Privacy Policy

Candidate Privacy Notice

1. Purpose and Scope

When we refer to “we” or “us” in this privacy notice we are referring to Unlimit Health, a charitable company registered in England and Wales with company number 11775313 and charity number 1182166.

We are a controller of your personal data, which means we are responsible for deciding how we hold and use data about you. We are registered with the Information Commissioner Office with registration number ZB009119.

This privacy notice explains how and why we use your personal data during and after the recruitment process.

2. Definitions

Personal data means any personal information that you give us from which you can be identified, such as your name, your home address, your personal email contact details, or your telephone number. Personal data does not include information where your identity has been removed (i.e. anonymous data).

Special category data means personal data about your race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation. These types of personal data require a higher level of protection.

Criminal offence data means personal data relating to criminal convictions and offences (for example, information about criminal activity, allegations, investigations and proceedings) and can include information about unproven allegations and information relating to the absence of convictions. It also covers related security measures, such as personal data about penalties and conditions or restrictions placed on an individual as part of the criminal justice process. Criminal offence data also requires a higher level of protection.

3. Your personal data

We may collect and use the following types personal data about you in connection with your application:

full name and title
personal contact details (home address, home telephone number, mobile telephone number, personal email address)
information you have provided to us in your application form or CV and covering letter, including date of birth, gender, employment history, qualifications
information you provide to us during an interview
information provided in references
where applicable, information about criminal convictions and offences

We may also collect and use special category data such as:

information about your race or ethnicity, religious beliefs, sexual orientation and political opinions
information about your health, including any medical condition

We collect the majority of this personal data directly from you during the recruitment process. We also collect additional personal data from third parties including:

recruitment platforms or recruitment consultants if you apply for the role through one of these
criminal records checks carried out through the Disclosure and Barring Service;
your named referees
publicly accessible data from the Insolvency Service, Companies House and/or the Charity Commission

If you fail to provide information when requested, which is necessary for us to consider your application (such as evidence of qualifications or work history), we will not be able to process your application successfully. For example, if we require references or a criminal record check for this role and you fail to provide us with relevant details, we will not be able to take your application further.

4. How we use your personal data

We will only use your personal data when law allows us to. Our reasons for using your personal data may sometimes overlap and there may be several lawful grounds which justify our use of your personal data.

We will use your personal data where we have a legitimate interest and we are satisfied that your interests and fundamental rights do not override our interests, including to:

assess your skills, qualifications, and suitability for the role
carry out background and reference checks
communicate with you about the recruitment process
keep records related to our hiring processes

We may also use your personal data:

where we need to comply with legal or regulatory requirements
where we have your consent
where we need to protect your vital interests (or someone else’s vital interests)

5. How we use special category data

We may use your special category data when we:

use information about your physical or mental health, or disability status, to ensure your health and safety and/or to provide appropriate adjustments during the recruitment process
use information about your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sexual life or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting

We rely on the following lawful grounds when we use your special category data in this way:

with your explicit written consent
where it is needed in the public interest, such as for equal opportunities monitoring

Less commonly, we may use special category data where it is needed in relation to legal claims, to protect your vital interests (or someone else’s vital interests) in circumstances where you are not capable of giving your consent, or where you have already made the information public.

6. How we use criminal offence data

We will collect and use criminal offence data when it is appropriate, taking into account the nature of your role and where we are legally able to do so. In particular, where:

we are legally required to carry out criminal record checks for those carrying out the role;
the role is one which is eligible for a standard or enhanced check from the Disclosure and Barring Service;
the role requires a high degree of trust and integrity.

We rely on the following lawful grounds when we use your criminal offence data in this way:

there is a substantial public interest; or
you have given your explicit consent

If we decide to offer you the role after interview, we will then carry out a criminal record check before confirming your appointment.

We have in place an appropriate policy and safeguards which we are required by law to maintain when processing such data. You can find a copy of this policy at the end of this document in Schedule I.

7. Automated decision-making

Automated decision-making takes place when an electronic system uses your personal data to make a decision without human intervention.

We do not envisage using solely automated means to make any decisions that will have a significant impact on you during the recruitment process. We will notify you in writing if this changes.

8. Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent where this is required or permitted by law.

9. Sharing your personal data

We may share your personal data with third parties, including our third-party service providers. We require third parties to respect the security of your data and to treat it in accordance with the law.

10. Data security

We have put in place measures to protect the security of your personal data and to prevent it from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need-to-know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

11. Transferring data outside the UK

We will not transfer your personal data outside the UK for the purposes of recruitment.

12. Retention

We will retain your personal data for the following periods:

if your application is unsuccessful, for 6 months after we have communicated our decision to you; or
if your application is successful, for 6 years after you leave employment with us.

We retain your personal data for the periods referred to above so that we can show, in the event of a legal claim, that we have not discriminated against candidates on prohibited grounds and that we have conducted the recruitment exercise in a fair and transparent way.

If we wish to retain your personal data on file, on the basis that a further opportunity may arise in future and we may wish to consider you for that, we will write to you separately seeking your consent to retain your personal data for a further fixed period on that basis.

These retention periods may be extended or reduced if required by applicable law or we deem it necessary, for example, to defend legal proceedings or if there is an outstanding investigation relating to the data.

13. Your rights

Under certain circumstances by law you have the right to:

Request access to your personal data (commonly known as a subject access request). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
Ask us to correct personal data that we hold about you which is incorrect, incomplete or inaccurate.
Ask us to erase your personal data from our files and systems where there is no good reason for us continuing to hold it.
Object to us using your personal data to further our legitimate interests (or those of a third party) or, less commonly, where we are using your personal data for direct marketing purposes.
Ask us to restrict or suspend the use of your personal data, for example, if you want us to establish its accuracy or our reasons for using it.
Ask us to transfer your personal data to another person or organisation.

If you want to exercise any of these rights, please contact dpo@unlimithealth.org.uk. We may need to request additional information from you to help us confirm your identity and ensure your right to access the data (or to exercise any of your other rights) – this is to ensure that your personal data is not disclosed to any person who has no right to receive it.

If you have given your consent to us processing your personal data, you have the right to withdraw your consent at any time. To withdraw your consent, please contact dpo@unlimithealth.org.uk. Once we have received notification that you have withdrawn your consent, we will no longer process your personal data and, subject to our retention policy, we will dispose of your information securely.

14. Questions or Queries

If you have any questions about this privacy policy or how we handle your personal data, please contact dpo@unlimithealth.org.uk.

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection.

Schedule 1

Appropriate Policy – Special Category Data and Criminal Offence Data

15. About this policy

This policy explains how Unlimit Health (“we”, “us”, the “Charity”) protect special category data and criminal offence data. This policy supports our Data Protection Policy.

This policy applies to all employees, workers, volunteers, consultants, trustees, applicants and anyone else working for or on behalf of the Charity (“you”). It does not form part of your contract of employment or any other contract for services and we may amend it at any time.

When we talk about processing we mean any activity that involves the use of personal data. Processing includes obtaining, recording or holding personal data, or carrying out any operations on the data such as organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes sharing or transferring personal data with third parties, for example partners such as the Ministries of Health that we work with.

You must comply with this policy when you handle special category data or criminal offence data on behalf of the Charity. A breach of this policy may result in disciplinary action under the Charity’s Disciplinary Policy.

If you have any questions about this policy or if you have any concerns that this policy is not being, or has not been, followed please contact dpo@unlimithealth.org.uk.

16. How we define personal data and special categories of personal data

When we talk about personal data we mean any information which relates to a living person who can be identified from that data either on its own, or when taken together with other information which is likely to come into our possession. It includes identifiers such as a person’s name or ID number and expressions of opinion about a person’s actions or behaviour.

We use the term special category data to mean personal data that reveals an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data.

Personal data includes data where the information that identifies the individual has been replaced by a key or code that is kept separately (pseudonymised personal data).

Personal data does not include anonymous data, i.e. data that has had the identity of an individual permanently removed.

17. Why we process special category data and criminal offence data

We process special category data and criminal offence data for a range of reasons, including:

carrying out research and sharing the results of that research
dealing with sensitive issues such as whistleblowing or safeguarding complaints
assessing fitness to work or perform services for the Charity
complying with health and safety obligations and our obligations under the Equality Act 2010
checking people’s right to work in the UK
carrying out safer recruitment checks to verify that people are suitable to be appointed to a certain role, or to continue in that role

Our recruitment, staff and trustee privacy notices contain more detailed information about how we process special category data and criminal offence data. You can find copies of these privacy notices on SharePoint here or SCI Global > Governance> Policies and Procedures > Policies> Finalised Policies.

18. Personal data protection principles

Our Data Protection Policy explains what the data protection principles are and how the Charity must demonstrate compliance with those principles, including keeping our Record of Processing Activities (ROPA).

When we process special category data or criminal offence data, in addition to the requirements explained in our Data Protection Policy, we must also satisfy one of the specific processing conditions for special category or criminal offence data. We have identified the legal ground and specific processing condition relied on for each processing activity and you can find a record of this in our ROPA.

When collecting special category data or criminal offence data from individuals, including if we collect it indirectly (for example from a third party or publicly available source), we always provide those individuals with the appropriate privacy notice.

We will carry out a data protection impact assessment (DPIA) where we are proposing to use personal data that are likely to result in high risk to individuals’ interests or which involve novel types of processing. For example, the MER team has carried out a DPIA because it processes special category data collected by third parties as part of its day to day work and combines these data sets for future research and related purposes.

19. Retention and erasure of special category data or criminal offence data

We take the security of special category data and criminal offence data very seriously. We have administrative, physical and technical safeguards in place to protect personal data against unlawful or unauthorised processing, accidental loss or damage. Where special category data or criminal offence data are processed, we always ensure that:

the processing is recorded in our ROPA;
when we no longer require the data for the purpose for which it was collected, we will delete it or render it permanently anonymous without delay;
where records are destroyed we will ensure that they are safely and permanently disposed of.

Date 22/09/2021

Action Policy introduced

Comment

Date

Action Policy updated

Comment [provide details of who made changes/what changes were made]

Cookies

Cookies are small pieces of data that are used to optimise your browsing experience. Below is a list of the types of cookies we use on our site.

Functional and required cookies

These are necessary for the website to function correctly when you navigate the site and make certain requests, such as filling in forms. You can set your browser to block or alert you about these types of cookies, but some parts of the site will not work. These cookies don’t store any personally identifiable information.

Cookie name	Duration	Purpose
Crumb	Session	Prevents cross-site request forgery (CSRF). CSRF is an attack vector that tricks a browser into taking unwanted action in an application when someone’s logged in.
RecentRedirect	30 minutes	Prevents redirect loops if a site has custom URL redirects.
CART	2 weeks	Shows when a visitor adds a product to their cart
hasCart	2 weeks	Indicates that the visitor has a cart.
Locked	Session	Prevents the password-protected screen from displaying if a visitor enters the correct site-wide password.
SiteUserInfo	3 years	Identifies a visitor who logs into a customer account
SiteUserSecureAuthToken	3 years	Authenticates a visitor who logs into a customer account
Commerce-checkout-state	Session	Stores state of checkout while the visitor is completing their order.
squarespace-popup-overlay	Persistent	Prevents the Promotional Pop-Up from displaying if a visitor dismisses it
squarespace-announcement-bar	Persistent	Prevents the Announcement Bar from displaying if a visitor dismisses it
Test	Session	Investigates if the browser supports cookies and prevents errors.

Analytics and performance cookies

These cookies collect information about how you interact with our site and count visits and traffic sources. They enable us to measure and improve the performance of our site and help us identify which pages are the most and least popular. This data is completely anonymous but you can disable these cookies.

Cookie name	Duration	Purpose
_ga	2 years	Used to distinguish users.
_gid	24 hours	Used to distinguish users.
_gat	1 minute	Used to throttle request rate.
AMP_TOKEN	30 seconds to 1 year	Used to retrieve a Client ID from AMP Client ID service.
gac	90 days	Contains campaign related information for the user.
utma	2 years	Used by Google Analytics to identifying unique visitors.
utmt	10 minutes	Used to throttle request rate.
utmb	30 minutes	Used by Google Analytics to determine visitor session.
utmc	Session	Used by Google Analytics to determine visitor session.
utmz	6 months	Used by Google Analytics to track traffic sources and navigation.
utmv	2 years	Used to store visitor-level custom variable data.
ss_cid	2 years	Identifies unique visitors and tracks a visitor’s sessions on a site.
ss_cvr	2 years	Identifies unique visitors and tracks a visitor’s sessions on a site.
ss_cvisit	30 minutes	Identifies unique visitors and tracks a visitor’s sessions on a site.
ss_cvt	30 minutes	Identifies unique visitors and tracks a visitor’s sessions on a site.
ss_cpvisit	2 years	Identifies unique visitors and tracks a visitor’s sessions on a site.
ss_cookieAllowed	30 days	Remembers if a visitor agreed to placing Analytics cookies on their browser if a site is restricting the placement of cookies.

Targeting and marketing cookies

These may be set through our site by our advertising partners, such as Facebook Pixel and Google Analytics. We use data from Google’s Remarketing and Advertising Reporting features to collect interest and demographics-based advertising or third-party audience data (such as age, gender and interests) to inform our marketing strategy. This data and the cookies active on our site are used to deliver ads relevant to you in and outside of our site and measure the effectiveness of social media advertising. They also limit the number of times that you see an ad and help us measure the effectiveness of our marketing campaigns. It’s never our intention to spam you, just to provide you with content we think you’d like to see. They do not store any personally identifiable information and expire after 90 days.

You can turn off all these cookies at any time. This can be done through the settings of your browser. If you do, you may notice that the site doesn’t work as well and you may not be able to use every service.

To opt out of any Google Analytics features used on this site, you can use Google Analytics’ opt-out tool.