Who are GRI from a DATA context?
GRI enables client hiring organisations to manage their bank staff booking process, and/or connect with talent pools/recruitment agency panels for the purpose of finding candidates for their vacancies that are non-permanent in nature, e.g. temporary, contract and fixed term roles.
This “connection” happens either through GRI’s software systems – e-tips® or b2bBuyer® - or a third party software such as Peoplefluent or Beeline. The client hiring organisation decides which software system to opt for and then which vacancies to post to the chosen software system, what the requirements of the job are - for example the compliance items the worker needs to have in place (such as DBS checks) - and whether the job is an opportunity for their own internal bank staff/talent pool, or additionally/instead one which is available for their recruitment agency panels to propose candidates to.
The software system then makes sure this vacancy is flagged to the client hiring organisation’s bank staff and/or recruitment agency panels. Bank staff alerted to the vacancy can then decide whether they want to put themselves forward for the job. In a similar way, recruitment agency panels also decide which candidates they want to add onto the software system and propose for the vacancy in question.
GRI UK does not own any recruitment agencies or act as a bank manager/talent pool manager and exists as an outsourced third party that facilitates the process of hiring, ensuring that all decisions in the recruitment process can be tracked via a system so all parties to the process know what stage the recruitment is at, with all actions recorded: from which candidates were proposed, by whom, whether they had the requisite compliance items, who was accepted or rejected and how much they are paid.
This way of recruiting is typically known as a neutral vendor model of recruitment and it is very common. In the UK 13% of all temporary recruitment undertaken by hiring organisations operates through an outsourced model.
Under the neutral vendor model GRI is a data processor, processing personal data on behalf of bank staff, talent pools, recruitment agencies who propose candidates and client hiring organisations who hire candidates. In simple terms processing means enabling the “connection” between parties in the recruitment process and allowing the secure viewing of the data required to conduct a safe and efficient recruitment process and ongoing activity during a temporary or contingent worker’s assignment.
Client hiring organisations act as data controller for the purposes of deciding which vacancies to post, whether to post these vacancies to bank staff/talent pools and/or to their recruitment agency panels, what the requirements are of the job including compliance items such as DBS check, driving license or health status forms, and who to accept from those candidates proposed, based on the criteria of the job.
Recruitment agency panels also act as data controllers with the responsibility to ensure the candidate they propose to the vacancy is aware of how their data will be shared and that the personal data shared on the candidate or their compliance items are accurate. Bank staff and talent pool candidates are also in control of deciding whether to accept a vacancy proposed to them or not.
Please note in respect of the e-tips® and b2bBuyer® logins issued to client hiring organisation users and recruitment agency panel users and bank staff users, GRI acts as the data controller. We additionally act as the data controller for any details left on our website in relation to queries about our service offering, supplier details and agency details for panel enquiries. In all other instances GRI acts as the data processor.
This Privacy Notice
This Privacy Notice explains how GRI collects/receives data, how we process any data we collect/receive, who we collect/receive this data from, why we collect/receive it, and what happens to this data.
Our privacy notice also explains how we manage subject access requests and the right to erasure. This privacy notice details how we comply with our legal obligations under the General Data Protection Act 2018. Your privacy is important to us, and we are committed to protecting and safeguarding data privacy rights.
Note: If you are a GRI staff member please contact HR to refer to the GRI staff privacy notice.
Who does this policy apply to?
For the purpose of applicable data protection legislation (including but not limited to the General Data Protection Regulation (Regulation (EU) 2016/679)), the company responsible for your personal data is GRI UK Limited.
It is important to point out that we may amend this Privacy Notice from time to time. We will post any changes here, so you can easily take a look at any point to keep up to date.
If you have a query about any aspect of our Privacy Notice, you can contact our GDPR team and our data protection officer on GDPR2018@depoel.co.uk
What kind of personal data do we process or collect & how do we use it?
e-tips® and b2bBuyer® USER DATA
What we collect and why: We provide every e-tips® or b2bBuyer® user (whether client/internal or agency or bank staff) with a unique login to access the system as part of our contractual agreements. In order to do this, we ask for name, company workplace and email address. We then use this data to ensure there is an audit trail of activity on the site (for example which users are changing what information). This ensures we have visibility of who is using the system from a data security perspective. Every year, we check to see whether users are still logging in and if they are not, we exercise our retention period of 6 months before deletion.
In addition, and in order to fulfil our contractual obligations, we may need to email our e-tips® or b2bBuyer® users from time to time using their email address, either to make them aware of an update to the e-tips® or b2bBuyer® system (as is relevant) or changes to pay rates on the system due to legislation such as pensions auto-enrolment or national minimum wage uplifts, or to make them aware of training or best practice (for example, obligations under GDPR).
PROPOSED CANDIDATE DATA
What do we process and why? Our client hiring organisations, as data controllers, decide what information is required from any candidate being proposed for each type of vacancy posted. This can include any or all of the following, depending on the client:
- Contact Details
- Supply type (whether someone is working under PAYE, or they are VAT applicable, or self-employed as a PSC, so that they can be taxed appropriately)
- A CV (So their application can be assessed) or the primary skills required or preferred, the education required or preferred, the years of technical experience required or preferred. Please note when “experience” is collected it relates to technical skills gained over a number of years, not the age of the candidate
- Nationality – to better understand the Brexit risk status
- And, where appropriate and in accordance with local laws and requirements governing certain employment scenarios, various compliance items for example Right to Work, DBS checks, health status, Drivers’ License etc
- Whether the candidate has previously worked at and/or subsequently retired from the organisation they now wish to temp at and if they have, what grade they were at or what position they occupied previously.
- Notice period – if applicable
- The stages of the recruitment process if any, that the candidate moves through. For example 1st interview etc.
Our recruitment agency panels or bank staff/talent pools then supply this information. GRI processes this data.
Additionally, GRI may ask for date of birth, diversity information and an email address/phone number, as well as next of kin details and Identity Number (either passport or NI number). When this is asked for, this information is not seen by the client against the individual candidate record card. The information collected is used in the following ways:
- Date of Birth and Identity Number are collected to ensure the identity of the candidate for HMRC reporting
- Diversity Information is collected so that we can help our client hiring organisations understand whether any diversity initiatives are successful. However, diversity statistics are never provided at an individual level to hiring managers but are presented as an aggregate, meaning an individual cannot be specifically identified.
- Nationality is requested to identify current and future Brexit risk and impact profiles
- Where an email address and phone number for either the worker or next of kin is requested, it is not passed on to the client hiring organisation but is available for emergencies should GRI need to contact the candidate/next of kin urgently, for example in an emergency situation where the candidate’s agency cannot be reached.
WORKING CANDIDATE DATA
What we process and why: Once a candidate is working at a client hiring organisation, e-tips® and b2bBuyer® record the hours they work, their rate of pay, appropriate tax and NI contributions, the length of the assignment, the type of assignment, and where that assignment is based, any incidents on that assignment and objective feedback from that assignment. Our Audit Team may also review compliance documentation to ensure that our agencies have asked for the appropriate permissions to share this with the client hiring organisation and that the compliance documentation is accurate.
What we collect and why: We use traffic log cookies to identify which pages are visited. This helps us analyse data about web page traffic and improve our website by tailoring it to customer needs. We only use this information for statistical analysis purposes; following this, the data is removed from the system. Overall, cookies help us provide you with a better website experience, by letting us monitor which pages you do and do not find useful. A cookie in no way gives us access to your computer or reveals any information about you, other than the data you choose to share with us. You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually change your browser setting to decline cookies if you prefer. However, this may prevent you from taking full advantage of our website.
Whilst we collect corporate data on which companies visit our site and what pages they visit, which we use to understand whether organisations may be interested in our service, we do not collect data on individuals visiting the site unless an individual leaves their details in order to ask for more information about our service.
What we collect and why: We need a small amount of information from our suppliers to ensure that things run smoothly. We need contact details of relevant individuals at your organisation so that we can communicate with you. We also need other information such as your bank details so that we can pay for the services you provide (if this is part of the contractual arrangements between us).
Please note: Across all categories of data and depending on the type of personal data in question and the grounds on which we may be processing it, should you decline to provide us with such data, we may not be able to fulfil our contractual requirements or, in extreme cases, may not be able to continue with our relationship.
AGENCIES WHO ARE INTERESTED IN JOINING OUR PANEL
What we collect and why: We may, on occasion, collect contact details from agencies who do not currently work with GRI so we can contact an employee at that recruitment agency over email or on the phone regarding an opportunity to supply to one of our client hiring organisations. When we do this, we do this as a legitimate interest gateway under GDPR - e.g. that it is an opportunity for the agency that would outweigh any concern over our contact regarding the opportunity.
Who do we share your personal data with?
A full list of our sub-processors can be found here: https://www.geometricresults.co.uk/gdpr but we would draw particular attention to the following:
- E-TIPS® and b2bBuyer® USER LOGINS: This data may be shared internally within GRI to understand who is doing what on the e-tips® or b2bBuyer® portal, for reasons of data security and data transparency. Where we need to send an e-tips® user an email, your data is processed by our email platform, dotmailer.
- AGENCIES WHO ARE INTERESTED IN JOINING OUR PANEL: Where we send information regarding this opportunity via email other than Outlook, your data is processed by our email platform, dotmailer.
- USERS WHO NEED SUPPORT OR ASSISTANCE: e-tips® users raising support tickets have their query and data facilitated through Zendesk. b2bBuyer® users raising support tickets have their query and data facilitated through OTRS.
- CLIENTS WHO WISH TO SEE DATA TRENDS ON THEIR RECRUITMENT ACTIVITY: Depending on the client, and the software system their recruitment activity transacts through, data analysis will run through either Power BI, STARS or Envision.
- SUPPLIER DATA: Unless you specify otherwise, we may share your information within our company and associated third parties such as our service providers and organisations to whom we provide services.
- WEBSITE USERS: Unless you specify otherwise, we may share your information with providers of web analytics services.
- WORKING CANDIDATE DATA: In order to fulfil our legal obligations, we may need to share your details with third parties like HMRC to ensure your taxation is correct and to ensure adherence with regulatory requirements like Oil Reporting.
Do we transfer any data outside of the EEA?
Yes, in one instance. Personal data including: Name of Worker, PO Number, Department Code, Start and End Date, Customer Charge Rate, Reports to Manager and Report to Managers’ email address relating to workers accepted for a position with Ford Motor Company (FMC) may be transferred outside of the EEA at the request of FMC (acting as controller). Acting as data processor, we consider this transfer outside of the EEA to be permitted in accordance with Article 49.
How do we safeguard your personal data?
We care about protecting your information. That's why we put in place appropriate measures that are designed to prevent unauthorised access to, and misuse of, your personal data.
How long do we keep your personal data for?
As a data processor, we abide by our data controller’s requirements on all data retention policies and facilitate these requirements unless we believe in good faith that the law or other regulation requires us to preserve it (for example, because of our obligations to tax authorities or in connection with any anticipated litigation).
The exception to this is as follows:
e-tips® and b2bBuyer® logins: As we are the data controller, and in order to preserve the security of the e-tips® system, we delete user logins annually if a login has not taken place in six months.
Agencies who may be interested in joining our panel: We keep your details unless you request that we remove them, due to the nature of contract wins occurring over a number of years based in the areas in which you can supply.
Information gathered during any Audit Process that may take place: We consider all documents sent by agencies to the Audit team in reference to a specific audit to be relevant, and they should be accessible until the next audit is due, in line with contractual requirements. In standard cases, this is 12 months, with the exception of the following clients who have different specified audit frequencies. In these cases documents are kept for their audit cycle, for example 6 months.
All emails containing information which falls into the above categories will be assigned a deletion policy in line with the timescales listed above, and an audit will be carried out every 6 months to ensure all relevant emails have been deleted.
For audits which take place on site, documentation is merely reviewed then and there.
How can you access, amend or take back the personal data that you have given to us?
Even if we already hold your personal data, you still have various rights in relation to it and you can contact GDPR2018@depoel.co.uk in order to raise these rights. We will seek to deal with your request without undue delay, and in any event in accordance with the requirements of any applicable laws. Please note that we may keep a record of your communications to help us resolve any issues which you raise. We may also need to refer you to a data controller to help assess your rights (for example if you are a candidate that works through a recruitment agency panel for a client hiring organisation, as depending on the circumstances it is your recruitment agency panel or the client hiring organisation that will be the data controller who is best placed to assess your rights).
- Subject Access Request: If you are interested to find out what data we hold on you and/or wish to request that we modify, update or delete this information, please contact the team at GDPR2018@depoel.co.uk at any point and we will be happy to advise.
Please note that in order to comply with your request, we may ask you to verify your identity, or ask for more information about your request and we may decline your request, where we are legally permitted to do so, but we will explain why if we do so.
- Right to object: If we are using your data because we deem it necessary for our legitimate interests to do so, and you do not agree, you have the right to object. We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases). Generally, we will only disagree with you if certain limited conditions apply.
- Right to withdraw consent: Where we have obtained your consent to process your personal data for certain activities (for example, for having an e-tips® login) you may withdraw your consent at any time.
- Right to erasure: In certain situations, you have the right to request us to "erase" your personal data. We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases and we may, should a worker contact us directly, need to refer this request to the appropriate data controller to assess – for example the client hiring organisation or the recruitment agency panel) and will only disagree with you if certain limited conditions apply (these will typically be around competing legislation for example health and safety or HMRC requirements). If we do agree to your request, we will delete your data but will generally assume that you would prefer us to keep a note of your name on our register of individuals who would prefer not to be contacted. That way, we will minimise the chances of you being contacted in the future where your data are collected in unconnected circumstances. If you would prefer us not to do this, you are free to say so.
- Right of data portability: If you wish, you have the right to transfer your data from us to another data controller. We will help with this – either by directly transferring your data for you, or by providing you with a copy in a commonly used machine-readable format.
- Right to lodge a complaint with a supervisory authority: You also have the right to lodge a complaint with your local supervisory authority. This is:
Information Commissioner's Office
Telephone: 0303 123 1113 or 01625 545745