About this privacy notice
This privacy notice sets out how we handle, store, use, share or otherwise process your personal data. The Equality and Human Rights Commission (EHRC) is a 'data controller'. This means that we are responsible for deciding how we hold and use personal data about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.
This notice applies to prospective employees, including agency workers, interns, apprentices and contractors. This notice does not form part of any contract of employment or other contract to provide services. We may update this notice at any time but if we do so, we will provide you with an updated copy of this notice as soon as reasonably practical.
This notice replaces all previous privacy or fair processing notices or statements issued by us. It is important that you read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information and what your rights are under data protection legislation.
What we do with your data
What we collect if you have applied to work at the EHRC in any capacity.
Basic information
Your name (including any previous names) and personal contact details. This is necessary for us to enter into correspondence with you about prospective employment or when we need to provide you with information relating to a role or contract.
Refer to number 2 below, where we specify the legal basis for this.
Financial information and any other information that would affect your pay or benefits, in order to ensure that you are paid correctly and any requested deductions, such as pension contributions, are made. We may also use this information to record details of any expenses claimed to enable reimbursement.
Refer to number 2 and 8 below, where we specify the legal basis for this.
If you are paid directly by us, we will collect your National Insurance Number to pay National Insurance contributions through PAYE and your National Insurance details, date of birth and sex as part of the identification process.
Refer to number 3 below, where we specify the legal basis for this.
We collect copies of evidence, which you provide, of your eligibility to work in the UK. We are legally required to collect this under the Immigration, Asylum and Nationality Act 2006.
Refer to number 3 and 12 below, where we specify the legal basis for this.
We view copies of your Disclosure and Barring Service (DBS) certificate and / or Scottish Disclosure certificate and will retain the date of issue and reference number on our HR system. As an exception, we may retain a copy of your certificate for up to 6 months. We view original documents and collect copies of proof of address, proof of National Insurance Number and proof of ID. We do this as part of our mandatory security check. This is the Baseline Personnel Security Standard (BPSS) to check identity, which is necessary for security and employment purposes.
Refer to number 6 and 8 below, where we specify the legal basis for this.
In the event that you are taken seriously ill on our premises, we may disclose relevant information, such as health conditions that we know about, to the emergency or health services. We only do this when it is in your vital interests for the information to be shared.
Refer to number 4 and 9 below, where we specify the legal basis for this.
Equality and diversity monitoring
We ask you for data relating to your age, sex and nationality for pay, pension and ‘right to work’ checks. However, we also use this information, along with disabilities and ethnicity information, to monitor equality and diversity within the EHRC:
to ensure that we do not overlook potential employees who are disadvantaged or underrepresented and that we are promoting people fairly whatever their protected characteristic
to ensure that we are meeting our public sector equality duty
to ensure that women and men’s pay is comparable in similar or equivalent jobs
to meet our pay gap reporting obligations
to guarantee you a first stage interview where appropriate to do so in accordance with our Disability Confident Scheme, and
to award roles to individuals who possess a protected characteristic that we reasonably believe is underrepresented within our workforce, in the event that more than one candidate is equally qualified for a role.
Refer to number 3 and 12 below, where we specify the legal basis for this.
The following categories of information are also collected for equality and diversity monitoring, and although we are obliged to request the details, providing this information is entirely optional and there will be no impact on you if you do not provide it. It will not affect your employment status at the EHRC.
Caring responsibilities
Marital status
Religion or belief
Sexual orientation
Transgender status
Refer to number 3 and 12 below, where we specify the legal basis for this.
Health information
We hold information that you provide us with relating to your physical or mental health or disability.
We hold information to ensure your health and safety in our workplace, for example undertaking Display Screen Equipment assessments, ensuring that you have the equipment that you need to take part in an interview safely or have a Personal Emergency Evacuation Plan (PEEP) in place should you require one. The outcome of these assessments or plans will be discussed with you and shared with interviewer(s) where relevant or necessary to do so. PEEPs will also be shared with Building Management to enable them to effectively manage emergency evacuations and provide information to fire and rescue services if needed.
Refer to number 3 and 8 below, where we specify the legal basis for this.
We hold information to provide any reasonable adjustments that you may require. If you are attending our premises or an offsite location for interview, we may need to share relevant details with the office location or venue in order to ensure that you can be catered for.
Refer to number 3 and 8 below, where we specify the legal basis for this.
Information will only be shared with the relevant internal teams required to manage each scenario. This may include the People Team, your line manager, the Finance Team, the Facilities Management Team and, if you have a PEEP, your fire marshal and Building Management. It will only be shared with those necessary to meet the purpose listed.
If you are involved in an accident or incident on our premises, we will record details relating to the accident or incident, including any relevant details about you.
Refer to number 3 and 8 below, where we specify the legal basis for this.
Unless specifically stated, providing us with health information is not a legal requirement. However, if you choose not to provide this information, we may be unable or limited in our ability to assess or meet your needs, requests, catering requirements or ensure your health and safety at work.
Recruitment
Applications and interviews
In order to assess your suitability for the role, we will collect information relating to your skills, experiences and qualifications.
Refer to number 2 below, where we specify the legal basis for this.
We are a disability confident leader. If you tell us that you have a disability as defined by the Equality Act 2010 as part of the application process, and you meet the minimum criteria for the role, we will invite you to a first stage interview. Where high numbers of applications are received, we may only invite to interview the candidates that best meet the minimum criteria for the role. This is part of the Disability Confident Scheme.
Refer to number 3 and 8 below, where we specify the legal basis for this.
In the event that more than one candidate is equally qualified for a role and we believe that one candidate possesses a protected characteristic that we reasonably believe is underrepresented within our workforce, that individual may be awarded the role.
Refer to number 5 and 8 below, where we specify the legal basis for this.
We will collect data that you provide to us regarding any reasonable adjustments that may need to be made. You do not have to provide this information. However, without it we will be unable or limited in our ability to meet your needs. This is to ensure that you can fully participate in the recruitment process and also enables us to ensure we are meeting our legal obligations to you under the Equality Act 2010.
Refer to number 3 and 8 below, where we specify the legal basis for this.
Our vacancies are advertised through BeApplied, which is an applicant tracking system. Information that you share via the platform will be used to establish suitability for the role, and for reviewing patterns in our recruitment process (non-identifiable). The information is retained for a period of up to two years. If you apply for a role through BeApplied then your data will be processed by them for their own purposes too. Please see their privacy notice. We also use Civil Service Jobs to advertise our vacancies.
If your application is successful
We will ask you for confirmation that you are happy for us to contact your referees for a reference so that we can verify your suitability for the role level.
Refer to number 2 below, where we specify the legal basis for this.
Records of your registration with any applicable regulatory authority such as the Bar Association in order to verify any required professional registrations.
Refer to number 2 below, where we specify the legal basis for this.
If your application is unsuccessful
If you are unsuccessful in your application, your data will be retained for a period of up to two years to ensure that any complaints about fair and open competition can be reviewed and considered.
Refer to number 6 below, where we specify the legal basis for this.
If you are unsuccessful in your application but pass the interview criteria for the role, we may also keep your details on a reserve list for a period of 12 months for future similar vacancies. In this event, you will be contacted and given the opportunity not to have your name on this list. We do this in our legitimate interests for recruitment.
Refer to number 6 below, where we specify the legal basis for this.
Internal recruitment
If you apply for an internal vacancy via BeApplied and / or submit an expression of interest form these will be shared with the People Team as well as the recruiting manager, and the shortlisting and / or interview panel members.
Refer to number 2 below, where we specify the legal basis for this.
In the office and at work
Building security
Your name and a photo of you will be collected by the local Building and Facilities Management Teams at each of our offices so that you are provided with a personalised staff badge and access to premises. These will be shared with reception staff who, depending on the site, will ask to see a copy of your photo ID for verification purposes, but will not make a copy. We may also provide you with a separate security pass with your name and a photo so that you can gain access to our premises which are secured using our own access control system.
Refer to number 6 below, where we specify the legal basis for this.
While in our office premises, your image will be caught by CCTV cameras which are operated and managed by us. Sometimes, this may also involve the processing of special category personal data, for example where the image captures a visible disability.
Processing this data is necessary under our legitimate interests in security and health and safety, and to prevent or detect unlawful acts. There are also CCTV cameras operated and managed by the relevant building management companies at the sites in which our offices are based.
Refer to number 6 and 12 below, where we specify the legal basis for this.
Where you use your pass to enter the office areas, these records are collected and managed by the Building Management team of the site rather than by us. However, in the Manchester office we maintain our own access control records. These records are used to record the dates and times you have accessed the premises and may be used to evidence when access passes have been de-activated, or as evidence in the event of any suspected or actual security breaches.
Building swipe card records may also be collected by the relevant building management companies where these are required to enter the building itself.
Refer to number 6 below, where we specify the legal basis for this.
From time to time you may be asked to provide additional identification and / or be asked to sign in and out of our buildings, for example, in the case of a heightened state of security. We have a legitimate interest in maintaining effective ICT and security.
Refer to number 6 below, where we specify the legal basis for this.
The legal basis on which we process your data
Personal Data
When processing your personal data, we will always meet at least one of the following bases within the UK General Data Protection Regulation (UK GDPR):
1. We have your consent: Article 6 (1)(a)
2. The processing is necessary to fulfil a contract that we have with you: Article 6 (1)(b)
3. The processing is necessary for us to meet a legal obligation: Article 6 (1)(c)
4. The processing is necessary to protect someone’s vital interests: Article 6 (1)(d)
5. The processing is necessary for us to perform our public tasks or a task in the public interest: Article 6 (1)(e)
6. There is a legitimate interest in the processing: Article 6 (1)(f)
Special Category Personal Data
There may be occasions where we need to process more sensitive information about you, such as data relating to your:
Racial or ethnic origin
Political opinions
Religious or philosophical beliefs
Trade union membership
Health
Sex life or sexual orientation
Genetic or biometric data for identification purposes
If we process any of the data listed above, we will also meet at least one additional condition within the UK GDPR:
7. We have your explicit consent: Article 9 (2)(a)
8. The processing is necessary for employment purposes: Article 9 (2)(b) and Schedule 1, Part 1 (1) of the DPA 2018
9. The processing is necessary to protect someone’s vital interests: Article 9 (2)(c)
10. The information has been made public by you: Article 9 (2)(e)
11. The processing is necessary to exercise or defend legal claims: Article 9 (2)(f)
12. The processing is necessary for reasons of substantial public interest: Article 9 (2)(g) and Schedule 1, Part 2 of the DPA 2018
13. To assess your working capacity in relation to your health: Article 9 (2)(h)
14. The processing is necessary for archiving purposes: Article 9 (2)(j)
How we share, store and keep your personal data secure
Organisations acting on our behalf (suppliers)
We contract third party organisations (suppliers) to process data on our behalf. We will only work with organisations that have equivalent or sufficient security in place to handle personal data, considering the sensitivity of the data. We will always have a contract or agreement in place with the supplier.
Where it is possible to disclose anonymised data we will do so. If personal data needs to be provided, we will only disclose the minimum required.
We use the following types of third-party services:
Payroll, expenses and other financial system providers
Human resources information systems providers
IT system providers
Job evaluation providers
Photo management platforms
Phone service providers
Professional advisors or consultants working on our behalf
Paper and electronic archive providers
Other organisations
We may need to share your personal data with other organisations that will use the data for their own purposes. For example, with a regulator or to otherwise comply with the law.
This may include sharing relevant data with the following organisations:
HMRC
Department for Work and Pensions
National Audit Office
Internal auditors
External legal services
Cabinet Office
Government Actuaries Department
The National Archives
Building management companies for example if you have a PEEP
Other circumstances
We may also share data in other one-off circumstances such as providing information to the police to assist with their work to prevent or detect crime.
In the event of an emergency or safeguarding concern, we may share relevant data with key authorities such as the emergency services or other safeguarding services where this is believed to be in the best interests of yourself or another individual, or where it is in the public interest.
There are also circumstances where we are legally obliged to share data, for example if the courts require us to disclose information to them.
How long we keep your personal data
We will only keep your personal data for as long as it is needed.
For details of how long we keep different types of records, please see our retention schedule.
How we keep your personal data secure
We act appropriately to secure your personal data and protect it against unauthorised or unlawful processing, as well as against its accidental loss, destruction or damage. This includes ensuring that both technical and organisational security measures are in place, including:
Technical security measures
Using secure servers to store personal data.
Using technologies to encrypt data in transit and at rest.
Access permissions to restrict access only to staff that need it.
Providing access to the minimum personal data necessary.
Making the data anonymous, pseudonymised or unidentifiable whenever possible.
Regular security testing and assurance.
Organisational security measures
Having organisational policies and procedures in place to protect your data.
Ensuring staff handling personal data receive relevant training.
Ensuring formal agreements such as contracts or data sharing agreements are in place with other organisations that work with us and handle personal data.
Making sure we check suppliers have good security measures in place before working with them.
Transferring your personal data to other countries
In most cases, your data remains within the United Kingdom or within the European Economic Area (EEA), which is recognised in UK law as having adequate safeguards in place to protect your data protection rights.
We may transfer your personal data to countries outside of the UK, the European Economic Area (EEA) and / or to an international organisation. If we do this, we will ensure that adequate safeguards are used to secure the data. These are detailed in our Data Protection Policy.
Where organisations that we work with operate globally, or use services outside the UK or EEA, we will take reasonable steps to ensure that safeguards such as model contract clauses are in place to protect your personal data.
For information on data transfers to third countries through our use of cookies, please see our cookies policy.
Your rights
You have the following rights under data protection legislation in respect of your personal data:
You have the right to know how we handle, store, use or otherwise process your personal data (‘the right to be informed’).
You have the right to ask us for copies of your personal data (‘the right of access’).
You have the right to ask us to rectify data you think is inaccurate or to complete data you think is incomplete (‘the right to rectification’).
You have the right to ask us to erase your personal data where we do not have an overriding legal obligation or reason to retain it (‘the right to erasure’).
You have the right to ask us to restrict the processing of your personal data (‘the right to restriction’).
You have the right to object to the processing of your personal data (‘the right to object’).
You have the right to ask us to transfer data you gave us to another organisation on your behalf (‘the right to data portability’).
These rights are not absolute and are subject to certain exemptions. Some rights may also apply only in certain circumstances.
Where you have provided your consent for us to process your personal data, you have the right to withdraw this consent at any time.
To exercise your rights or withdraw your consent, please contact our Data Protection Officer.
You can find more information about your rights on the Information Commissioner’s Office website.
Who to contact
If you have any questions or concerns about how we collect, handle, store or secure your personal data, please contact our Data Protection Officer:
Data Protection Officer
Equality and Human Rights Commission
Arndale House
The Arndale Centre
Manchester
M4 3AQ
Email the Data Protection Officer
You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
https://ico.org.uk/