Guidance

Privacy notice for job applicants applying for a role at the Department for Business and Trade (DBT)

Published 20 July 2020

Purpose of this privacy notice

DBT is committed to protecting the privacy and security of your information. This privacy notice describes how we collect and use personal information about you in accordance with the UK Data Protection legislation, including the Data Protection Act 2018 and The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (UK GDPR).

DBT is a ‘controller’. This means that we are responsible for deciding how we hold and use personal information about you.

This notice explains what personal data (information) we will hold about you, how we collect it, and how we will use and may share information about you during the application process. We are required to notify you of this information, under data protection legislation. Ensure that you read this privacy notice and any other similar notice we may provide to you from time to time when we collect or process personal information about you.

Scope of this privacy notice

If you are applying:

• for a role as Permanent Secretary (Band 4) at the DBT your recruiter and controller of your information is the Cabinet Office, refer to the Civil Service HR privacy notice
• for a senior Civil Service role at band levels 3 (Director General), or 2 (Director), or 1 (Deputy Director) working for DBT, then DBT is the recruiter and controller of your information, refer to this privacy notice
• for a Civil Service role at Band 6 or lower in all business areas except for Digital, Data and Techonology (DDaT), DBT is the controller of your information jointly with the Cabinet Office. The Government Recruitment Service (GRS) manage the recruitment on our behalf. Read the overview of GRS privacy notice
• for a Civil Service role at Band 6 or lower in DDaT, then DBT is the recruiter and controller of your information, refer to this privacy notice
• for a contractor, consultant, temporary role with us via a third-party recruitment agency, DBT is the controller of your information jointly with the third-party agency who are recruiting you to work with us. Refer to the privacy notice issued by the third-party recruitment agency you are recruited directly by to work on DBT business
• for a non-Civil Service role overseas (as a ‘locally engaged’ staff member who work on DBT business), the Foreign & Commonwealth Office (FCO) is your recruiter and the controller of your information. Refer to the FCO’s privacy notice

What data we collect about you

In connection with your application for work with us, we will process (collect, store, and use) the following categories of personal information about you.

When you create an account we collect:

• your name
• your email address
• your employer (existing civil servants only)
• your line manager’s email address (optional - for existing civil servants only to verify their employment)
• staff number (existing civil servants only)

For existing civil servants who are priority movers we may process:

• full contact details, including address
• employer, role, grade and location
• employment history
• diversity and inclusion information

When you view a job advert, we may automatically collect:

• your referral source - the website where you saw the job advert
• details of the pages you have viewed - including how long you spend on a page, and which links you select
• information about your computer - such as the web browser used and device type
• your approximate geographic location based on your IP address

When you make an application, we may ask for:

• full contact details, including address, and mobile phone number
• eligibility - nationality and immigration status
• employment history
• qualifications, licences, and professional memberships
• diversity and inclusion information
• CV and personal statement
• Disability Confident Scheme and reasonable adjustment requirements
• National Insurance number

When you are invited to an interview, we may ask you to provide:

• evidence of your identity and right to work in the UK - such as your passport, utility bills or other documentation
• a completed non-taxable travel and expenses form for an HR supported costs interview scheme if offered by a participating organisation. This will require bank details, travel details and a copy of any receipts related to interview travel, to allow verification and reimbursement of appropriate travel costs

When you undergo pre-employment checks we may ask for:

• contact details for your referees
• National Insurance number
• date of birth
• public sector pension history
• health declaration
• evidence of time spent outside of the UK
• details of any self-employment
• evidence of current Disclosure and Barring Service (DBS) certificate
• bankruptcy details
• addresses for the last 10 years
• passport details
• driving licence details
• previous names you have been known by
• workplace discipline information
• criminal history

If you are already working for the Civil Service and moving from another government department, we may also ask for:

• 2 most recent consecutive payslips
• current National Security Vetting clearance
• current employee number

In order to help test the effectiveness and fairness of new questions for our online tests, you may be presented with a few trial questions as part of your online test and/or you may be contacted to complete a separate trial test.

The list above only applies for applications made through the Civil Service jobs system. Some advertisers may use their own application systems, when their privacy notice will apply.

When you contact us with feedback or an enquiry we will process:

• your email address
• details of your request

How is your personal information collected

Information that you give us

You give us information about yourself, your work experience and other relevant experience, your education, your qualifications, your circumstances and your references:

• during the talent acquisition process
• by completing application forms and any background check forms
• by filling in our surveys or submitting requests via our digital platforms
• by signing on and using our digital platforms and tools
• by communicating with us via email, letter, phones and smartphones
• by entering our buildings and passing through our security and CCTV monitoring systems

Further, we may collect information about your health in order to make reasonable adjustments to the talent acquisition process for you.

Information that we collect about you

We may collect information about you from our internal government sources and publicly available sources, for example:

• from other government departments (for example if you have previously worked for the government)
• from the DBS
• from Companies House, if you have been a director of limited companies
• from the Financial Conduct Authority, such as if you have previously covered an approved role
• from Cifas
• from regulatory bodies (if you are a member of a regulated profession)

We may also collect data about you available via the internet, for example:

• through a Google search
• news and social media reports
• entries in online directories

Information that you ask us to collect from third parties

If you specifically ask us to collect information from a third party, we will do so in accordance with your request, which we may ask you to put in writing.

Information that we obtain from our digital platforms

If you use our websites as part of the talent acquisition process, we may process the information that you share with us. For example, if you are applying for a role in Digital, Data and Technology (DDaT) at Band 6 or lower, we may collate information about you using a platform hosted by an external agency, JobVite. Refer to JobVite privacy policy for details.

We may be using this system and workflow for contractor recruitment through third party agencies. For more details on how third party agencies protect your data, refer to the third party agent’s privacy notice.

Information we obtain from call recordings

We may monitor and/or record calls for the purposes of training, improving our quality and service standards and resolving issues with customers, clients or colleagues.

For details of when we may share call recordings with third parties, see the section ‘How we may share your information’.

Information we obtain from CCTV images and building access

We operate CCTV at all our premises. While you are on-site at any of our offices, you may be recorded by our CCTV system.

For details of when we may share CCTV images with third parties, see the section ‘How we may share your information’.

We also collect information about which areas of our premises you visit through our building access systems. We may combine the information that you give us with the information we collect about you from any of the sources listed.

Why we need your data and how we use it

We will typically collect and use this information:

• to manage the recruitment process for DBT for band levels 3, 2, and 1. This includes a job board, online application service, sift tests, interview scheduling, and pre-employment checking service
• to assess your suitability for a role
• to enable the creation of user accounts
• to provide SMS updates on the recruitment process
• for civil servant candidate accounts, to allow users to view and apply for internal and across-government vacancies
• to offer a job alert email service
• to offer a priority mover service to help civil servants find new roles when they are at risk of redundancy
• to provide technical support to candidates and recruiters
• to send your contract of employment to your email address, if the employing department chooses this as an option
• to monitor the effectiveness of recruitment processes - this could include statistical analysis of system usage, or research into the experience of applicants and other system users, or analysing referral sources to see which provide the most diverse applicants
• to undertake pre-employment checking and onboarding activity before you start in a role in the Civil Service (including health, pension questionnaire, character declaration)
• to complete a ‘fit-for-work’ disclaimer regarding the coronavirus (COVID-19) pandemic
• to comply with the Baseline Personnel Security Standard (BPSS) and other National Security Vetting requirements

We seek to ensure that our information collection and processing is always proportionate. We will notify you of any changes to the information we collect or to the purposes for which we collect and process it.

Legal basis of processing

The legal basis for processing your personal data is:

• contractual: it is necessary for the performance of a contract to which you are a party - an employment contract. This relates to information that we need to recruit and employ you
• contractual: it is necessary to take steps at your request prior to entering into a contract for employment. This relates to information that we collect as part of the application and selection process
• legal obligation: it is necessary to comply with a legal obligation placed on us as the data controller - we are required to report on equality of opportunity; and onboarding processes have specific requirements

• public task: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. In this case, Civil Service Jobs facilitates recruitment of high-quality candidates to roles across government departments, agencies and other public bodies. It provides recruitment tools and processes that support Civil Service recruitment strategy, and we also monitor the effectiveness of recruitment processes

• consent: if we rely on your consent to process your personal information for the purposes of recruitment, you have the right to withdraw your consent for processing for that purpose at any time by contacting the DPO at data.protection@trade.gov.uk
• legitimate interests: where our processing of your information is based solely on our legitimate interests (or those of a third party), you have the right to object to that processing if you give us specific reasons why you are objecting, which are based on your particular situation

If you object, we can no longer process your information unless we can demonstrate legitimate grounds for the processing, which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.

Refer to the section on ‘Your rights’ for more information on how to exercise your right to object or contact our DPO at data.protection@trade.gov.uk.

Special category personal data

Special category personal data is data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership.

It also includes the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

The legal basis for processing your special category personal data is:

• it is necessary for reasons of substantial public interest:
  • for the exercise of a function of the Crown, a minister of the Crown, or a government department
  • for the exercise of a function conferred on a person by an enactment
  • for the exercise of a function of either House of Parliament
  • for the administration of justice
  • and an appropriate policy document is in place
• it is necessary for:
  • the purposes of performing or exercising our obligations or rights as the controller
  • your obligations or rights as the data subject, under employment law, social security law or the law relating to social protection
  • our requirement under the Equality Act 2010 to make appropriate reasonable adjustments for candidates with a disability
• it is necessary for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment. Diversity and inclusion data is used anonymously: ethnicity, religion, community background (Northern Ireland vacancies only), and sexual orientation
• it is necessary for archiving purposes, scientific or historical research purposes or statistical purposes, and it is in the public interest. Analysis of applications and recruitment outcomes (including online tests), impact on protected groups, timescales for recruitment, and other research may be carried out
• you have given us your explicit consent

You have the right to withdraw your consent at any time. To withdraw your consent, contact the DPO at data.protection@trade.gov.uk. Once we have received notification that you have withdrawn your consent, we will no longer process your application.

The processing by us of personal data relating to criminal convictions and offences or related security measures is not carried out under official authority, but is authorised because it meets the following condition:

• it is necessary for reasons of substantial public interest. This is ensuring that individuals with access to official information and assets will meet the required standards of propriety

For further details on how we handle special category personal data and information relating to criminal convictions and offences contact our data.protection@trade.gov.uk

How we may share your information

We will only share your personal information with third parties for the purposes of processing your application. All our third party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies.

We do not allow our third party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

Your personal data that will be shared by us:

Account data:

• our technical supplier and their approved staff
• our technical supplier’s hosting provider
• profiles may be shared with departments who have vacancies available for priority movers

Once you have made an application, your information may be shared with:

• approved internal DBT staff members managing vacancies (including recruiters and interview panel members)
• our third party processor JobVite (only for DDaT roles at Band 6 or lower)
• Government Recruitment Service (GRS - managing the Civil Service recruitment system and onboarding)
• the third party recruitment agency involved in the application process, if applicable
• the recruiting departments or profession
• our technical supplier and their hosting provider
• Capita
• Government Recruitment Information Database (GRID)
• customer relationship management system
• email survey tools
• providers of individual leadership assessments, psychometric tests and staff engagement exercises
• Civil Service Commission, Advisory Committee on Business Appointments, Office of the Commissioner for Public Appointments - to ensure that recruitment processes are correctly followed
• the GOV.UK notify service for sending email and text messages

If you meet the required standard but the recruiting department is unable to offer you the job, you may be given the option of being added to a reserve list. Reserve lists may be shared with other Civil Service departments who are recruiting for similar roles.

If you undergo pre-employment checks prior to appointment, your data may be shared with:

• Government Recruitment Service
• customer relationship management system
• Capita
• Capita Security Watchdog
• DBS
• AccessNI criminal record checks
• Disclosure Scotland criminal record checks
• occupational health providers
• APS Group Translation Services
• Civil Service Pensions
• the recruiting department
• the recruiting department’s shared service provider (if a third party supplier is used)
• the UK Security Vetting team, as well as the Security Cluster department for the relevant employer (which will be either HMRC, DWP, Home Office, MoD, or the FCO)

If you request support with your application or for a technical issue:

• approved staff from Cabinet Office
• approved staff from our technical supplier
• customer relationship management system
• project management tools
• technical suppliers of online tests

As your personal data will be stored on our IT infrastructure it will also be shared with our data processors who provide email and document management and storage services to us.

When AccessNI is used

As an organisation using AccessNI to help assess the suitability of applicants for positions of trust, the Government Recruitment Service complies fully with AccessNI’s Service Level Agreement regarding the correct handling, use, storage retention and disposal of disclosure Applications and disclosure information.

We also comply fully with obligations under the Data Protection Act 2018 and other relevant legislative requirements with regards to the safe handling, storage, retention and disposal of disclosure information.

As we no longer receive a copy certificate from AccessNI, written consent will be obtained from the applicant when requesting and retaining a copy of a disclosure certificate. Disclosure information is kept securely, in lockable, non-portable, storage containers with access strictly controlled and limited to those who are entitled to see it as part of their duties.

In accordance with section 124 of the Police Act 1997, disclosure information is only passed to those who are authorised to receive it in the course of their duties. We maintain a record of all those to whom disclosures or disclosure information has been revealed. We recognise it is a criminal offence to pass this information to anyone who is not entitled to receive it.

Disclosure information is only used for the specific purpose for which it was requested and for which the applicant’s full consent has been given.

Once a recruitment (or other relevant appointment, regulatory or licensing) decision has been taken, we do not keep disclosure information for any longer than is necessary. We comply with AccessNI’s Service Level Agreement to return the original disclosure certificate to the applicant once a decision, recruitment or otherwise has been made and will be retained no longer than the agreed period.

Once the retention period has elapsed, we will ensure that any disclosure information is immediately destroyed by secure means. While awaiting destruction, disclosure information will not be kept in any unsecured receptacle. We will not keep any photocopy or other image of the disclosure or any copy or representation of the contents of a disclosure or any other relevant non-conviction information supplied by police.

However, despite the above, we may keep a record of the date of issue of a disclosure, the name of the subject, the type of disclosure requested, the position for which the disclosure was requested, the AccessNI unique reference number of the disclosure certificate and the details of the recruitment decision.

How long we keep your data

Your personal data will be kept by us for the following duration:

Application records and associated files (including CVs, letters, emails, comment and feedback) will be deleted 2 years after the vacancy is archived. A vacancy becomes archived when there are no active applications and either:

• the vacancy is manually archived by a recruiter; or
• the vacancy is automatically archived 1 year after the advertised closing date

Candidate accounts - you can, at any time, choose to close your account. This will:

• remove your ability to login to the account
• withdraw any active applications
• delete partially-completed applications which haven’t been submitted
• disable the automatic sending of job alerts

Closed accounts are deleted and cannot be restored, however previously submitted applications will be retained until deletion for the period described above.

Candidate accounts that are active will remain in the system unless the candidate deletes them (or makes a request for deletion). An account will become inactive if the user has not logged in for 2 years.

Vacancy manager accounts

ATS account holders are required to periodically reconfirm that they still require access, otherwise the account will become inactive.

Inactive accounts will be deleted 3 years after the last time the user logged in. Active accounts will remain in the system.

To view a copy of our retention and disposal policy, contact our DPO at data.protection@trade.gov.uk.

Automated decision making

Your personal data will be subject to automated decision making when online psychometric tests are used. Some vacancies use online psychometric tests in the early stages of recruitment. 3 tests are commonly used:

• verbal reasoning
• numerical reasoning
• Civil Service Judgement test

Decisions are made on who to invite to later stages based on automated scoring and sifting processes. In addition, test scores and other applicant data are regularly captured for statistical and research analysis purposes.

Your score is calculated from the responses you give during the test, and no other information about you is used. We compare your score to those gained by a peer group who previously took the test, to give you a percentile.

The vacancy will have a minimum percentile requirement, and if your score is lower than this, you will be rejected and your application will not be considered further.

Your rights

Your rights in connection with personal information

You have the right to request information about how your personal data is processed, and to request a copy of that personal data.

You have the right to request a copy of any personal data you have provided, and for this to be provided in a structured, commonly used and machine-readable format:

• your personal data is available to view in your application centre at any time
• you can request a copy of your personal data, in machine-readable format, by emailing the Data Protection team (details in ‘Contacting us’ section) - this request may take up to four weeks to process

You have the right to request that any inaccuracies in your personal data are rectified without delay:

• you can edit your contact details in your application centre at any time
• you can also edit contact details on submitted applications
• to request corrections to an application you have submitted, email the contact listed on the advert for that vacancy - however only minor updates are usually considered

You have the right to request that any incomplete personal data are completed, including by means of a supplementary statement:

• you can add additional contact details via your application centre at any time
• in most cases, you will be unable to submit an application if mandatory information is missing
• check your application carefully before submitting it, as your application will be assessed on the information you provide at that point

You have the right to request that your personal data is erased if there is no longer a justification for it to be processed:

• you can close your account at any time, from your Application Centre - this will:
• withdraw any submitted applications
• delete any unsubmitted applications
• stop job alerts being sent to you
• delete your account data and remove your ability to log into your account again

Any applications you have made in the past will be kept for audit purposes under our data retention policy

You have the right in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted:

• if your data is restricted from processing, you cannot be considered for a job
• if your request relates to an application, email the contact listed on the job advert
• if your request relates to your account, contact the Data Protection team.

You have the right to object to the processing of your personal data where it is processed for direct marketing purposes:

• your data is not processed for direct marketing purposes

You have the right to object to the processing of your personal data:

• you can object to processing, although you will then be unable to be considered for a job

You have the right, in relation to automatic decision making (including profiling), to obtain human intervention in the outcome, to express your point of view, and to contest the decision reached by automatic profiling.

• you can email the contact listed on the advert for the job you have applied for

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, contact the DPO in writing at data.protection@trade.gov.uk. For full contact details, refer to section ‘Contacting us’.

We will always do our best to respond to your request within one month of receiving it and any additional information we need to confirm your identity and understand your request.

However, sometimes we may need some more time to deal with your request, particularly if it is complicated. Where this happens, we will write to you within one month and let you know why we need some more time and when we will provide you with our response.

If we are unable to carry out your request, we will send you a response explaining why.

How we protect your data and keep it secure

As your personal data is stored on Civil Service IT infrastructure, and shared with their data processors who provide email, and document management and storage services, it may be transferred and stored securely outside the European Economic Area. Where that is the case it will be subject to equivalent legal protection.

We have appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so. This will be done in line with our data protection policy. For a copy, write to our DPO at data.protection@trade.gov.uk (for full contact details, refer to section ‘Contacting us’).

Accessibility

If you require a paper copy of this privacy notice, or a large print copy, or to hear it in audio version, contact the Data Protection Officer at:

Data Protection Officer

Department for Business and Trade
Old Admiralty Building
Admiralty Place
London
SW1A 2DY

Email data.protection@businessandtrade.gov.uk

Complaints

You have a right to complain to us if you think we have not complied with our obligation for handling your personal information. You can contact our Data Protection Officer at:

If you are not satisfied with the DBT response you have a right to complain to the Information Commissioner’s Office (ICO).

You can report a concern by visiting the ICO website. If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at:

Information Commissioner’s Office

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Email casework@ico.org.uk

Tel 0303 123 1113

Textphone 01625 545860

Monday to Friday 9am to 4:30pm

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.

Contacting us

If you have any questions about this privacy notice or how we handle your personal information, contact us:

Data Protection Officer

Department for Business and Trade
Old Admiralty Building
Admiralty Place
London
SW1A 2DY

Email data.protection@businessandtrade.gov.uk

Changes to this privacy notice

We reserve the right to update this privacy notice at any time and we will provide you with a new privacy notice if we make any substantial updates.