Privacy Policy

Recruitment Privacy Notice for

Applicants & Candidates

At Rowcroft Hospice we are committed to acting within our values of Honesty & Integrity, Generosity of Spirit, and Respect and as Team Players. We believe we are all responsible for delivering our purpose to make every day the best day possible for our patients and those closest to them, living with life-limiting illnesses in South Devon, and for ensuring we behave in an ethical, values driven, and patient focused way.

At the very centre of this are our employees, volunteers, and supporters, who give so much. As an Applicant we take your privacy very seriously and are committed to ensuring that your associated rights are protected.

1. What is the purpose of this document?

This notice applies to applicants & candidates of employed or volunteer roles with Rowcroft Hospice. It explains how we collect and use any information about you, and how we have put procedures in place to meet our legal obligations and ensure that we protect your privacy. This notice does not form part of any contract of employment or other contract to provide services. We may update this notice at any time, we may also notify you from time to time about the processing of your personal data.

For the purposes of recruitment, Rowcroft Hospice is a “data controller”. This means that we are responsible for deciding how we hold and use personal information about you. It is important that you read and retain this notice, along with any other notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information and what your rights are under data protection legislation.

We use a software called Tribepad to manage our recruitment process. This means that your personal data is processed by Tribepad Limited the “data processor” on behalf of and instructed by Rowcroft Hospice the “data controller”.

2. Data Protection Principles

We will comply with data protection law. This says that the personal information we hold about you must be:

used lawfully, fairly and in a transparent way
collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes
relevant to the purposes we have told you about and limited only to those purposes
accurate and kept up to date
kept only as long as necessary for the purposes we have told you about
kept securely.

3. The kind of information we hold about you

As part of the recruitment and on-boarding process we will collect, store, and use the following categories of personal information about you:

personal contact details such as name, title, addresses, telephone numbers, and personal email addresses
date of birth
Equality, Diversity & Inclusion monitoring information, including gender, ethnic origin, religion or belief, sexual orientation and identification
Whether or not you have a disability and any reasonable adjustment requested for the recruitment process
next of kin and emergency contact information
national insurance number
bank account details, payroll records and tax status information
location of employment or workplace
Proof of eligibility to work in the UK
copy of ID for the purposes of DBS (if applicable to your role)
copies of relevant vehicle insurance documentation (if using your own vehicle in the course of your work with us) and vehicle registration number
recruitment information (including copies of relevant qualifications, interview notes, references and other information included in an application form, CV or cover letter or as part of the application process)
details of professional memberships (if applicable to your role)
photograph

4. How is your personal information collected?

We collect personal data about employees, workers, and volunteers through the application and recruitment process, either directly from candidates or sometimes from an employment agency or background check provider (such as the Disclosure & Barring Service). We may sometimes collect additional information from third parties including former employers, including the NHS.

We will continue to collect and create relevant additional personal information throughout the period you are working for us.

5. How we will use information about you

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

to process your application to work with us
assess skills, qualifications, and suitability for the role
communicate with you about the recruitment process
to perform background & pre-employment checks
where we need to perform the contract we have entered into with you
where we need to comply with a legal obligation
where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

Situations in which we will use your personal information

We need all the categories of information in the list above (see Section 3) primarily to allow us to process your application to work with us, and to enable us to comply with legal obligations. The situations in which we will process your personal data are listed below.

Information	to allow us to perform our contract with you	to enable us to comply with legal obligations	to pursue legitimate interests of our own or those of third parties
Making a decision about your recruitment or appointment			X
Determining the terms on which you work for us			X
Checking that you are legally entitled to work in the UK		X
Conducting pre-employment checks (such as psychometric screening or DBS checks) – applicable roles only		X (where a statutory requirement exists)	X
Paying you if you become an employee	X
Administering the contract we have entered into with you	X
Memberships of professional bodies		X (where legally required)	X (where of benefit to the organisation)
Equal opportunities monitoring		X

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.

If you fail to provide personal information

If you fail to provide certain information when requested, we may not be able to process your application or perform the contract we may enter into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations.

6. How we use particularly sensitive personal information

‘Special categories’ of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing, and using this type of personal data. We have in place appropriate safeguards which are required by law when processing such data. We may process special categories of personal information in the following circumstances:

where it is needed to complete your onboarding and pre-employment checks if your application is successful
where we need to carry out our legal obligations or exercise rights in connection with employment
where it is needed in the public interest, such as for equal opportunities monitoring, in relation to our occupational pension scheme or in the interest of public health.

7. Information about criminal convictions

We will only collect information about criminal convictions if it is appropriate given the nature of the role and where we are legally able to do so.

Where appropriate, we will collect information about criminal convictions as part of the recruitment process or we may be notified of such information directly by you during your onboarding.

We will use information about criminal convictions and offences in the following ways:

To identify your suitability for the role you are applying for
To ensure you are not automatically disqualified (in law) to undertake the role for which you are applying.

We are allowed to use your personal information in this way to carry out our obligations and safeguard the public and organisation from potential harm. We have in place appropriate policy and safeguards which we are required by law to maintain when processing such data.

8. Automated decision-making

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention, for example through psychometric screening. We are allowed to use automated decision-making during the recruitment process where you:

say you do not have the right to work within the UK
say you do not have the qualification or professional registration required for the role.

9.Data Sharing

Why might you share my personal information with third parties?
We will share your personal information with third parties where it is necessary for the processing of your application or onboarding, or where required by law.

‘Third parties’ include third-party service providers (including contractors and designated agents) and other entities within our wider organisation. This can include:

Reference requesting
The Disclosure and Barring Service (DBS)
Pre-employment health-check agency
Torbay & South Devon NHS Foundation Trust (where we share an obligation; they undertake a DBS check on our behalf; or the provision of mandatory training)
Our audit partner as part of the routine audit or control checks
Our legal advisors where we require their assistance in a relevant matter.

We may also need to share your personal information with a regulator, professional body or to otherwise comply with the law. This may include HMRC, Companies House, the Charity Commission, the Health & Safety Executive (HSE) or the Care Quality Commission.

How secure is my information with third party service providers?
All our third-party service providers are required to take appropriate security measures to protect your personal data in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

10. Transferring personal information outside the EU

Some of our third-party service providers (identified in section 9 above), particularly software providers, may transfer or store personal data outside of the European Economic Area (EEA) so their processing of your personal information will involve a transfer of data outside the EEA.

Whenever we transfer your personal data out of the EEA, we ensure an adequate level of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
Where we use certain service providers, we will use specific contractual clauses approved by the European Commission which give personal data the same protection it has in Europe.
Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield (or similar) framework which requires them to provide similar protection to personal data shared between the Europe and the US.

If you require further information about these protective measures, you can request it from our Data Protection Officer (see section 14 below).

11. Data security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business requirement to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

12. Data retention

How long will you use my information for?
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

If your application to work with us is unsuccessful we will hold your personal information for a period of 6 months, unless you request us to hold it for longer for the purposes of applying for further roles with us.

If your application is successful your personal information will be transferred out of Tribepad into your employee file and retained for the duration of your employment with us and 7 years thereafter.

In some circumstances we may anonymise your personal data so that it can no longer be associated with you, in which case we may use such information without further notice to you. For example, equal opportunities monitoring.

Once the retention period of any personal data is reached, we will securely destroy it.

13. Rights of access, correction, erasure, and restriction

Your duty to inform us of changes
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal information changes during your application period.

Your rights in connection with personal information
Under certain circumstances, by law you have the right to:

Request access to your personal information (commonly known as a ‘data subject access request’). This enables you to receive a copy of the personal data we hold about you and to check that we are processing it lawfully.
Request correction of the personal information we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
Request erasure of your personal information. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request
Object to processing of your personal information. Where we are relying on a legitimate interest (or those of a third party) and you have the right to object to processing if you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
1. if you want us to establish the data’s accuracy
2. where our use of the data is unlawful but you do not want us to erase it
3. where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims
4. you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
Request the transfer of your personal information to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
Right to withdraw consent. In the limited circumstances where you may have provided your consent for the collection, processing, and transfer of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

If you wish to exercise any of these rights please contact our Data Protection Officer in writing (see section 14 below).

Fee
You will not usually have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is a necessary security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

14. Data Protection Officer

We have appointed a Data Protection Officer (DPO) to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your personal information, please contact the DPO.

DPO Details

Jonathan Hill, Director of Finance & Commercial
Email: jonathan.hill@rowcrofthospice.org.uk
Rowcroft Hospice
Avenue Road
Torquay
TQ2 5LS

The Information Commissioner

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO.