Privacy Notice
Recruitment Privacy Notice
At IC24 we take your privacy and protection of your personal data seriously. This
recruitment privacy notice explains how we collect, use and share the personal data of all
candidates and your rights in relation to that data.
When appropriate we will provide a ‘just in time’ notice to cover any additional processing
activities not mentioned in this document.
What personal data do we collect?
We may collect and process the following personal data about you:
• Contact details, including your name, address, email address, and phone number
• Date of birth, gender details and marital status
• National Insurance number
• Your photograph
• A copy of your passport or similar photographic identification and / or proof of
address documents.
• Your next of kin, emergency contacts and their contact information
• Bank account details
• Employment history, education, qualifications, employment references, right
to work information and details of any criminal convictions you declare
• Details of any secondary employment, political declarations, conflict of interest
declarations or gift declarations
• Other pre-employment checks
• Ethnicity
• Criminal, legal and conduct data from 3rd party organisations
• Job title and role applying for
• Health and medical information
• IP Address (Required for homeworking positions and online contract signing if
successful)
• Your responses to recruitment surveys if this data is not anonymised and full legal
basis for collating information has been advised on the survey
How do we get your information?
We get information about you from the following sources:
• Directly from you
• From an employment agency
• From referees, either external or internal
• From security clearance providers
• From Occupational Health and other health providers
• From Pension administrators and other government departments, for example tax
details from HMRC
• CCTV images from our landlords or taken using our own CCTV systems (applicable if
attending IC24 premises for events such as Open Days, Assessment Days & Interviews)
Why do we process your personal data?
We process your personal data for the following purposes:
• To manage your application & onboarding if successful
• To manage your employment contract and to pay your salary and benefits
• To Provide you access to services required for your role
• To provide all successful candidates a platform to receive ongoing benefits,
discounts, recognition, and rewards in line with our Staff Privacy Notice
• To Manage our human resources processes
• To comply with legal and regulatory requirements
• To ensure the health, safety, and wellbeing of successful candidates
• To carry out pre-employment checks and vetting
• To monitor and record communications sent through our Career Website
• Other legitimate business purposes
How do we share your personal data?
We will only share your personal data with third parties where it is necessary and lawful to
do. We may share your personal data with the following categories of recipients.
• Third-party service providers, such as payroll and benefits providers
• IT systems providers
• Legal and professional advisors
• Government agencies and regulatory bodies, such as HMRC, the Home Office,
and the Information Commissioner’s Office
• Other companies in our group, where necessary for legitimate business purposes
• Internal departments where it is legitimate to do so
• External 3rd parties, for example under a Data Subject Access Request, where
your details are legally or legitimately required
How do we protect your personal data?
We take appropriate technical and organisational measures to protect your personal
data from Unauthorised access, accidental loss, or destruction. We ensure our
employees and third-party service providers are bound by confidentiality and legislative
data protection obligations.
Our legal basis for processing personal data
The legal bases for the majority of our processing is:
• Article 6(1)(e) – processing is necessary for the performance of a task carried
out in the public interest or in the exercise of official authority vested in the
controller.
For entering into and managing contracts, for example our employees or candidates, the legal
basis is:
• Article 6(1)(b) – processing is necessary for the performance of a contract to which
the data subject is party or in order to take steps at the request of the data subject
prior to entering into a contract.
Where we have a specific legal obligation requiring processing of personal data, the legal
basis is:
• Article 6(1)(c) – processing is necessary for compliance with a legal obligation to
which the controller is subject.
Where we process special categories data, for example data concerning including health,
racial or ethnic origin, or sexual orientation, we need to meet an additional condition in the
GDPR. Where we are processing special categories personal data for purposes related to
the commissioning and provision of health services the condition is:
• Article 9(2)(h) – processing is necessary for the purposes of preventive or
occupational medicine, for the assessment of the working capacity of the
employee, medical diagnosis, the provision of health or social care or treatment or
the management of health or social care systems and services
Where we process special categories data for employment or safeguarding purposes the
condition is:
• Article 9(2)(b) – processing is necessary for the purposes of carrying out the
obligations and exercising specific rights of the controller or of the data subject in
the field of employment and social security and social protection law
We may also process personal data for the purpose of, or in connection with, legal
proceedings (including prospective legal proceedings), for the purpose of obtaining legal
advice, or for the purpose of establishing, exercising or defending legal rights. Where we
process personal data for these purposes, the legal basis for doing so is:
• Article 6(1)(e) – processing is necessary for the performance of a task carried
out in the public interest or in the exercise of official authority vested in the
controller; or
Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which
the controller is subject; or
Article 6(1)(f) – processing is necessary for the purposes of legitimate interests pursued
by the controller.
• Where we process special categories of personal data for these purposes, the legal
basis for doing so is:
• Article 9(2)(f) – processing is necessary for the establishment, exercise or defence
of legal claims; or
• Article 9(2)(g) – processing is necessary for reasons of substantial public interest.
We may also use:
Legitimate Interest Article 6(1)(f) may also be used for purposes including:
• Fraud prevention
• Network and information security
• Indicating possible criminal acts or threats to public security
Your Rights
You have the following rights in relation to your personal data:
• The right to access your personal data
• The right to rectify your personal data if it is inaccurate or incomplete
• The right to request erasure of your personal data
• The right to restrict processing of your personal data
• The right to object to the processing of your personal data
• The right to data portability in certain circumstances
If you wish to exercise any of these rights, please forward all Data Subject Requests to the
appropriate Regional Quality, Safety & Governance Department who will work with the
Information Asset Owners (IAO’s) to co-ordinate completion, liaise with the appropriate
people, monitor progress, and maintain records of the access.
Contact Us
If you have any questions or concerns about how we process your personal data, or if you
wish to exercise your rights in relation to that data, please contact our Data Protection
Officer Craig.Christiaens@IC24.NHS.UK or the Information Governance Department at
IGTeam.IC24@NHS.net.
We may update this staff privacy notice from time to time and will notify you of any
significant changes