Guidance

Employment Agency Standards Inspectorate: privacy notice

Published 18 December 2020

This notice sets out how we will use your personal data, and your rights. It is made under Articles 13 and/or 14 of the General Data Protection Regulation (GDPR).

Who we are

The Employment Agency Standards Inspectorate (EAS) in the Department for Business, Energy and Industrial Strategy (BEIS). EAS processes personal data for the purposes of compliance and enforcement and in line with our statutory functions under the Employment Agencies Act 1973 and the Conduct of Employment Agencies and Employment Businesses Regulations 2003. EAS is the government regulator for the private recruitment sector, regulating all employment agencies and employment businesses that provide work-finding services in Great Britain. EAS strategic aim is to: -

• advise both work-seekers and businesses about the legislation in place, to support and protect both parties to the employment relationship
• protect vulnerable work-seekers where their employment rights may be denied
• enforce legislation, where serious and/or repeated non-compliance is identified

What data we collect

EAS collects personal data. The personal data we collect from you will include:

• name
• contact details
• any evidence provided

when you use our website for general enquiries, subscribe for updates, or submit a complaint on line through the GOV.UK webpages, or when you contact us offline such as by telephone, SMS, email, or post.

We will only use your personal data to:

(i) provide the information or service you have requested

(ii) to process your enquiry; and (iii) as permitted or required by law.

The personal data you provide to EAS will be processed in accordance with the principles of the UK Data Protection Act 2018 including Part 3, Law Enforcement Processing and the General Data Protection Regulations (GDPR). EAS is a ‘competent authority’ for the purpose of Law Enforcement processing.

Recipients of your data - who we share your data with

Your personal data may be checked with other government departments, authorities and agencies, who have the legal right to access and receive information held by EAS and to also provide to us relevant information.

No third parties have access to your personal information unless the law allows them to do so. Your personal data may be checked with other government departments, authorities and agencies who have the legal right to access and receive information held by EAS and to also provide to us relevant information.

If you do not want information that identifies you to be shared with the organisation you have raised a concern about, we will try to respect that. However, it is not always possible to handle a concern on an anonymous basis so we may contact you to discuss this.

If you are acting on behalf of someone making a complaint, we will ask for information to satisfy us of your identity and if relevant, ask for information to show you have authority to act on someone else’s behalf.

Your personal data may be shared or disclosed to another party outside BEIS, if is necessary to:

• gather the information we need to make a decision
• impose a sanction - for example, prosecution or prohibition proceedings brought by EAS
• reviewing the sanction process

How we get your information

Most of the personal information we process is provided to us directly by you for one of the following reasons:

• you have raised a concern / complaint / enquiry with us
• you have made an information request to us
• you subscribe to our e-newsletter / e-bulletin
• you are representing your organisation

We also receive personal information indirectly, in the following scenarios:

• we have contacted an organisation about a complaint you have made, and it gives us your personal information in its response
• a complainant refers to you in their complaint correspondence
• whistle-blowers include information about you in their reporting to us
• we have gathered personal information as part of a regulatory investigation or intervention
• from other regulators or law enforcement bodies
• we have seized or obtained personal information as part of an investigation

Why we need it

We need information from you to investigate your concern properly and fulfil our regulatory function. Our request for complaint information is designed to prompt you to give us everything we need to understand what’s happened. We need to know the details of your concern, so we can investigate it properly.

What we do with it

We will use your personal information to investigate your complaint. When we receive a complaint from you, we will review its contents and decide if the complaint indicates a breach of the Employment Agencies Act 1973. If the matter falls outside the scope of the Employment Agencies Act 1973, we will inform you accordingly and your specific complaint will be recorded and filed on an electronic case file/folder. If the case is investigated, we will set up an electronic case file. In both cases, this normally includes your contact details and any other information you have given us about the other parties in your complaint.

Legal basis

The legal basis for processing the personal data under the Data Protection legislation is where the processing is necessary:

• for law enforcement purposes
• for the performance of a task carried out for that purpose by a competent authority
• for compliance with a legal obligation
• for the performance of a contract
• for the protection individuals’ vital interests and safety
• where you have provided consent
• legitimate interests

If you fail to provide personal information

If you fail to provide your personal data in connection with a complaint you have brought, we will not be able to process the complaint.

Failure to disclose may impair our ability to take account of your side of the argument if you fail to provide the information.

Report bad practices as a whistle-blower

We need enough information from you to investigate your protected disclosure to us, including any evidence you have to support it.

When we receive a disclosure from a customer we will set up an electronic case file containing the details. This normally includes your identity; contact details and any other information you have given us about individuals involved in the disclosure. We will treat the information you provide confidentially.

You can contact us anonymously if you prefer but your details will not be given out when we progress your disclosure unless you give your permission. We need to know the details of your complaint so that we can decide on the organisation’s compliance with the relevant legislation and fulfil our regulatory function. We will treat the information you provide as confidential and will not disclose it without lawful authority.

If possible, we will give you feedback about any action we take because of your disclosure. However, this feedback will be restricted.

Section 9 of the Employment Agencies Act 1973 sets out the legal enforcement powers of EAS officers. These powers are to enter employment agency and/or employment business premises, ask questions of any person on the premises, inspect, copy or remove for copying any record held on the premises. We have a duty of confidence to the organisations we regulate. We are legally prevented (under s9 of the 1973 Act) from sharing much of the information they have supplied to us.

Investigations for law enforcement purposes

As part of our statutory functions, we investigate, and we can prosecute individuals and organisations for alleged criminal offences committed under the legislation we regulate (the Employment Agencies Act 1973 and associated regulations).

EAS is a competent authority for the purpose of Part 3 of the DPA 2018 which applies to the processing of personal data by such authorities for law enforcement purposes.

These purposes are set out at section 31 of the DPA 2018 and are the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, which might include the safeguarding against and the prevention of threats to public security. Our processing is either done because it is necessary for the performance of a task relating to one of these purposes or with the consent of the individual.

We process personal data for the purposes of law enforcement of the legislation for which we are regulator in the following 3 areas:

• criminal investigations
• intelligence
• financial recovery

Our processing can also include sensitive processing, which means processing special category data for law enforcement purposes. Where this is the case we rely on either the consent of the individual or, provided the processing is strictly necessary for the law enforcement purposes, on a condition set out in Schedule 8 of the DPA 2018.

When we are inspecting your business

Our purpose for processing this information is to have a contact point at your organisation and to tell you the outcome of the investigation or inspection visit.

The legal basis we rely on to process your personal data is article 6(1)(e) of the GDPR, which allows us to process personal data when this is necessary to perform our public tasks as a regulator.

When we conduct an inspection, investigation, or an advisory visit, we will take the name and contact details of your organisation’s main point of contact. We may also take details of other staff members during the visit process. We use the data collected to complete the inspection/investigation/advisory visit and evidence the information provided.

We do not publish details of our findings although we might publish a summary of the audits in our annual report (including sectors and numbers of infringements found across all EAS interventions) we have completed and this will not contain any personal data. We will publish aggregated data of the fact that we have conducted inspection/investigative/advisory visits, but this will not contain any personal data.

Security and storage

EAS takes the security of all personal data very seriously and will process your personal data and information securely by using suitable technical and organisational controls to prevent unauthorised processing and against accidental loss, misuse, destruction, or damage. Your personal data is only accessed and used by staff in the performance of their duties.

From time to time EAS will use authorised processors to process personal data on its behalf. EAS ensures that any such processing only takes place under contract with the correct security and compliance measures in place and under our direct instructions to ensure that your privacy and data protection rights continue to be protected.

How long we keep your data

We will keep your personal data for 7 years safely and securely on a case file in line with the BEIS retention policy.

Information you have provided to EAS will be used for the purposes of seeking compliance with the Employment Agencies Act 1973. As this information will be used for the investigation of potential criminal offences using our enforcement powers, under section 9 of the 1973 Act, it will be retained for that purpose if we proceed to contacting the agency on your behalf.

Section 8 of the Data Protection Act 2018, provides a statutory exemption to the removal of personal data held that is necessary for the performance of a task carried out in the public interest or in the exercise of the controller’s official authority includes processing of personal data that is necessary for:

(a) the administration of justice
(b) the exercise of a function of either House of Parliament
(c) the exercise of a function conferred on a person by an enactment or rule of law
(d) the exercise of a function of the Crown, a Minister of the Crown, or a government department
(e) an activity that supports or promotes democratic engagement

We will consider the removal of personal data, on a case by case basis, if your complaint is withdrawn and a specific request is made to remove your data.

International transfers

As your personal data is stored on our IT infrastructure and shared with our data processors Microsoft and Amazon Web Services, it may be transferred and stored securely outside the European Economic Area. Where that is the case it will be subject to equivalent legal protection through the use of Model Contract Clauses.

Your rights

You have the right to:

• request information about how your personal data are processed, and to request a copy of that personal data
• request that any inaccuracies in your personal data are rectified without delay
• request that any incomplete personal data are completed, including by means of a supplementary statement
• request that your personal data are erased (with some exceptions) if there is no longer a justification for them to be processed
• in certain circumstances (for example, where accuracy is contested) request that the processing of your personal data is restricted
• object to the processing of your personal data

A full list of your rights under the General Data Protection Regulation (GDPR) is available on the Information Commissioner’s Office (ICO) website.

Contact us or make a complaint

Contact the BEIS Data Protection Officer (DPO) if you:

• have any questions about anything in this document
• think that your personal data has been misused or mishandled

Contact the DPO:

BEIS Data Protection Officer
Department for Business, Energy and Industrial Strategy
1 Victoria Street
London
SW1H 0ET

Email dataprotection@beis.gov.uk

You can also make a complaint to the Information Commissioner (supervisory authority), who is an independent regulator.

Information Commissioner's Office

Email icocasework@ico.org.uk

Contact form https://ico.org.uk/glo...

Telephone 0303 123 1113

Textphone 01625 545 860

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.