Guidance

Charity Commission privacy notice for prospective employees, workers and contractors

Updated 6 May 2022

We process personal data in order to carry out our function as the independent regulator of charities for England and Wales. Our objectives, functions and powers are set out in the Charities Acts 1992, 2006, 2011 and 2016.

References to ‘the Charities Acts’ in this document mean those acts.

You should be aware that if you are accepted for a role with us, your data will be processed in accordance with the privacy notice for current and former employees, workers and contractors.

This privacy notice explains how the Charity Commission processes your personal data. It also sets out some of your rights and entitlements in respect of that personal data.

Prospective employees, workers & contractors privacy notice

This privacy notice applies to prospective employees, workers and contractors. It explains how and why we, as a data controller, will use your personal data, and it also sets out some of your rights and entitlements. It is written to be as easy to read as possible and does not provide exhaustive detail of every aspect of how we collect or use your personal data.

This notice does not form part of any contract of employment or other contract to provide services. This notice can be updated at any time. If you need further information about the use of your personal data please email DPIRLiverpool@charitycommission.gov.uk.

The personal data we collect

When you apply to work with us, you will usually apply via the Civil Service Recruitment Portal. We are Joint Data Controllers with them. Read the Civil Service Recruitment Privacy Notice.

We will collect, store, and use the following personal information about you:

  • identity details such as your names, title, date of birth, gender, marital status, nationality and immigration status, copy of driving licence, passport, national insurance number
  • contact details including your addresses, telephone numbers, and personal email addresses
  • answers to any sifting or filtering questions
  • the information you have provided to us in your CV and covering letter
  • the information you have provided on our application form (education history, employment history, and qualifications)
  • any information you provide to us during an interview
  • information provided by referees
  • test answers, scores or results when we ask you to undergo testing as part of our recruitment process
  • no data such as interview notes are retained, only what is uploaded to the recruitment portal and available to you

We will also collect, store, and use the following “special categories” of more sensitive personal information:

  • race or ethnicity, religious beliefs, sexual orientation and political opinions
  • health, including a health declaration and details of any reasonable adjustments you may require
  • information about criminal convictions and offences

We will only collect information about criminal convictions or allegations of criminal behaviour where it is appropriate given the nature of the role you’re applying for and where we are legally able to do so.

We will tell you if we intend to collect, store or use information about criminal convictions or offences.

For more information on this type of data please access our HR Special Category Data policy.

How we will use your personal data

We will use the personal data we collect about you to:

  • assess your skills, qualifications, and suitability for the role
  • carry out background and reference checks, where applicable
  • communicate with you about the recruitment process
  • keep records related to our hiring processes
  • comply with legal or regulatory requirements

We will use your particularly sensitive personal information (other than criminal convictions) in the following ways:

  • your disability status will be used to consider whether we need to provide appropriate adjustments during the recruitment process, for example whether adjustments need to be made during a test or interview
  • your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sexual life or sexual orientation, will be used to ensure meaningful equal opportunity monitoring and reporting

We will use information about criminal convictions/offences in the following ways:

  • to make decisions on your suitability to work for the Commission or decide what work you can do for us
  • to carry out security and vetting checks such as DBS or UKSV

We process personal data in a variety of different ways. The table below sets out the legal bases we rely on for processing.

We may process your personal data on more than one basis depending on the purpose for which we are using your data. Please email RIGA@charitycommission.gsi.gov.uk if you need details about the specific legal basis we rely on to process your personal data.

It is rare that we rely on your consent to process your data. However, where we do, you have the right to withdraw your consent at any time. You can find out more information about exercising your rights in the Exercising your rights section below.

Legal Basis for Processing

Personal Data (Article 6(1) GDPR):

  • (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes
  • (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
  • (c) processing is necessary for compliance with a legal obligation to which the controller is subject
  • (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

Sensitive Personal Data/Criminal Conviction Data (Article 9(2) GDPR):

  • (a) the data subject has given explicit consent to the processing of those personal data
  • (b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law
  • (e) processing relates to personal data which are manifestly made public by the data subject
  • (f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity
  • (g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject
  • (h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services

If you fail to provide personal information

If you fail to provide information which is necessary for us to consider your application (such as evidence of qualifications or work history), we will not be able to process your application successfully. For example, if we require a credit check or references for this role and you fail to provide us with relevant details, we will not be able to take your application further.

Automated decision making

In some circumstances we may use psychometric testing as part of our recruitment process. However, we will not make decisions that will have a significant impact on you based solely on automated decision-making.

Data sharing

We will only share your personal information with the following third parties for the purposes of processing your application:

  • CS Jobs
  • Capita
  • a number of different and varying recruitment agencies

All our third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

Pre-employment Check - Internal Fraud Database

We will receive notification through our third-party supplier, Government Recruitment Services (GRS), if your name is on the Cabinet Office Internal Fraud database. Read the Government Recruitment Services Privacy Notice. We will not proceed with any job offer if this is the case. The only information we will receive or hold about you on the GRS system is that you have failed the pre-employment checks on this basis.

How long we retain personal information for

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Information about us

Our Data Protection Officer (DPO) is a permanent employee of the Charity Commission. Our DPO is responsible for monitoring our compliance with data protection legislation, and is the point of contact for concerns you may have over how we are processing personal data, and any incidents you wish to report to us.

The Charity Commission DPO contact details are:

Data Protection Officer
The Charity Commission
Brendon House
35-36 Upper High Street
Taunton, Somerset
TA1 3PN

Email DPO@charitycommission.gsi.gov.uk

The UK supervisory authority for data protection is the Information Commissioner’s Office (‘the ICO’). We are registered with the ICO under registration number [Z5640596].

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), and more information can be found on the ICO website.

Under certain circumstances, you have rights under data protection laws in relation to your personal data. You should be aware that these rights are subject to the restrictions set out in Part 2 of Schedule 2 to the Data Protection Act 2018.

In particular, they do not apply to personal data processed for the purposes of discharging functions conferred by or under the Charities Act 1992, 2006 or 2011 where exercising those rights would prejudice the proper discharge of that function.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

The right of access to your personal data

You have the right to receive confirmation about whether or not your personal information is being processed, and, where it is, access to the personal data and certain information, including:

  • the purposes of the processing
  • the categories of personal data concerned
  • where possible, the envisaged period the personal data will be stored, or, if not possible, the criteria used to determine that period
  • where the personal data was not collected from you, any available information as to its source
  • the existence of automated decision-making, including profiling; and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject

These rights are subject to certain exemptions and may not be available in all cases.

The right to rectify your personal data

You have the right to correct inaccurate personal data about you without undue delay. This includes the right to have incomplete personal data completed.

The right to erasure of your personal data

You may have the right to require us to erase your personal data without undue delay if:

  • the personal data is no longer necessary in relation to the purpose it was collected or processed
  • you withdraw your consent and there is no other legal ground for the processing
  • you object to further processing and there are no overriding legitimate grounds for the processing
  • the personal data has been unlawfully processed
  • the personal data has to be erased for compliance with a legal obligation to which we are subject

The right to object to processing of your personal data

You have the right to object to the processing of your data and if you do, we may be prevented from further processing your personal data unless certain conditions are met.

The right to restrict processing of your personal data

In certain circumstances you may have the right to restrict further processing of your personal data. In this case, we may only further process your personal data for storage, with your consent, for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

The right to data portability

Where you have provided information to us and where that information is processed by automated means pursuant to a contract, you may have the right to have that information provided to you in a machine-readable format. This is so you are able to re-use your personal data across different services.

Exercising your rights

If you wish to exercise any of the rights set out in this privacy notice, please contact the Records, Information Governance and Assurance team by emailing DPIRLiverpool@charitycommission.gov.uk.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within 28 days. Occasionally it may take us longer if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

We may not always be able to release all of the information you have asked for. This might be because certain information is exempt from release to the public.

You can ask us to review our response within 28 days of receiving it. Please email DPIRLiverpool@charitycommission.gov.uk.

It helps us if you tell us why you think our decision is wrong and exactly what additional information you would like us to release.