We use cookies to help provide you with the best possible online experience.
By using this site, you agree that we may store and access cookies on your device. Cookie policy.
Cookie settings.
Functional Cookies
Functional Cookies are enabled by default at all times so that we can save your preferences for cookie settings and ensure site works and delivers best experience.
3rd Party Cookies
This website uses Google Analytics to collect anonymous information such as the number of visitors to the site, and the most popular pages.
Keeping this cookie enabled helps us to improve our website.
Candidates applying for work privacy notice
Introduction
At The Medical Centre, we have a legal duty to explain how we use any personal information we collect about you at the organisation. We collect records during the recruitment stage and then data is continued to be collected for any successful candidate. This is in both electronic and paper format.
This privacy notice applies to personal information processed by or on behalf of The Medical Centre.
We are required to provide you with this privacy notice by law. It provides information on how we use the personal and healthcare information we collect, store and hold about you. If you have any questions about this privacy notice or are unclear about how we process or use your personal information or have any other issue regarding your personal and healthcare information, then please contact our Data Protection Officer. The Data Protection Officer (DPO) is provided through the Data Protection Support Service contracted through Digital Health and Care Wales (DHCW).
Their role is to act as the Practices trusted advisor, to ‘inform and advise’ and not ‘to do’ or ‘decide’ on behalf of the practice. The service also provides an open access forum for Practices to actively seek IG advice. The DPO Support Service will assist the Practice to operate within the law by advising and helping to monitor and demonstrate compliance. They play a key role in the practice’s data protection governance structure and help to improve and facilitate ‘accountability’ to comply with UK General Data Protection Regulation. Contact our DPO.
This notice explains:
- Who we are, how we use your information and our Data Protection Officer (DPO)
- What kind of personal information about you we process
- What the legal grounds are for our processing of your personal information (including when we share it with others)
- What you should do if your personal information changes
- How long your personal information is retained by us
- What your rights are under data protection laws
The UK General Data Protection Regulation (UK GDPR) became law on 24th May 2016. This is a single EU-wide regulation on the protection of confidential and sensitive information. It entered into force in the UK on the 25th May 2018, repealing the Data Protection Act (1998).
For the purpose of applicable data protection legislation (including but not limited to the General Data Protection Regulation (Regulation (EU) 2016/679) (the "GDPR"), and the Data Protection Act 2018 (DPA2018) the organisation responsible for your personal data is The Medical Centre.
This notice describes how we collect, use and process your personal data and how, in doing so, we comply with our legal obligations to you. Your privacy is important to us and we are committed to protecting and safeguarding your data privacy rights. This privacy policy applies to the personal data collected from candidates applying for roles within the organisation.
How we use your information and the law
The Medical Centre will be what is known as the ‘controller’ of the personal data you provide to us.
Upon applying for work with the organisation you will be asked to supply the following personal information:
- Name
- Address
- Telephone numbers
- Email address
- Date of birth
- Previous employment data
- Recruitment information such as your application form and CV, references, qualifications and membership of any professional bodies and details of your employment history, skills and experience
- Information about your current level of remuneration, including benefit entitlements
- Whether or not you have a disability for which the organisation needs to make reasonable adjustments during the recruitment process
- Information in relation to your right to work in the UK [as per the Rights to Work in the UK – guide to checking]
- Information from the Disclosure and Barring Service (DBS) in order to administer relevant checks and procedures
- Vaccination and immunisation status/information
The information that we ask you to provide to the organisation is required for the following reasons:
- In order for us to review your application
- In order for us to contact you with interview details
- To comply with appropriate employment law
- To ensure that we can provide any reasonable adjustments as necessary
The organisation may collect this information in a variety of ways, for example from application forms, CVs or resumes, obtained from your passport or other identity documents such as your driving licence and from forms completed by you or through interviews, meetings or other assessments including on-line tests.
This personal data might be provided to us by you, or someone else (such as a former employer’s reference, information from background check providers including criminal records checks permitted by law) or it could be created by us.
The organisation will seek information from third parties only once a job offer has been made to you and we will inform you that we are doing so.
Your personal data will be stored in a range of different places including in your application record, in the organisation's HR management systems and in other IT systems (including the organisation's email system).
Throughout the application process we will collect data and add this to your personnel file i.e., interview question answers, interview scores etc.
Special categories of personal data
Some special categories of personal data, such as information about health or medical conditions, is processed to carry out employment law obligations (such as those in relation to job applicants with disabilities).
For some roles, the organisation is obliged to seek information about criminal convictions and offences. Where we seek this information, we do so because it is necessary for us to carry out our obligations and exercise specific rights in relation to employment.
Where the organisation processes other special categories of personal data such as information about ethnic origin, sexual orientation or religion or belief, this is done for the purposes of equal opportunities monitoring. Data that the organisation uses for these purposes is anonymised or is collected with the express consent of job applicants which can be withdrawn at any time. Job applicants are entirely free to decide whether or not to provide such data and there are no consequences of failing to do so.]
If your application is unsuccessful, the organisation may keep your personal data on file in case there are future job opportunities for which you may be considered. We will seek your consent to do this and you are free to withdraw your consent at any time.
Automated decision-making
Employment decisions are not based solely on automated decision-making.
How do we lawfully use your data?
We need to know your personal, sensitive and confidential data in order to employ you. Under the General Data Protection Regulation we will be lawfully using your information in accordance with:
- Article 6, (b) Necessary for performance of/entering into contract with you
- Article 9(2) (b) Necessary for controller to fulfil employment rights or obligations in employment
This notice applies to the personal data of our candidates applying for work at The Medical Centre.
How do we maintain the confidentiality of your record?
We are committed to protecting your privacy and will only use information collected lawfully in accordance with:
- Data Protection Act 2018
- The UK General Data Protection Regulations
- Human Rights Act 1998
- Common Law Duty of Confidentiality
- NHS Codes of Confidentiality, Information Security and Records Management
We will only ever use or pass on information about you to others who have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e., life or death situations) or where the law requires information to be passed on.
Our policy is to respect the privacy of our candidates and to maintain compliance with the UK General Data Protection Regulation (UK GDPR) and all UK specific Data Protection Requirements. Our policy is to ensure all personal data will be protected.
All employees and sub-contractors engaged by The Medical Centre are asked to sign a confidentiality agreement. The organisation will, if required, sign a separate confidentiality agreement if the client deems it necessary. If a sub-contractor acts as a data processor for The Medical Centre an appropriate contract (art 24-28) will be established for the processing of your information.
Where do we store your information electronically?
All the personal data we process is processed by our organisation in the UK. However, for the purposes of IT hosting and maintenance this information may be located on servers within the European Union.
No third parties have access to your personal data unless the law allows them to do so, and appropriate safeguards have been put in place. We have a data protection regime in place to oversee the effective and secure processing of your personal and or special category (sensitive, confidential) data.
Who are our partner organisations?
We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations:
- Primary Care Networks (also known as collaboratives in Wales)
- Integrated Care Systems
- NHS Commissioning Support Units
- Clinical Commissioning Groups
- NHS England (NHSE) and NHS Digital (NHSD)
- Local authorities
- CQC or Health Inspectorate Wales
- Private sector providers providing employment services
- Other ‘data processors’ which you will be informed of
Sharing your personal data
Your information may be shared internally for the purpose of the recruitment exercise including with members of the HR and recruitment team, interviewers in the recruitment process, managers in the business area with the vacancy and IT staff if access to the data is necessary for performance of their roles.
The organisation will not share your personal data with third parties except those engaged for the purposes of the recruitment process or unless your application for employment is successful and we make you an offer of employment. We will then share your data with former employers to obtain references for you, employment background check providers to obtain necessary background checks and the Disclosure and Barring Service to obtain necessary criminal record checks.
The organisation will not transfer your data to countries outside the European Economic Area. You will be informed who your data will be shared with and in some cases asked for consent for this to happen when this is required.
We may also use external companies to process personal information such as for archiving purposes. These companies are bound by contractual agreements to ensure information is kept confidential and secure. All employees and sub-contractors engaged by The Medical Centre are asked to sign a confidentiality agreement. If a sub-contractor acts as a data processor for the organisation, an appropriate contract (art 24-28) will be established for the processing of your information.
Who is the data controller?
The Medical Centre is registered as a data controller under the Data Protection Act 2018. Our registration number is Z6015949 and our registration can be viewed online in the public register at http://www.ico.gov.uk. This means we are responsible for handling your personal and healthcare information and collecting and storing it appropriately.
We may also process your information for a particular purpose and therefore we may also be data processors. The purposes for which we use your information are set out in this privacy notice.
How long do we keep your personal information?
We are required under UK law to keep your information and data for the full retention periods as specified by the NHS Records Management Code of Practice for health and social care and national archives requirements.
If your application is unsuccessful, the organisation will hold your personal data for a period of six months following the recruitment process. If you agree to allow the organisation to keep your personal data on file, for consideration for future job opportunities, we will hold your data for a further six months. At the end of that period (or once you withdraw consent), your data will be deleted or destroyed.
If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your personnel file and retained during your employment. More information on records retention can be found online at: NHSX – Records Management Code of Practice 2020.
Storing DBS certificates
The correct storage of DBS certificate information is important. The code of practice requires that the information revealed is considered only for the purpose for which it was obtained and should be destroyed after six months.
How can you access, amend or move the personal data that you have given to us?
Even if we already hold your personal data, you still have various rights in relation to it. For further information about this, please contact the Business Manager. We will seek to deal with your request without undue delay and in any event in accordance with the requirements of any applicable laws. Please note that we may keep a record of your communications to help us resolve any issues which you raise.
- Right to object: If we are using your data because we deem it necessary for our legitimate interests to do so, and you do not agree, you have the right to object. We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases). Generally, we will only disagree with you if certain limited conditions apply.
- Right to withdraw consent: Where we have obtained your consent to process your personal data for certain activities (for example for a research project), or consent to market to you, you may withdraw your consent at any time.
- Right to erasure: In certain situations (for example, where we have processed your data unlawfully), you have the right to request us to "erase" your personal data. We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases) and will only disagree with you if certain limited conditions apply. If we do agree to your request, we will delete your data but will generally assume that you would prefer us to keep a note of your name on our register of individuals who would prefer not to be contacted. That way, we will minimise the chances of you being contacted in the future where your data is collected in unconnected circumstances. If you would prefer us not to do this, you are free to say so.
- Right of data portability: If you wish, you have the right to transfer your data from us to another data controller.
Your rights as a candidate applying for work
Data Subject Access Requests (DSAR): You have a right under the data protection legislation to request access to view or to obtain copies of what information this organisation holds about you and to have it amended should it be inaccurate. To request this, you need to do the following:
- Your request should be made to the Business Manager.
- There is no charge to have a copy of the information held about you. However, we may, in some limited and exceptional circumstances, have to make an administrative charge for any extra copies if the information requested is excessive, complex or repetitive
- We are required to provide you with information within one month. We would ask therefore that any requests you make are in writing and it is made clear to us what and how much information you require
- You will need to give adequate information (for example full name, address, date of birth and details of your request) so that your identity can be verified and your records located
What should you do if your personal information changes?
You should tell us so that we can update our records. Please contact the Business Manager as soon as any of your details change, this is especially important for changes of address or contact details (such as your mobile phone number).
What to do if you have any questions
Should you have any questions about this privacy policy or the information we hold about you, you can:
- Contact the organisation via email
- Write to the data protection officer
- Ask to speak to the Business Manager, Graeme Hunter.
The Data Protection Officer (DPO) for the Medical Centre is provided through the Data Protection Support Service contracted through Digital Health and Care Wales (DHCW).
Objections or complaints
In the unlikely event that you are unhappy with any element of our data-processing methods, do please contact the Business Manager, Graeme Hunter, at The Medical Centre, Heol-yr-Onnen, Pencoed CF35 5PF, in the first instance. If you feel that we have not addressed your concern appropriately, you have the right to lodge a complaint with the ICO. For further details, visit the ICO website and select “Raising a concern” or telephone: 0303 123 1113.
The Information Commissioner’s Office is the regulator for the General Data Processing Regulations and offers independent advice and guidance on the law and personal data including your rights and how to access your personal information.
Changes to our privacy policy
We regularly review our employee privacy policy and any updates will be published to reflect the changes. This policy is to be reviewed 1 June 2024.