Privacy Statement

Last modified: 17th May 2018


The Supply Register enables client hiring organisations to manage their bank staff booking process and/or connect with recruitment agency panels for the purpose of finding candidates for their vacancies that are non-permanent in nature.

This “connection” happens through a software platform. The client hiring organisation decides which vacancies to post to the platform and what the requirements of the job are – for example what compliance items the worker needs to have in place (such as DBS checks) – and whether the job is an opportunity for their own internal bank staff, or additionally/instead one which is available for their recruitment agency panels to propose candidates to.

The technology platform then makes sure this vacancy is flagged to the client hiring organisation’s bank staff and/or recruitment agency panels. Bank staff alerted to the vacancy can then decide whether they want to put themselves forward for the job. In a similar way, recruitment agency panels also take the decision on which candidates they want to add onto the technology platform and propose for the vacancy in question.

The Supply Register is a recruitment agency and bank manager and exists as an outsourced third party that facilitates the process of hiring, ensuring that all decisions in the recruitment process can be tracked via a system so all parties to the process know what stage the recruitment is at, with all actions recorded, from which candidates were proposed, by whom, whether they had the requisite compliance items, who was accepted or rejected and how much they are paid.

Under the model, The Supply Register is a data processor, processing personal data on behalf of bank staff, recruitment agencies who propose candidates and client hiring organisations who hire candidates. In simple terms, processing means enabling the “connection” between parties in the recruitment process and allowing the secure viewing of the data required to conduct a safe and efficient recruitment process and ongoing activity during a temporary or contingent worker’s assignment.

Client hiring organisations act as data controller for the purposes of deciding which vacancies to post, whether to post these vacancies to bank staff and/or to their recruitment agency panels, what the requirements of the job are, including compliance items such as DBS check or health status forms, and who to accept from those candidates proposed, based on the criteria of the job.

The Supply Register and recruitment agencies on panel also act as data controllers with the responsibility to ensure the candidate they propose to the vacancy is aware of how their data will be shared and that the personal data shared on the candidate or their compliance items are accurate. Bank staff are also in control of deciding whether to accept a vacancy proposed to them or not.

Please note in respect of the platform logins issued to client hiring organisation users and recruitment agency panel users and bank staff users, The Supply Register acts as the data controller. We additionally act as the data controller for any details left on our website in relation to queries about our service offering, supplier details and agency details for panel enquiries. In all other instances The Supply Register acts as the data processor.


This Privacy Notice explains how The Supply Register collects/receives data, how we process any data we collect/receive, who we collect/receive this data from, why we collect/receive it, and what happens to this data.

Our privacy notice also explains how we manage subject access requests and the right to erasure. This privacy notice details how we comply with our legal obligations under the General Data Protection Act 2018. Your privacy is important to us, and we are committed to protecting and safeguarding data privacy rights.


This Privacy Policy applies to the personal data of our website users, recruitment agency panel platform users, employees of The Supply Register and agencies contracted to a client hiring organisation’s panel or agencies who may have an interest in being part of our panel, client hiring organisation platform users or employees of The Supply Register clients, bank staff platform users, suppliers and other people we may contact in certain rare circumstances, for example agency workers and/or bank staff themselves and the emergency contacts of these workers working at our clients. (Please note these scenarios are incredibly rare and would only occur if The Supply Register could not get in touch with the worker’s recruitment agency panel contact or the client hiring organisation’s bank staff manager – and circumstances were such that to delay contact could cause undesirable ramifications such as compromising safety or in the event of a serious incident.)

For the purpose of applicable data protection legislation (including but not limited to the General Data Protection Regulation (Regulation (EU) 2016/679)), the company responsible for your personal data is The Supply Register UK.



What we collect and why: We provide every platform user (whether client/internal or agency or bank staff) with a unique login to access the system as part of our contractual agreements. In order to do this, we ask for name, company workplace and email address. We then use this data to ensure there is an audit trail of activity on the site (for example which users are changing what information). This ensures we have visibility of who is using the system from a data security perspective. Every year, we check to see whether users are still logging in and if they are not, we exercise our retention period of 6 months before deletion.

In addition, and in order to fulfil our contractual obligations, we may need to email our users from time to time using their email address, either to make them aware of an update to the technology platform or changes to pay rates on the system due to legislation such as pensions auto-enrolment or national minimum wage uplifts, or to make them aware of training or best practice, for example obligations under GDPR.


What we process and why: Our client hiring organisations, as data controllers, decide what information is required from any candidate being proposed for each type of vacancy posted. This information is typically as follows:

  • Name
  • Gender
  • Contact Details
  • Address
  • Supply type (whether someone is working under PAYE, or they are VAT applicable, or self-employed as a PSC, so that they can be taxed appropriately)
  • A CV (so their application can be assessed)

And, where appropriate and in accordance with local laws and requirements governing certain employment scenarios, various compliance items for example Right to Work, DBS checks, health status, Drivers’ License etc.

Our recruitment agency panels or bank staff then supply this. The Supply Register processes this data.

Additionally, The Supply Register asks for date of birth, diversity information and an email address/phone number, as well as next of kin details and Identity Number (either passport or NI number). This information is not seen by the client. The information collected is used in the following ways:

Date of Birth and Identity Number are used to ensure the identity of the candidate for HMRC reporting.

Diversity Information is collected so that we can help our client hiring organisations understand whether any diversity initiatives are successful; however, diversity statistics are never provided at an individual level but are presented as an aggregate, meaning an individual cannot be specifically identified.

The email address and phone number for either the worker or next of kin are not passed on to the client hiring organisation but are available for emergencies should The Supply Register need to contact the candidate/next of kin urgently, for example in an emergency situation where the candidate’s agency cannot be reached.


What we process and why: Once a candidate is working at a client hiring organisation, The Supply Register processes the hours they work, their rate of pay, appropriate tax and NI contributions, the length of the assignment, the type of assignment, and where that assignment is based, any incidents on that assignment and objective feedback from that assignment. We may also review compliance documentation to ensure that our agencies have asked for the appropriate permissions to share this with the client hiring organisation and that the compliance documentation is accurate.


What we collect and why: We use traffic log cookies to identify which pages are being used. This helps us analyse data about web page traffic and improve our website by tailoring it to customer needs. We only use this information for statistical analysis purposes; following this, the data is removed from the system. Overall, cookies help us provide you with a better website experience, by letting us monitor which pages you do and do not find useful. A cookie in no way gives us access to your computer or reveals any information about you, other than the data you choose to share with us. You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually change your browser setting to decline cookies if you prefer. However, this may prevent you from taking full advantage of our website.

Whilst we collect corporate data on which companies visit our site and what pages they visit, which we use to understand whether organisations may be interested in our service, we do not collect data on individuals visiting the site unless an individual leaves their details in order to ask for more information about our service.


What we collect and why: We need a small amount of information from our suppliers to ensure that things run smoothly. We need contact details of relevant individuals at your organisation so that we can communicate with you. We also need other information such as your bank details so that we can pay for the services you provide (if this is part of the contractual arrangements between us).

Please note: Across all categories of data and depending on the type of personal data in question and the grounds on which we may be processing it, should you decline to provide us with such data, we may not be able to fulfil our contractual requirements or, in extreme cases, may not be able to continue with our relationship.


What we collect and why: We may, on occasion, collect contact details from agencies who do not currently work with The Supply Register so we can contact an employee at that recruitment agency over email or on the phone regarding an opportunity to supply to one of our client hiring organisations.

When we do this, we do so as a legitimate interest gateway under GDPR, e.g. that it is an opportunity for the agency that would outweigh any concern over our contact regarding the opportunity.



This data may be shared internally within The Supply Register to understand who is doing what on the portal, for reasons of data security and data transparency.


Unless you specify otherwise, we may share your information within our company and associated third parties such as our service providers and organisations to whom we provide.


Unless you specify otherwise, we may share your information with providers of web analytics services.


In order to fulfil our legal obligations, we may need to share your details with third parties like HMRC to ensure your taxation is correct.


We care about protecting your information. That’s why we put in place appropriate measures that are designed to prevent unauthorised access to, and misuse of, your personal data.


As a data processor, we abide by our data controller’s requirements on all data retention policies and facilitate these requirements unless we believe in good faith that the law or other regulation requires us to preserve it (for example, because of our obligations to tax authorities or in connection with any anticipated litigation).

The exceptions to this are as follows:

Portal logins: As we are the data controller, and in order to preserve the security of the technology platform, we delete user logins if a login has not taken place in six months.

Agencies who may be interested in joining our panel: We keep your details unless you request that we remove them, due to the nature of contract wins occurring over a number of years based in the areas in which you can supply.

Information gathered during the Audit Process: We consider all documents sent by agencies to the Audit team in reference to a specific audit to be relevant, and they should be accessible until the next audit is due, in line with contractual requirements. In standard cases, this is 12 months.

All emails containing information which falls into the above categories will be assigned a deletion policy in line with the timescales listed above, and an audit will be carried out every 6 months to ensure all relevant emails have been deleted.

How can you access, amend or take back the personal data that you have given to us?

Even if we already hold your personal data, you still have various rights in relation to it and you can contact in order to raise these rights. We will seek to deal with your request without undue delay, and in any event in accordance with the requirements of any applicable laws.

Please note that we may keep a record of your communications to help us resolve any issues which you raise. We may also need to refer you to a data controller to help assess your rights (for example if you are a candidate that works through a recruitment agency panel for a client hiring organisation, as depending on the circumstances it is your recruitment agency panel or the client hiring organisation that will be the data controller who is best placed to assess your rights).

Subject Access Request: If you are interested to find out what data we hold on you and/or wish to request that we modify, update or delete this information, please contact the team at at any point and we will be happy to advise.
Please note that in order to comply with your request, we may ask you to verify your identity, or ask for more information about your request and we may decline your request, where we are legally permitted to do so, but we will explain why if we do so.

Right to erasure: In certain situations, you have the right to request us to “erase” your personal data. We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases and we may, should a worker contact us directly, need to refer this request to the appropriate data controller to assess – for example the client hiring organisation or the recruitment agency panel) and will only disagree with you if certain limited conditions apply (these will typically be around competing legislation for example health and safety or HMRC requirements). If we do agree to your request, we will delete your data but will generally assume that you would prefer us to keep a note of your name on our register of individuals who would prefer not to be contacted. That way, we will minimise the chances of you being contacted in the future where your data are collected in unconnected circumstances. If you would prefer us not to do this, you are free to say.

Right to withdraw consent: Where we have obtained your consent to process your personal data for certain activities (for example, for having a login), you may withdraw your consent at any point.

Right to object: If we are using your data because we deem it necessary for our legitimate interests to do so, and you do not agree, you have the right to object. We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases). Generally, we will only disagree with you if certain limited conditions.

Right of data portability: If you wish, you have the right to transfer your data from us to another data controller. We will help with this – either by directly transferring your data for you, or by providing you with a copy in a commonly used machine-readable format.

Right to lodge a complaint with a supervisory authority: You also have the right to lodge a complaint with your local supervisory authority.

This is: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. Telephone: 0303 123 1113 or 01625 545745.