NHS Digital Candidate Privacy Notice

Effective 30th April 2019

As part of our application and recruitment process NHS Digital collects, processes and stores personal information about you. This notice describes how at NHS Digital we handle and protect the data to which you provide us with access to in connection with the recruiting process.

1. What personal information do we collect and process?

Here are some examples of the type of information that we may process. There’s a full list in the schedule at the end of the notice.

• Personal details such as name, address, date of birth, nationality, gender; • Information to enable us to contact you such as telephone number and email address; • Information to identify you such as National Insurance number, passport, driving licence; • Information about your skills and experience such as work history, qualifications, training; • Information about your suitability to work for us such as references, interview notes, criminal record, assessment results, occupational health screening results; • Information about your terms of employment such as salary, job title, location and hours; • Information about what you thought of your experience through the recruitment process. This particular data is captured confidentially & anonymously.

2. Why do we need to collect and process your personal data?

The purpose of the data capture and processing is primarily to enable you to register for our job alerts or to apply for a job vacancy at NHS Digital, have your suitability assessed for the role and ensure that all the necessary information is obtained for an offer of employment, where applicable, and onboarding to be progressed without delay. This includes:

• Administering your application; • Assessing your skills, qualifications and interests against our job opportunities; • Verifying your information and carrying out pre-employment checks including reference checks, occupational health screening and conducting criminal record (DBS) checks if you are offered a job; • Communications with you about the recruitment process and/or your application(s), including, where you have given prior consent, informing you of other potential career opportunities at NHS Digital; • Where requested by you, assisting you with obtaining an immigration visa or work permit where required; • In the legitimate interests of NHS Digital such as making improvements to our advertising approaches, application and/or recruitment process including improving diversity in recruitment practices; and/or • Complying with applicable laws, regulations, legal processes or enforceable governmental requests.

The processing will always be fair and lawful and in the case of sensitive personal information your express consent will be obtained. We do undertake candidate assessment and screening however decision making is not automated. If you are offered and accept employment with NHS Digital, the information collected during the application and recruitment process will become part of your employment record.

3. Screening Checks

As part of pre-employment checking, NHS Digital performs screening checks to check suitability for roles, where permitted by local law. These checks include basic disclosure and barring service (DBS) checks and occupational health screening and are only performed on candidates who have been selected for a role. Your consent will be requested in line with the relevant laws before screening checks are performed.

4. Who has access to your data?

Your personal information may be shared internally and externally, with the below people, to enable the recruitment process to take place. The information shared is limited to what is required by each individual to perform their role in the recruitment process. We may need to share your information with parties internally including:

• Employees who have responsibility for assessing suitability for the vacancy either during the application, assessment or pre-employment checking stages and for ensuring your successful onboarding; • Employees in HR and Workforce who have responsibility for recruitment processes (for example attraction, assessment, pre-employment screening) or for administering recruitment processes; • Employees in Legal, HR, and Fraud with responsibility for investigating issues of non-compliance with laws and regulations, policies and contractual requirements; • Employees in IT and system owners who manage user access; • Audit and Investigations employees in relation to specific audits/investigations; and • Security managers for facilities/premises. We also may also need to share your information confidentially with external third parties including: • Your previous employers and/or academic institutions in seeking references and in validating information that you’ve provided; • Companies who provide candidate assessment and applicant tracking services to NHS Digital; • Suppliers who undertake background screening on behalf of NHS Digital (e.g. criminal record checking agencies, occupational health screening); and • Other third-party suppliers (or potential suppliers), who provide services on our behalf.

5. How is your data protected?

We take the security of your data very seriously. We have internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the performance of their duties. Where we use 3rd parties to process personal data on our behalf, they do so on the basis of guaranteeing the same level of protection as provided by NHS Digital. Your personal data will be retained in accordance with our retention schedule for candidate records. This means that we will retain some data after your application to NHS Digital is complete. Our retention periods do not exceed 12-months with much of the data being retained for lesser periods. However, we will provide you with the opportunity to request that we retain your job application for a longer period to save you time with future job applications as well as your job alert registration. Our Data Protection Officer, Catherine Nicholson, is responsible for ensuring that NHS Digital complies with data protection legislation and is the first point of contact on data protection issues.

6. Your Rights

You are entitled to see or request a copy of the information NHS Digital holds about you. You can request changes to be made to incorrect information. You can ask for information to be deleted or blocked if you legitimately think that NHS Digital shouldn’t be processing that information or is processing it incorrectly. If you have any queries about this notice or your personal information generally, including questions about accessing your personal information or correcting it, you should contact NHSdigitalrecruitment@nhs.net in the first instance. Alternatively, there is information available on our internet about accessing your personal information, please search for “subject access requests”. It is your responsibility to keep your personal information up to date so that accurate application records can be maintained. You can manage all of your applicant data by accessing and updating your profile in the applicant tracking system used by NHS Digital. If you have a complaint regarding the way in which your data has been handled, if you believe it is inaccurate, held for too long or it is not secure you can contact our Data Protection Officer. You also have the right to complain to the Information Commissioner’s Office (ICO) which is the regulator for data protection legislation and upholds information rights. More information is available on the ICO website https://ico.org.uk/.

7. Changes to this Notice

We may make changes to this notice from time to time. We will post any changes on this page and the version of the notice is identified at the top of the page by its effective date. Please note, we now obtain feedback on overall recruitment experience.

Schedule 1: Information we may process

• Name and address • Contact telephone number(s) and email address • Date of birth and national insurance number • Work history, employer name and address, job title, years worked and reason for leaving • Education, results, educational establishment and year • Professional training and awards, awarding establishments, results and year • Previous salary and expectations • Physical/mental health and condition(s) requiring adaptations to the work environment • Relations and/or relationships with NHS Digital employee(s), whom and type of relationship • Where an applicant has heard about a vacancy to enable advertising success to be identified • Unspent criminal convictions and details • Referee details, job title, employer and relationship • Gaps in employment, dates and reason • Whether an applicant is a current NHS ALB member of staff at risk of redundancy • Individual demographic information in compliance with legal requirements (such as national insurance number, passport/visa information, nationality, citizenship, work permit, disability and gender) • Individual demographic information for equal opportunities monitoring purposes and to enable rights and obligations to be identified (including ethnic origin, age, gender etc.) • Employment contract related information (including job title, salary, location, hours of work, reporting relationship etc.) • Bank account details for salary payment purposes • Reference details such as disciplinary record • Interview and assessment results, reports and notes • Photograph/image from video interviewing technology • Building CCTV images