Privacy Policy

INTRODUCTION

Here at Not On The High Street (NOTHS), we collect and process personal data relating to our candidates to consider your application as a candidate and decide who to employ. We’re committed to being transparent about how we collect and use personal data and also to meeting our data protection obligations.

WHAT PERSONAL DATA DO WE COLLECT?

We collect and process a range of information about candidates, including:

● name, address and contact details, including email address, telephone number, date of birth and gender;

● details of your qualifications, skills, experience and employment history;

● information about your nationality and entitlement to work in the UK;

● information about your criminal records;

● national insurance number; and

● information about medical and health conditions, including whether or not you have a disability for which we need to make reasonable adjustments.

HOW DO WE COLLECT PERSONAL DATA?

We collect your personal data in a variety of ways. We collect data through application forms, CVs, your passport and other documents. We also collect data from correspondence with you or through interviews, meetings or other assessments.

In some cases, we collect personal data about you from third parties, such as references supplied by you, former employers, information from employment background check providers and information from criminal records checks permitted by law.

Data is stored in a range of different places, including in your personnel file, in our HR system and in other IT systems (including our email system).

All personnel files are confidential and are stored on a secure drive. Only authorised employees have access to these files using their password-protected accounts. Our People team can provide a list of these authorised employees upon request. We also have network backup procedures in place to ensure that data stored on computers cannot be accidentally lost or destroyed.

WHY DO WE COLLECT PERSONAL DATA?

We need to collect your personal data for numerous reasons. We process your personal data to consider your application as a candidate and decide who to employ, to pursue our legitimate interests or to meet our legal obligations. Please see the table below for our processing activities, our reasons for processing your personal data and the legal basis for doing so.

Processing Activity | Reason for processing | Legal basis
Retaining all personal and employment related details/documents | To ensure we have accurate records for you when considering your application | Legitimate interests and/or legal obligation to retain documentation, depending on the nature of the documentation
Retaining all personal details/documents | To have access to up to date contact and emergency contact details during the application process | Legitimate interests
Reference checks | To undertake background checks before/at the beginning of your employment | Legitimate interests
Retaining the right to work (RTW) documentation | To ensure we have up to date copies of your RTW documentation | Legal obligation
Communications | To keep you updated on the progress of your application. | Legitimate interests

WHEN IS PERSONAL DATA SHARED?

Your personal data will be shared internally, including with members of the People and Experience team and Exec team, your hiring manager, other managers in the business area in which you may work and IT staff, to the extent that access to data is necessary for the performance of their roles and to consider your application.

We also share your personal data with external suppliers who process data on our behalf, for example, to undertake background checks or to arrange assessments. Please see the table below for a list of our third party partners, our reasons for sharing your personal data with them as well as information on international data transfers and the reassurance that safeguards are in place to protect your personal data where it is transferred outside of the European Economic Area (EEA).

Name of third party | Reason for sharing personal data | Is data transferred outside EEA? | Are safeguards in place to protect international data transfer?
Docusign | To provide an efficient way of sharing and arranging signature of documents | Yes | Yes
Google Workspace | To process your application we share data and collaborate on the recruitment process using Google Workspace | Yes | Yes
Pinpoint | To provide NOTHS with an applicant tracking system for recruitment purposes | Yes | Yes
Slack | To process your application we share data and collaborate on the recruitment process using Slack | Yes | Yes
Trello | To coordinate technical assessments | Yes | Yes
Vero | To complete background checks (references) | No | N/A
Willis Tower Watson | To support us in organising any occupational health assessments | Yes | Yes

WHAT RIGHTS DO YOU HAVE?

As a data subject and a candidate of NOTHS, you have a number of rights in relation to your personal data. These include the right to rectify inaccurate data and the right to request access to your data (a subject access request). Please see the Information Security Policy for more details on these rights.

If you would like to request any of your rights, please contact a member of the legal team.

HOW LONG IS PERSONAL DATA RETAINED FOR?

Our overriding principle is to retain your personal data only for as long as is necessary for the purposes for which your personal data was originally collected. Personal data obtained as part of your application and any subsequent interview process will be retained for 12 months from the date of your application. If successful, your personal data will be processed in line with our Employee Privacy Notice accessible on our intranet.

AUTOMATED DECISION-MAKING

We do not base any decisions during your employment on automated decision-making.

IMPACT ASSESSMENTS

When considering changes that we consider may substantially impact your privacy (e.g. engaging a new benefit supplier), we will carry out a data protection impact assessment to determine the necessity and proportionality of processing. This will include considering the purposes for which the activity is carried out, the risks for you and any measures that can be put in place to mitigate those risks.

DATA BREACHES

UK GDPR requires us to notify any personal data breaches to the applicable regulator and, in certain instances, you. We have put in place procedures to deal with any suspected personal data breaches and will notify you or any applicable regulator where we are legally required to do so.

If you have any questions or concerns please reach out to the People team or your hiring manager.

YOUR RESPONSIBILITIES

You are responsible for helping us keep your personal data up to date. You should let us know if any data you have provided to us changes, for example, if you move house.

Last updated: April 2023