Globe Locums acts both as a recruitment business and recruitment agency as defined under The Conduct of Employment Agencies and Employment Businesses Regulations 2003 and provides work-finding services to its clients and work-seekers. We must process personal data including sensitive personal data so we can provide these services - in doing so, we act as a data controller.
You may give your personal details to us directly, such as on an application or registration form, emailing your CV, via our website, or we may collect them from another source such as a jobs board, social media sites or professional networking sites or referrals from friends or colleagues. We must have a legal basis for processing your personal data. For the purposes of providing you with work-finding services and/or information relating to roles relevant to you we will only use your personal data in accordance with this privacy notice.
At all times we are committed to protecting and safeguarding the privacy and security of your personal information and complying with current data protection laws.
1. Collection and use of personal data
a. Purpose of processing
As a candidate or prospective candidate, we will collect your personal data, which may include sensitive personal data, and will process it for the purposes of providing you with work-finding services. In doing so, we act as a data controller.
Work-finding services include for example, contacting you about job opportunities, assessing your suitability for those opportunities, updating our databases, putting you forward for job opportunities, arranging payments to you and developing and managing our services and relationship with you and our clients.
The more information we have about your skills, expertise, qualifications, the type of work you are seeking and your work preferences, the better placed we are to provide our service to you.
As a candidate if you have opted-in we may also send you marketing information and news via email/text. You can opt-out from receiving these at any time by clicking "unsubscribe" when you receive these communications from us and/or requesting this by emailing [email protected].
As a client or prospective client we may need to collect personal data about you or individuals at your organisation in the course of providing services to you.
As a supplier we need contact details of relevant individuals at your organisation so we can communicate with you and ensure contractual arrangements between us can be properly implemented.
We may also collect third party data, such as emergency contacts and referees. We use referees' personal data to help our candidates find suitable work best matched to their skills, qualifications, experience and preferences. We may also use referees' personal data to contact them in relation to recruitment activities that may be of interest. We use nominated emergency personal contacts of a candidate or employee in the event of an accident or emergency affecting that individual.
Please note that should you decline to provide us with personal data and depending on the grounds on which we may be processing it, we may not be able to fulfil our contractual requirements or potentially continue to provide services to you.
In some cases we may be required to use your data for the purpose of investigating, reporting and detecting crime and also to comply with laws that apply to us. We may also use your information during the course of internal audits to demonstrate our compliance with certain industry standards.
Legal basis for processing your data
We must have a legal basis to process your personal data. The legal bases we rely on are:
- Your consent
- Where we have a legitimate interest
- To comply with a legal obligation that we have
- To fulfil a contractual obligation that we have with you
b. Legitimate interest
This is where we have a legitimate reason to process your data provided it is reasonable and does not go against what you would reasonably expect from us. Where we have relied on a legitimate interest to process your personal data our legitimate interests are as follows:
- Managing our database and keeping work-seeker records up to date
- Providing work-finding services to you and our clients
- Contacting you to seek your consent where we need it
- Giving you information about similar products or services that you have used from us recently
c. Statutory/contractual requirement
Globe Locums has certain legal and contractual requirements to collect personal data (e.g. to comply with the Conduct of Employment Agencies and Employment Businesses Regulations 2003, immigration and tax legislation, and in some circumstances safeguarding requirements). Our clients may also require this personal data, and/or we may need your data to enter into a contract with you. If you do not give us the personal data we need to collect, we may not be able to continue to provide work-finding services to you.
d. Recipients of data - who your data may be shared with
We may process your personal data and/or sensitive personal data with the following recipients:
- Clients (whom we may introduce or supply you to) e.g. NHS Hospitals and Trusts, Private Healthcare Providers, Health Sector Frameworks
- Former employers whom we may seek references from
- Any third parties who carry out audits to ensure operational compliance
- Payroll service providers who manage payroll on our behalf or other payment intermediaries whom we may introduce you to
- Any umbrella companies that we pass your data to, for payroll purposes
- Pension providers
- Other recruitment agencies in the supply chain e.g. master/neutral vendors and second tier suppliers
- Third party suppliers and outsourced service providers in Globe Locums' supply chain - IMS and QX, supporting the delivery of services, business operations and functions
- Public information sources and third party organisations - the Disclosure and Barring Service (DBS), Disclosure Scotland, Nursing and Midwifery Council (NMC), General Medical Council (GMC) and other professional bodies
- Training and immunisation providers to enable ‘fitness to work' certificates and compliance
- Recruitment and Employment Confederation (REC)
- Government, law enforcement agencies and other regulators e.g. the Police, Home Office, HMRC, Employment Agencies Standards Inspectorate (EASI)
- Any group companies
- Our insurers and legal advisers
- Providers of web analytics services, marketing automation platforms and social media services to ensure any advertising you receive is targeted to you.
2. Categories of data
We may collect the following personal data on you:
- Contact information - name, postal address, telephone/mobile number, email address
- CV - education, experience, employment, qualification, training history
- Language proficiencies and other work related skills
- Professional registration checks/records
- Information on your interests and needs regarding future work opportunities
- Nationality/citizenship/place of birth (through right to work check)
- Immigration status
- Social Security / National insurance number
- Bank account information
- Tax related information
- Details about your current remuneration, pensions or benefits arrangements
- Credit checks
- Information you choose to tell us
- Information your referees choose to tell us about you
- Information that our clients may tell us about you or that we find from other third party sources such as job sites or professional networking sites
- Referee details
- Emergency contact details
- Telephone recordings
- Internet Protocol address
- Dates, times and frequency with which you access our services
- CCTV footage if you attend our premises
Sensitive personal data:
- Date of birth
- Marital status
- Health information including whether you have a disability
- Criminal convictions and cautions, if required for a role you are interested in applying for
- Immunisation history
- Special categories of data such as information about ethnic origin, sexual orientation or religion or belief in order to monitor diversity
Source of the personal data
We may source your personal data/sensitive personal data by the following means:
- From yourself directly either through our website, advertisements on third party sites, application or registration form, CV, email or telephone communications
- From jobs boards, where you have provided your personal information
- From a publicly accessible source such as social media including but not limited to Facebook and LinkedIn
- From third parties and colleagues who have shared your data with us e.g. former employer or referral
Some information may come from a publicly accessible source.
3. Overseas Transfers
We may transfer the information you provide to us to countries outside the European Economic Area (‘EEA') for the purposes of providing you with work-finding services. We will take steps to ensure adequate protections are in place to ensure the security of your information. The EEA comprises the EU member states plus Norway, Iceland and Liechtenstein.
Should we transfer personal information from within the EEA to countries outside of the EEA, the transfer takes place on the basis of an adequacy decision by the European Commission or, in the absence of any adequacy decision, other legally permitted grounds, for example:
- Legally binding and enforceable instrument between public authorities or bodies
- Binding corporate rules
- Standard contractual clauses (‘SCCs' or ‘Model Clauses') adopted by the Commission
- An approved code of conduct
- Certification under an approved certification scheme
- Contractual clauses authorised by the ICO
If you would like more information about the methods used to transfer your personal data outside of the EEA, please contact us at [email protected].
4. Data retention
We will retain your personal data only for as long as is necessary for the purpose we collect it. Different laws may also require us to keep different data for different periods of time.
As a candidate, if we have not had ‘meaningful contact' with you for a period of over two years, we will delete your personal data from our systems unless we believe in good faith that the law or other regulations require us to preserve it, for example due to our obligations to tax authorities or in connection with any anticipated litigation.
For candidates whose services are provided via a third party company or other entity, ‘meaningful contact' means meaningful contact with the company or entity which supplies your services.
By ‘meaningful contact' we refer to communication between us, either electronic, verbal or written, where you are actively engaging with our services. If you are a candidate we will consider there to be meaningful contact with you if you submit your updated CV, communicate with us about potential roles, update us on your work preferences either by verbal or written communication or click through from any of our marketing communications. Your receipt, opening or reading of an email or other digital message from us will not count as meaningful contact; this will only count if you click through or reply directly.
As a candidate, if there has been no contact whatsoever, we will delete your data after six months.
As a candidate, if you have been deployed for work by Globe Locums, to comply with Framework Agreements we are required to keep secure and maintain records for six years, therefore we will retain your records for six years after the date last worked and/or two years after meaningful contact, whichever is the later.
The Conduct of Employment Agencies and Employment Businesses Regulations 2003 require us to keep work-seeker records for at least one year from (a) the date of their creation or (b) after the date on which we last provide you with work-finding services.
We must also keep your payroll records, holiday pay, sick pay and pensions auto-enrolment records for as long as is legally required by HMRC and associated national minimum wage, social security and tax legislation.
Where we have obtained your consent to process your personal and sensitive personal data, we will do so in line with our retention policy. Upon expiry of that period we will seek further consent from you. Where consent is not granted we will cease to process your personal data and sensitive personal data.
5. Your rights as a Data Subject
Please be aware that you have the following data protection rights:
- The right to be informed about the personal data we process on you
- The right of access to the personal data we process on you
- The right to rectification of your personal data
- The right to erasure of your personal data in certain circumstances
- The right to restrict processing of your personal data
- The right to data portability in certain circumstances
- The right to object to the processing of your personal data that was based on a public or legitimate interest
- The right not to be subjected to automated decision making and profiling
- The right to withdraw consent at any time.
6. Automated decision-making
We do not use automated decision-making, including profiling.
8. Log Files
We use Internet Protocol (IP) addresses to analyse trends, administer the site, track users' movements, and to gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.
9. Links to external websites
Our website may contain links to other external websites. Please be aware that we are not responsible for the privacy practices of such other sites. When you leave our site we encourage you to read the privacy statements of each and every website that collects personally identifiable information. This privacy statement applies solely to information collected by our website.
10. Sale of business
If Globe Locums' business is sold or integrated with another business your details may be disclosed to our advisers and any prospective purchasers and their advisers and will be passed on to the new owners of the business.
11. Data Security
We take every precaution to protect our users' information, through a number of measures including:
- Appropriate IT hardware and software implementation such as firewalls, antivirus and filtering measures
- Controlled access to our systems through appropriate passwords and physical restrictions
Only employees who need the information to perform a specific job (for example, consultants, compliance or accounts personnel) are granted access to your information as appropriate.
We use all reasonable efforts to safeguard your personal information. However, you should be aware that the use of email/the Internet is not entirely secure and for this reason we cannot guarantee the security or integrity of any personal information which is transferred from you or to you via email/the Internet.
If you share a device with others we recommend that you do not select the "remember my details" function when that option is offered.
If you have any questions about the security at our website, please email the Data Protection Team at [email protected].
12. Changes to this privacy statement
We will update this privacy statement from time to time. We will post any changes on the statement with revision dates. If we make any material changes, we will notify you. This Privacy Notice was last updated 6th January 2022.
13. Complaints or queries
If you wish to complain about this privacy notice or any of the procedures set out in it please contact the Data Protection Team at [email protected].
You also have the right to raise concerns with the Information Commissioner's Office on 0303 123 1113 or at https://ico.org.uk/concerns/, or any other relevant supervisory authority should your personal data be processed outside of the UK, if you believe that your data protection rights have not been adhered to.
Data Protection Policy
We process personal data and therefore are required to comply with data protection legislation. This includes in particular the Data Protection Act 2018 and the UK General Data Protection Regulation (together the ‘Data Protection Laws'). The Data Protection Laws give individuals (known as ‘data subjects') certain rights over their personal data whilst imposing certain obligations on the organisations that process their data.
As a recruitment business and recruitment agency we collect and process both personal data and sensitive personal data so we can provide these services. We are also required to comply with other legislation and to keep this data for different periods depending on the nature of the data.
This Data Protection Policy sets out how we implement the Data Protection Laws.
Data processing under the Data Protection Laws
We process personal data in relation to our own staff, work-seekers and individual client contacts and we are a data controller for the purposes of the Data Protection Laws. We have registered with the ICO and our registration number is ZA141933.
We may hold personal data on individuals for the following purposes:
- Staff administration
- Advertising, marketing and public relations
- Accounts and records
- Administration and processing of work-seekers' personal data for the purposes of providing work-finding services, including processing using software solution providers and back office support
- Administration and processing of clients' personal data for the purposes of supplying/introducing work-seekers.
Data protection principles
The Data Protection Laws require us acting as either data controller or data processor to process data in accordance with the principles of data protection. These require that personal data is:
- Processed lawfully, fairly and in a transparent manner
- Collected for specified and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- Accurate and kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
- Kept for no longer than is necessary for the purposes for which the personal data are processed;
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
- The data controller shall be responsible for, and be able to demonstrate, compliance with the principles.
Legal bases for processing
We will only process personal data where we have a legal basis for doing so. The processing conditions are:
- Consent of the individual for one or more specific purposes
- Processing is necessary for the performance of a contract with the individual or in order to take steps at the request of the individual to enter into a contract
- Processing is necessary for compliance with a legal obligation that the controller is subject to
- Processing is necessary to protect the vital interests of the individual or another person
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller
- Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights or freedoms of the individual which require protection of personal data, in particular where the individual is a child.
Where we do not have a legal reason for processing personal data any processing will be a breach of the Data Protection Laws.
Our Data Protection Team review the personal data we hold on a regular basis to ensure it is being lawfully processed and it is accurate, relevant and up to date.
Before transferring personal data to any third party (such as past, current or prospective employers, suppliers, customers and clients, intermediaries such as umbrella companies, persons making an enquiry or complaint and any other third party (such as software solutions providers, back office support, outsourced administrative service providers)), we will establish that we have a legal reason for making the transfer.
Privacy by design and by default
We have implemented measures and procedures that adequately protect the privacy of individuals and ensure that data protection is integral to all processing activities. This includes implementing measures such as data minimisation (i.e. not keeping data for longer than is necessary), pseudonymisation, anonymisation, cyber security and staff training.
Data Subject Rights
We shall provide any information relating to data processing to an individual in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. We may provide this information orally if requested to do so by the individual.
1. Right to be informed
Where we collect personal data from you, we will give you a privacy notice at the time when we first obtain the personal data.
Where we collect personal data other than from you directly, we will give you a privacy notice within a reasonable period after obtaining the personal data, but at the latest within one month. If we intend to disclose the personal data to a third party then the privacy notice will be issued when the personal data is first disclosed (if not issued sooner).
Where we intend to further process the personal data for a purpose other than that for which the data was initially collected, we will give you information on that other purpose and any relevant further information before we do further processing.
2. Right of access
You are entitled to access your personal data on request from the data controller, to check your data is being processed lawfully.
3. Right to rectification
You, or another data controller at your request, have the right to ask us to rectify and correct any inaccurate or incomplete personal data concerning you.
4. Right to erasure
You, or another data controller at your request, have the right to ask us to erase your personal data.
If we receive a request to erase your data, we will ask if you want your personal data to be removed entirely or whether you are happy for your details to be kept on a list of individuals who do not want to be contacted in the future, for a specified period, reason or otherwise.
We cannot keep a record of individuals whose data we have erased so there is a chance that you may be contacted again by Globe Locums should we come into possession of your personal data at a later date.
If we have made your data public, we shall take reasonable steps to inform other data controllers and data processors processing your personal data to erase it, taking into account available technology and the cost of implementation.
5. Right to restrict processing
You, or a data controller at your request, have the right to ask us to restrict our processing of your personal data where:
- You challenge the accuracy of the personal data
- The processing is unlawful and you oppose its erasure
- We no longer need the personal data for the purposes of the processing, but your personal data is required for the establishment, exercise or defence of legal claims
- You have objected to processing (on the grounds of a public interest or legitimate interest) pending the verification whether our legitimate grounds override those of the individual.
6. Right to data portability
You shall have the right to receive personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another data controller in circumstances where:
- The processing is based on your consent or a contract; and
- The processing is carried out by automated means.
Where feasible, we will send the personal data to a named third party on your request.
7. Right to object to processing
You have the right to object to your personal data being processed based on a public interest or a legitimate interest. You will also be able to object to the profiling of your data based on a public interest or a legitimate interest.
We shall cease processing unless we have compelling legitimate grounds to continue to process your personal data which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
You have the right to object to your personal data being used for direct marketing. To request to opt out from direct marketing please email [email protected].
8. Enforcement of rights
All requests regarding your rights should be sent to the Data Protection Team at [email protected].
Where you have consented to us processing your personal data and sensitive personal data you have the right to withdraw that consent at any time. Please note that if you withdraw your consent to further processing, that does not affect any processing done prior to the withdrawal of that consent, or which is done according to another legal basis.
There may be circumstances where we will still need to process your data for legal or official reasons. Where this is the case, we will tell you and we will restrict the data to only what is necessary for those specific reasons.
We shall act upon any subject access request, or any request relating to rectification, erasure, restriction, data portability or objection or automated decision making processes or profiling within one month of receipt of the request. We may extend this period for two further months where necessary, taking into account the complexity and the number of requests.
Where we consider that a request under this section is manifestly unfounded or excessive due to the request's repetitive nature we may either refuse to act on the request or may charge a reasonable fee taking into account the administrative costs involved.
If we have given your personal data to any third parties we will tell those third parties that we have received a request to rectify, erase, restrict, for portability, objection, automation or profiling, your personal data as applicable, unless this proves impossible or involves disproportionate effort. Those third parties notified should also act accordingly regarding the personal data they hold; however, we will not be in a position to audit those third parties to ensure that the relevant actions have occurred.
9. Automated decision making
We will not subject you to decisions based on automated processing that produce a legal effect or a similarly significant effect on you, except where the automated decision:
- Is necessary for the entering into or performance of a contract between the data controller and the individual
- Is authorised by law
- You have given your explicit consent.
We will not carry out any automated decision-making or profiling using the personal data of a child.
Personal Data Breaches
All data breaches should be referred to the Data Protection Team, [email protected].
1. Personal data breaches where Globe Locums is the data controller
Where we establish that a personal data breach has taken place, we will take steps to contain and recover the breach. Where a personal data breach is likely to result in a risk to the rights and freedoms of any individual we will notify the ICO.
Where the personal data breach happens outside the UK, we shall alert the relevant supervisory authority for data breaches in the affected jurisdiction.
2. Personal data breaches where Globe Locums is the data processor
We will alert the relevant data controller as to the personal data breach as soon as we are aware of the breach.
3. Communicating personal data breaches to individuals
Where we have identified a personal data breach resulting in a high risk to the rights and freedoms of any individual, we shall tell all affected individuals without undue delay.
We will not be required to tell individuals about the personal data breach where:
- We have implemented appropriate technical and organisational protection measures to the personal data affected by the breach, in particular to make the personal data unintelligible to any person who is not authorised to access it, such as encryption.
- We have taken subsequent measures which ensure that the high risk to the rights and freedoms of the individual is no longer likely to materialise.
- It would involve disproportionate effort to tell all affected individuals. Instead, we shall make a public communication or similar measure to tell all affected individuals.
The Human Rights Act 1998
All individuals have the following rights under the Human Rights Act 1998 (HRA) and in dealing with personal data these should be respected at all times:
- Right to respect for private and family life (Article 8)
- Freedom of thought, belief and religion (Article 9)
- Freedom of expression (Article 10)
- Freedom of assembly and association (Article 11)
- Protection from discrimination in respect of rights and freedoms under the HRA (Article 14)
If you have a complaint or suggestion about our handling of personal data then please contact the Data Protection Team at [email protected].
The Data Protection Team are responsible for:
- Adding, amending or deleting personal data
- Responding to subject access requests, requests for rectification, erasure, restriction, data portability, objection and automated decision making processes and profiling
- Reporting data breaches, dealing with complaints
You also have the right to raise concerns with the Information Commissioner's Office on 0303 123 1113 or at https://ico.org.uk/concerns/ or any other relevant supervisory authority should your personal data be processed outside of the UK, if you believe that your data protection rights have not been adhered to.