Purpose of this Document
It is the intention of Ai Recruitment Technologies Ltd to have the organisation policy and governance infrastructure in place in order to demonstrate the capability and willingness to comply, as completely as possible, as a matter of design with the following legislation and regulation:
- The EU General Data Protection Regulation (EU GDPR)
- The 2018 UK Data Protection Act
- Any other legislation/regulation, as it is brought to the attention of Ai Recruitment Technologies Ltd, that will have an impact on personal data protection.
The CEO of Ai Recruitment Technologies Ltd will coordinate the effort of the following disciplines to implement this policy:
- Information Security
- Enterprise Architecture and Design
- Assurance and Quality Management
- Information Management
In respect of the protection of personal data in particular, the lead compliance agency that Ai Recruitment Technologies Ltd will draw guidance from is the UK Information Commissioner's Office. In the event of any conflict of interest, a need for specific advice, or uncertainty, those responsible for privacy governance will be contacted for guidance to resolve such matters.
GDPR legislation requires that there is an identifiable management structure which will ensure that data management policy is defined, applied and has the appropriate governance regime in place which can ensure the integrity of data holdings.
Ai Recruitment Technologies Ltd will therefore institute a Data Protection Committee which will meet, initially quarterly, to discuss refinement of this policy document and its associated governance regime. The membership of the board will vary from time to time as the working situation demands it, with the committee having the authority to call on specific expertise from across the company as need demands. The permanent members of the Data Protection Committee will be:
- Chief Executive Officer
- Head of Development
- Person fulfilling the role of Data Protection Officer in a part time capacity.
The CEO has ultimate responsibility for personal data protection and will delegate operation of the policy to the DPO.
This committee will be responsible for conducting and recording the results of an annual privacy risk assessment and audit. This audit will record the information about the data held including its source, the processing undertaken and the basis for doing so.
The committee will also ensure the following by design and policy:
- Processing is limited and specific
- Data is secure
- Ai Recruitment Technologies Ltd’s registration with the ICO remains current
- Privacy procedures are implemented by design and default
- Data is kept up to date including ensuring that any database containing personal data reflects current source data as soon as possible and the requisite levels of consent are still applicable.
- Data Protection requirements are fully considered when proposing and designing new products, services, business systems, marketing methods and databases.
Compliance Principles and Obligations
The overarching data management principle for Ai Recruitment Technologies Ltd is:
The recording of the minimum data, for the minimum period of time to maximum effect held securely such that integrity is maintained and verification can be proved if necessary in a manner that is legally sound on an end to end through life basis.
The GDPR introduces new rights for the data subject. The new rights are set out in the table below:
| No. | Right | Description |
|---|---|---|
| 1 | The right to be informed | Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR. |
| 2 | The right of access | Ai Recruitment Technologies Ltd must provide individuals with information including: the purposes of processing their personal data, the retention periods for that personal data, and who it |
| 3 | The right to rectification | Individuals have the right (subject to legitimate legal rights of the company), to request changes to their data if they identify an error or omission. |
| 4 | The right to erasure | Individuals have the right (subject to legitimate legal rights of the company), to have their data removed from the corporate information management infrastructure wherever it may appear. |
| 5 | The right to restrict processing | Individuals have the right (subject to legitimate legal rights of the company), to restrict how their data is used. |
| 6 | The right to data portability | Individuals have the right (subject to legitimate legal rights of the company), to ask for their data which must be delivered in a coherent way such that it may be used by the data subject elsewhere at their discretion. |
| 7 | The right to object | Individuals have the right (subject to legitimate legal rights of the company), to object to the holding or processing of their data. |
| 8 | Rights in relation to automated decision making and profiling | Individuals have the right (subject to legitimate legal rights of the company), to object to processing carried out using their data if there is a perceived risk to themselves in any form. |
The 8 primary principles of personal data protection as set out in the EU GDPR and the UK Data Protection Act 2018 will be applied across Ai Recruitment Technologies Ltd. The 8 principles are:
- Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless – (a) at least one of the conditions in Schedule 9 is met, and (b) in the case of sensitive personal data, at least one of the conditions in Schedule 10 is also met.
- Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act 2018.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Additionally, current privacy protection regulation sets out, in overview, 6 legitimate reasons to hold, store and analyse personal data:
- Consent: the individual has given clear consent to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract with the individual, or because they have asked for specific steps to be taken before entering into a contract with them.
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
Ai Recruitment Technologies Ltd has developed big data and AI driven talent analytics products and services which drive fast and informed recruitment.
The company’s original product Wammee 1.0 used personal data and would be subject to GDPR legislation. Wammee 1.0 was discontinued on the 24th May 2018. Any client with remaining email marketing credits was moved to Wammee 2.0.
The company launched Horsefly in late 2016. Using anonymous data of millions of profiles obtained online, Horsefly can provide essential strategic and tactical information to make the recruitment process much more efficient.
As Horsefly uses anonymous data obtained from the Internet, it is not subject to GDPR.
Any other potential identifier fields are kept anonymous by using pseudonymisation. Two-way encryption is used to ensure data cannot be reverse engineered back into personal data without the secure encryption key. The source encryption key is only available to the Head of Development.
Wammee 2.0 is used by client companies to advertise employment roles within their businesses. Using the insights obtained through Horsefly we are able to optimise the keywords to create custom audiences and broadcast by using the Facebook, Instagram and Twitter advertising API. Personal data is not used by Ai Recruitment Technologies Ltd in this process and therefore Wammee 2.0 is not subject to GDPR.
The Horsefly data can be used to drive a candidate facing career advice platform. Access to this platform is being and will continue to be offered to all natural persons who wish to use the platform; such persons will provide relevant personal data directly.
This database, which is called Wammee DB, will contain data of natural persons who have provided personal data by actively signing up and providing relevant personal data directly, and it will be processed in accordance with GDPR. Further details on the compliance of the Wammee DB are provided in Appendix A.
The Use of Encryption
Where possible, the use of encryption in respect of the protection of the integrity of personal data is to be encouraged. The deployment and subsequent use of encryption facilities is to be managed by the company Head of Development taking into account the need to protect personal data as advised by the company DPO appointee.
As Controller to Third Parties
In the event that personal data is passed to third parties for ongoing processing, the controller is the company. However, all such operational requirements will be subject to contract and monitored, from an assurance perspective, such that company compliance with personal data protection is not compromised in any way.
The development and construction of such contracts particularly those that contain personal data will be subject to the scrutiny and approval of the company legal representatives, the DPO and the Chief Executive Officer. Such contracts will be subject to regular review.
Particular care in such contractual arrangements must be taken in respect of breach reporting and in the circumstances of a breach ensure that both the company and the authorities are informed of such things within the time limits specified by the UK Information Commissioner.
The DPO will be responsible for the development of training programmes for new starters and regular refreshment.
In addition, processes will be developed and tested to respond to the various types of subject access requests and breach reporting.
- As legislation changes and such changes require a policy review
- As internal processes related to privacy protection change.
- As we introduce any new product offerings.
- As the nature of any privacy related risk requires it (for example a breach).
- Any other circumstances in which a review is seen as highly desirable.
Any review will be carried out by the company Data Protection Committee as sponsor with the company Data Protection Officer being responsible for the work associated with any review and the development of any recommendations.
Reviews will be recorded with the minutes stored in the company.
Annex A – Wammee DB
When personal data is obtained by Ai Recruitment Technologies Ltd, within 30 days, the person is notified that the company has obtained personal data and is provided with detailed information and a range of options.
If the person does not respond within 30 days, the personal data is removed from the Wammee DB.
If the person requests the removal of the personal data, the personal data is removed from the Wammee DB within 30 days.
If the person gives permission for the data to be used, then personal data is retained in the Wammee DB together with details of the permissions granted.
For each set of personal data, the Wammee DB will also record:
- The Data Subject’s response
- The source of the data
- The retention period before requesting an input. The default retention period is three years.
Annex B - Data Protection Officer (DPO)
Ai Recruitment Technologies Ltd will not employ a person whose sole remit is to fulfil the role of Data Protection Officer. However, there will always be a person who is designated to fulfil that role on a part time basis.
To contact this person by email in their capacity as DPO please use this email address: firstname.lastname@example.org.
This person will be the contact for Data Subjects who want to exercise any of the following rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
This person should also be contacted if a breach of any Data Protection legislation is suspected.
To ensure good governance with respect to Data Protection legislation, this person has the right, with respect to Data Protection issues, to direct access to the Chair of the company.
Annex C – Frequently Asked Questions
What is this about?
We are obliged to follow the regulation known as the General Data Protection Regulation (GDPR) which is legislation from the European Union together with the Data Protection Act 2018. As a consequence of the legislation we have a number of duties with respect to data of natural persons. If we hold personal data we will tell you what information we have and tell you how you can ask us to do various things like deleting your data or transferring it.
What personal data do we need?
If you would like us to provide you with career services using CareerMatter.io then the details required are:
- Full Name
- Location (Town or City)
- Email Address
- Professional Profiles e.g. CV, which includes, but is not limited to:
  - Work experience
  - Professional skills
  - Educational background
Can I withdraw consent?
If you are not an employee then the answer is yes. Any time you like. Just let us know that you do not want us to use your data. If you are an employee we will have to work with you to consider your concerns so that we can continue to operate an efficient administrative process.
What if I think there is a problem?
Please contact email@example.com
Annex D – Privacy Statement – General
Ai Recruitment Technologies Ltd is committed to ensuring that your privacy is protected. Should we hold any data by which you can be identified then you can be assured that it will only be used in accordance with this privacy statement.
Ai Recruitment Technologies Ltd may change this policy from time to time by updating this page. You should check this page from time to time to ensure that you are happy with any changes. This policy is effective from 25th May 2018.
What we collect
We may collect the following information:
- name and job title
- contact information including email address
- demographic information such as your current location (town / city), preferences and interests
- other information relevant to providing career advice and/or employment
What we WILL NOT Collect
We will not collect online credit card details, other financial details or any special categories of personal data.
What we do with the information we gather
We require this information to understand your needs and provide you with a better service, and in particular for the following reasons:
- Internal record keeping.
- We may use the information to improve our products and services.
- Evaluating a candidate’s work history and forming a view as to which employers might be suitable.
- Forming a view as to roles which might be desirable.
- Forming a view as to likely salaries that can be expected.
We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online.
Links to other websites
Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.
Controlling your personal information
We will not sell, distribute or lease your personal information to third parties. We may use your personal information to send you promotional information about third parties which we think you may find interesting if you tell us that you wish this to happen.
You may request details of personal information which we hold about you. If you would like a copy of the information held on you, please write to firstname.lastname@example.org.
If you believe that any information we are holding on you is incorrect or incomplete, please write to or email us as soon as possible, at the above address. We will promptly correct any information found to be incorrect.
If you discover something that you think might be a cookie from our site, let us know and we will remove the offending code. We track things like mouse activity and navigation through parts of the site, but only on the basis of monitoring navigation so that we can put our limited resources to best use.
Annex F – Privacy Statement - Personal Data Collection in Respect of Employment
Employee Privacy Notice
Data controller: Ai Recruitment Technologies Ltd (Company Number: 07651107)
Data protection officer: email@example.com
The company collects and processes personal data relating to its employees to manage the employment relationship. The company is committed to being transparent about how it collects and uses that data and to meeting its data protection obligations.
What information does the company collect?
The company collects and processes a range of information about you. This includes:
- your name, address and contact details, including email address and telephone number, date of birth and gender;
- the terms and conditions of your employment;
- details of your qualifications, skills, experience and employment history, including start and end dates, with previous employers and with the company;
- information about your remuneration, including entitlement to benefits such as pensions or insurance cover;
- details of your bank account and national insurance number;
- information about your marital status, next of kin, dependants and emergency contacts;
- information about your nationality and entitlement to work in the UK;
- information about your criminal record;
- details of your schedule (days of work and working hours) and attendance at work;
- details of periods of leave taken by you, including holiday, sickness absence, family leave and sabbaticals, and the reasons for the leave;
- details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence;
- assessments of your performance, including appraisals, performance reviews and ratings, performance improvement plans and related correspondence;
- information about medical or health conditions, including whether or not you have a disability for which the company needs to make reasonable adjustments; and
- equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health and religion or belief.
The company may collect this information in a variety of ways. For example, data might be collected through application forms, CVs or resumes; obtained from your passport or other identity documents such as your driving licence; from forms completed by you at the start of or during employment (such as benefit nomination forms); from correspondence with you; or through interviews, meetings or other assessments.
In some cases, the company may collect personal data about you from third parties, such as references supplied by former employers, information from employment background check providers, information from credit reference agencies and information from criminal records checks permitted by law.
Data will be stored in a range of different places, including in your personnel file, in the company's HR management systems and in other IT systems including the company's email system.
Why does the company process personal data?
The company needs to process data to enter into an employment contract with you and to meet its obligations under your employment contract. For example, it needs to process your data to provide you with an employment contract, to pay you in accordance with your employment contract and to administer benefit, pension and insurance entitlements.
In some cases, the company needs to process data to ensure that it is complying with its legal obligations. For example, it is required to check an employee's entitlement to work in the UK, to deduct tax, to comply with health and safety laws and to enable employees to take periods of leave to which they are entitled.
In other cases, the company has a legitimate interest in processing personal data before, during and after the end of the employment relationship. Processing employee data allows the company to:
- run recruitment and promotion processes;
- maintain accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency), and records of employee contractual and statutory rights;
- operate and keep a record of disciplinary and grievance processes, to ensure acceptable conduct within the workplace;
- operate and keep a record of employee performance and related processes, to plan for career development, and for succession planning and workforce management purposes;
- operate and keep a record of absence and absence management procedures, to allow effective workforce management and ensure that employees are receiving the pay or other benefits to which they are entitled;
- obtain occupational health advice, to ensure that it complies with duties in relation to individuals with disabilities, meet its obligations under health and safety law, and ensure that employees are receiving the pay or other benefits to which they are entitled;
- operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave), to allow effective workforce management, to ensure that the company complies with duties in relation to leave entitlement, and to ensure that employees are receiving the pay or other benefits to which they are entitled;
- ensure effective general HR and business administration;
- provide references on request for current or former employees;
- respond to and defend against legal claims; and
- maintain and promote equality in the workplace.
Some special categories of personal data, such as information about health or medical conditions, are processed to carry out employment law obligations (such as those in relation to employees with disabilities).
Where the company processes other special categories of personal data, such as information about ethnic origin, sexual orientation, health or religion or belief, this is done for the purposes of equal opportunities monitoring. Data that the company uses for these purposes is anonymised or is collected with the express consent of employees, which can be withdrawn at any time. Employees are entirely free to decide whether or not to provide such data and there are no consequences of failing to do so.
Who has access to data?
Your information may be shared internally, including with members of the HR and recruitment team (including payroll), your line manager, managers in the business area in which you work and IT staff if access to the data is necessary for performance of their roles.
The company shares your data with third parties in order to obtain pre-employment references from other employers, obtain employment background checks from third-party providers and obtain necessary criminal records checks from the Disclosure and Barring Service. The company may also share your data with third parties in the context of a sale of some or all of its business. In those circumstances the data will be subject to confidentiality arrangements.
The company may also share your data with third parties that process data on its behalf, in connection with payroll, the provision of benefits and the provision of occupational health services.
The company will not transfer your data to countries outside the European Economic Area.
How does the company protect data?
The company takes the security of your data seriously. The company has internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its employees in the performance of their duties.
Where the company engages third parties to process personal data on its behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
For how long does the company keep data?
The company will hold your personal data for the duration of your employment. After the end of employment, your data is held until the end of the first full financial year following the end of your employment.
As a data subject, you have a number of rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
If you would like to exercise any of these rights, please contact firstname.lastname@example.org.
If you believe that the company has not complied with your data protection rights, you can complain to the Information Commissioner, though we would ask that before you do so you raise any concerns with us in order that we have the chance to deal with any complaints beforehand.
What if you do not provide personal data?
You have some obligations under your employment contract to provide the company with data. In particular, you are required to report absences from work and may be required to provide information about disciplinary or other matters under the implied duty of good faith. You may also have to provide the company with data in order to exercise your statutory rights, such as in relation to statutory leave entitlements. Failing to provide the data may mean that you are unable to exercise your statutory rights.
Certain information, such as contact details, your right to work in the UK and payment details, has to be provided to enable the company to enter a contract of employment with you. If you do not provide other information, this will hinder the company's ability to administer the rights and obligations arising as a result of the employment relationship efficiently.
Employment decisions are not based solely on automated decision-making.
Annex G - Wammee 2.0 Social Broadcasting Example
Annex H – Website Visitors
By registering or using this Site, you consent to the collection, use and transfer of your information under the terms of this policy.
Information that we collect from you
When you visit or register on the Site you may be asked to provide certain information about yourself including your name, address, email address, telephone number, gender, role sought, availability and various contact permission options. If you apply for jobs, the information you provide in any application form will also be stored. In addition, if you upload your CV to the Site it will be stored on our server. We may also collect information about your usage of our Site, as well as information about you from e-mails or letters you send to us, or from e-mails you send in response to jobs advertised on our Site.
Use of your information
Your information will enable us to provide you with access to all parts of our Site and to supply our services. We will also use and analyse the information we collect so that we can administer, support, improve and develop our business, which may include contacting you to notify you of our current or future services.
In particular, we may use your information to contact you for your views on our services and to notify you occasionally about important changes or developments to the Site or our services. Further, where you have consented, we might also use your information to let you know about other services that we offer which may be of interest to you and we may contact you by post, telephone or fax, as well as by e-mail.
We retain all information and CVs for up to 6 years. If you change your mind about being contacted in the future, please let us know or, if you would like us to delete your personal information or to remove a CV that you have uploaded please send an email to email@example.com and provide details of your request.
If you apply to job adverts then your profile information will be sent with the relevant personal information to the advertisers via Ai Recruitment Technologies Ltd's servers.
Disclosure of your information
The information you provide to us will be held on computers solely owned by Ai Recruitment Technologies Ltd.
Where your consent has been given your information will be shared with businesses looking to recruit or advertise on this Site. Your information may be accessed by or given to our staff working within and outside the UK and third party companies whom we may use to provide part of our services and who may be located outside the European Economic Area. We may also pass aggregate statistical information on the usage of our Site to third parties but this will not include information that can be used to identify you.
Your CV will be stored on the Ai Recruitment Technologies Ltd servers. Unless required to do so by law, we will not otherwise share, sell or distribute any of the information you provide to us without your consent.
We employ security measures to protect your information from access by unauthorised persons and against unlawful processing, accidental loss, destruction and damage.