Data Protection
Policy
About This Policy
This Data Retention & Erasure Policy (External) relates specifically to Candidates, Referees, Client Contacts and Supplier Representatives (Data Subjects).
For information about data retention relating to Applicants and Employees, you should refer to our Data Retention Policy (Internal), which may be viewed on request to Lowenna Roe, lowenna@ethicrecruit.com.
The policy is intended to ensure that EthicRecruit LTD processes its business records in accordance with the personal data protection principles, in particular that:
• Personal data must be collected only for specified, explicit and legitimate purposes. It must not be further processed in any manner incompatible with those purposes.
• Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. When personal data is no longer needed for specified purposes, it is deleted or anonymised as provided by this policy.
• Personal data must be accurate and, where necessary, kept up to date. It must be corrected or deleted without delay when inaccurate.
• Personal Data must not be kept in an identifiable form for longer than is necessary for the purposes for which the data is processed.
• Personal Data must be secured by appropriate technical and organisational measures against unauthorised or unlawful processing, and against accidental loss, destruction or damage.
The Data Protection Manager (DPM) is responsible for overseeing this policy. Any questions about the operation of this policy should be submitted to the DPM.
Location of Business Records
Our business records are mainly stored within our CRM/database, Zoho and Itris. We may also store relevant information:
- On our internal network in shared folders;
- In cloud-based storage services such as OneDrive and Dropbox.
Keeping Information Up To Date
EthicRecruit LTD needs to ensure that our business records are kept up to date and accurate. Our employees are trained to update Data Subjects’ records whenever appropriate to ensure that (i) the data is up to date and (ii) all relevant employees are able to access and use such data for legitimate business purposes.
Data Retention & Erasure Policy (External)
ETHICRECRUIT LTD
May 2018
General Principles on Retention & Erasure
EthicRecruit LTD's approach to retaining business records is to ensure that it complies with the data protection principles referred to in this policy and, in particular, to ensure that:
• Business records are regularly reviewed to ensure that they remain adequate, relevant and limited to what is necessary to be used for the purpose for which they were recorded.
• Business records are kept secure and are protected against unauthorised or unlawful processing and against accidental loss, destruction or damage.
• When records are destroyed, whether held as paper records or in electronic format, EthicRecruit LTD will ensure that they are safely and permanently erased.
Standard Retention & Erasure of Business Records
1. EthicRecruit LTD’s standard data retention period is two years from the last date on which EthicRecruit LTD was in actual contact with the relevant Data Subject. If more than two years have elapsed since EthicRecruit LTD was last in contact with the Data Subject (Expiry Date), EthicRecruit LTD’s process is to delete the personal data relating to such Data Subject, subject to paragraph 2 below.
2. If the Data Subject is a Candidate who EthicRecruit LTD has placed in a permanent or temporary role with a Client, EthicRecruit LTD will usually retain the Candidate’s personal data for a period of seven years from the date on which the Candidate was placed with the Client (Legal Retention Period). The reasons for the Legal Retention Period are:
a. That the usual contract limitation period is six years and EthicRecruit LTD could be required to defend itself against a breach of contract claim at any time during the limitation period. Certain personal data may be subject to an extended limitation period of up to twelve years in total where the relevant agreement has been executed as a Deed.
b. It is a common provision in Client agreements that EthicRecruit LTD must for a period of not less than six years retain complete records of the recruitment activities which were carried out in the course of performing the contract; and
c. Where EthicRecruit LTD has placed the Candidate in a temporary role, EthicRecruit LTD is required by HMRC to retain a full audit trail of payments and receipts in respect of such temporary supply for the remainder of the relevant financial year plus a further six years i.e. up to seven years in total.
3. Where the Expiry Date has passed but EthicRecruit LTD is required to keep relevant data for the Legal Retention Period:
a. Any personal data which is not needed for audit or legal defence purposes should be removed from the Data Subject’s record. This includes personal data which is (i) irrelevant and/or (ii) particularly confidential in nature.
b. The Data Subject’s data shall not be used in the course of usual recruitment activities but shall instead be marked as Archived/Pending Deletion for the remainder of the Legal Retention Period.
c. Contact between the Data Subject and EthicRecruit LTD may be re-established. In such event, the Data Subject’s record may be marked as Active once again but any irrelevant and/or expired data should still be removed from the business record to ensure that it remains up to date and relevant.
4. In some instances, a Data Subject’s record will not pass the Expiry Date because EthicRecruit LTD stays in regular contact with such Data Subject. Although the record itself shall not expire under these circumstances, EthicRecruit LTD shall take active steps to ensure that the personal data within the Business Record remains relevant and necessary for the purpose for which it was obtained. EthicRecruit LTD shall delete any documents, notes and other types of personal data which are no longer required.
Erasure/Right To Be Forgotten Requests
A Data Subject may submit a request for erasure of their details from time to time (Erasure Request) i.e. the right to be forgotten.
Upon receipt of an Erasure Request, EthicRecruit LTD shall first verify the identity of the Data Subject and then establish whether the Data Subject wishes (1) to be entirely deleted from EthicRecruit LTD’s business records or (2) to remain within EthicRecruit LTD’s business records but marked as Non-Active or Do Not Contact.
(1) Erasure. If the Data Subject wishes to have their personal data erased:
a. EthicRecruit LTD shall process such request in accordance with the Data Subject’s instructions, but EthicRecruit LTD shall advise the Data Subject that EthicRecruit LTD may have no record of the Erasure Request and may therefore contact the Data Subject again upon subsequent receipt of the Data Subject’s details from a third party source e.g. a job board, CV search or LinkedIn.
b. EthicRecruit LTD shall ensure that any (i) joint Data Controller or (ii) third party which is processing the relevant Data Subject’s data on behalf of EthicRecruit LTD is informed that the Data Subject has made an Erasure Request and takes appropriate steps to comply with such Erasure Request.
c. EthicRecruit LTD shall, within one month of receiving the Erasure Request, confirm the outcome of such Erasure Request. Where EthicRecruit LTD has a legal right or duty to retain certain data for the Legal Retention Period set out above, EthicRecruit LTD shall confirm to the Data Subject in writing the steps which it has taken in respect of the Erasure Request and the extent to which any data has been retained.
d. If the request is manifestly unfounded or excessive, for example, because of its repetitive character, EthicRecruit LTD may charge a reasonable fee, taking into account the administrative costs of erasure, or refuse to act on the request.
e. If EthicRecruit LTD is not going to respond to the request, EthicRecruit LTD shall inform the Data Subject of the reasons for not taking action and of the possibility of lodging a complaint with the ICO.
(2) Do Not Contact. If the Data Subject wishes to have their record marked as Do Not Contact:
a. EthicRecruit LTD shall establish whether the Do Not Contact request is for a limited or indefinite period. EthicRecruit LTD shall record the Data Subject’s decision in the relevant business record.