NUS Recruitment and Selection Privacy Policy

Last updated 17th May 2018

Privacy Principles

NUS takes privacy seriously. The following principles underpin our approach to respecting your privacy:

  • We value the trust that you place in us by giving us your personal information. We will always use your personal information in a way that is fair and worthy of that trust.
  • We will provide clear information about how we use your personal information. We shall always be transparent with you about what information we collect, what we do with it, with whom we share it and who you should contact if you have any concerns.
  • We will take all reasonable steps to protect your information from misuse and keep it secure.
  • We will comply with all applicable data protection laws and regulations and we will co-operate with data protection authorities. In the absence of data protection legislation, we will act in accordance with generally accepted principles governing data protection.

Privacy Notice

This notice explains how NUS Holdings Limited (referred to in this notice as we, us or our) collects and uses information during the recruitment and selection process. 

This notice covers the following:

What is personal information?

How do we collect personal information?

What information do we collect?

How do we use your information?

What is the legal basis that permits us to use your information?

What happens if you do not provide information that we request?

How do we share your information?

How do we keep your information secure?

When do we transfer your information overseas?

For how long do we keep your information?

Your rights in relation to your information

Complaints

The Table at the end of this notice provides an overview of the data that we collect, the purposes for which we use that data, the legal basis which permits us to use your information and the rights that you have in relation to your information.

This notice does not form part of any contract of employment or other contract to provide services. We keep this privacy notice up to date, so if there are any changes to the way in which your personal information is used this privacy notice will be updated and we will notify you of the changes.

What is personal information?

Personal information is any information that tells us something about you or could uniquely identify you. This could include information such as your name, contact details, date of birth, and references.

How do we collect personal information? 

We collect personal information about you from various sources including:

  • Information that you give us directly through the application and recruitment process;
  • Information collected automatically when you use NUS Sites;
  • Information we collect from other sources, for example, when we check references or carry out background checks – if we do this we will inform you during the recruitment process of the exact checks that are carried out.

What information do we collect?           

We may collect the following categories of information about you:

Information that you give us directly

We may collect information from you directly when you provide us with personal information during the application process. The types of information we may collect from you directly include your:

  • Personal contact details such as name, title, address, telephone number and personal email addresses
  • Date of birth
  • Gender
  • Equal opportunities monitoring information such as race, ethnicity, religion, disability and sexual orientation
  • Information relating to any reasonable adjustments requested during the selection process
  • Recruitment information (including copies of right to work documentation, references and other information in your application, supporting statement or otherwise provided as part of the application process)
  • User generated content, posts and other content you submit to NUS sites
  • Any other personal information that you voluntarily provide to us

Information collected automatically when you use NUS Sites;

We (and third party service providers acting on our behalf) use cookies and other tools (such as web analytic tools and pixel tags) to automatically collect information about you when you use NUS Sites, subject to the terms of this Privacy Notice and applicable data laws and regulations. The types of information collected automatically may include:

  • Information about the type of browser you use
  • Details of the web pages you have viewed
  • Your IP address
  • The hyperlinks you have clicked
  • Your user name, profile picture, gender, networks and any other information you choose to share when using Third Party Sites (such as when you use the “Like” functionality on Facebook or the +1 functionality on Google+)
  • The websites you visited before arriving at a NUS Site

Information we collect from other sources

We may receive personal information about you from other legitimate sources, including information from commercially available sources, such as public databases and data aggregators, and information from third parties. The types of personal information that we may collect from such sources include your:

  • Personal contact details such as name, title, address, telephone number and personal email addresses
  • Date of birth
  • Gender

How do we use your information? 

We use your information for the following purposes:

  • To make decisions about your recruitment and appointment
  • To check you are legally entitled to work in the UK
  • To make any requested reasonable adjustments, if requested, during recruitment and selection
  • To assess your qualifications for a particular job or task
  • To conduct data analytics studies to review and better understand job application rates
  • To carry out equal opportunities monitoring
  • To administer your attendance at an event to ensure that your requirements are accommodated so that you can fully participate in the event.
  • To contact you regarding products and services which may be of interest to you, provided you have given us consent to do so or you have previously requested a product or service from us and the communication is relevant or related to that prior request and made within any timeframes established by applicable laws.
  • To determine the terms on which you work/provide services for us
  • To deal with legal disputes involving you or other employees, workers or contractors, including accidents at work
  • To comply with health and safety obligations
  • To prevent fraud
  • For insurance purposes

We may use your personal information to:

  • suggest products or services (including those of relevant third parties) which we think may be of interest to you
  • offer you the opportunity to take part in competitions or promotions

You can opt out of receiving communications from us at any time. Any direct marketing communications that we send to you will provide the information and means necessary to opt out.

  • To provide you with services that you request from us:

We may use your personal information:

  • to send you information that you have requested
  • to respond to your queries or comments

In order to protect information from accidental or malicious destruction, when we delete information from our services we may not immediately delete residual copies from our servers or remove information from our backup systems

We keep this privacy notice up to date, so if there are any changes to the way in which your personal information is used this privacy notice will be updated and we will notify you of the changes.

What is the legal basis that permits us to use your information? 

Under data protection legislation we are only permitted to use your personal information if we have a legal basis for doing so as set out in the data protection legislation. The legal basis that permits us to use your information depends on the basis that we are using that information for.  We rely on the following legal bases to use your information:

  • Where we need information to perform the contract we have entered into with you.
  • Where we need to comply with a legal obligation.
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

In more limited circumstances we may also rely on the following legal bases:

  • Where we need to protect your interests (or someone else's interests).
  • Where it is needed in the public interest or for official purposes.

The Table at the end of this notice provides more detail about the information that we use, the legal basis that we rely on in each case and your rights.

Some information is classified as "special" data under data protection legislation. This includes information relating to health, racial or ethnic origin, religious beliefs or political opinions, sexual orientation and trade union membership. This information is more sensitive and we need to have further justifications for collecting, storing and using this type of personal information. There are also additional restrictions on the circumstances in which we are permitted to collect and use criminal conviction data. We may process special categories of personal information and criminal conviction information in the following circumstances:

  • In limited circumstances with your explicit consent, in which case we will explain the purpose for which the information will be used at the point where we ask for your consent.
  • We will use information about your physical and mental health or disability status to comply with our legal obligations, including to ensure your health and safety in the workplace and to assess your fitness to work, and to provide appropriate workplace adjustments during selection.
  • We will use information about your race or ethnic origin, religious or philosophical beliefs, your sexual life or sexual orientation to ensure meaningful equal opportunity monitoring and reporting – the legal basis of this processing is that it is in the public interests to carry out diversity monitoring.

What happens if you do not provide information that we request? 

We need some of your personal information in order to conduct the recruitment and selection process before we can enter into a contract with you. If you do not provide such information, we will not be able to continue with the recruitment process or offer you employment/engagement. We explain when this is the case at the point where we collect information from you.

How do we share your information? 

We share your personal information in the following ways:

  • With other entities in our group.
  • Where we use third party services providers who process personal information on our behalf in order to provide services to us. This includes recruitment agents, IT systems providers and IT contractors.
  • We will share your personal information with regulators where we are required to do so by law or to comply with our regulatory obligations.
  • We will share your personal information with third parties where we are required to do so by law.
  • If we sell any part of our business and/or integrate it with another organisation your details may be disclosed to our advisers and to prospective purchasers or joint venture partners and their advisers. If this occurs the new owners of the business will only be permitted to use your information in the same or similar way as set out in this privacy notice.

Where we share your personal information with third parties we ensure that we have appropriate measures in place to safeguard your personal information and to ensure that it is solely used for legitimate purposes in line with this privacy notice.

How do we keep your information secure? 

We take all reasonable precautions to keep your personal information secure and require any third parties that handle or process your personal information for us to do the same. Access to your personal information is restricted to prevent unauthorised access, modification or misuse and is only permitted among our employees and agents on a need-to-know basis.

We will ensure your information is secure and protect access to data and systems with the following security measures:

  • Network and client Firewall security, virus checking and Malware updates and storage device control.
  • File/Folder Access controls to lockdown and secure access to data.
  • Secure Access controls to servers and databases
  • Strong password Policy controls to device and systems
  • Regular client, server and application level patching and security updates.
  • Encryption and password protection of confidential emails
  • Regular Server, Database, Application and File/Folder Level Back-ups
  • Secure removal before disposing of old computers and storage devices.
  • Systems Auditing and Monitoring and reporting controls
  • Annual Systems Security Penetrate testing
  • Secure and encrypted client access to NUS systems

When do we transfer your information overseas? 

When data is transferred to countries outside of the UK and the European Economic Area those countries may not offer an equivalent level of protection for personal information to the laws in the UK. Where this is the case we will ensure that appropriate safeguards are put in place to protect your personal information.

The countries to which your personal information is transferred and the safeguards in place are detailed below:

We do not currently transfer your personal data outside of the UK and the European Economic Area.

For how long do we keep your information? 

As a general rule we keep your personal information only for as long as we need it.  What this really means is that we will retain your information for the duration of the recruitment and selection process and for a period of 6 months after candidates have been notified whether their application has been successful.

However, where we have statutory obligations to keep personal information for a longer period or where we may need your information for a longer period in case of a legal claim, then the retention period may be longer.

Your rights in relation to your information 

You have a number of rights in relation to your personal information, these include the right to:

  • be informed about how we use your personal information;
  • obtain access to your personal information that we hold;
  • request that your personal information is corrected if you believe it is incorrect, incomplete or inaccurate;
  • request that we erase your personal information in the following circumstances:
    • if we are continuing to process personal data beyond the period when it is necessary to do so for the purpose for which it was originally collected;
    • if we are relying on consent as the legal basis for processing and you withdraw consent;
    • if we are relying on legitimate interest as the legal basis for processing and you object to this processing and there is no overriding compelling ground which enables us to continue with the processing;
    • if the personal data has been processed unlawfully (i.e. in breach of the requirements of the data protection legislation);
    • if it is necessary to delete the personal data to comply with a legal obligation.
  • ask us to restrict our data processing activities where you consider that:
    • personal information is inaccurate;
    • our processing of your personal information is unlawful;
    • where we no longer need the personal information but you require us to keep it to enable you to establish, exercise or defend a legal claim;
    • where you have raised an objection to our use of your personal information;
  • request a copy of certain personal information that you have provided to us in a commonly used electronic format. This right relates to personal information that you have provided to us that we need in order to take steps to enter into a contract with you and personal information where we are relying on consent to process your personal information;
  • object to our processing of your personal information where we are relying on legitimate interests or exercise of a public interest task to make the processing lawful. If you raise an objection we will carry out an assessment to determine whether we have an overriding legitimate ground which entitles us to continue to process your personal information;
  • not be subject to automated decisions which produce legal effects or which could have a similarly significant effect on you.

If you would like to exercise any of your rights or find out more, please contact dpo@nus.org.uk. The Table at the end of this notice provides more detail about the information that we use, the legal basis that we rely on in each case and your rights.

Complaints or Contacting Us 

Contact details

Our contact details are as follows:

Address:       Ian King House, Snape Road, Macclesfield, Cheshire, SK10 2NZ
Telephone:     0300 303 8602

We have appointed a person with responsibility for data protection matters who has responsibility for advising us on our data protection obligations. You can contact this person officer using the following details:

DPO@nus.org.uk

Complaints

If you have any complaints about the way we use your personal information please contact DPO@nus.org.uk who will try to resolve the issue. If we cannot resolve your complaint, you have the right to complain to the data protection authority in your country (the Information Commissioner in the UK).


 

Table: quick check of how we use your personal information

Purpose

Data used

Legal basis

Which rights apply?*

Recruitment decisions

Personal contact details, national insurance number, recruitment information, qualification and development information, employment/engagement records, references, security checks and compensation history.

Legitimate interest and contract. It is in our interests to ensure we recruit the best possible candidates in order to achieve our business goals and objectives.  The processing of certain personal information is necessary for us to help determine whether we can enter into a contract with you.

The generally applicable rights plus the right to object.

 

Right to work checks

Information relating to your right to work status, national insurance number, passport number, nationality, tax status information, and personal contact details.

 

Legitimate interest. It is in our interests to ensure that those who work for us have the right to work in the UK as well as to establish the statutory excuse to avoid liability for the civil penalty for employing someone without the right to undertake the work for which they are employed.

 

The generally applicable rights plus the right to object.

Compliance with our statutory duties to ensure a safe place of work

Information about your health, including any medical condition, health and sickness records and location of employment or workplace.

Legal obligation.

The generally applicable rights only.

Fraud and crime prevention

Information about criminal convictions and offences committed by you. Identity verification information.

 

Public interest and legitimate interest. It is in our interests as well as the interest of our candidates/ employees/ workers/ contractors to ensure the prevention of fraud and crime is monitored. This will ensure a safe workplace for all.

 

The generally applicable rights plus the right to object.

Diversity monitoring

Gender, marital status and dependents, location of employment or workplace and information about your race or ethnicity, religious belief and sexual orientation.

 

Public interest.

The generally applicable rights plus the right to object.

To deal with legal disputes

Personal contact details, references, information submitted as part of the selection process and interview notes and other information obtained through electronic means and information about criminal convictions and offences committed by you.

 

Legitimate interest. It is in our interests to process personal data to make and defend legal claims to ensure that our legal rights are protected.

 

The generally applicable rights plus the right to object.

Business management and business planning

Information about your use of our information and communication systems, employment/ engagement records, location of workplace, salary and benefit information and personal contact details.

 

Legitimate interests.  It is in our interests to undertake this processing to ensure we can improve any business operations which will ultimately improve the overall quality of work/the workplace. Employees/workers/ contractors will ultimately benefit as the workplace and its procedures may be strengthened.

 

The generally applicable rights plus the right to object.

*The following generally applicable rights always apply: right to be informed, right of access, right to rectification, right to erasure, right to restriction and rights in relation to automated decision making. For more detail about your rights and how to exercise them please see Your rights in relation to your information