What is a privacy notice?
Vaultex UK Limited (“Vaultex” or “we”) wants to ensure you understand what information we collect about you, how we will use it and for what purpose. We are also required by data protection legislation to explain certain matters to you. This notice sets this out [and overrides anything previously communicated to you which is different].
For the avoidance of doubt, this privacy notice does not form part of your contract of employment and we may update it at any time.
What we collect and use
Vaultex is both the ‘Controller’ and the ‘Processor’ of the personal data you provide to us for the purposes of your application for employment or engagement with Vaultex. As part of that process we will obtain certain personal data about you, including:
- full name, any names that you were previously known by, date of birth, place of birth, address, contact details, gender, marital status, immigration status, next of kin detail, personal email address, mother’s maiden name;
- Education, CV, qualifications and training records;
- Nationality/Visa and right to work in the UK;
- Recruitment and employment history, including but not limited to salary and benefit information;
- Employer & character references, including contact number and email address;
- Adverse media check data and disqualified director check data;
- Credit reference check data;
- Assessment results;
- Payroll records, bank account and national insurance details;
- Passport or Driver’s licence if required for the purposes of the role or for identification;
- Job title, line manager, location of work, salary, grade, working pattern, shift allowance.
We may also collect, process and store the following “special categories” of more sensitive personal information:
- Your race, ethnicity, religious beliefs, sexual orientation and socio-economic background;
- Information about your health, including that relating to maternity absences and your sickness records;
- Your genetic information and biometric data including psychometric assessment results. For more information on biometric data, please refer to the Biometric Privacy Notice;
- Photographs and images from recording equipment such as CCTV on site or recordings from telephone or video interviews; and
- Information about criminal convictions and offences.
How and why we will use your personal data
In most cases we will use your personal information to further Vaultex’s legitimate business interests in recruiting new staff through managing your application, assessing your suitability for the role you have applied for with Vaultex and complying with our legal obligations as your prospective employer by carrying out the necessary checks required by law. We will not collect any personal data from you we do not deem necessary.
We obtain your personal data either directly from you or in some cases from third parties such as employment agencies, your former employers and background check agencies. In rare cases we may need to use your personal information to protect your or someone else’s best interests or if it is in the public interest to do so.
The situations in which we will use your personal information will include:
- Reviewing your application and vetting information;
- Assessing your suitability (Skills, strengths, behaviours, experience) for the role;
- Checking you have the requisite skills and experience for the role;
- Undertaking pre-employment screening checks such as credit reference and debt checks in relation to financial risks to the business;
- Assessing and progressing your application;
- Determining your recruitment and the terms and conditions of your employment;
- Activities needed to complete the on-boarding and screening process if your application is successful.
How and why we will use your particularly sensitive personal data
We may process “special categories” of particularly sensitive personal information and criminal convictions in the following circumstances:
- In limited circumstances, with your explicit consent;
- where we need to carry out our legal obligations and in line with our data protection policy;
- where it is needed in the public interest, such as for equal opportunities monitoring and in line with our data protection policy;
- where it is needed to assess your prospective working capacity on health grounds, subject to appropriate confidentiality safeguards;
- in relation to legal claims;
- to protect your/someone else’s interests and you are not capable of giving your consent; or
- Where you have already made the information public.
We will use your particularly sensitive personal information in the following ways:
- Information about your physical or mental health, or disability status, to ensure your health and safety when attending any face-to-face interviews and to assess your potential fitness to work and whether prospective appropriate workplace adjustments would be required for you to take on the role;
- Information about your race or nationality or ethnic origin, religious, philosophical or moral beliefs, or your sexual life or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting; and
- Vetting in respect of the Bank of England’s requirements for the role.
We envisage that we will hold information about criminal convictions undertaken as part of our recruitment and vetting procedures or directly obtained from you as notified to us in the course of the recruitment process. We will use information about criminal convictions and offences to ensure we are compliant with the Bank of England requirements in respect of the role you have applied for. Given the nature of our business, we have contractual and regulatory obligations to ensure that the people we employ can be relied upon to handle client money and information responsibly. We therefore ask questions about any unspent criminal convictions you may have been subject to, in order to conduct criminal record checks.
What we do with it
All the personal data we process and/or control is processed both internally and in specific areas, i.e. by the HR, Legal, Conduct, Risk, IT and Regulatory and Fraud Teams, Vaultex premises security managers and employees who would have managerial responsibility for you or are acting on their behalf, and externally by our approved suppliers and advisers (Equifax, Scottish Disclosure, Personnel checks, HireRight), for the purposes of assessing your job application and for the purposes of IT hosting and maintenance.
The Employee Relations Team may store personal data relating to your job application in files in paper copy and electronic form; HRSystem; and HR Shared Drive.
We will need to share your personal data with others from time to time, including:
- Internally within Vaultex to ensure that the recruitment process is followed as thoroughly and promptly as possible;
- Our professional advisers, such as our accounting and legal advisers where they require that information in order to provide advice to Vaultex;
- The Financial Conduct Authority, [the Bank of England], HM Revenue & Customs and any other regulatory authority that we may be subject to for the purpose of demonstrating compliance with applicable law and regulations;
- Such third parties as we reasonably consider necessary in order to prevent crime, e.g. the police;
- Our service providers (such as our advisers, credit checking/reference agencies, criminal checking bureaus and other vetting service providers, as well as those who provide and support our management and data storage systems); and
- Academic institutions to validate the education information you have provided.
[Your personal data may be stored and processed outside of the European Economic Area (EEA) in countries that may have different data protection rules to those in the UK. However, Vaultex will ensure that the transfer of your personal data outside of the EEA will only occur where the appropriate safeguards have been put in place, such as using corporate rules which are binding on the data processors and have been approved by the ICO. If you want to learn more about the details of these safeguards you should get in touch with us using the contact details at the bottom of this notice.]
No third parties have access to your personal data unless the law allows them to do so.
We have a Data Protection policy in place to oversee the effective and secure processing of your personal data. Information or a copy of the Data Retention Policy can be made available upon request.
Your personal data will only be retained as long as is reasonably necessary. What this means in practice will vary between different types of data. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, any continued need to process the data and also our legal obligations in relation to tax, health and safety, employment and potential or actual disputes or investigations relating to those matters.
We are required under a variety of different legislation to retain data for specific periods, after which time it will be destroyed. Please refer to our retention policy to determine the type of data and the confirmed retention periods, which can be found on the intranet or requested via the recruitment team. Generally an unsuccessful job applicant’s file is kept at one of Vaultex’s sites for 12 months after the conclusion of the application process. Successful job applicants will have their employee personnel files kept on a Vaultex site for the duration of their employment plus an additional seven years post-employment (on a Vaultex site for one year and at an offsite secure storage facility run by Iron Mountain for a further six years).
In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once you are no longer an employee, worker or contractor of the company we will retain and securely destroy your personal information in accordance with our data retention policy and applicable laws and regulations.
How will your personal information be kept safe?
We take the security of your personal information very seriously and we have put in place internal controls and security measures to protect it. Access to your personal information is restricted to those employees, workers and agents who are required to access it. We also have cyber security measures in place as set out in our [IT Policy]. We also take steps to ensure that third parties who access personal data will only process your personal information on our instructions and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected data security breach – [please refer to our Data Policy for more details.]
What are your rights?
You have the right to make a request to get a copy of the personal information that we hold about you. You can also ask us to correct your personal information if it is incorrect. You can contact us for details about how to do this by emailing: email@example.com
For further information on Subject Access Requests, please refer to the Data Access Policy found on the intranet.
If you wish to raise a complaint on how we have handled your personal data you can do so by emailing your complaint to: firstname.lastname@example.org
If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law you can complain to the Information Commissioner’s Office (ICO).