Candidate Privacy Notice

Essex Cares Limited (ECL) collects and processes personal data relating to its employees to manage the employment relationship. We are committed to being transparent about how we collect and use data and to meeting our data protection obligations. This candidate privacy notice informs you of how information is obtained, used and retained.

Last updated date: 25/01/2024

Who we are

ECL is the trading name of Essex Cares Limited, Registered in England and Wales (Company Number 06723149) with a registered office at Seax House, Victoria Road South, Chelmsford, Essex CM1 1QH.

We are registered with the Information Commissioner's Office in the UK with reference number Z1801658.

We have a Data Protection Officer role within our Quality and Corporate Assurance Team, and they ensure we respect your rights and follow the law. If you have any concerns or questions about how we look after your personal information, please contact the Data Protection Officer on the details provided in the further advice and guidance section below.

Data Protection Principles

ECL will comply with Data Protection Laws and give particular attention to the Data Protection Act 2018 (DPA) and the UK General Data Protection Regulations 2016 (UK GDPR), particularly to Article 5, which says the information we hold about you must be:

  • Used lawfully, fairly and in a transparent way.
  • Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
  • Relevant to the purposes we have told you about and limited to only those purposes.
  • Accurate and kept up to date.
  • Kept only as long as necessary for the purposes we have told you about.
  • Kept securely and confidentially.

Personal information

The legal definition of personal data (information) is – ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’.

There are different categories of personal information.

  • Personal Information: This will include information such as your name, identification number, contact details.
  • Sensitive (Special Category) Personal Information: This will include information such as ethnic origin, political opinions, religious beliefs, criminal information or information concerning your health and social care.

What personal information do we collect about you for recruitment?

We collect and process a range of personal and sensitive (special category) data about you.

At application stage this will be:

  • Personal details including name and contact details. We will also ask you about previous experience, education, work history, referees and for answers to questions relevant to the role. This is normally supplied by you as part of your CV.
  • We will ask about any reasonable adjustments you need in order to take part in the interview process; this information is shared with hiring managers.
  • You will also be asked to provide equal opportunities information. This is not mandatory – if you don’t provide it, it won’t affect your application. We won’t make the information available to any staff outside our recruitment team, including hiring managers, in a way that can identify you, unless you have provided it within your CV which is shared with hiring managers. Any information you provide will be used to produce and monitor equal opportunities statistics.

If we make a conditional offer of employment, we will carry out pre-employment checks. You must successfully complete pre-employment checks to progress to a final offer. We must confirm the identity of our staff and their right to work in the United Kingdom, and seek assurance as to their trustworthiness, integrity and reliability.

You must therefore provide:

  • Proof of your right to work in the UK as per UK Government guidelines – you will be asked to attend our office with original documents; we will take copies.
  • We will ask you to complete a questionnaire about your health to establish your fitness to work.
  • We will ask you about any reasonable adjustments you may require under the Equality Act 2010. This information will be shared with relevant ECL staff to ensure these are in place for when you start your employment.
  • We will contact your referees, using the details you provide in your application, directly to obtain references.

Depending on the role you have been offered, you may also be required to provide:

  • Proof of your identity in line with UK DBS ID checking guidelines – you will be asked to attend our office with original documents; we will take copies.
  • A criminal records declaration to declare any unspent convictions and/or pending prosecutions.
  • Proof of your qualifications and/or professional membership – you will be asked to attend our office with original documents; we will take copies.

If we make a final offer, we’ll also ask you for the following:

  • Bank details – to process salary payments
  • Information relating to any pension or employee benefits that you enter into.

What is the legal basis for using your personal information?

ECL will only process data relating to candidates as part of the recruitment process in order to fulfil our duties as an employer, or where we have a legal obligation.

The lawful bases we rely on for processing your personal data are Article 6(1)(b) of the UK GDPR, which relates to processing necessary to perform a contract or to take steps at your request before entering a contract, and Article 6(1)(f) for the purpose of our legitimate interests.

If you provide us with any information about reasonable adjustments you require under the Equality Act 2010, the lawful basis we rely on for processing this information is Article 6(1)(c), to comply with our legal obligations under the Act.

The lawful basis we rely on to process any information you provide as part of your application which is special category data, is Article 9(2)(b) where processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject.

Why do we need your personal information?

We use the information you provide during the recruitment process to progress your application with a view to offering you an employment contract with us, or to fulfil legal or regulatory requirements if necessary.

We will not share any of the information you provide with any third parties for marketing purposes.

We’ll use the contact details you give us to contact you to progress your application. We may also contact you to request your feedback about our recruitment process. We’ll use the other information you provide to assess your suitability for the role.

We do not collect more information than we need to fulfil our stated purposes and will not keep it longer than necessary.

The information we ask for is used to assess your suitability for employment. You don’t have to provide what we ask for, but it may affect your application if you don’t.

We will use any feedback you provide about our recruitment process to develop and improve our future recruitment campaigns.

Who does ECL share my information with?

We will share the information which you provide during the recruitment process with the following, including our data processors:

  • Previous employers in order to obtain pre-employment references.
  • The Home Office to confirm work permits.
  • Eploy who provides our systems used for recruitment.
  • Trust ID, who support with verification of documents.
  • Docusign, as Data Processors providing the system we need in order to offer digital signatures for documents.
  • Essex County Council and ebulk as our DBS provider.
  • With your consent, we will also share data with our Occupational Health provider, if necessary, relating to reasonable adjustments.

We may also share your personal information when we feel there is a good reason and that is more important than protecting your privacy. This is not routine, but we may share your information:

  • In order to find and stop crime and fraud, or if there are serious risks to the public, our staff or others.
  • To protect adults who are thought to be at risk, for example where there is a safeguarding enquiry and we need to inform the Local Authority and in some cases the Care Quality Commission or the Police.
  • To fulfil our statutory obligations.
  • Where we are required to by law (court order).

We will try to discuss the sharing of your information and where possible seek your permission to let others know before doing so, but in some circumstances, we will still share the information if we believe the risk is serious enough, or we may have to share information immediately without discussion where the risk is great.

Will my personal information be accessible outside the UK?

Most of our systems that store your information are based in the UK or the European Economic Area. If we need to transfer your personal data to countries outside the European Economic Area, we will ensure that such transfers are compliant with the UK GDPR. Appropriate measures will be put in place to keep your personal data secure.

How long do you keep my information?

You are able to see how long we keep different types of information as published on our retention schedule.

Protecting personal information

We are committed to ensuring that your personal data is secure, whether it is a paper record or held electronically.

In order to prevent unauthorised access or disclosure, we have put in place appropriate technical, physical and managerial procedures to safeguard and secure the information we collect from you.

We limit access to your personal information to those who have a genuine business need to know it. Those processing will do so only in an authorised manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

Examples of how we keep our information secure include:

  • Encryption, meaning that information is hidden so that it cannot be read without special knowledge (such as a password). This is done with a secret code or what’s called a ‘cypher’. The hidden information is said to then be ‘encrypted’.
  • Controlling access to systems and networks allows us to stop people who are not allowed to view your personal information from getting access to it.
  • Annual training for all our staff to ensure they are aware of how to handle information and how and when to report when something goes wrong.
  • Regular testing of our technology and ways of working including keeping up to date on the latest security updates (commonly called patches).

Most of our information is stored on systems in the UK. There are some occasions where your information may leave the UK, either in order to get to another organisation or if it’s stored in a system outside of the EU. We have additional protections on your information if it leaves the UK, ranging from secure ways of transferring data to ensuring we have a robust contract in place with that third party.

Your rights

The law gives you a number of rights to control what personal information is used by us and how it is used by us. To learn more about these rights please see the ICO website.

You can ask for access to the information we hold on you.

We would normally expect to share what we record about you with you whenever we assess your needs or provide you with services.

However, you also have the right to ask for the information we have about you and the services you receive from us. When we receive a request from you, we must give you access to everything you have requested. This would apply to all personal information that is in paper or electronic records held by us.

In some cases, we will be unable to provide you with information in your records, as there are certain exemptions which apply. This may be because:

  • The record contains confidential information about other people.
  • The record contains information that a professional thinks will cause serious harm to you or someone else’s physical or mental wellbeing.
  • We think that giving you the information may stop us from preventing or detecting a crime.
  • We hold and use the record, but we are processing it on behalf of another company or organisation where they are responsible.

Where we have applied an exemption, we will inform you of this.

You can request to have inaccurate information updated

You can ask us to change information you think is inaccurate. We may not always be able to change or remove that information but we’ll correct factual inaccuracies and may include your comments in the record to show that you disagree with it.

You can ask to erase information (right to be forgotten)

In some circumstances you can ask for your personal information to be deleted, for example:

  • Where your personal information is no longer needed for the reason why it was collected in the first place.
  • Where you have removed your consent for us to use your information, and there is no other legal reason for us to use it.
  • Where there is no legal reason for the use of your information.
  • Where deleting the information is a legal requirement.

Where your personal information has been shared with others, we will do what we can to make sure those using your personal information comply with your request for erasure.

Please note that sometimes we cannot delete your information such as where:

  • We are required to have it by law.
  • It is used for public health purposes.
  • It is necessary for legal claims.

Restrict the use of your information

You can ask to limit what we use your personal data for. You have the right to ask us to restrict what we use your personal information for where:

  • You have identified inaccurate information and have told us of it.
  • We have no legal reason to use that information, but you want us to restrict what we use it for rather than erase the information altogether.

When information is restricted, it can’t be used other than to securely store the data and with your consent to handle legal claims and protect others, or where it’s for important public interests of the UK.

Where restriction of use has been granted, we’ll inform you before we carry on using your personal information.

You have the right to ask us to stop using your personal information. However, if this request is approved this may cause delays or prevent us delivering that service.

Where possible we’ll seek to comply with your request, but we may need to hold or use information because we are required to by law.

You can ask to have your information moved to another provider (data portability)

You have the right to ask for your personal information to be given back to you or another service provider of your choice in a commonly used format. This is called data portability.

However, this only applies if we’re using your personal information with consent (not if we’re required to by law) and if decisions were made by a computer and not a human being.

It’s likely that data portability will not apply to most of the services you receive from ECL Trading Limited as they are provided under contract.

Other Rights

You can ask to have any computer made decisions explained to you, and details of how we may have ‘risk profiled’ you.

You have the right to question decisions made about you by a computer, unless it’s required for any contract you have entered into, required by law, or you’ve consented to it.

You also have the right to object if you are being ‘profiled’. Profiling is where decisions are made about you based on certain things in your personal information, e.g. your health conditions.

If ECL uses your personal information to profile you, in order to deliver the most appropriate service to you, you will be informed.

Policy statement


The Data Protection Act 2018 requires us, Essex Cares Limited (ECL), as a Data Controller, to have an appropriate policy document in place relating to the processing of special category personal information and information about criminal offences.

Personal data is any information by which a living individual can be identified. Individual identification can be by information alone or in conjunction with other information. Certain categories of personal data have additional legal protections when being processed. These categories are referred to in the legislation as “special category data” and are data concerning:

  • Health.
  • Racial or ethnic origin.
  • Political opinions.
  • Religious or philosophical beliefs.
  • Trade union membership.
  • Genetic data.
  • Biometric data.
  • Sex life or sexual orientation.

The processing of criminal offence data also has additional legal safeguards. Criminal offence data includes information about criminal allegations, criminal offences, criminal proceedings and criminal convictions.

The principles

The below information sets out our procedures for ensuring our compliance with the principles as detailed in Article 5 of the General Data Protection Regulation.

Principle 1: Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.

We will:

  • ensure that personal data is only processed where a lawful basis applies, and where processing is otherwise lawful.
  • only process personal data fairly, and will ensure that data subjects are not misled about the purposes of any processing.
  • ensure that data subjects receive full privacy information so that any processing of personal data is transparent.

Principle 2: Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

We will:

  • only collect personal data for specified, explicit and legitimate purposes, and we will inform data subjects what those purposes are in a privacy notice.
  • not use personal data for purposes that are incompatible with the purposes for which it was collected. If we do use personal data for a new purpose that is compatible, we will inform the data subject first.

Principle 3: Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

We will:

  • only collect the minimum personal data that we need for the purpose for which it is collected.
  • ensure that the data we collect is adequate and relevant.

Principle 4: Personal data shall be accurate and, where necessary, kept up to date.

We will:

  • ensure that personal data is accurate, and kept up to date where necessary.
  • take particular care to do this where our use of the personal data has a significant impact on individuals.

Principle 5: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

We will:

  • only keep personal data in identifiable form as long as is necessary for the purposes for which it is collected, or where we have a legal obligation to do so. Once we no longer need personal data it shall be deleted or rendered permanently anonymous.

Principle 6: Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

We will:

  • ensure that there are appropriate organisational and technical measures in place to protect personal data.

Accountability principle: The controller shall be responsible for and be able to demonstrate compliance with these principles. Our Data Protection Officer is responsible for ensuring that the company is compliant with these principles.

We will:

  • ensure that records are kept of all personal data processing activities, and that these are provided to the Information Commissioner on request.
  • carry out a Data Protection Impact Assessment for any high risk personal data processing, and consult the Information Commissioner if appropriate.
  • ensure that a Data Protection Officer is appointed to provide independent advice and monitoring of personal data handling, and that this person has access to report to the highest management level of the department.
  • have in place internal processes to ensure that personal data is only collected, used or handled in a way that is compliant with data protection law.

Our policies regarding retention and erasure of personal data

We will ensure, where special category or criminal convictions personal data is processed, that:

  • there is a record of that processing, and that record will set out, where possible, the envisaged time limits for erasure of the different categories of data.
  • where we no longer require special category or criminal convictions personal data for the purpose for which it was collected, we will delete it or render it permanently anonymous.
  • data subjects receive full privacy information about how their data will be handled, and that this will include the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period.

Further details

If you have any concerns or questions about how we use your personal information, you can speak with our Data Protection Officer.

You can contact them by:


Post: Data Protection Officer, Seax House, Victoria Road South, Chelmsford, Essex CM1 1QH

Phone: 03330 135 438

For independent advice about data protection, privacy and data sharing issues, you can contact the Information Commissioner’s Office (ICO) at: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF Tel: 03031 231 113 (local rate). Alternatively, visit or email