Red Snapper Recruitment Ltd. – Public Data Privacy Notice
25 May 2018
What is personal data?
Personal data is information that can be used to identify an individual living person, either through use of a single or combination of data sets. You have the right of control over who uses your personal data, what it is used for, and what the legal basis for this processing is.
Who are we?
Red Snapper Recruitment Ltd. is a recruitment and employment business specialising in the cyber security and information risk management industries. To our clients we provide suitable personnel to meet their hiring needs on a permanent or temporary (contract) basis; for our candidates we identify employment opportunities that meet their criteria and present their application for these.
How do we process your personal data?
As a recruitment and employment business, Red Snapper provide services pre- and post- offer of employment. As such the data we process and how we process it are clearly defined in to two separate stages of this lifecycle, and for the purposes of this notice shall be referred to as ‘For Registration’ and ‘For Employment’.
Name: So that we can create a unique account and record for you. Your website account allows you to make and manage job applications to positions available on our website.
Address: Not requested by us but may typically be provided as standard content of a CV. As part of the process of understanding your criteria for a new role, we would expect to understand your broad location or geographical areas which you are willing to consider for work.
Contact details: We require an email address be provided as part of our registration process so as to create a unique website account for you. You will receive only communications relevant to your employment search unless you have specifically opted-in to receive other communications.
We request a minimum of one contact telephone number so that we can further discuss the criteria for your job search with you, and to present job opportunities to you that we deem suitable (please note that despite our best efforts it is not always possible to list all opportunities we are engaged on via our website). You will not receive any marketing communications via phone from us.
Your contact details will not be shared with our clients except where required for the purpose of conducting an interview, you will be notified of such a request before it is actioned in each instance, and you retain the right to reject any or all requests.
Gender: We do not require you to specify your gender, however we do provide an optional field for registrants to select their proper title of address (e.g. Dr, Mr, Mrs, etc)
CV: In order to work with you and to provide your application for employment to employers (our clients), we require a CV document so that we can more fully understand your professional experience, qualifications, and areas of expertise. We regard the contents of your CV to constitute personal data and as such will not share it with third parties (our clients) without your express written consent on a per-application basis (we will send you a ‘Right to Represent’ request).
Pay rate and benefits: After you have registered with us, a member of our team will contact you to discuss your criteria for new employment, including details of your current salary or daily pay rate (total package value would include benefits such as bonus and pension contributions), or your expectations for remuneration. This is to help ensure we provide you with visibility of appropriate opportunities in line with your expectations, and to manage the expectations for job offers made by any prospective employers.
Ethnic origin: We do not request or meaningful process this information, however individuals should be aware that this data is collected if included in the contents of the CV provided to us through registration.
Religion: We do not request or meaningful process this information, however individuals should be aware that this data is collected if included in the contents of the CV provided to us through registration.
Nationality: We do not request or process this information during the initial website registration, however we will typically follow this up with a telephone call to better understand your situation and requirements. During the process of this call, we will ascertain with you whether you are an EU national or not and therefore whether you would require sponsorship to maintain your visa/work status in the UK; with your agreement this will be disclosed to the hiring business (our client), however please note that we operate transparently in the applications we make of your behalf and are obligated to inform a company that you would require sponsorship if applicable.
The nature of some our clients’ business, means that they may require someone who is eligible to undergo a specific level of security clearance for which nationality or minimum UK residency period is a prerequisite. In such cases we have a duty of care to our clients to ensure you are able to complete this process.
Photographs: We do not request or meaningful process this information, however individuals should be aware that this data is collected if included in the contents of the CV provided to us through registration.
Username & password: You will be provided with a username (the email address you submitted) and password (stored in an encrypted state) should you complete the registration process for our website. This is used so that you can sign-in, and make and manage job applications. You may change or delete these details at any time.
Pay rate and benefits: As a recruitment and employment business, part of our service includes delivering job offers on behalf of our clients, as well as the particulars of that offer. This would reasonably be expected to include salary or pay rates, potentially including package details such as bonuses and pension contributions.
If you are working as a contractor through Red Snapper then it is highly likely that we will be making payments to either your limited company or directly to you as a PAYE contractor. Understandably we will need to know your per unit rate so that we can pay you the correct amount for your work.
Furthermore, our clients typically pay Red Snapper a fee calculated as a percentage payment based on salary or daily pay rates. We have a legitimate interest to understand your rate of pay so that we may bill clients accurately; and where you are contracting through us, to provide payment of your day rate to you.
Verification checks: If you accept an offer to undertake a contract job through Red Snapper, then depending on the basis by which you are paid (namely PAYE, umbrella company, limited company, sole trader) we will require some documentation from you to fulfil our legal obligations by verifying your right-to-work in the UK, identity, and address. Documents we will request from you for these purposes will be treated as personal data and can consist of a selection from the below within each category:
Eligibility to work – Passport; Visa; Birth certificate; National Insurance number
Proof of identity – Passport; EU identity card; Biometric residence permit; Driving licence
Proof of address – Utility bill; Student Loan statements; Credit card/bank statement or letter; Government or council document giving entitlement such as from DWP or HMRC; Printed P45 or P60; Mortgage statement; Financial statement; Council Tax statement.
Address: We require a mailing address so that we may send to you any documents which we are legally obliged to provide following your completion of employment.
Nationality: Should you receive an offer of contract employment through Red Snapper, we have a legal obligation to ensure you are entitled to work in the UK. To that effect we must prove the status under which you are working in the UK, and therefore are required to verify your passport or visa status.
Age: Should you receive an offer of contract employment through Red Snapper, we have a legal obligation to verify that you are of the minimum legal age to undertake full-time work.
Bank details: If you accept a contract role with us and operate under PAYE or through your own limited company, we will need your bank details so that we can pay you for the work you perform on our behalf.
Background checks: Depending on the environment that you will be working in, or the nature of our client’s business, you will be required to undergo a number of background checks prior to engaging contract employment through Red Snapper. These will vary per situation, we will seek your express consent for each, and these would typically include some of:
Vetting (e.g. DBS check); criminal declarations; qualification certificates; employment references; bankruptcy; security clearances
Disability: We do not request this information but expect that upon accepting an offer of employment you should notify us if appropriate, to ensure that working conditions are made suitable for you.
Medical/Sickness: We do not collect specific medical records or history, however if you are working on a contract basis via Red Snapper, we are likely to be notified by the end employer (our client) of any absence through sickness for the purpose of managing and verifying timesheets.
Partner information This may be applicable if you are contracted via Red Snapper and provide your partner’s details as your Next of Kin (NoK). We do not process these details other than to store them securely in the event of an incident that might require us to contact your designated NoK. We reasonably presume that you will have notified your NoK of your intention to designate them, and that we will utilise the legal basis of vital interest for storing their details and contacting them in an emergency.
What is the legal basis for processing your personal data?
As a recruitment company, we are of the belief that if you have registered with us, you are doing so because you would like to hear about suitable job opportunities that Red Snapper are working on. We will contact you regarding such roles on the basis that you have expressed a legitimate interest in receiving this information. Likewise we believe we have a legitimate interest, as well as a contractual obligation, to provide you with information about opportunities that you have signed up to gain visibility of.
We know not everyone who is registered with us is an active jobseeker, and some just want to be aware of what else might be available to them. You can tell us to stop, all or some of our processing activities at any time and we will oblige. Until then, we will keep in touch occasionally to tell you about some of the vacancies we are working on, but you can always sign up to Jobs by Email updates to receive more regular messaging about new opportunities.
Should we go on to successfully place you in to a contract position then we will be required to retain your data for 7 years according to UK employment law. Beyond that, we have a contractual obligation to our clients and to you the contractor, to provide in-post services and care. We will need to process your personal data to manage your hours of work, pay you, and keep in touch throughout your tenure.
For those we place in to permanent roles, the ongoing requirement for processing is less explicit. We have a legitimate interest as a business to know which candidates we have placed with our clients, however we want to balance that with still allowing you to exercise your individual rights as a data subject; should you wish us to remove your data or restrict processing then we will pseduonymise that data where possible and remove as much data as we can so as to respect your request and rights. We will retain only your name for our reference, and details of your basic salary or contract day rate as this is how our fee is calculated with our clients.
Sharing your personal data?
Should you wish to apply to an employment opportunity with us, we will of course have to share some of your details with the hiring business (our client). Such data will not include your contact details but could reasonably expect to cover your name, CV, broad location, salary expectations, and notice period. Although we recognise that we could submit your CV (with your permission of course) under the basis of legitimate interest, we believe that recent changes to data protection laws have been made to encourage transparency and accountability. To that effect, in all instances we will request written consent from you to share your data with our client in application for the designated role.
Red Snapper believe that if you wanted a third party to process your data, you would provide it to them directly, therefore we share your personal data with carefully selected processors only to provide essential parts of our service. In all instances this is only applicable where we have gone on to place you within contract employment with one of our clients. In such instances, processors who supply essential parts of our recruitment service, and whom we would intend to share your data are:
Location: New Zealand (transferred using the EU’s adequacy decision under GDPR which states no further safeguards are required)
Purpose: To provide secure digital services for the signing of contracts and compliance documentation.
Purpose 1: To provide a timesheet management system so that contractors may submit their completed working hours for review and payment.
Purpose 2: Should you wish to fulfil your contract on a PAYE basis, Eden is our preferred supplier for the provision of umbrella company services. You are free to select your own provider for this and notify us of their details, however please note that we will not transfer personal data outside of the EEA without an EU adequacy decision, a data-sharing framework such as EU-US Privacy Shield, or using standard data protection contractual clauses mirroring the requirements of GDPR.
Purpose: Should you secure a contract position with us, you may be required to undergo a DBS Check. Atlantic Data are our providers for the DBS Check service. They operate a strict policy for retention periods and all personal data is erased after 6 months; it is held for this initial period to rectify any disputes with certificates issued. After 6 months the only data retained is in their financial records and is limited to your name, the date a certificate was issued, and the nature of that certificate.
How long do we keep your personal data for?
Once you have registered with us, we will automatically delete your data after an inactive period of 5 years from the point of data collection; inactivity being defined by not engaging with us in recruitment processes, by updating your CV, or applying to a job through us. You are of course free to remove your details or restrict processing of your personal data at any time – please see the section below ‘How to access and control your personal data’. You will receive notification via email from us informing you that we have stopped processing of and removed your data for your own records.
Should you perform a contract role through Red Snapper, we are obliged by employment law to retain certain data for a period of 7 years from the end of your assignment. Should you have been placed in to a job by us but wish for us to restrict processing of your data, we will make all efforts possible to remove your personal data from our records and retain only that data which we are required to hold by law; we will not conduct any further processing of your data and all records will pseudonymised or anonymised as far as is legally possible.
How to access and control your personal data
Please visit http://rsr.ltd/about/rights to view and exercise your rights around your personal data; how you may submit a Subject Access Request to understand what data we hold on you and how we use it; or to lodge a complaint about our use of your data.
Please visit http://www.rsr.ltd/about/cookies to read about the cookies used on our website, their purpose, and how you may manage use of them across various browsers (including blocking them altogether).
Data Protection Officer
For any questions or complaints about the processing of your personal data by Red Snapper, or to make a subject access request, please send details of your enquiry to our Data Protection Officer, Ryan Farmer at firstname.lastname@example.org.