Use of data processors
Data processors are third parties who provide elements of our recruitment service for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.
Individuals are responsible for helping the organisation keep their personal data up to date. Individuals should let the organisation know if data provided to the organisation changes, for example if an individual moves house or changes their bank details. Individuals may have access to the personal data of other individuals and of our customers and clients in the course of their engagement. Where this is the case, the organisation relies on individuals to help meet its data protection obligations.
Individuals who have access to personal data are required:
- to access only data that they have authority to access and only for authorised purposes;
- not to disclose data (whether inside or outside the organisation) except to individuals who have appropriate authorisation;
- to keep data secure (for example by complying with rules on access to premises, computer access, including password protection, and secure file storage and destruction);
- not to remove personal data from the organisation’s premises, or (without permission/clearance) devices containing or that can be used to access personal data, without adopting appropriate security measures (such as encryption or password protection) to secure the data and the device; and
- not to store personal data on local drives or on personal devices that are used for work purposes.
Failing to observe these requirements may amount to a disciplinary offence, which will be dealt with under the organisation’s disciplinary procedure. Significant or deliberate breaches of this policy, such as accessing colleague or customer data without authorisation or a legitimate reason to do so, may constitute gross misconduct and could lead to dismissal without notice.
Under the UK’s Data Protection law, you have rights as an individual which you can exercise in relation to the information we hold about you.
Access to personal information
Legislation provides the right of access to personal data at reasonable intervals so that anybody can be aware of, and verify, the lawfulness of the processing – the right of access. Everglade UK tries to be as open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a ‘data subject access request’ under the UK’s data protection laws. If we do hold personal information about you we will:
- Give you a description of it;
- Tell you why we are holding it;
- Tell you who it could be disclosed to; and
- Let you have a copy of your personal information being processed in an intelligible form, but not necessarily copy documents with non-personal information within which your personal data might be contained;
- Where possible the length of time we will hold it;
- We will redact personal information of others unless they have explicitly consented to it being passed to you, as well as company sensitive and other information that is not your personal information, as deemed appropriate.
Responses to Data Subject Access Requests will be made within one month from receipt of the request, with any necessary extension up to a further two months being communicated to the requester, with an explanation as to why that is necessary. To make a request to EvergladeUK for any personal information we may hold you need to put the request in writing addressing it to our Privacy Office at the address provided below, or by emailing your request to firstname.lastname@example.org. To ensure we continue to ensure the confidentiality of your information, you will need to provide sufficient verification as to your identity prior to any information being released. If we do hold information about you, you can ask us to correct any mistakes (Right of Rectification) by, once again, contacting the Privacy Office. Where you object to processing and there are no overriding legitimate grounds for the processing or you withdraw consent on which processing is based and there are no other legal grounds for processing then where no exemption exists you have the right to the erasure of that personal data. There are circumstances where you may not have a right of erasure, such as Everglade need to comply with a legal obligation or in the establishment, exercise or defence of a claim and Everglade UK will communicate any such circumstances with you as may be appropriate to your request. You have a certain rights to restriction of processing of personal data:
- if you believe it to be inaccurate and for the time it takes for EvergladeUK to verify its accuracy;
- Where processing is unlawful, but you prefer restriction of processing rather than erasure;
- If Everglade no longer needs the personal data for the purposes of processing, but you require it for the establishment, exercise or defence of a legal claim;
- You have objected to processing pending the verification that the legitimate grounds of Everglade to continue processing override your grounds of objection.
You have the right to object to your information being processed for direct marketing purposes, which includes profiling to the extent that it is related to such direct marketing. Your data will not be retained for the sole purpose of being able to identify you for the purposes of data subject access rights.