This notice explains how Cardiff Union Services Limited (referred to in this notice as we, us or our) collects and uses information during the recruitment and selection process.
This notice covers the following:
1. What is personal data?

Personal data is any information that tells us something about you. This could include information such as your name, contact details, date of birth, and references.

2. How do we collect personal data?

We collect personal data about you from various sources including:

  • from you when you contact us directly through the application and recruitment process;
  • from other people when we check references or carry out background checks – if we do this we will inform you during the recruitment process of the exact checks that are carried out.
3. What information do we collect?

We collect, or may collect, the following categories of information about you:

  • Personal contact details such as name, title, address, telephone number and personal email addresses
  • Date of birth
  • Equal opportunities monitoring information such as age range, gender, race, ethnicity, religion, health and sexual orientation
  • Recruitment information (including copies of right to work documentation, references and other information in your CV or cover letter or otherwise provided as part of the application process)
  • Information about criminal convictions and offences committed by you
4. How do we use your information?

We use your information for the following purposes:

  • To make decisions about your recruitment and appointment
  • To check you are legally entitled to work in the UK
  • To assess your qualifications for a particular job or task
  • To conduct data analytics studies to review and better understand job application rates
  • To carry out equal opportunities monitoring
5. What is the legal basis that permits us to use your information?

Under data protection legislation we are only permitted to use your personal data if we have a legal basis for doing so as set out in the data protection legislation. We rely on the following legal bases to use your information for employment/engagement related purposes:

  • Where we need information to enter into a contract with you
  • Where we need to comply with a legal obligation
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests

The Table in no. 14 of this notice provides more detail about the information that we use, the legal basis that we rely on in each case and your rights.

6. What is Sensitive Data?

Some information is classified as "special" data under data protection legislation.  This includes information relating to health, racial or ethnic origin, religious beliefs or political opinions, sexual orientation and trade union membership. This information is more sensitive and we need to have further justifications for collecting, storing and using this type of personal data. There are also additional restrictions on the circumstances in which we are permitted to collect and use criminal conviction data. We may process special categories of personal data and criminal conviction information in limited circumstances with your explicit consent, in which case we will explain the purpose for which the information will be used at the point where we ask for your consent.

7. What happens if you do not provide information that we request?

We need some of your personal data in order to conduct the recruitment and selection process. If you do not provide such information, we may not be able to continue with the recruitment process or offer you employment/engagement. We explain when this is the case at the point where we collect information from you.

8. How do we share your information?

We share your personal data in the following ways:

  • Where we use third party services providers who process personal data on our behalf in order to provide services to us. This includes recruitment agents and IT systems providers.
  • We will share your personal data with third parties where we are required to do so by law or to comply with our regulatory obligations.
  • With other entities in our group as part of our regular reporting activities and in the context of a business reorganisation or group restructuring exercise.
  • If we sell any part of our business and/or integrate it with another organisation your details may be disclosed to our advisers and to prospective purchasers or joint venture partners and their advisers.

Where we share your personal data with third parties we ensure that we have appropriate measures in place to safeguard your personal data and to ensure that it is solely used for legitimate purposes in line with this privacy notice.

9. How do we keep your information secure?

Your employment related data may be stored in any of the following:

 

  • Secure storage on network drives. These are shared computer drives hosted by Cardiff University who have appropriate firewalls in place. Access to the drives are password protected and limited to the team of staff who may process the data.

 

  • Folders are kept within a locked filling cabinet within the HR office. Access to the offices is restricted to a limited number of employees, and access to the filing cabinet is restricted solely to those that may process the information.

 

  • Some information may be shared via email, this is only done via the secure outlook 365 system which is password protected and has suitable firewalls in place. Passwords are applied to certain files when sharing via email.

 

  • Data is stored within the PeopleHR system. This data and the company’s use of it is compliant with the GDPR regulations and there are extensive protection systems in place to ensure its security. Detailed information regarding this can be found on the company’s website via https://security.peoplehr.com/.

 

  • Very occasionally, when other options are not suitable, a portable storage device such as a memory stick might be used. In these circumstances, the device would be encrypted with password protection, and only used for the period of time required.

 

  • Limited elements of your data might be stored in other systems, which you have access to or are required to use. For example, your name and basic details might be held in the system which manages access control for the building.

We will ensure access to personal data is restricted to employees working within our group on a need to know basis.  Training will be provided to any employees working within the group who need access to your personal data to ensure it is secured at all times. Suitable procedures are in place to ensure information is only kept as long as it is required, after which it is destroyed in a secure fashion.

10. When do we transfer your information overseas?

When data is transferred to countries outside of the UK and the European Economic Area those countries may not offer an equivalent level of protection for personal data to the laws in the UK. Where this is the case we will ensure that appropriate safeguards are put in place to protect your personal data.

 

Personal data is not currently sent or stored outside of the European Union. It is possible that a data transfer or storage method such as dropbox might be used, which may mean in these circumstances, that the information would be stored within the United States. Due diligence would be taken before using a method within the United States.

 

It is most unlikely that we would transfer personal information abroad, and in such circumstances we would not do so without your permission.

 

If you would like further information of the adequacy mechanisms that we use to protect your personal data please contact the Head of ICT and Web Development.

11. For how long do we keep your information?

As a general rule we may keep some basic personal data about candidates for the duration of the recruitment and selection process and for a period of 12 months after candidates have been notified whether their application has been successful. However, where we have statutory obligations to keep personal data for a longer period or where we may need your information for a longer period in case of a legal claim, then the retention period may be longer. [Full details of the retention periods that apply to your information are set out in our Data Retention Policy which is available from the HR Department.

12. Your rights in relation to your information

You have a number of rights in relation to your personal data, these include the right to:

  • be informed about how we use your personal data;
  • obtain access to your personal data that we hold;
  • request that your personal data is corrected if you believe it is incorrect, incomplete or inaccurate;
  • request that we erase your personal data in the following circumstances:
    • if we are continuing to process personal data beyond the period when it is necessary to do so for the purpose for which it was originally collected;
    • if we are relying on consent as the legal basis for processing and you withdraw consent;
    • if we are relying on legitimate interest as the legal basis for processing and you object to this processing and there is no overriding compelling ground which enables us to continue with the processing;
    • if the personal data has been processed unlawfully (i.e. in breach of the requirements of the data protection legislation);
    • if it is necessary to delete the personal data to comply with a legal obligation.
  • ask us to restrict our data processing activities where you consider that:
    • personal data is inaccurate;
    • our processing of your personal data is unlawful ;
    • where we no longer need the personal data but you require us to keep it to enable you to establish, exercise or defend a legal claim;
    • where you have raised an objection to our use of your personal data;
  • request a copy of certain personal data that you have provided to us in a commonly used electronic format. This right relates to personal data that you have provided to us that we need in order to take steps to enter into a contract with you and personal data where we are relying on consent to process your personal data;
  • object to our processing of your personal data where we are relying on legitimate interests or exercise of a public interest task to make the processing lawful. If you raise an objection we will carry out an assessment to determine whether we have an overriding legitimate ground which entitles us to continue to process your personal data;
  • not be subject to automated decisions which produce legal effects or which could have a similarly significant effect on you.

If you would like to exercise any of your rights or find out more, please see the contact information below in section 12. The Table at the end of this notice provides more detail about the information that we use, the legal basis that we rely on in each case and your rights.

13. How to raise a query, concern or complaint

If after reading this page you still have queries, concerns or wish to raise a complaint you should contact the Data Protection Officer in the first instance at the following:

Ben Eagle
Data Protection Officer
Deputy Chief Executive
Cardiff University Students’ Union
University Union
Park Place
Cardiff
CF10 3QN
Email: studentsunion@cardiff.ac.uk 
Tel: 02920 781 400

If you remain dissatisfied then you have the right to apply directly to the Information Commissioner for investigation. The Information Commissioner can be contacted at: -

Information Commissioner’s Office,
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire,
SK9 5AF
www.ico.org.uk

The Information Commissioner's Office also provides useful advice and guidance on data protection.

14. View our lawful basis for how we use your personal data
Purpose
Data used
Lawful basis
Which rights apply?*
Recruitment decisions
Personal contact details, national insurance number, recruitment information, employment records, and compensation history.
Legitimate interest. It is in our interests to ensure we recruit the best possible candidates in order to achieve our business goals and objectives.
The generally applicable rights plus the right to object.
Right to work checks
Information relating to your right to work status, national insurance number, passport number, nationality, tax status information, and personal contact details.
Legal obligation. It is in our legal obligation to ensure that those who work for us have the right to work in the UK as well as to establish the statutory excuse to avoid liability for the civil penalty for employing someone without the right to undertake the work for which they are employed.
The generally applicable rights plus the right to object.
Performance reviews and appraisals, salary reviews and promotion decisions
Compensation history, performance history, disciplinary and grievance information and salary.
Contractual necessity and legitimate interest. It is in our interests as well as the interest of our employees /workers /contractors to have performance and salary/fee reviews to ensure employees/workers/contractors are being adequately compensated which will in turn motivate them to deliver a high standard of work, ultimately having a positive impact on achieving our business goals.
The generally applicable rights plus the right to object.
Administration of your contract and benefits, including payment of salary/fee and expenses
Compensation history, national insurance number, personal contact information, bank account details, payroll records and tax status information, start and end date of employment/engagement and date of birth.
Contractual necessity.
The generally applicable rights plus the right to data portability.
Administration of pension schemes
Compensation history, national insurance number, personal contact information, bank account details, payroll records and tax status information, start and end date of employment/engagement, date of birth and contribution entitlements.
Legal obligation, contractual necessity and legitimate interest. It is in our interests to adequately incentivise our employees to motivate them to deliver a high standard of work, ultimately having a positive impact on achieving our business goals. It is in the interests of the trustees/scheme administrator to be able to effectively run the pension scheme.
The generally applicable rights plus the right to data portability and the right to object.
Compliance with our statutory duties to ensure a safe place of work and to ensure that you are fit for work
Information about your health, including any medical condition, health and sickness records and location of employment or workplace.
Legal obligation.
The generally applicable rights only.
Management of sickness absence
Personal contact details, employment/engagement records (sickness hours/days) and information about your health.
Legal obligation and contractual necessity.
The generally applicable rights plus the right to data portability.
To monitor compliance with our policies
Personal contact details, information about your use of our information and communication systems, CCTV footage and other information obtained through electronic means such as swipecard records, disciplinary and grievance information and performance information.
Legitimate interest. It is in our interests to ensure employees/workers/contractors are complying with our policies as non-compliance with policies can result in termination of employment/engagement, ultimately affecting our day to day operations and business plans.
The generally applicable rights plus the right to object.
Fraud and crime prevention
Information about criminal convictions and offences committed by you, personal contact details and CCTV footage and other information obtained through electronic means such as swipecard records.
Public interest and legitimate interest. It is in our interests as well as the interests of our employees/workers/contractors to ensure the prevention of fraud and crime is monitored. This will ensure a safe workplace for all.
The generally applicable rights plus the right to object.
Diversity monitoring
Gender, marital status and dependents, location of employment or workplace and information about your race or ethnicity, religious belief and sexual orientation.
Public interest.
The generally applicable rights plus the right to object.
Disciplinary and grievance procedures
Personal contact details, disciplinary and grievance information and performance information.
Legitimate interests. It is in our legitimate interests to manage the performance of employees and ensure that disciplinary action is taken where appropriate.
The generally applicable rights plus the right to object.
To deal with legal disputes
Personal contact details, employment/engagement records, compensation history, performance information, disciplinary and grievance information, photographs, CCTV footage and other information obtained through electronic means and information about criminal convictions and offences committed by you.
Legitimate interest. It is in our interests to process personal data to make and defend legal claims to ensure that our legal rights are protected.
The generally applicable rights plus the right to object.
Business management and business planning
Information about your use of our information and communication systems, employment/engagement records, location of workplace, salary and benefit information and personal contact details.
Legitimate interests.  It is in our interests to undertake this processing to ensure we can improve any business operations which will ultimately improve the overall quality of work/the workplace. Employees/workers/contractors will ultimately benefit as the workplace and its procedures may be strengthened.
The generally applicable rights plus the right to object.
Exit management at the end of your employment/engagement
Personal contact details, payroll records, tax status information, end date of employment/engagement, and employment/engagement records.
Legitimate interest. It is in our interests as well as the interests of our employees/workers/contractors to undertake exit management steps to ensure the employees/workers/contractors can express any feedback to us which we can consider and decide whether to implement to improve the workplace for other employees/workers/contractors.
The generally applicable rights plus the right to object.

 

*The following generally applicable rights always apply: right to be informed, right of access, right to rectification, right to erasure, right to restriction and rights in relation to automated decision making. For more detail about your rights and how to exercise them please see section 11. Your rights in relation to your information.

We may update this notice from time to time.
Contact details
Our contact details are as follows:

Address:          Cardiff University Students’ Union, Park Place, Cardiff CF103QN
Telephone:       02920 781400

We have appointed an operational data protection officer who has responsibility for advising us on our data protection obligations. You can contact the data protection officer using the following details:

Raechel Mattey
Data Protection Officer
Deputy Chief Executive
Cardiff University Students’ Union
University Union
Park Place
Cardiff
CF10 3QN
Email: studentsunion@cardiff.ac.uk 
Tel: 02920 781 400