Job Candidate Privacy Notice
1.1 Who are we, and what is the purpose of this notice?
The Risk Advisory Group (Holdings) Ltd, its branches and subsidiaries (“we”, “us”, “our”) is a leading global risk management company. This privacy notice outlines how we process certain personal data about you as part of our recruitment process.
We are committed to protecting your privacy and handling your personal data in accordance with data protection laws. The purpose of this notice is to make you aware of the personal data we collect, how we use it, with whom we share it and how we protect it.
This notice applies to candidates for vacant roles that we advertise either via our website or through a recruitment agency and any speculative job applications that you make to The Risk Advisory Group (Holdings) Ltd and its branches and subsidiaries (“candidates”).
If we offer or have offered you a position, then our ‘employee privacy notice’ outlines how we will use your data in the course of the onboarding process and once you have joined us. The employee privacy notice will be made available to you in the event that we make you an offer of employment.
2.1 General principles
Which of your personal data do we collect and how do we collect it?
Like all prospective employers, we may collect and process personal data that you provide to us in the course of the recruitment process.
The personal data we collect from you will vary from time to time as required for us to manage your progress within the recruitment process and to meet legal and regulatory requirements. Personal data we collect about you may include, for example: contact details; information on academic and professional qualifications and memberships; historic employment information; correspondence with or about you; and records of assessments that we may ask you to participate in.
2.2 Lawfulness, fairness and transparency
Which of your personal data do we collect and how do we collect it?
We will process your personal data only for the purposes set out in this section.
If we are required to process your personal data for any purpose other than those included in this section, we will notify you of this before doing so.
To the extent that we rely upon your consent or explicit consent as the legal basis under which we process your personal data, you are entitled to withdraw your consent at any time.
In summary, we generally use your personal data in order to evaluate your suitability for a role with The Risk Advisory Group, to manage our relationship with you as your potential employer and to comply with our legal obligations.
2.3 Purpose limitation
The Risk Advisory Group will only request information that is adequate, relevant and limited in relation to the purpose for which it is to be processed.
2.4 Storage & Access
Disclosure information is kept by the HR department for the first 6 months of employment; it is then securely destroyed.
How do we share your personal data?
We may share your personal data with:
other companies within our group
selected third-party service providers, where necessary, to provide us or you with services, which may include:
Shortlister – which provides our aptitude testing platform which we may use if we ask you to complete an assessment;
any relevant recruitment agent who you have been in touch with about the role that you are applying for;
Salesforce to host your data and assist us with administering the recruitment process.
We only transfer your personal data to third parties, including those outside of the European Union (see below at “Do we transfer your personal data internationally?”), if we are satisfied they take appropriate measures to protect it.
Where we are required to disclose your personal data to law enforcement agencies and regulatory bodies to comply with our legal and regulatory obligations, we may be unable to inform you of such disclosures.
As a multinational organisation, and in line with the global nature of our services, we are often required to transfer personal data internationally. Accordingly, your personal data may be transferred globally (if your data is collected within the European Union, this means that your data may be transferred outside it; if your data is collected outside of the European Union, this means that your data may be transferred into it).
Depending on where you are resident, you may have some or all of the following rights under applicable law in respect of the personal data about you that we hold:
request us to give you access to it
request us to rectify it, update it, or erase it
request us to restrict our using it, in certain circumstances
object to our using it, in certain circumstances
withdraw your consent to our using it
data portability, in certain circumstances; and
lodge a complaint with the supervisory authority in your country (if there is one).
You are able to exercise these rights by contacting us using the details set out below (at “Who should you contact with questions?”).
What security arrangements do we have in place to protect your personal data?
We implement appropriate technical and organisational measures to protect personal data that we hold from unauthorised disclosure, use, alteration or destruction. The Risk Advisory Group is ISO27001 certified and, as such, has in place various safeguards to protect all data, including your personal data. This includes the following measures in relation to:
unauthorised disclosure or use: access to employee personal data is given on a need-to-know basis, and is authorised by senior management. Segregation of duties is in place to restrict access. The systems holding data are secured from unauthorised access with logins traceable to individuals and multi-factor authentication. Data is marked using a document classification scheme to define the permissible level of sharing and the required security restrictions that need to be applied.
alteration or destruction: all systems have detailed logging in place, and data is backed up to the alternative location where it is stored encrypted.
How long will your data be retained for?
The period for which we may retain data about you will depend on the purposes for which the data was collected, whether you have requested the deletion of the data, and whether any legal obligations require the retention of the data (for example, for regulatory compliance).
If we offer you employment at The Risk Advisory Group and you accept, then the retention periods that apply to your data are set out in the employment privacy notice that we will provide to you upon making you an offer.
Otherwise we will only retain any assessment results and responses until the recruitment process has ended. Your contact information, qualification details and employment history are generally only kept on record for one year following the end of the recruitment process.
If you have any questions or concerns about our handling of your personal data or this privacy notice, please speak to the Head of Human Resources at firstname.lastname@example.org or on +44 20 7578 0000.
You have a right to contact the UK Information Commissioner with any questions or concerns in relation to how your personal data is processed by us.
This privacy notice was published on 8th October 2018.
This privacy notice does not form part of your contract of employment, and we may update it from time to time. We will always seek to inform you of any changes made to this privacy notice.
This policy is available to all candidates via the careers page on the company’s website.
3.1 Changes to this notice
This privacy notice overrides any notice previously communicated to you.
This policy is owned by HR and overseen by the Data Protection Officer.