1. Background and Context
The details below provide information about the data we collect and how we use data about you if you submit an application for employment.
This Applicant Data Privacy Notice is designed to provide information on how Oakbrook Finance Limited (referred to as “we”,
“us”, “our”) processes the personal data of its workforce (referred to as “you”, “your”) in accordance
with the General Data Protection Regulation (Regulation (EU) 2016/679) and, when enacted, Data
Protection Act 2018 (together referred to as the “GDPR”). This notice applies to applicants for
employment, whether successful or otherwise.
As a “data controller”, we are responsible for deciding how we your process personal data. We take your privacy seriously and we are fully committed to protecting your personal data at all times. We will only process your personal data in accordance with applicable data protection laws, adhering to the principles (as applicable) contained in the GDPR.
This notice does not form part of any offer of employment or any contract of employment you may be offered and we may amend it at any time to reflect any changes in the way in which we process your personal data. If you are in the application process when any changes are made to this notice, we will bring any such changes to your attention as soon as practicable.
Our Chief People Officer is responsible for ensuring that this privacy notice is maintained. That post is held by Sarah Marriott.
The kind of information we hold about you
1.1 “Personal data” is any information about a living individual from which they can be identified such as name, location data, any online identifier, or any factor specific to the physical, physiological, genetic, mental, economic or social identity of that person. It does not include data where any potential identifiers have been removed (anonymous data) or data held in an unstructured file.
1.2 There are “special categories” of more sensitive personal data which are more private in nature and therefore require a higher level of protection, such as genetic data, biometric data, sex life and sexual orientation, race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and health.
1.3 When we refer to “processing”, this means anything from collecting, using, storing, transferring, disclosing, altering or destroying personal data.
2. How we use your personal data
We process your personal data for various reasons, relying on a variety of different bases for lawful processing under GDPR, as set out below.
2.1 To comply with our legal obligations or exercise legal rights conferred upon us. This may include:
- checks for eligibility to work in the UK and Ireland (as appropriate) as required by immigration laws, such as passport and visa documentation;
- formal identification documentation relating to you, such as a passport or driving licence, to verify your identity (including your date of birth);
- information in relation to legal claims made by you or against you, in order to comply with court processes and court orders;
- Disclosure and Barring Service (DBS) checks where we have a legal right or reason for doing so (please see section 5 below)
- information gathered from background checks relating to the occurrence, investigation or prevention of fraud;
- any adjustments that you require for the purposes of interview.
2.2 To pursue our (or a third party’s) legitimate interests as a business. This may include:
- your contact details such as your name, address, telephone number and personal email address which will be used to communicate with you in relation to the recruitment process;
- your CV and any or education or employment history, professional qualifications and certifications in order for us to consider your suitability for a job vacancy you are applying for;
- employment references provided to us;
- details of the job role you are applying for and any interview notes made by us during or following an interview with you, in order to assess your suitability for that role;
- pay and benefit discussions with you to help determine whether a job offer may be made to you;
- voicemails, emails, correspondence, and other communications created, stored or transmitted by you on or to our computer or communications equipment in order to progress the application through the recruitment process;
- CCTV footage of you on site in the reception area of the building for security reasons, for the protection of our property and for health and safety reasons; and
- network and information security data in order for us to take steps to protect your information against loss, theft or unauthorised access.
Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal data.
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
3. How we use your special categories data
We also collect, store and use your special categories data for a range of reasons, relying on a variety of different bases for lawful processing under the GDPR, as set out below.
3.1 To enable us to perform our legal obligations in respect of employment, social security, social protection law, or needed in the public interest. This may include:
- health information to assess and/or to comply with our obligations under employment, equal opportunities and health and safety legislation (for example a requirement to make reasonable adjustments to your working conditions).
3.2 For occupational health reasons or where we are assessing your working capability, subject to appropriate confidentiality safeguards. This may include:
- information about your physical or mental health, or disability status, to assess whether any reasonable adjustments are required for you during the recruitment process, carrying out any medical assessment required for your role, pension and any insurance benefits.
3.3 To establish, defend or exercise legal claims in an employment tribunal or any other court of law.
3.4 For statistical purposes in the public interest such as equal opportunities monitoring (for example the collection of information about race, ethnic origin, sex or religion). Any such information shall only be used in an anonymised form for statistical purposes and will not be used in relation to your application for employment with us.
4. Criminal convictions information
For certain roles, we have a legal right, to undertake Disclosure and Barring Service (DBS) and fraud checks. Where we do so, we only do so in accordance with our data protection policies, the principles of the GDPR and the prevailing legislation in this area (as updated from time to time). For details of how long we retain criminal convictions information and how it is disposed of, please refer to Appendix 1.
5. Automated decision making / profiling
You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.
Automated decision-making takes place when an electronic system uses information to make a decision without human intervention. We are allowed to use automated decision-making in the following circumstances:
- Where we have notified you of the decision and given you 21 days to request a reconsideration; and
- In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights.
If we make an automated decision on the basis of any special category of personal data, we must have either your explicit written consent or it must be justified in the public interest, and we must also put in place appropriate measures to safeguard your rights.
“Profiling” means any form of automated processing to evaluate certain personal aspects relating to you, in particular to analyse or predict aspects concerning performance at work, financial situation, health, personal preferences, interests, reliability, behaviour, location or movements.
6. Data sharing
We may share your personal data and special category personal data internally. In particular, it may be shared with: HR employees involved in the recruitment process, employee relations and/or administration of any offer of employment; line managers for the role in question; consultants; advisers; and/or other appropriate persons who may be involved in the recruitment process for the job(s) you are applying for.
We may share your personal data and special category personal data with third parties, agents, subcontractors and other organisations (as listed below) where it is necessary to administer a prospective working relationship with you or where we otherwise have a lawful basis for doing so:
- credit reference agencies;
- financial crime and fraud prevention agencies
- payroll and pension providers;
- insurance providers;
- employee benefits providers;
- training providers;
- recruitment agencies;
- providers of IT services; and
- providers of legal services;
- previous employers;
- Disclosure and Barring services;
- Background checking agencies.
When we disclose your personal data to third parties, we only disclose to them any personal data that is necessary for them to provide their service and where we are sure that they have adequate policies/procedures in place in relation to data security. We have contracts in place with these third parties in receipt of your personal data requiring them to keep your personal data secure and not to use it other than in accordance with our specific instructions.
We may also share your personal data and special category personal data with other third parties for other reasons. For example: in the context of the possible sale or restructuring of the business; to provide information to a regulator; or to otherwise comply with the law. To comply with our legal obligations we may share your data with the following:
- HMRC for tax purposes;
- FCA for financial compliance purposes; and
- Home Office for immigration purposes.
We may obtain personal data and/or special category personal data about you from third party sources, such as recruitment agencies, job boards, recruitment assessment centres, occupational health professionals and background check providers. Where we receive such information from these third parties, we will only use it in accordance with this notice.
In some cases, they will be acting as a controller of your personal data and therefore we advise you to read their privacy notice and/or data protection policy.
7. Transferring information outside the EEA
We do not envisage that we will transfer your personal data outside of the EEA (meaning the remaining EU 27 member states, UK, Norway, Iceland and Liechtenstein), however we will notify you in writing if this position changes.
8. Data security and storage
Your personal data and special category personal data is stored in a variety of locations, including: electronically on our secure servers, in hard copy form in access-restricted, locked filing cabinets and/or on the Electronic People platform.
We take appropriate technical and organisational security measures and have rules and procedures in place to guard against unauthorised access, improper use, alteration, disclosure and destruction and accidental loss of your personal data.
In addition, we limit access to your personal data to those who have a business need to know and they will only process your personal data on our instructions and subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected or actual data security breach and will notify you and the Information Commissioner’s Office (“ICO”) of a suspected breach where we are legally required to do so.
9. Data retention
We keep your personal data and special category personal data for as long as is necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirement. Information about how long we retain such personal data is set out in Appendix 1.
When applying for a job with us, we compile and keep a manual and/or electronic file containing information about you which relates to your application for a job with us. Your information will be kept secure and will be used for the purposes of your job application.
If you are offered and you accept a job with us, your personal data will be transferred to a manual and electronic personnel file. Any hard copy personnel file will be kept in access-restricted, locked filing cabinets. The retention period varies according to the personal data that we hold about you, and your personal data will be permanently and securely deleted at the end of this retention period.
In some circumstances we may anonymise your personal data so that it can no longer be associated with you, in which case we may use and retain such information without further notice to you, as it falls outside of the definition of personal data under the GDPR.
In some circumstances and with your express consent we may also retain your personal data, as collected as part of the application process, in order to consider you for any roles within our business other than the post you are applying for.
10. Your duties
We encourage you to ensure that the personal data that we hold about you is accurate and up to date by keeping us informed of any changes to your personal data. You can do this through your individual and secure log in to the People HR platform or by notifying the HR department directly.
11. Your rights
You may make a formal request for access to personal data and/or special category data that we hold about you at any time. This is known as a Subject Access Request. Such a request must be made in writing and we must respond within a certain time period (being 40 days under the Data Protection Act 1998, reducing to 1 month under the GDPR from 25 May 2018). Please note that under the GDPR we are permitted to extend the 1 month time period for responding by an additional 2 months where in our view your request is complex or numerous in nature. We may also charge a reasonable fee based on administrative costs where in our view your request is manifestly unfounded, excessive or a request for further copies. Alternatively, we may refuse to comply with the request in such circumstances.
Under certain circumstances, by law you also have the right to request:
- to have your personal data corrected where it is inaccurate;
- to have your personal data erased where it is no longer required. Provided that we do not have any continuing lawful reason to continue processing your personal data, we will make reasonable efforts to comply with your request;
- that your personal data be transferred to another person;
- to restrict the processing of your personal data where you believe it is unlawful for us to do so, you have objected to its use and our investigation is pending, or you require us to keep it in connection with legal proceedings; and
- to object to the processing of your personal data, where we rely on legitimate business interests as a lawful reason for the processing of your data. You also have the right to object where we are processing your personal data for direct marketing purposes. We have a duty to investigate the matter within a reasonable time and take action where it is deemed necessary. Except for the purposes for which we are sure we can continue to process your personal data, we will temporarily stop processing your personal data in line with your objection until we have investigated the matter. If we agree that your objection is justified in accordance with your rights, we will permanently stop using your data for those purposes. Otherwise, we will provide you with our justification as to why we need to continue using your data.
The way we process your personal data and the legal basis on which we rely to process it may affect the extent to which these rights apply. If you would like to exercise any of these rights, please address them in writing to Sarah Marriott, Chief People Officer.
We may need to request specific information from you to help us to confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is an appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
You may complain to a supervisory body if you are concerned about the way we have processed your personal data. In the UK this is the ICO – www.ico.org.uk.
- Strictly necessary cookies. These are cookies that are, quite simply, strictly necessary for the operation of our site. They include, for example, cookies that enable you to log into secure areas of our site. If you disable these cookies then parts of our site will no longer work for you. It also limits our ability to keep your information secure.
- Performance cookies. They allow us to recognise and count the number of visitors and to see how visitors move around our site when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily. We also use third party performance cookies to record and analyse information of this nature in order for us to improve our website. Two examples are highlighted below but other cookies may be used to carry out similar functions.
- Google Analytics. We use Google Analytics to help us collect and assess this information. Google Analytics stores information such as which pages you visit, how long you are on the site, how you got here and what you click on. The information is anonymous and cannot be used to identify you. To opt out of Google Analytics cookies please visit https://tools.google.com/dlpage/gaoptout.
- Functionality cookies. These are used to recognise you when you return to our site. This enables us to personalise our content for you, remember your username, and remember if you are resuming an application you started previously.
- Targeting cookies. These cookies record your visit to our site, the pages you have visited and the links you have followed. We will use this information to make our site and our advertising more relevant to your interests. For example, targeting cookies may help us to improve the targeting of our advertising. We may provide third parties such as Google and Facebook with this information so our adverts can be placed on third party websites. If you choose to block these cookies you will still see our adverts on other websites but they will not be tailored to you.
- Managing Your Cookies. Cookies can be controlled by your web browser settings. Whether our cookies are used will depend on your browser settings, so you are in control. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, please use the following links:
For mobile devices, you can also try looking in the browser app settings for cookie controls. Please be aware that by blocking all cookies you may not be able to access or use all the features of our website and you will not receive a personalised service.
If you have any questions about any matter relating to data protection or the personal data and/or special category personal data that that we process about you, please contact Sarah Marriott, Chief People Officer.