Our preparation includes: –
Information Audit – carrying out a company-wide information audit to identify and assess what personal information we hold, where it comes from, how and why it is processed and if and to whom it is disclosed.
Policies & Procedures – implementing new data protection policies and procedures to meet the requirements and standards of the GDPR and any relevant data protection laws, including: –
Data Protection – our main policy and procedure document for data protection has been overhauled to meet the standards and requirements of the GDPR. Accountability and governance measures are in place to ensure that we understand and adequately disseminate and evidence our obligations and responsibilities, with a dedicated focus on privacy by design and the rights of individuals.
Data Retention & Erasure – Our retention policy and schedule ensure that we meet the ‘data minimisation’ and ‘storage limitation’ principles and that personal information is stored, archived and destroyed compliantly and ethically. We have dedicated erasure procedures in place to meet the new ‘Right to Erasure’ obligation and are aware of when this and other data subjects’ rights apply, along with any exemptions, response timeframes and notification responsibilities.
Data Breaches – our breach procedures ensure that we have safeguards and measures in place to identify, assess, investigate and report any personal data breach at the earliest possible time. Our procedures are robust and have been disseminated to all employees, making them aware of the reporting lines and steps to follow.
International Data Transfers & Third-Party Disclosures – where LeviCare Limited stores or transfers personal information outside the EU, we have robust procedures and safeguarding measures in place to secure, encrypt and maintain the integrity of the data. Our procedures include a continual review of the countries with sufficient adequacy decisions, as well as provisions for binding corporate rules, standard data protection clauses or approved codes of conduct for those countries without. We carry out strict due diligence checks with all recipients of personal data to assess and verify that they have appropriate safeguards in place to protect the information, ensure enforceable data subject rights and have effective legal remedies for data subjects where applicable.
Subject Access Request (SAR) – Our SAR procedures accommodate the revised 30-day timeframe for providing the requested information and for making this provision free of charge. Our new procedures detail how to verify the data subject, what steps to take for processing an access request, what exemptions apply and a suite of response templates to ensure that communications with data subjects are compliant, consistent and adequate.
Legal Basis for Processing – All processing activities to identify the legal basis for processing and ensuring that each basis is appropriate for the activity it relates to. Where applicable, we also maintain records of our processing activities, ensuring that our obligations under Article 30 of the GDPR and Schedule 1 of the Data Protection Bill are met.
Privacy Notice/Policy – Our Privacy Notice complies with the GDPR, ensuring that all individuals whose personal information we process have been informed of why we need it, how it is used, what their rights are, who the information is disclosed to and what safeguarding measures are in place to protect their information.
Obtaining Consent – Our consent mechanisms for obtaining personal data ensure that individuals understand what they are providing, why and how we use it, and give clear, defined ways to consent to us processing their information. We have developed stringent processes for recording consent, making sure that we can evidence an affirmative opt-in, along with time and date records, and an easy to see and access way to withdraw consent at any time.
Direct Marketing – we have revised the wording and processes for direct marketing, including clear opt-in mechanisms for marketing subscriptions; a clear notice and method for opting out and providing unsubscribe features on all subsequent marketing materials.
Data Protection Impact Assessments (DPIA) – where we process personal information that is considered high risk, involves large scale processing or includes special category/criminal conviction data, we have developed stringent procedures and assessment templates for carrying out impact assessments that comply fully with the GDPR’s Article 35 requirements. We have implemented documentation processes that record each assessment, allow us to rate the risk posed by the processing activity and implement mitigating measures to reduce the risk posed to the data subject(s).
Processor Agreements – where we use any third party to process personal information on our behalf (e.g. Payroll, Recruitment, Hosting etc.), we have drafted compliant Processor Agreements and due diligence procedures for ensuring that they (as well as we) meet and understand their/our GDPR obligations. These measures include initial and ongoing reviews of the service provided, the necessity of the processing activity, the technical and organisational measures in place and compliance with the GDPR.
Special Categories Data – where we obtain and process any special category information, we do so in complete compliance with the Article 9 requirements and have high-level encryptions and protections on all such data. Special category data is only processed where necessary and is only processed where we have first identified the appropriate Article 9(2) basis or the Data Protection Bill Schedule 1 condition. Where we rely on consent for processing, this is explicit and is verified by a signature, with the right to modify or remove consent being clearly signposted.
Data Subject Rights
In addition to the policies and procedures mentioned above that ensure individuals can enforce their data protection rights, we provide easy to access information via [our website, in the office, during induction etc] of an individual’s right to access any personal information that Levicare Limited processes about them and to request information about: –
The right to have incomplete or inaccurate data about them corrected or completed and the process for requesting this.
The right to request erasure of personal data (where applicable) or to restrict processing in accordance with data protection laws, as well as to object to any direct marketing from us and to be informed about any automated decision-making that we use.
The right to lodge a complaint or seek judicial remedy and who to contact in such instances.
Information Security & Technical and Organisational Measures
LeviCare Limited takes the privacy and security of individuals and their personal information very seriously and takes every reasonable measure and precaution to protect and secure the personal data that we process. We have robust information security policies and procedures in place to protect personal information from unauthorised access, alteration, disclosure or destruction and have several layers of security measures, including: –
GDPR Roles and Employees
LeviCare Limited have designated Sohail Yousuf as our Data Protection Officer (DPO) and have appointed a data privacy team to develop and implement our roadmap for complying with the new data protection Regulation. The team are responsible for promoting awareness of the GDPR across the organisation, assessing our GDPR readiness, identifying any gap areas and implementing the new policies, procedures and measures.
LeviCare Limited understands that continuous employee awareness and understanding is vital to the continued compliance of the GDPR and have involved our employees in our preparation plans. We have implemented an employee training program specific to the which will be provided to all employees prior to May 25th, 2018, and forms part of our induction and annual training program.
If you have any questions about our preparation for the GDPR, please contact Mr. Sohail Yousuf firstname.lastname@example.org
What is the purpose of this section?
LeviCare Limited is a “data controller”. This means that we are responsible for deciding how we hold and use personal information about you. You are being sent a copy of this privacy notice because you are applying for work with us (whether as an employee, worker or contractor). It makes you aware of how and why your personal data will be used, namely for the purposes of the recruitment exercise, and how long it will usually be retained for. It provides you with certain information that must be provided under the General Data Protection Regulation ((EU) 2016/679) (GDPR).
Data protection principles
We will comply with data protection law and principles, which means that your data will be:
Used lawfully, fairly and in a transparent way.
Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
Relevant to the purposes we have told you about and limited only to those purposes.
Accurate and kept up to date.
Kept only as long as necessary for the purposes we have told you about.
The kind of information we hold about you
In connection with your application for work with us, we will collect, store, and use the following categories of personal information about you:
The information you have provided to us in your curriculum vitae and covering letter.
The information you have provided on our application/registration form, including name, title, address, telephone number, personal email address, date of birth, gender, employment history, qualifications.
Any information you provide to us during an interview and/or training/shadowing day.
Test results, where applicable.
We may also collect, store and use the following “special categories” of more sensitive personal information:
Information about your race or ethnicity, religious beliefs, sexual orientation and political opinions.
Information about your health, including any medical condition, health and sickness records.
Information about criminal convictions and offences.
How is your personal information collected?
We collect personal information about candidates from the following sources:
You, the candidate.
Recruitment agencies, from which we collect the following categories of data: References, Training Verification.
Trust I.D & Home Office - background check provider, from which we collect the following categories of data: Passports and Right to Work Compliance.
Disclosure and Barring Service in respect of criminal convictions.
Your named referees, from whom we collect the following categories of data: Employment Dates, Clinical Skills, Band Level.
The following data from third parties is from a publicly accessible source – CV, Contact Details, Employment History, Qualifications, Skills.
How we will use information about you
We will use the personal information we collect about you to:
Assess your skills, qualifications, and suitability for the work OR role.
Carry out background and reference checks, where applicable.
Communicate with you about the recruitment process.
Keep records related to our hiring processes.
Comply with legal or regulatory requirements.
It is in our legitimate interests to decide whether to appoint you to role / work since it would be beneficial to our business to appoint someone to that role/ work.
We also need to process your personal information to decide whether to enter into a contract of employment or “Agreement For Work finding Services” with you.
Having received your CV and covering letter OR your application/ registration form and the results from the test which you took (if applicable), we will then process that information to decide whether you meet the basic requirements to be shortlisted for the role. If you do, we will decide whether your application is strong enough to invite you for an interview. If we decide to call you for an interview, we will use the information you provide to us at the interview to decide whether to offer you the role OR work. If we decide to offer you the role OR work, we will then take up references AND/OR carry out a criminal record AND/OR carry out ANY OTHER checks before confirming your appointment.
If you fail to provide personal information
If you fail to provide information when requested, which is necessary for us to consider your application (such as evidence of qualifications or work history), we will not be able to process your application successfully. For example, if we require a credit check or references for this role and you fail to provide us with relevant details, we will not be able to take your application further.
How we use particularly sensitive personal information
We will use your particularly sensitive personal information in the following ways:
We will use information about your disability status to consider whether we need to provide appropriate adjustments during the recruitment process, for example whether adjustments need to be made during a test or interview.
We will use information about your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sexual life or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting.
Information about criminal convictions
We envisage that we will process information about criminal convictions.
We will collect information about your criminal convictions history if we would like to offer you the work/ role (conditional on checks and any other conditions, such as references, being satisfactory). We may be required to carry out a criminal record check in order to satisfy ourselves that there is nothing in your criminal convictions history which makes you unsuitable for the role. In particular:
Where we are legally required by a supplier Framework Agreement, we will carry out criminal record checks for those carrying out the role / work.
If the role is one which is listed on the Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975 (SI 1975/1023) or specified in the Police Act 1997 (Criminal Records) Regulations (SI 2002/233), it is eligible for a standard OR enhanced check from the Disclosure and Barring Service.
If the role requires a high degree of trust and integrity, we would like to ask you to seek a basic disclosure of your criminal records history.
We have in place an appropriate policy document and safeguards which we are required by law to maintain when processing such data.
You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making.
Why might you share my personal information with third parties?
We will only share your personal information with the following third parties for the purposes of processing your application: Internal Database, I.T Providers. All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need-to-know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. Details of these measures may be obtained from Sohail Yousuf.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
How long will you use my information for?
We will retain your personal information for a period of 10 years after we have communicated to you our decision about whether to appoint you to role OR work. We retain your personal information for that period so that we can show, in the event of a legal claim, that we have not discriminated against candidates on prohibited grounds and that we have conducted the recruitment exercise in a fair and transparent way. After this period, we will securely destroy your personal information in accordance with our data retention policy.
Rights of access, correction, erasure, and restriction
Your rights in connection with personal information
Under certain circumstances, by law you have the right to:
Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
Request the transfer of your personal information to another party.
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact the Compliance Manager in writing.
Right to withdraw consent
When you applied for this role, you provided consent to us processing your personal information for the purposes of the recruitment exercise. You have the right to withdraw your consent for processing for that purpose at any time. To withdraw your consent, please contact our privacy team on email@example.com. Once we have received notification that you have withdrawn your consent, we will no longer process your application and, subject to our retention policy, we will dispose of your personal data securely.
Data protection officer
We have appointed a data privacy manager to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your personal information, please contact Sohail Yousuf. You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.
Head Office: Cinnamon House, Cinnamon Park, Crab Lane, Warrington Cheshire WA2 0XP
Registered Office: Brulimar House, Jubilee Road, Middleton, Manchester M24 2LX
Levicare Limited Principles on Personal Data
Our principles of data protection
Our approach to data protection is built around four key principles. They’re at the heart of everything we do relating to personal data.
Transparency: We process personal data in an open, honest and transparent way.
Enablement: We use data to enable connections between individuals and employers, finding the right role for the right person.
Security: We ensure security through good organisational practice as well as technical measures. This is at the heart of what we do.
Accountability: We promote the practice of good governance, and responsibility that comes with processing personal data.
You can find out more information about the ‘GDPR’ here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
This Privacy Notice is intended to set out your rights and answer any queries you may have about your personal data. If you need more information, please contact: firstname.lastname@example.org
Who We Are?
Levicare Limited is a specialist healthcare recruitment company based at Cinnamon House Warrington WA2 0XP. Where we act as a Data Controller, we are responsible for determining what personal data is processed and for what purpose. You have rights about how we process your data which are listed in the section “Your Privacy Rights” below. You can always contact us at email@example.com
What information do we collect?
From the moment you contact us, whether it be via email, telephone, visiting our website, or some other means, we start collecting information about you. In some cases this is done when you provide information to us directly, but at other times it may be collected automatically.
When visiting our website
Data Types we Collect
We may place session cookies for our own use and management and to allow the website to function as expected. Our webservers themselves may log IP addresses as part of their normal function.
How and why we use the data
Our own cookies are sometimes used to enable functionality on the website, and if you disable these the website may not perform as expected, or you might have limited access to areas or features.
Third Parties who have access to this information
Cookies we use ourselves to enable functionality on the site, often referred to as ‘first party cookies’, are never shared with third parties.
IP addresses on webserver logs are never shared with third parties unless in response to an incident or if requested through a valid legal request.
The lawful basis for holding this information
IP addresses may be retained in other logs from our webserver. These are not shared with any third parties and held under the lawful basis of Legitimate Interest. This is because we have a legitimate interest to ensure potential cyber-attacks against our website are logged. The data is retained for 1 month unless an incident occurs in which case we may assess a longer retention period.
When registering or logging into our website
You can register on our website to share and receive information with us. When you register on the website, you may supply additional information in accordance with the conditions on the registration page.
Data Types we collect
We may hold the following additional information categories:
Data that can identify you
Cookies with your user ID
How and why we use the data
We hold the information you send us in order to assess job opportunities for you, and to allow you to log in securely to our website.
Third Parties who have access to this information
We will not share your information with third parties without contacting you first and asking for your written consent.
The lawful basis for holding this information
To create an account or login to our website, we must set some ‘first party session’ cookies which could be used to identify you. These are exempt from requiring consent and are just used to enable the functionality of the website.
If you upload additional personal information such as your CV, then you may reasonably expect TFS Healthcare to evaluate your skills and employment record to find suitable positions for your consideration. This personal data is therefore processed on the basis of a contract regardless of whether a position is found. We retain the information you provide for a period of 4 years after your last job placement with us. If you wish us to remove your information, please read the section below under ‘Your Privacy Rights’.
When You ‘Refer a Friend’
If you recommend a friend, we will contact that person to gain their consent to hold and process their information, and we use your name as a reference in the introduction. If the person refuses consent, their details will be deleted from our systems.
Data Types we collect
The information we request from you may include:
Your name and contact details
Your friend’s name and contact details
Your friend’s employment information
Your friend’s location
How and why we use the data
We hold this information to contact the friend you have referred to us and gain their consent to continue to hold their data. If we cannot contact your friend within 1 month, or if they refuse to give consent, then we delete their data.
Third Parties who have access to this information
At the stage where we are gathering consent from your friend, we do not share this information with any third parties.
The lawful basis for holding this information
The legal basis for processing this information is Legitimate Interest when it is provided to us, and then Consent if your friend agrees to us processing their data.
Your Privacy Rights
You have rights over how we store and process your data.
You can choose not to provide us with personal data
If you choose not to provide us with personal data, you can use our website, but we cannot create an account for you, or interact with you online, including about potential jobs.
You can manage your browser cookies
Levicare Limited does not use third party cookies, with the exception of Google Analytics, nor cross-domain cookies that track you when you visit different websites. The cookies on our site are non-persistent session cookies (e.g. keeping you logged in during your visit to our website).
You can request that we don’t use your data for marketing to you
We may also contact you with surveys or to invite you to events. If we intend to share your information with third parties, we’ll let you know. You can opt-out from marketing by sending us an email at firstname.lastname@example.org
You have the right to access the information we hold on you
If you wish to know what information we hold on you, please email us at email@example.com and within one month we will send you information we may hold on you, for example:
The categories of data
The reason or purpose we are using your data
How long we plan to hold your data for
The categories of any third parties we may disclose your data to
Your rights on our use of your data
In some cases, there may be a conflict whereby providing your data infringes the rights and freedoms of another party, or an outstanding legal matter, which means that some of the data cannot be shared with you. In that case, we will tell you that we can’t meet your request for this reason.
You have the right to object to, or restrict the processing of your data
If you don’t want us to delete your data, but you wish for processing of some or all of it to be stopped, then you can request us to restrict the processing.
Data Portability applies when you have provided information in electronic means that is automatically processed. The functionality of our website does not include such systems.
You have the right to have all your data erased
You have the right to request that we erase all the information we have about you. Contact firstname.lastname@example.org to find out how we can do this for you. There are sometimes limitations, for example during a legal dispute where TFS may be required to retain information, or where the information is still necessary in the performance of a contract that TFS has.
You can complain
You have a right to complain about the way we process your data to the ICO, which is the UK’s Supervisory Authority. If you have a complaint, we’d like to ask if you would contact us first to see if we can resolve your concern. Otherwise, the ICO has a helpline https://ico.org.uk/global/contact-us/helpline/
We do not transfer data outside the EU
The data you provide to us on this website does not get transferred outside of the EU.
The Levicare Limited website uses encrypted communications across the entire site. Password credentials are required for secure areas, and data stored on our servers are in a physically secure data centre, backed up, and encrypted.
All systems will have some weakness that a dedicated and skilled hacker can exploit, but we review our security measures regularly and ensure that identified risks are dealt with promptly.
Levicare is a Limited Company registered in England and Wales; registration number 11591420 – registered office address Brulimar House Jubilee Road Middleton Manchester M24 2LX.