5.1 For data protection queries and to exercise your rights, you can contact us in these ways:
5.2 Hazlewoods does not have a Data Protection Officer. Our Technical Partner and our Finance and Administration Partner oversee data protection matters.
6.1 The firm needs to process data as part of the recruitment process and to meet its obligations under relevant legislation. The data used in the recruitment process may be subsequently used for employment purposes if your application is successful.
6.2 In some cases, the firm needs to process data to ensure that it is complying with its legal obligations. For example, it is required to check an individual’s entitlement to work in the UK and to comply with health and safety laws.
6.3 In other cases, the firm has a legitimate interest in processing personal data before any employment relationship may develop.
6.4 Processing job applicant data allows the firm to, for example:
6.4.1 run recruitment and promotion processes, including providing job alerts;
6.4.2 maintain accurate and up-to-date recruitment records and contact details;
6.4.3 operate and keep a record of grievance and disciplinary processes;
6.4.4 to plan for career development, and for succession planning and talent management purposes;
6.4.5 obtain occupational health advice, to ensure that it complies with duties in relation to individuals with disabilities, meet its obligations under health and safety law;
6.4.6 ensure effective general HR and other business administration;
6.4.7 operate our website;
6.4.8 respond to and defend legal claims;
6.4.9 conduct monitoring of IT and communication systems and operate CCTV.
6.5 Some special category data, such as medical records and other information about health or medical conditions, is processed to carry out employment law obligations (such as those in relation to employees with disabilities). We rely on these obligations as one of the processing conditions under data protection legislation to process this kind of data. See section 8.1.2.
6.6 Where the firm processes other special category data, such as information about ethnic origin, sexual orientation or religion or belief, this is done for the purposes of equal opportunities monitoring. This is to carry out its obligations and exercise specific rights in relation to employment.
6.7 Certain information, such as your right to work in the UK, have to be provided to enable the firm to know whether it will be able to enter into a contract of employment with you. If you do not provide other information, this will hinder the organisation's ability to administer the rights and obligations arising as a result of any subsequent employment relationship efficiently.
Back to top
7. OUR LAWFUL BASIS FOR PROCESSING YOUR PERSONAL DATA
7.1 Hazlewoods must have a lawful basis to process your personal data.
7.2 These are the bases we most often rely on:
188.8.131.52 The processing is necessary because you have asked us to take specific steps before entering into a contract of employment with us. This is regardless whether the contract negotiation successful, i.e. whether the recruitment process leads to you being employed by the firm.
184.108.40.206 We would be unable to carry out contract negotiations with you if you did not provide or we were unable to process your personal data under this lawful basis.
7.2.2 Legal obligation
220.127.116.11 The processing is necessary for us to comply with the laws or regulations we are subject to (not including our contractual obligations).
18.104.22.168 We would be unable to process your application if you did not provide or we were unable to process your personal data under this lawful basis.
7.2.3 Legitimate interests
22.214.171.124 We also undertake processing in our legitimate interests or the legitimate interests of a third party. We check beforehand that this processing is not going to override your rights and interests.
126.96.36.199 We may ask your consent in specific circumstances. We may be unable to process or continue with your application if you did not provide consent, as we could not process the personal data.
Back to top
8. CATEGORIES OF PERSONAL DATA
8.1 We deal with two kinds of personal data as defined under the legislation.
8.1.1 Personal data
188.8.131.52 This is information that can be linked to a living individual. The firm collects and processes a range of information about you. This includes, for example:
- your name, address and contact details, including email address and telephone number, date of birth and gender;
- details of your qualifications, skills, experience and employment history, including start and end dates, with previous employers and with the firm;
- information about your remuneration, including entitlement to benefits such as pensions or insurance cover;
- information about your nationality and entitlement to work in the UK;
- details of your proposed schedule (days of work and working hours) and attendance at work;
- details of forthcoming periods of leave which will need to be taken by you, including holiday, sickness absence, family leave or other absences, and the reasons for the leave;
- details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence;
- psychometric testing outcomes for recruitment purposes.
8.1.2 Special category data (also referred to as sensitive personal data)
8.1.3 Although often described as information about your physical and mental health, this category of data also covers personal data referring to racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; sexual orientation and health, along with genetic data and biometric data.
8.1.4 Information about medical or health conditions, includes whether or not you have a disability for which the firm would need to make reasonable adjustments.
8.1.5 Equal opportunities monitoring information includes information about your ethnic origin, sexual orientation and religion or belief.
8.1.6 As well as needing a lawful basis, we must follow an additional rule (processing condition) to process special category data. Hazlewoods most often uses the following processing conditions:
- Where the data is used for employment purposes (which includes the recruitment process);
- Where you have given your explicit consent for us to use it. You can withdraw this consent at any time, by contacting us using any of the contact details in section 5 of this policy. Without this consent we may also be unable to meet your requirements when attending a meeting, seminar or other event;
- Where we need to use this data for the establishment, exercise or defence of legal claims; and
- Where such data has been manifestly made public by you.
Back to top
9. SOURCES OF DATA
9.1 The firm may collect information about you in a variety of ways. For example, data might be collected through application forms, CVs or resumes; obtained from your passport or other identity documents such as your driving licence; or through interviews, meetings or other assessments.
9.2 In some cases, the firm may collect personal data about you from third parties, such as references supplied by former employers, educational institutions, information from employment background check providers, information from credit reference agencies and information from criminal records checks permitted by law.
9.3 We will also obtain personal data from you when you, for example:
9.3.1 correspond with us via our website, by phone, e-mail or otherwise;
9.3.2 participate in, seminars or other events we arrange;
9.3.3 fill in forms on our website and submit information to us;
9.3.4 participate in other social media functions on our website or enter a competition, promotion or survey;
9.3.5 report a problem with our website;
9.3.6 visit our offices; or
9.3.7 use the wi-fi network in our offices.
9.4 We may obtain or receive information about you from third parties and publicly- available sources, such as
9.4.1 Family and other associates
9.4.2 Professional advisers
9.4.3 analytics providers
9.4.4 publicly-available databases, such as Companies House or details on a company website
9.4.5 social media sites.
9.5 Data will be stored in a range of different places, including in your personnel file, in the firm's HR management systems and in other IT systems (including the firm's email system).
Back to top
10. WHO WE SHARE YOUR PERSONAL DATA WITH
10.1 Depending on the nature of the activity being undertaken, the lawful basis and purpose of processing, we may need to share your personal data between the Hazlewoods data controllers listed at the beginning of this policy, Hazlewoods LLP, suppliers and others involved in the running of the firm or with whom we need to deal. These parties are subject to data protection legislation and principles. We will usually have notified you of the sharing of your data with these parties. However, certain legislation may prevent us from doing so. Many of these parties both receive personal data from us and provide it to us.
10.2 Your information may be shared internally, including with members of the HR and recruitment team, health and safety representatives, the relevant manager or managers in the recruitment activity, directors, partners and IT staff if access to the data is necessary for performance of their roles.
10.3 The firm shares your data with third parties in order to obtain pre-employment references from other employers, obtain employment background checks from third- party providers and obtain necessary criminal records checks from the Disclosure and Barring Service.
10.4 Other parties may include:
10.4.1 providers of technical, payment and delivery services
10.4.2 HM Revenue & Customs, other Government agencies and departments
10.4.3 law enforcement agencies and courts
10.4.4 solicitors, accountants, auditors and other professional advisers
10.4.5 agents and representatives
10.4.6 credit reference and fraud prevention agencies
10.4.7 providers of credit reference or fraud prevention services
10.4.8 quality assurance assessors and other business consultants
10.4.9 our insurers.
10.5 Furthermore, we will disclose your personal information:
10.5.1 in the event that we sell or buy any business or assets, in which case we will disclose your personal data to the prospective seller or buyer of such business or assets, or their advisers.
10.5.2 if we or substantially all of our assets are acquired by a third party, in which case personal data held by us about job applicants will be one of the transferred assets.
10.5.3 if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or to protect the rights, property, or safety of Hazlewoods LLP or Hazlewoods Financial Planning LLP, Hazlewoods Management Services Limited, our clients, or any other third parties.
Back to top
11. SHARING PERSONAL DATA WITH CREDIT REFERENCE AGENCIES
11.1 Hazlewoods has a legal obligation to follow prevailing anti-money laundering legislation and takes step to prevent fraud. It is also in our legitimate interests to do so.
11.2 Consequently, we are required to obtain satisfactory evidence to confirm your identity at such times as we consider necessary. In order to verify personal information provided by you we may undertake searches with a credit reference or fraud prevention agency, which will include checking the information against any database (public or otherwise) to which they have access. The agencies may record details of such a search and may disclose your information and the fact that a search was made to their other customers, to assist companies for verification purposes or in assessing the risk of giving credit, to prevent fraud and money laundering, and to trace debtors. The searches do not impact your credit rating.
Back to top
12. DATA PROCESSORS
12.1 Where we are appointing any individual or organisation to process your personal data on our behalf (otherwise known as ‘data processors’), they may only do so for specified purposes and according to our written instructions. Hazlewoods seeks confirmation of the processor’s IT security arrangements and whether personal data is processed outside the European Union.
Back to top
13. TRANSFERS OF PERSONAL DATA OUTSIDE THE EUROPEAN UNION
13.1 Where possible, we or our appointed data processors will process your personal data within the European Union (EU). If your personal data does need to be transferred outside the EU, we ensure appropriate safeguards are in place to ensure that your data is properly looked after.
13.2 We ensure personal data is adequately protected and take into account:
13.2.1 Where the European Commission has decided that a country, a territory or one or more specific sectors in a country, or an international organisation, ensures an adequate level of protection. This currently includes the US privacy shield framework.
13.2.2 Other safeguards available to us under data protection legislation.
Back to top
14. KEEPING YOUR PERSONAL DATA SECURE
14.1 We operate a series of security measures concerning access to our offices and our systems. The level and extent of each individual measure may vary, but can include, for example:
14.2 Access controls to buildings, systems and, where appropriate, individual IT applications; anti-virus and malware prevention; breach logging; encryption; equipment/access logs; horizon scanning; arranging back-up copies of personal data; penetration testing, system monitoring and system updates (e.g. patching).
14.3 For applications running on our in-house systems, we operate a back-up facility as contingency. Our back-up data is held off-site within the UK.
14.4 We have a Business Continuity Plan (BCP) in place which is tested periodically. The BCP covers for example: Business continuity and disaster, recovery management strategy and policy; key contacts and crisis management team members; triggers for invoking and revoking plans; roles and responsibilities; communication plans– internal and external, including with service providers and IT suppliers; specific threat plans.
14.5 Where we have given you (or where you have chosen) a password which enables you to access certain parts of our systems, you are responsible for keeping this password confidential. We ask you not to share that password with anyone.
Back to top
15. HOW LONG WE KEEP YOUR PERSONAL DATA
15.1 In line with data protection principles, we only keep your data for as long as we need it for.
15.2 If your application is unsuccessful and we have sought your consent to keep your data on file for future job opportunities and you have provided consent, we will keep your data for six months once the recruitment process ends. At the end of this period, we will delete or destroy your data, unless you have already withdrawn your consent to our processing of your data in which case it will be deleted or destroyed upon withdrawal of consent.
15.4 The timescales for the retention of your personal data and related documentation are subject to various legal, regulatory or contractual requirements, which will reflect the purpose and lawful basis for processing the data.
Back to top
16. YOUR RIGHTS
16.1 Data protection legislation provides the following legal rights for individuals:
16.1.1 The right to be informed
16.1.2 The right of access
16.1.3 The right to rectification
16.1.4 The right to erasure
16.1.5 The right to restrict processing
16.1.6 The right to data portability
16.1.7 The right to object
16.1.8 Rights in relation to automated decision making and profiling. We do not use your personal data for automated decision making as part of our recruitment processes. The personal data you submit as part of any psychometric or other assessment may subsequently be used by the provider for research purposes, but the data will be anonymised or aggregated so that no individual can be identified.
16.2 You can exercise your rights at any time by contacting us using any of the contact details at the beginning of this policy. More information is available from the Information Commissioner’s Office website https://ico.org.uk/
16.3 Some rights can only be exercised under certain circumstances. If we are unable to comply with your request for any reason, we will contact you to explain our reasoning.
Back to top
17.1 Hazlewoods aims to deal efficiently with any query or to resolve any complaint you might have about how we handle your personal data.
17.2 Your right to complain
17.2.1 If you consider we have processed your data in a way that infringes the legislation, you have the right to complain to the Information Commissioner’s Office. Their contact details are:
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Back to top
18.2 Subsequent changes to the policy may occur due to changes in the ICO’s guidance. Each version of the policy will be uniquely referenced.