About this document
Newcastle Building Society (“NBS”) collects, uses and shares personal data relating to its job applicants to manage the recruitment process. NBS is committed to complying with its data protection obligations.
NBS is a data “controller” for the purposes of the applicable UK data protection legislation. This means that we are responsible for deciding how and why we hold and use personal data about you.
Group Data Protection Officer: Catherine Bolam
Assistant Group Data Protection Officer: Julie Meade
Address: Newcastle Building Society, 1 Cobalt Park Way, Wallsend, NE28 9EJ
This policy applies to current and former job applicants. We may update this policy at any time.
It is important that you read this policy, together with any other separate specific privacy policies that we may provide on particular occasions when we are collecting or processing personal data about you, so that you are aware of how and why we are using such information.
Data protection principles
We will comply with the data protection principles under the applicable data protection legislation when we process personal data about you.
NBS will ensure that it protects personal data by complying with a set of principles relating to processing of personal data, as set out within the applicable data protection legislation, which require personal data to be:
- Processed lawfully, fairly and in a transparent way (‘Lawfulness, fairness and transparency’).
- Collected only for specified, explicit and legitimate valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes (‘Purpose limitation’).
- Adequate, relevant and limited to what is necessary for the purposes that we have told you about (‘Data minimisation’).
- Accurate and where necessary kept up to date (‘Accuracy’).
- Kept only as long as necessary for the purposes we have told you about and for which the data is processed (‘Storage limitation’).
- Processed securely using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage (‘Security, integrity and confidentiality’).
NBS is also responsible for and must be able to demonstrate compliance with the principles listed above (‘Accountability’).
The kind of information we hold about you
Personal data means any information about an individual from which that person can be identified. It does not include information from which an individual can no longer be identified (anonymous data). There are also “special categories” of more sensitive personal data which require a higher level of protection. We may also collect, store and use the following “special categories” of particularly sensitive personal data:
- Information about your physical or mental health, including whether or not you have a disability for which NBS needs to make reasonable adjustments during the recruitment process.
- Information about your race or ethnic origin, religious or philosophical beliefs to ensure equal opportunity monitoring.
The categories of personal data that we collect, store, and use about you are set out at Appendix 1 along with the purposes for which we will process that data and the lawful reasons we rely on to carry out that processing.
How is your personal data collected?
We collect personal data about you through the application and recruitment process either directly from you as part of your application, during interviews or other forms of assessment including online tests.
We also collect additional information from third parties including former employers, employment agencies, background check agencies, pension administrators, the Disclosure and Barring Service, other colleagues, monitoring of our website, CCTV and access control systems, the intranet, and publicly accessible sources including the electoral roll and possibly business-related social media platforms such as LinkedIn. NBS also seeks further information from third parties once a job offer to you has been made and will inform you that it is going to do so.
How we will use information about you
Our obligations when using any type of personal data about you
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data for the following lawful reasons:
- Where we need to use the information so that we can perform a contract we have entered into with you, such as an employment contract.
- Where we need to use the information to comply with a legal obligation.
- Where it is necessary to use the information for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. If we are processing the information for our legitimate interests, we have set out what those particular legitimate interests are in the section below.
- Where we have your consent. Please note that we do not need your consent to process information if one or more of the other lawful reasons for us processing your information apply. These are the reasons set out in this section of this policy.
We may also use your personal data in the following situations, which are likely to be rare:
- Where we need to use the information to protect your vital interests (or someone else’s vital interests). For example, in a life and death type situation.
- Where we need to use the information to carry out a task in the public interest.
The purposes for which we will process your different kinds of personal data and the lawful reasons that we rely on to carry out that processing are listed at Appendix 1.
Our additional obligations when using special categories of personal data about you
Where we use “special categories” of particularly sensitive personal data (as described above) about you, we have some additional compliance obligations as those types of data require higher levels of protection.
We need to have further justification for collecting, storing and using these types of personal data. We are allowed to process these special categories of personal data in the following circumstances:
- In limited circumstances, with your explicit written consent.
- Where it is necessary for us to process your information to carry out our legal obligations or exercise our rights under employment law and we do so in accordance with our Data Protection Policy, Data Retention Policy, Absence Policy, Equality Policy, Death in Service Policy and Strengthening Accountability in Banking Policy as well as in accordance with NBS’s Data Protection Guidelines on Data Processing for HR Purposes.
- Where the processing is necessary in the substantial public interest and we do so in accordance with our Data Protection Policy, Data Retention Policy, Dignity at work Policy and Equality Policy as well as in accordance with NBS’ Data Protection Guidelines on Data Processing for HR Purposes. Our processing for these purposes may include where we use the personal data:
  - For equal opportunities monitoring purposes generally and also to ensure racial and ethnic diversity at senior levels of the organisation;
  - To prevent or detect unlawful acts;
  - To comply with regulatory requirements relating to unlawful acts and dishonesty etc.;
  - To prevent or detect fraudulent acts or where there is suspicion of terrorist financing or money laundering.
- Where the processing is necessary to assess your working capacity on health grounds, provided that our processing is subject to appropriate confidentiality safeguards and in compliance with the applicable data protection legislation.
- Where we need to process the information to protect your vital interests (or someone else’s vital interests) and you or they are not capable of giving consent.
- Where we need to process the information in relation to legal claims.
- Where the information has been deliberately made public by you.
- Where we need to process the information for national security reasons.
The purposes for which we will process your different special categories of data and the lawful reasons that we rely on to carry out that processing are listed at Appendix 1 attached.
Do we need your consent to process special categories of data about you?
We do not need your consent if we use special categories of your personal data about you for one of the other reasons set out above.
In very limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information that we would like to process and the reason we need to do so, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your application with us that you agree to any request for consent from us to process your personal data.
Processing in accordance with our other policies
Any personal data processed about you (including special categories of data) will be processed in accordance with NBS’s Data Protection Policy, Data Retention Policy and our HR Policies. For details about a specific policy please contact HR or visit the HR intranet site.
Information about criminal convictions and offences
We only use information relating to criminal convictions where the law allows us to do so. We process information relating to criminal convictions and offences in the following circumstances:
- Where the processing is necessary to carry out our obligations and exercise our rights and provided we do so in line with our Data Protection Policy, Data Retention Policy, Equality Policy as well as in accordance with NBS’s Data Protection Guidelines on Data Processing for HR Purposes;
- Where you have given your consent.
- Where the processing is necessary to protect your vital interests (or someone else’s vital interests) and you or they are not capable of giving consent.
- Where the processing is necessary in relation to legal claims.
- Where you have already made the information public.
We will only collect information about criminal convictions and offences if it is appropriate for your role and where we are legally able to do so i.e. where legislation permits.
We hold and use information about your actual or potential criminal convictions and offences in the ways set out in Appendix 2.
Automated decision-making (including profiling) takes place when an electronic system uses personal data to make a decision without human intervention. You have a general right not to be subject to any decision based solely on such processing, which produces legal effects concerning you or similarly significantly affects you. This right does not, however, apply and we are allowed to use automated decision-making (including profiling) in the following circumstances:
- Where we have notified you in writing that a decision has been based solely on automated processing and given you one month beginning with receipt of the notification to request a reconsideration or that a new decision is taken not based solely on automated processing. Where such a request has been made we will respond to you in most cases without undue delay and in any event within one month of receipt of the request. In some limited situations and where we notify you, this period may be extended by two further months.
- Where it is necessary to enter into or perform a contract with you.
- In limited circumstances, with your explicit written consent.
In all these cases we must ensure that appropriate measures are in place to safeguard your rights, including allowing you to exercise your right to obtain human intervention by us, to express your point of view and to contest the automated decision made.
If we make an automated decision on the basis of any particularly sensitive personal data, we must have either your explicit written consent or it must be justified in the public interest, and we must also put in place appropriate measures to safeguard your rights (as above).
Recruitment decisions are not based solely on automated decision-making; however, we will notify you in writing if this position changes.
Please see more detailed information below about all of these data sharing situations.
Why do you share my personal data with third party controllers, outside our NBS group companies?
We will share your personal data with third party data controllers outside our group companies, for the following reasons:
- Where required by law;
- Where it is necessary as part of the recruitment process;
- Where your application for employment is successful and NBS makes you an offer of employment. NBS will share your information, for example, with former employers to obtain references for you, with employment background check providers, and with the DBS to obtain necessary criminal records checks.
- Where we have another legitimate business interest in doing so (for example, to obtain references about you (for example, in relation to jobs, academic performance, qualifications or experience));
- Where we are permitted to do so under the exemptions under the applicable data protection legislation (for example to regulators, law and tax enforcement agencies and fraud prevention agencies).
- Where it is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings), for the purpose of obtaining legal advice, or it is otherwise necessary for the purposes of establishing, exercising or defending legal rights;
- To ask to receive or to provide reference requests from third parties (for example, in relation to roles, academic performance, qualifications or experience).
Where we share your personal data with third party controllers we will comply with our Data Protection Guidelines on Sharing Personal Data with Third Parties.
Why do you share my personal data with other entities in our NBS corporate group, where they act as data controllers?
We will also share your personal data with other entities in our NBS group where they are acting as a joint data controller for the following reasons:
- Where it is necessary as part of our regular reporting activities on the performance of the organisation;
- To perform your employment contract; or
- In the context of a business reorganisation.
We have set out at Appendix 1, situations where we share your information with specific NBS group companies as data controllers, and the reasons why we do so.
Which third-party processors/ service providers outside our NBS group companies, will process my personal data and how secure will it be?
“Third parties” includes third-party service providers (including contractors and designated agents).
The following data processing activities are carried out by third-party service providers in relation to your personal data during the recruitment process:
- the online application system;
- credit checks (credit reference agencies (CRAs) will give us information about you such as your financial history. We use this information to assess creditworthiness and role suitability, check your identity and prevent criminal activity. CRAs will share your information with other organisations. Your data may also be linked to the data of your spouse or other financial associates. The identities of the CRAs, and the ways in which they use and share personal information, are explained in more detail at www.experian.co.uk/crain);
- DBS checks where applicable;
- identity checks.
Why do you share my personal data with other entities in our NBS corporate group acting as data processors?
We will also share your personal data with other entities in our NBS group for them to process personal data on our behalf for the following reasons:
- in the context of a business reorganisation or group restructuring exercise;
- for managing our IT systems and security;
- for hosting of data;
- for HR support.
We have set out at Appendix 1, situations where we share your information with specific NBS group companies as data processors, and the reasons why we do so.
What steps do you take to protect my information when you share it with data processors inside or outside the NBS corporate group?
All our third-party service providers as well as other entities in our corporate group, acting as data processors, are required to take appropriate security measures to protect your personal data in line with our policies and are appointed in accordance with our NBS Data Protection Guidelines on Appointing Data Processors.
We do not allow data processors to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions as the controller of that information.
Transferring information outside the European Economic Area (EEA)
We will not transfer your personal data to countries outside the EEA.
If you fail to provide personal data
If you fail to provide certain information when requested, we may be prevented from processing your application properly or at all; or from entering into a contract of employment with you if you are successful in your application; or from complying with our legal obligations (such as to ensure that you are legally entitled to work in the UK).
Change of purpose
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
We have put in place measures to protect the security of your information. Details of these measures are available on request.
Third party data processors will only process your personal data on our instructions and where they have agreed to treat the information confidentially and to keep it secure.
We have put in place appropriate security measures to prevent your personal data from being accidentally or unlawfully used, destroyed, lost, altered, disclosed or accessed. Details of these measures are available on request.
In addition, we limit access to your personal data to those of our employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. They must also comply with their obligations under the applicable data protection legislation.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach without undue delay where we are legally required to do so.
How long will you use my information for?
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
If your application is unsuccessful, NBS will hold your personal data for 2 years after the end of the recruitment process. If you agree to allow the organisation to keep your personal data on file, NBS will hold your personal information for a further 12 months for consideration of future employment opportunities. At the end of that period, your personal information will be securely destroyed in accordance with our document retention policy.
If your application for employment is successful, your personal data will be transferred to your personnel file and retained during your employment. We will in those circumstances provide you with further information about how we will process your information, including in relation to the periods of time for which we keep different aspects of employee personal data.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we anonymise your personal data so that it can no longer be associated with you, in which case we may use such information without further notice to you.
Your rights and duties
Your duty to inform us of changes
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your recruitment relationship with us.
Your rights in connection with personal data
Under certain circumstances, by law you have the right to:
- Request access to your personal data (commonly known as a “subject access request”). This enables you to ask for and receive a copy of the personal data we hold about you.
- Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
- Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) to process your personal data and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes and where we process your personal data to make decisions solely by automated means which have legal effects or similarly significant effects.
- Withdrawal of consent. Where our processing is based on your consent (or explicit consent), you have a right to withdraw consent at any time (see below for further information about this).
- Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal data to another party.
- Lodge a complaint with the UK’s Information Commissioner, or other applicable data protection regulator.
Unless it proves impossible or involves disproportionate effort, we will notify others with whom we have shared your data of your request to rectify, erase or restrict the processing of your personal data.
Fees for subject access requests
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee:
- if your request for access is clearly unfounded or excessive - we may also refuse to comply with the request in those circumstances; or
- in the event that you ask for further copies of the information.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
Right to withdraw consent
In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact us. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless the applicable data protection legislation otherwise permits us to do so (for example, as a result of exemptions under the law). This will not affect the lawfulness of the processing that you consented to before you withdrew your consent.
Data Protection Officer