insurance number
- Bank details
- Third-party contact information, specifically your emergency contacts and referee details
- Correspondence, including meeting notes, contemporaneous note of conversations and feedback
- For limited company contractors we will also collect certain information about your business including your VAT registration certificate (if applicable), Certificate of Incorporation, bank details and personal data of your representative(s)
- If you are a client of any of our services, or a supplier of services to us, we need to collect, maintain and use information about your company, and in the context of personal data, this will include details of individuals in your organisation. We generally only collect the names, contact details and position of those individuals. We may also hold other information about those individuals that you or they have passed to us in the course of our business relationship, or that we have obtained from other sources, such as finance or banking information collected in the course of our due diligence process.
- If you are a Data Subject of one of our clients using our HR, Payroll or Project services, the information we collect is only ever provided to us by our client, or from other parties as agreed with them, such as benefit providers or HMRC, as necessary and at appropriate times during the provision of our services.
- If you are a third party whose data we have received from candidates or staff including referees and emergency contacts we may collect and hold your basic contact details – name, postal or email address, work/home/mobile telephone numbers
Special categories of data & information on Criminal Convictions/Offences:
- Health or fitness information including whether you have a disability
- Details of unspent convictions or spent convictions that must be declared for specific roles you have applied for
Where we hold special data – we are bound by stricter rules. This could be information about your gender, age, sexual orientation, religion, social-economic background and other information such as health-related data. We currently only collect and process such special data where there are legal grounds to do so (e.g., Health & Safety measures, in compliance with the Equality Act with reference to disability access rights). If there is any other wish or need during the course of our working relationship for us to process your special data, we will only do so with your explicit consent.
Source of the personal data:
The IRS Group sources your personal / special data from:
- You directly, by means of your CV or other forms that you have provided to us
- From job boards or other professional job search networking sites, such as LinkedIn that you have signed up
- From an agent/third party acting on your behalf
- A client who you are working/have worked for or where you are known to our client
- A referee whose details you have provided to us
- A friend, colleague, or employer
- Appropriate authorities to verify details you have provided, check qualifications, rights to work, and to check your suitability for the roles you have applied for (this includes work references and DBS checks)
- HMRC or other government bodies
3. Overseas Transfers
The IRS Group does not transfer the information you provide to us to countries outside the European Economic Area ('EEA') for the purposes of providing you with work-finding services. The EEA comprises the EU member states plus Norway, Iceland and Liechtenstein.
In some cases, personal data may be saved on storage solutions that have servers outside the EEA (for example, Dropbox, Google) however only those storage solutions that provide secure services with adequate relevant safeguards will be used.
In the event we do need to transfer your data outside the EU/EEA we will only do so when we are adequately satisfied that the level of data protection, as required by that Country's laws, is at least to that which we adopt.
4. Data Retention
The IRS Group will retain your personal data only for as long as is necessary for the purpose we collect it. Different laws may also require us to keep different data for different periods of time.
If we have not had any meaningful contact (involving two-way communication, either verbal or written, with you) for a period of six years we will delete your personal data from our recruitment database and associated systems in the subsequent January or July (as such your records may remain on our database for a total of 78 months). The exception to this is where we believe in good faith that the law or other regulation requires us to preserve it (or specific personal data) for longer (e.g., some work-related medical examination data will be retained for 40 years (statutory requirement) following the end of the work assignment period and associated data subject information will be retained alongside this).
When we get your data from online applications for vacancies the information is channelled through our Applicant Tracking System and is temporarily stored there while we work through the registration process. Data held within our Applicant Tracking System will be automatically deleted after 90 days.
We must also keep your payroll records, holiday pay, sick pay and pensions auto-enrolment records for as long as is legally required by HMRC and associated national minimum wage, social security and tax legislation. Our payroll, including holiday and sick pay, and pension records are held for 6 full tax years plus the current tax year.
Any personal data relating to individuals we deal with in our clients or suppliers organisations are retained for a period of 4 years from the date following any meaningful contact with that client or supplier. After that we will delete this information in the following January or July whichever comes first.
Despite our best endeavours some of your data may still exist within our system (e.g., backups), however, we have structured our systems so that your data is not readily accessible by any of our operational systems, processes or staff beyond our stated Data Retention periods.
5. Your rights
Please be aware that you have the following data protection rights:
- The right to be informed about the personal data the IRS Group processes on you
Achieved by means of this GDPR Privacy Statement
- The right of access to the personal data the IRS Group processes on you
If you make a Data Subject Access Request under your access rights, you should note that we may ask you for more information to verify your identity and provide greater detail about your request before we comply. If we are legally permitted to do so we may decline your request, in which case we will explain to you why
- The right to rectification of your personal data
You can ask us to rectify any inaccurate information we hold. Where you are engaged on a temporary work assignment or are engaging via us with one of our clients about a permanent vacancy, we will notify the client about the rectification. Where appropriate we will also tell you which third parties we have disclosed the inaccurate or incomplete personal data to, so you can take action to inform them of any rectification you require
- The right to erasure of your personal data in certain circumstances
Where we agree with the request we will delete your data securely but will generally assume that you would prefer us to keep a note of your name and date of birth on our register of individuals that would prefer not to be contacted (this is aimed at minimising the chances of you being contacted in the future where your data is collected in some other unconnected circumstances). If you disagree with us holding your name for this purpose you are free to write to us at the address shown at the top of this GDPR Privacy Statement and say so
- The right to restrict processing of your personal data
Your rights apply in the event you dispute the accuracy of the personal data or you object to our processing of your personal data on the grounds of our legitimate interests or if you consider our processing of your data unlawful
- The right to data portability in certain circumstances, this being in the event that your personal data:
o Has been provided to us by you, and,
o Has been processed automatically, and,
o Has been processed by us based on your consent or in order to fulfil the requirements of a contract;
- The right to object to the processing of your personal data that was based on a public or legitimate interest
Generally, we will only disagree with you if certain limited conditions apply, being that we can show compelling grounds for processing that overrides your interests, or we are processing your data for the establishment, exercise or in defence of a legal claim.
- The right to withdraw consent at any time where we have relied on consent as a legal basis for processing your data
Where you have consented to the IRS Group processing your personal data/special data you have the right to withdraw that consent at any time by contacting the person stated at the top of this GDPR Privacy Statement. Please note that if you withdraw your consent to further processing that does not affect any processing done prior to the withdrawal of that consent, or which is done according to another legal basis.
There may be circumstances where the IRS Group will still need to process your data for legal or official reasons. Where this is the case, we will tell you and we will restrict the data to only what is necessary for those specific reasons.
If you believe that any of your data that the IRS Group processes is incorrect or incomplete, please contact us using the details above and we will take reasonable steps to check its accuracy and correct it where necessary.
You can also contact us using the above details if you want us to restrict the type or amount of data we process for you, access your personal data or exercise any of the other rights listed above.
We will seek to deal with your request as quickly as we can and within 30 days (unless we have reason and are allowed to extend this period).
6. Automated decision-making
We store your details on our database and for work seekers we will assess data we hold about you against the vacancies we have been asked to fill. Whilst we will categorise your record to specific job functions and/or trades to help us in the search and assessment process none of our recruitment activities involve automated decision-making tools – there is always human interaction and/or intervention in this process.
8. Log Files
9. Links to external websites
10. Sale of business
If the IRS Group's business is sold or integrated with another business your details may be disclosed to our advisers and any prospective purchasers and their advisers and will be passed on to the new owners of the business. We will ensure that all such parties are GDPR compliant prior to such disclosure.
11. Data Security
We are passionate about protecting your information, so we have put in place appropriate measures that are designed to prevent unauthorised access to and/or misuse and/or loss of your personal data.
We have done this by putting in place sound technical and organisational measures which include a process on how we deal with any suspected breach, ensuring firewalls, anti-virus, encryption and limited access by means of secure passwords apply to our systems. We also endeavour to use secure electronic methods of transferring documents between us, for example the forms that we use to collect and store your personal data.
Only employees who need the information to perform a specific job (for example, consultants, our accounts and payroll team or our marketing personnel) are granted access to some/all of your information, as appropriate.
The IRS Group uses all reasonable efforts to safeguard your personal information. However, you should be aware that the use of email/the Internet is not entirely secure and for this reason the IRS Group cannot guarantee the security or integrity of any personal information which is transferred from you or to you via such media.
If you share a device with others, we recommend that you do not select the "remember my details" function when that option is offered.
If you have any questions about the security measures on our website, you can email the person stated at the top of this GDPR Privacy Statement.
12. Changes to this privacy statement
We will update this GDPR Privacy Statement from time to time. We will post any changes to the statement with revision dates on our website(s). If we make any material changes, we will notify you.
13. Complaints or queries
If you wish to complain about this GDPR Privacy Statement or any of the procedures set out in it, please contact us using the contact details above.
You also have the right to raise concerns with Information Commissioner's Office on 0303 123 1113 or at https://ico.org.uk/concerns/, or any other relevant supervisory authority should your personal data be processed outside of the UK, if you believe that your data protection rights have not been adhered to.