Data Security Policy
This policy outlines behaviours expected of employees when dealing with data and provides a classification of the types of data with which they should be concerned.
Advento Staffing Ltd must protect restricted, confidential or sensitive data from loss to avoid reputation damage and to avoid adversely impacting its customers. The protection of data in scope is a critical business requirement, yet flexibility to access data and work effectively is also critical.
It is not anticipated that this technology control can effectively deal with the malicious theft scenario, or that it will reliably detect all data. Its primary objective is user awareness and to avoid accidental loss scenarios. This policy outlines the requirements for data leakage prevention, a focus for the policy and a rationale.
These measures must be applied to all protected personal or otherwise sensitive data. Protected personal data is defined at Annex A and is any material that links an identifiable individual with information whose release would put them at significant risk of harm or distress. It also covers any source of information relating to 1,000 or more individuals that is not in the public domain, even if the information about an individual is not considered likely to cause harm or distress:
- During the course of business the Company may hold personal data relating to individuals. The Data Protection Act 1998 requires the Company to maintain strict security in relation to personal data held by it relating to individuals whether those individuals are clients or suppliers, or prospective clients or suppliers, or prospective employees;
- No information referring to private individuals should be taken or sent from the Company’s offices and each employee must understand the importance of not divulging any such information to persons other than other employees within the Company. Employees asked to transfer personal data to recipients outside the Company (e.g. giving out a home telephone number of an employee or details of a customer) should satisfy themselves that the transfer is authorised by the Company before carrying out such a request;
- Employees should be aware that it is a criminal offence to access or disclose personal data held by the Company without authority;
- Employees who have access to or control over personal data held by the Company, e.g. employee records/lists or details relating to customers or private individuals, should ensure that access to the data within the Company is restricted on a need to know basis and that it is stored in accordance with the data security provisions set out below;
- Protected Personal Data (as defined in Annex A) which is held on paper must be locked away when not in use and offices in which it is held must be secured;
- All computers (whether remote or otherwise) are password protected, configured so that functionally is minimised to it’s intended business use only, and have up to date software patches and anti-virus software;
- All material that has been used for protected data should be subject to controlled disposal;
- All laptops, drives or removable electronic data media containing personal data should be encrypted. Laptops and drives or any other removable electronic media containing protected personal data are to be held in locked cabinets or drawers when not in use;
- It is company policy that protected personal data may not be transferred to third party owned laptops, PCs, USB keys, external drives and any other removable electronic media. Staff are not able to download information from our database apart from information which is already in the public domain. When working from home our systems are restricted in such a way that printing and saving data is not possible;
- As part of the Company’s terms and conditions of employment, employees consent to the Company holding and using personal data relating to them. Personal data includes names and addresses, bank details, health records and most of the information that it needs to hold about employees for employment purposes. On joining Advento Staffing Ltd, the employee will be required to notify the Company of such personal details. Any relevant changes to such personal information must be notified to the management;
- For the purposes of the Data Protection Act, the Company needs to specify the purposes for which we will use that information. The Company will of course only use it for legitimate purposes. Those purposes include:
- Complying with obligations to its employees. It needs personal data so it can perform activities such as contacting and paying employees, and complying with its obligations under health and safety regulations;
- Assessing employees, their performance and suitability for particular roles;
- Doing anything for the benefit of welfare of employees, their families and dependants;
- Complying with its obligations under the general law, e.g. in relation to taxation, social security, or law enforcement;
- Providing information about employees to those who require it in connection with services that they provide to it or we to them, or who do or may own the Company or who may need it in connection with the assumption by them of responsibility for any of its employees (e.g. in outsourcing arrangements);
- The prosecution or defence of any legal proceedings
- Information risk management
The data protection measures outlined in this policy are to be implemented through the following processes:
- Initial induction training for all staff;
- Regular refresher training for all staff, as required;
- Publication of data protection policy in the staff handbook and on the company intranet;
- Quarterly risk assessments as described below;
- In order to assess compliance and effectiveness, the Company will conduct a quarterly risk assessment to assure the confidentiality, integrity and availability of information.
All staff should be aware that failure to apply this data handling procedure is a serious matter, and in some situations amounts to gross misconduct.
The company actively encourages whistle-blowing so that staff can raise concerns with their team leader or managing director should they believe that the correct procedures are not being followed.
Definition of protected personal data
As a minimum, personal data includes all data falling into either category A or B below:-
A: Any information that links one or more identifiable living person with private information about them.
There should be protection for a data set that includes:-
- One or more of the pieces of information through which an individual may be identified (name, address, telephone number, driving licence number, date of birth, photograph etc.), combined with;
- Information about that individual whose release could case harm or distress, including:-
- DNA or finger prints;
- Bank/financial/credit card details;
- National Insurance number;
- Passport number/information on immigration status;
- Travel details (for example at immigration control, or Oyster records);
- Tax, benefit or pension records;
- Place of work;
- School attendance/records;
- Conviction/prison/court records/evidence;
- Groups/affiliations/political or other sensitive personal data as defined by the Data Protection Action (Section 2)
Note: this is not an exhaustive list.
B: Any source of information about 1,000 identifiable individuals or more, other than information sources from the public domain.
Note that this is a minimum standard. Information on smaller numbers of individuals may justify protection because of the nature of the individuals, source of the information, or extent of information.
The way in which we collect your data will depend on how it comes into our organisation.
This will be
• as a result of you registering with us via our website at www.adventostaffing.com
(the "Site"); or
• as a result of you responding to an advertisement posted by us on a job board, online CV library or via social media; or
• as a result of us matching your CV, as uploaded by you onto a job board, online CV library or a social media site, to a vacancy we are seeking to fill for one of our clients; or
• as a result of a personal recommendation; or
• from a company website; or
• from your business card; or
• in the course of us providing permanent and/or temporary recruitment and resourcing services; and/or consultancy services or services involving the subcontracting of statements of work, to you ("Services")
where "you" are a candidate, consultant, client contact or contact at any other organisation involved in the introduction and/or supply of a candidate's or consultant's services, such as a contact at a recruitment process outsourcing company, consultancy company, personal service company or umbrella company.
References in this policy to:
• "hirer" and "client" mean any hiring organisation to which we offer and/or provide recruitment, resourcing and/or consultancy services;
• "client contact" means a hiring manager or procurer/recipient of consultancy services at a client;
• "candidate" means a potential or actual candidate for a role with a client;
• "consultant" means a person whose services are supplied via Advento Staffing Ltd to work on temporary assignment with a hirer, or, in the case of a consultancy supply, any consultant assigned by the relevant consultancy to work on the consultancy services.
It does not cover any use of your personal information by:
• an actual or potential employer or hirer;
• an umbrella company; or
• any other organisation involved in the supply of your services or consultancy via us to a hirer,
We respect your right to privacy. Our overall aim is to ensure that our collection and use of personal information is appropriate to the provision of services to you and is in accordance with applicable data protection laws.
• The personal information we collect about you
• How we use your personal information and our lawful bases for processing your personal data
• Anonymous data
• How we share your personal information and who we share it with
• International transfers
• How long do we keep your information?
• Third party sites
• Your Security rights
• Rights to your information
• Third party sites
• Complaints, questions and suggestions
- What do Advento Staffing do?
We provide recruitment and consultancy services to candidates and consultants to help them find roles, specialising in the fields of technology, digital and change. We do this through assessing and matching people with potential opportunities.
We work with clients to provide recruitment and consultancy services to help them fill requirements for specialist skills and consultancy.
- The personal information we collect about you
Candidates and Consultants: the personal information we collect about you where "you" are a candidate or placed consultant.
Advento Staffing aims to collect the minimum data it needs to perform its role. Typically, this is name, address, job title and contact details. In addition, if you are a candidate or consultant being considered for a role it will also include your CV / resume as well as other details about your skills and experience.
• you access and browse the Site (including when you submit personal information to us through data entry fields on the Site); or
• you respond to an advert posted by us whether via a job board, LinkedIn or other social networking site; or
• we download details uploaded by you onto a job board, LinkedIn or other social networking site in relation to a vacancy we are seeking to fill for one of our clients; or
• we download details uploaded by you onto a job board, LinkedIn or other social networking site in connection with our internal market research ; or
• you contact us by phone, email or otherwise; or
• we provide Services to you or to an actual or a potential hirer of your services; or
• we contact you with a view to providing Services to you; or
• we provide on-boarding services to a hirer of your services,
we will usually collect the following information from or about you:
• phone and e-mail details;
• your bank details
• a copy of your passport details including your passport photograph;
• your current and previous employment/work details, including job title and employer;
• any professional certifications relevant to the role you seek to work in, education and qualifications, skills, career history, salary/fee range, right to work status, citizenship, and any other information relevant or required by law to enable us to provide the Services;
• any other information which you include in your CV or a completed application form;
• any information which has been published or made available on a social media profile or job board (whether by you or a third party), or in any news media;
• details of your umbrella company or personal service company;
• the contract for services we hold with your umbrella company or personal service company relating to the work you do or will do for our client, including timesheet data and charge rates relating to the work you perform under that contract;
• details of your referees and emergency contacts;
• references from third parties such as previous employers and nominated referees;
• the results of pre-employment screening or vetting checks which we are asked or required to undertake in relation to you (including the results of any Disclosure and Barring checks and any information you provide relating to current and/or spent criminal convictions carried out on behalf of the client during the on boarding process);
• any e mail communications, including attachments, which you send to us;
• the results of any right to work checks we are required to carry out by our client.
You can update your CV or personal data at any time by forwarding a copy to email@example.com
Referees and emergency contacts: the personal information we collect about you where "you" are a referee or emergency contact. We collect basic contact details (such as name, title, address, email and telephone number) so that we can contact you for a reference or as an emergency contact for one of our candidates/consultants.
Client contacts: the personal information we collect about you where "you" are a contact at one of our clients or at an MSP, umbrella company or personal service company involved in the supply of a person's services to a hirer.
We need to collect information about you as an essential part of providing our Services when:
• we contact you with a view to providing Services to you; or
• you email us expressing an interest in working with us;
• you provide us with your business card or other information provided to us, given to our employees at sales and marketing events;
• you post information or advertisements on job boards or social media websites;
• we provide Services to you as an actual or a potential hirer of your services; or
• we complete contractual documentation relevant to the Services, we will usually collect the following information from or about you:
• your name;
• your postal address;
• your phone and e-mail details;
• details of your role, title and responsibilities within your organisation;
where "you" are a client contact:
- any opinion or feedback you share with us regarding a candidate or consultant;
- details of any queries you raise with us regarding the Services;
- details of any recruitment, resourcing or consultancy requirements or plans you share with us.
At some times we regard you as a candidate and at some times as a client. Where this is the case please read the sections below relating to candidates and client contacts and how we will use your personal information.
- How we use your personal information and our lawful basis for processing your personal data
Candidates and consultants:
We collect, store and use information that we obtain in relation to you for our legitimate interests:
- so that we can contact you (via email, SMS or phone) about opportunities and assignments that we believe you will be interested in;
• to help us to provide suitable candidates and consultants for our clients who engage us to assist them fulfil their recruitment and resourcing requirements;
• to provide a channel through which you can submit your CV for general applications, to apply for specific jobs or to subscribe to our job alerts;
• to match your details with vacancies, to assist us in finding a position that is most suitable for you and to send your information to clients for potential jobs. Please note that we will always obtain verbal or written consent before
presenting your personal details to a client;
• to enter into contracts which are necessary in order for your service to be supplies or made available to a hirer;
• to provide recruitment-related support;
• to carry out market research for our internal use;
• to develop an industry-relevant database of candidates and clients to help meet our clients' resourcing requirements and connect candidates with work opportunities;
• for internal record keeping purposes;
• to carry out services that we, you or our client have requested including work-related references, qualifications and criminal references checking services, verification of the details you have provided from third party sources, psychometric evaluations or skills tests;
• to inform you of Advento [networking and other career-development related] events.
This storage and use of your personal information allows you to be contacted about roles which we think will be of interest to you, now or in the future, and we do not believe that this storage and use will unduly prejudice your rights or freedoms.
We will store and use your personal information in order to comply with relevant legal obligations to which Advento Staffing is subject, including carrying out:
• verification of your identity to comply with The Conduct of Employment Agencies and Employment Businesses Regulations 2003;
• right to work checks to comply with relevant immigration legislation;
Where you are successful in securing temporary assignment or consultancy work with one of our clients we will store and use your personal information for the purposes of completing and administering contracts with your chosen personal service company, umbrella company or consultancy company and for processing payment to such company in respect of services you (or your consultancy) have performed for our client. Such processing will be for our legitimate interests so that we can provide Services to you and our client. We do not believe that this storage and use of your personal information will unduly prejudice your rights or freedoms.
Such processing will also be necessary for the performance of a contract to which you are party (i.e. your contract with the company with whom you work to provide assignment/consultancy services) and/or in order to take steps prior to you entering into such contract, including contracts we enter into with the client relating to the provision of your services or consultancy services.
If our client requires us to collect, store and use your health data and/or any Disclosure and Baring Checks we will, on our client's behalf, seek your consent to processing such data. You can withdraw your consent at any stage but this may prevent us from being able to deliver our recruitment services to you.
Client contacts and other third parties involved in the supply of resourcing services (e.g. umbrella companies and personal service companies)
We collect, store and use your name and contact details for our legitimate interests, so that we can:
• send you the details of candidates and consultants and contact you about our services;
• maintain our business relationship with you.
This allows you to be contacted to receive and administer any Services which you or your organisation has requested.
In the case of contacts at umbrella companies and personal service companies this allows you to be contacted to receive details of current and future assignments, related timesheet data and payment details.
We do not believe that this storage and use of your personal information will unduly prejudice your rights or freedoms.
All users of the Site and our Services
We collect, store and use your personal information for the following purposes:
• to make the Site available to you; and
• to provide any Services that you request.
Sometimes, our use of your personal information is for purposes which are ancillary to the provision of the Site and then Services, or which are desirable in order to make them to operate more effectively. In those circumstances, we believe we have a legitimate interest in handling your personal information, and do not believe that this storage and use of your personal information will unduly prejudice your rights or freedoms.
The relevant circumstances are:
• detecting and preventing fraud;
• keeping our Site, apps, products and IT systems secure;
• ensuring that our own processes, procedures and systems are as efficient as possible;
• analysing and enhancing the information that we collect;
• determining the effectiveness of our promotional campaigns and advertising; and
In some, relatively limited, circumstances we need to handle your personal information in a certain way to be able to comply with our legal obligations. For example if we:
• are requested to disclose your personal information to regulatory bodies;
• need to demonstrate our compliance with applicable law;
• are subject to any enquiry from the Employment Agencies Standards Inspectorate or HMRC.
- Anonymous data
We collect anonymised details about visitors to our website for the purposes of aggregate statistics or reporting purposes. However, no single individual will be identifiable from the anonymised details we collect for these purposes.
- How we share your personal information and who we share it with
We will disclose information under the following circumstances:
• Service and Site usage information: When we share anonymous information generated by our Services with our clients. For example: average candidate salary for a specific skill set over the last 12 months.
• Third-party service providers: When we share information with third-party service companies for them to facilitate and support us in the provision of the Services. This includes:
o our IT support service providers;
o providers of credit reference, vetting and screening services;
o payment processors and software providers;
- Merger or acquisition: When we need to transfer information about you if we are acquired by or merged with another company. If we are involved in a merger, acquisition, or sale of all or a portion of its assets, you will be notified by email and/or a prominent notice on our Site of any change in ownership or uses of your personal information, as well as any choices you have regarding your personal information.
If we disclose personal data to a prospective purchaser of our business or any part of it we will ensure that your privacy is protected.
- Recruitment, resourcing and consultancy services: When we are using your personal information in the context of our recruitment, resourcing or consultancy services, then we will share your personal information with clients where we believe that you or your consultancy services will be appropriate for a particular role or vacancy with that client.
- Umbrella companies, personal service companies consultancy companies:When you inform us that you are supplying or intend to supply your services via Advento Staffing to a client through an umbrella company, personal service company or consultancy company.
- Recruitment Process Outsourcing and Managed Service Providers: In certain cases, there an organisation such as a managed service provider will act as a gateway for the supply of Services made via Advento Staffing to the hirer. Where this is the case, we will share your information with such organisations to the extent that it is necessary for the purposes of the supply.
Where personal information is shared with clients, hirers, umbrella companies, personal services companies or managed service providers in the circumstances described above, then those organisations will handle your personal information in line with their own privacy policies.
- International transfers
Data which we collect from you may be stored and processed in and transferred to countries outside of the European Economic Area (EEA). For example, this could occur if our servers are located in a country outside the EEA or one of our service providers is situated in a country outside the EEA. We also share information with our group companies, some of which are located outside the EEA. These countries may not have data protection laws equivalent to those in force in the EEA.
- How long do we keep your information for?
We will retain information about you for a period of up to 48 months from the date on which you last received contact from us.
We will delete it after that time except where we need to keep any personal information to comply with our legal obligations, resolve disputes, or enforce our agreements.
Cookies are files that are recorded in temporary Internet folders on your PC. They're a useful tool as, by recording the way you use our site, they enable us to get to know you better. For example, we’re able to recognise you when you return to the site, identify your preferences so as to provide you with a more personalised service and speed up searches that you conduct when visiting.
Further Detail on Cookies
Cookies are text files containing small amounts of information which are downloaded to your device when you visit a website. Cookies are then sent back to the originating website on each subsequent visit, or to another website that recognises that cookie. Cookies do lots of different jobs, like letting you navigate between pages efficiently remembering your preferences, and generally improve your web site experience. They can also help to ensure that adverts you see online are more relevant to you and your interests.
We can split cookies into 4 main categories:
Category 1: strictly necessary cookies
Category 2: performance cookies
Category 3: functionality cookies
Category 4: targeting cookies or advertising cookies
Category 1 - Strictly necessary cookies
These cookies are essential in order to enable you to move around the website and use its features, such as accessing secure areas of the website. Without these cookies services you have asked for, like register for job alerts, cannot be provided.
Please be aware our site uses this type of cookie
Category 2 - Performance cookies
These cookies collect information about how visitors use a website, for instance which pages visitors go to most often, and if they get error messages from web pages. These cookies don’t collect information that identifies a visitor. All information these cookies collect is aggregated and therefore anonymous. It is only used to improve how a website works.
By using our website and online services, you agree that we can place these types of cookies on your device.
Category 3 - Functionality cookies
These cookies allow the website to remember choices you make (such as your user name and password) and provide enhanced, more personal features. These cookies can also be used to remember changes you have made to text size, fonts and other parts of web pages that you can customise. They may also be used to provide services you have asked for such as watching a video or commenting on a blog. The information these cookies collect may be anonymous and they cannot track your browsing activity on other websites.
By using our website and online services, you agree that we can place these types of cookies on your device.
Category 4 - targeting cookies or advertising cookies
These cookies are used to deliver adverts more relevant to you and your interests. They are also used to limit the number of times you see an advertisement as well as help measure the effectiveness of the advertising campaign. They remember that you have visited a website and this information is shared with other organisations such as advertisers. Quite often targeting or advertising cookies will be linked to site functionality provided by the other organisations.
- Social Media
If you share our content through social media, for example by liking us on Facebook, following or tweeting about us on Twitter, those social networks will record that you have done so and may set a cookie for this purpose.
In some cases, where a page on our website includes content from a social network, such as a Twitter feed, or Facebook comments box, those services may set a cookie even where you do not click a button. As is the case for all cookies, we cannot access those set by social networks, just as those social networks cannot access cookies we set ourselves.
- Log Files
Our systems automatically gather some anonymous information about visitors, including IP addresses, browser type, language, and the times and dates of webpage visits. The data collected does not include personally information and is used, as described above, for statistical analysis, to understand user behaviour, and to administer the site.
- Google Analytics
Your information is held on servers hosted by us or our Internet Services Provider. The transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk.
- Your rights to your information
You have certain rights in relation to your personal information. If you would like further information in relation to these or would like to exercise any of them, please contact us at: firstname.lastname@example.org at any time. You have the right to request that we:
• update any of your personal information which is out of date or incorrect;
• delete any personal information which we are holding about you;
• restrict the way that we process your personal information;
• prevent the processing of your personal information for direct-marketing purposes;
• provide your personal information to a third-party provider of services;
• provide you with a copy of any personal information which we hold about you; or
• consider any valid objections which you have to our use of your personal information.
We will consider all such requests and provide our response within a reasonable period (and in any event within any time period required by applicable law). Please note, however, that certain personal information will be exempt from such requests in certain circumstances.
If an exception applies, we will tell you this when responding to your request. We may request you provide us with information necessary to confirm your identity before responding to any request you make.
You can request to unsubscribe from job alerts and marketing material at any time. If you wish to contact us with respect to the above matters please email us at email@example.com
- Third party sites
- Complaints, questions and suggestions
Advento Staffing tries to meet the highest standards when collecting and using personal information. We take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate.
If you wish to complain about this policy or any of the procedures set out in it, please contact us at: firstname.lastname@example.org
In the EEA, you can also make a complaint to our supervisory body for data protection matters (the Information Commissioner's Office in the UK) or seek a remedy through local courts if you believe your rights have been breached.
You can find details of how to do this on the ICO website at https://ico.org.uk/concerns/ or by calling their helpline on 0303 123 1113
- Marketing/Subscription Emails
Our Site operates a marketing / subscription-based email system, used to inform subscribers about information supplied by our Site. Users can subscribe through an online automated process should they wish to do so but do so at their own discretion. Some subscriptions will be manually processed through prior written agreement with the user.
Subscriptions are taken in compliance with UK Spam Laws detailed in the Privacy and Electronic Communications Regulations 2003. All personal details relating to subscriptions are held securely and in accordance with the GDPR.
Advento Staffing also processes your data when it is in our legitimate interests to do this and when these interests do not override your rights. Those legitimate interests include providing you with information on our services and events. Please see the section on 'Your Interest' for more information.
- Your Interests
When we process your personal information for our legitimate interests, we will consider and balance any potential impact on you and your rights under data protection and any other relevant law. Our legitimate business interests do not automatically override your interests – we will not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
Guy Morley, Managing Director, Advento Staffing Ltd