Adviza delivers services for young people and adults across the South of England including the Thames Valley, Berkshire, Buckinghamshire, Oxfordshire and the South West.

1. Purpose

The purpose of this policy is to explain our approach to ensuring we comply with the Data Protection Act 2018 (which incorporates the General Data Protection Regulations – UK-GDPR) when we are collecting, processing and storing personal data.

Adviza is committed to a policy of protecting the rights and privacy of individuals (including staff, clients and others) in accordance with all Data Protection laws [1], the Human Rights Act 1998, the Privacy and Electronic Communications (EC Directive) Regulations 2003 and the Common law of Confidentiality.

This policy ensures that Adviza, our employees, associates, volunteers and (where applicable) subcontractors:

  • Comply with Data Protection Law and follow good practice.
  • Protect the rights of all data subjects.
  • Are open and transparent about how we process personal data.
  • Protect ourselves from the risks of a data breach.

2. Scope

The policy applies to all Adviza personal data processing activities and to all staff, volunteers, associates and (where appropriate) subcontractors who process any personal data. Any breach of Data Protection Laws, other relevant law or the company’s policies is considered to be a disciplinary offence and in that event Adviza disciplinary procedures will apply.

As a matter of good practice, it is expected that other agencies and individuals who work with Adviza (and have access to personal data) will have read and will comply with this policy.

Adviza needs to process certain information about its staff, clients and other individuals it has dealings with for a range of purposes (e.g. to recruit and pay staff, to record progress and training) and to comply with contractual and legal obligations. Clients and staff have the right to confidentiality and therefore information that identifies individuals should be shared only when there are clear and valid reasons for doing so. Whether personal information is collected and used on paper or electronically, it must be processed in accordance with the law.

3. Key terms and definitions

The following terms are used in this document:

Caldicott Guardian – means a designated health or social care professional (usually a senior manager) responsible for ensuring that the (Caldicott) principles governing the sharing of patient-identifiable information are adhered to within their organisation.

Consent (of the data subject) – means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Criminal Offence Data – means personal data relating to criminal convictions and offences, or related security measures and includes data about criminal allegations, proceedings or convictions.

Data controller – means a ‘person’ who (either jointly or in common with other persons) determines the purposes for which and the manner in which any personal data is, or is to be processed.

Data processor – means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Data subject – any living individual who is the subject of personal data.

Gillick Competence – "whether or not a child is capable of giving the necessary consent will depend on the child’s maturity and understanding and the nature of the consent required. The child must be capable of making a reasonable assessment of the advantages and disadvantages of the treatment proposed, so the consent, if given, can be properly and fairly described as true consent." (Gillick v West Norfolk, 1984)

Personal data – means any information relating to an identified or identifiable natural person (data subject) directly or indirectly. This could include an identifier such as a name, identification number, location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

Processing – means any operation or set of operations which is performed on personal data (whether or not by automated means) such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, dissemination or otherwise making available, restriction, erasure or destruction.

Special Category Data – is broadly similar to the concept of sensitive personal data under the previous law. It includes an individual’s:

  • race;
  • ethnic origin;
  • politics;
  • religion;
  • trade union membership;
  • genetics;
  • biometrics (where used for ID purposes);
  • health;
  • sex life; or
  • sexual orientation.

4. Legal framework for data protection

Below is a brief summary of the laws relevant to the processing and sharing of personal information.

The Data Protection Act 2018 (Including General Data Protection Regulation – UK GDPR)

The Data Protection Act 2018 governs the protection and use of personal information identifying living individuals. The Act establishes data subjects’ rights in relation to the handling of their personal data by data controllers and data processors.

Data controllers and data processors must handle this information in accordance with standards in the Act known as the Data Protection Principles. These principles require data to be:

  • processed lawfully, fairly and in a transparent manner in relation to individuals;
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • accurate and, where necessary, kept up to date;
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

For more information see https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/principles/

These Data Protection Laws are regulated by the Information Commissioner, who has a role in promoting good practice and enforcing them by investigating breaches (for more information about the Act, see www.ico.org.uk).

The Data Protection Act provides the following rights for individuals (see https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/ for more details):

  • The right to be informed about the collection and use of their personal data, including the purposes for processing their personal data, retention periods for that personal data, and who it will be shared with. This is called “privacy information” and must be provided to individuals at the time we collect their personal data from them or within one month of obtaining personal data.
  • The right of access to their personal data (see below).
  • The right to have inaccurate personal data rectified, within one month of a valid request to do so.
  • The right to have personal data erased in certain circumstances (known as “the right to be forgotten”) within one month of a valid request to do so.
  • The right to restrict processing in certain circumstances within one month of a valid request to do so (after which the data can be stored but not otherwise be processed).
  • The right to data portability, which allows individuals to obtain and reuse their personal data for their own purposes across different services.
  • The right to object to:
      • processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
      • direct marketing (including profiling); and
      • processing for purposes of scientific/historical research and statistics.
  • Rights in relation to automated decision making and profiling (which does not apply to any of Adviza’s activities).
  • The right to complain to the Information Commissioner’s Office.

Under the Act, data controllers have a general obligation to implement technical and organisational measures to show that they have considered and integrated data protection into processing activities and that data is processed securely. This is known as “privacy by design”.

Common Law of Confidentiality

The common law of confidentiality provides a measure of protection for individuals against unauthorised disclosure of personal information.

Of importance is that, where information has been given to another on the understanding that it will remain confidential, this must be respected unless there is a substantial public interest which overrides this right to confidence.

Human Rights Act 1998

The Human Rights Act incorporated the European Convention on Human Rights into English law. It is unlawful for a public authority to act in a way that is incompatible with these rights. Of relevance is the right contained in Article 8 which states that:

1. Everyone has the right to respect for his private and family life, his home and his correspondence.

However, this right is not absolute. The second part of Article 8 recognises that the right to privacy must be balanced with other public interests. It is important, however, that any decision to override the right to privacy in the public interest must be proportionate to the aim.

Privacy and Electronic Communications (EC Directive) Regulations 2003

The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Laws. They give people specific privacy rights in relation to electronic communications and include specific rules on:

  • marketing calls, emails, texts and faxes;
  • cookies (and similar technologies);
  • keeping communications services secure; and
  • customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.

The Data Protection Laws still apply and the PECR just set out some extra rules for electronic communications but there are some differences and Adviza must make sure it complies with both. In particular, it’s important to realise that PECR apply even if we are not processing personal data. For example, many of the rules protect companies as well as individuals, and the marketing rules apply even if you cannot identify the person you are contacting.

PECR restrict unsolicited marketing by phone, fax, email, text, or other electronic message. There are different rules for different types of communication and the rules are generally stricter for marketing to individuals than for marketing to companies. Usually specific consent is needed to send unsolicited direct marketing. The best way to obtain a valid consent is to ask customers to tick opt-in boxes confirming they are happy to receive marketing calls, texts or emails from Adviza. The PECR are not covered further in this policy and more detail can be found at https://ico.org.uk/for-organisations/guide-to-pecr/.

5. Types of data retained and when it may be shared

There are three levels of information retained by Adviza:

1. Statistical information i.e. information from which the individual cannot be identified;

2. Basic personal information e.g. name, address, date of birth, telephone number and/or email address; and

3. Additional personal information

Statistical Information

Statistical information may be shared within Adviza and externally for the following purposes:
To provide management information in order to:

  • Monitor service delivery
  • Monitor outcomes and effectiveness of the service
  • Plan service delivery effectively
  • Provide partner agencies with the information to inform their planning and delivery of provision.

The sharing of this aggregate information may be undertaken without seeking consent as individuals cannot be identified from the information. Care must be taken not to identify individuals inadvertently i.e. where information is so specific that it becomes possible for someone to identify an individual through their circumstances or where an individual could be identified when combining the statistical information with other readily available information (e.g. using a pin map to identify teenage parents in a village or ward where there is only one teenage parent).

Basic Personal Details

The following basic personal details are retained by Adviza in order to identify and keep in touch with clients, staff and others who come into contact with Adviza:

  • First name(s) and surname
  • Date of birth
  • Address including postcode
  • Telephone number – at home and mobile (if available)
  • E-mail address (if available)
  • Social media contact details.

This personal information may need to be shared with other agencies where Adviza needs to work with these agencies on the client’s behalf to provide the full range of services to address that person’s needs. Basic information will be shared immediately with the other agency to ensure that all agencies involved are talking about the same person. The data subject must be informed of the sharing of basic information and, in most cases, a formal agreement must be in place with the other agency.

Additional Personal Information

Other personal information may be recorded which the data subject has shared with his/her Adviser. This may include (but is not limited to) the following, depending on the requirements of the service/purpose for data processing in question:

  • A record of assessments
  • Action plans or development plans
  • Gender
  • Ethnicity
  • Relevant health information
  • Special educational needs statement or Education Health & Care Plan (EHCP) where appropriate
  • Information regarding Special Educational Needs and Disabilities (SEND)
  • Current status (e.g. in learning, self-employed, retired, unemployed, on apprenticeship, not known)
  • Name of adviser
  • Date and type of contact e.g. guidance interview, telephone, email, group session
  • Names of persons in contact with the person, organisation and contact details. (Subject to written consent where required, in cases where sensitive information may be disclosed relating to a type of organisation, such as if a person is referred to a Drug Action Team or Youth Offending Team, or is in the care of Social Services.)

This information is kept so that Adviza can make sure that it provides appropriate support to the client. This information may also include “special category data” as defined above.

This additional personal information may be shared with other organisations to help the person progress. This information will only be shared where there is a lawful basis for doing so and usually with the person’s consent (see below).

6. Lawful basis for processing

Under the Data Protection Act a data controller must have at least one valid lawful basis in order to process personal data. There are six lawful bases for processing and no single basis is ‘better’ or more important than the others – which basis is most appropriate to use will depend on the purpose of processing the personal data and relationship with the individual. The lawful basis for processing personal data also has an effect on the data subject’s rights (see below).

The six lawful bases are:

1. Consent: the individual has given clear consent for us to process their personal data for a specific purpose
2. Contract: the processing is necessary for a contract we have with the individual, or because they have asked us to take specific steps before entering into a contract
3. Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations)
4. Vital interests: the processing is necessary to protect someone’s life
5. Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law
6. Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

Most lawful bases require that processing is ‘necessary’ (i.e. if the data controller can reasonably achieve the same purpose without the processing, then there is no lawful basis for processing and the data must not be collected and processed).

Adviza has prepared an audit of the personal data it processes that records the lawful basis for processing in each instance. When personal data not already included in the audit is proposed to be collected and processed, Adviza will determine the lawful basis before beginning processing, and document it in the data audit.

The lawful basis for processing can also affect which rights are available to individuals. For example, some rights will not apply:

However, an individual always has the right to object to processing for the purposes of direct marketing, whatever lawful basis applies.

Adviza’s privacy notices (see below) will include the lawful basis for processing as well as the purposes of the processing.

Adviza will only process special category data after identifying both a lawful basis for general processing and an additional condition for processing this type of data (an Article 9 condition). The available conditions for processing special category data are (in broad terms - see https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/special-category-data/ for more details):

a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes;

b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law … providing for appropriate safeguards for the fundamental rights and the interests of the data subject;

c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;

e) processing relates to personal data which are manifestly made public by the data subject;

f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;

g) processing is necessary for reasons of substantial public interest, on the basis of the law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of the law or pursuant to contract with a health professional;

i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of the law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;

j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes based on the law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Adviza will only process criminal conviction data or data about offences after having satisfied itself that there is both a lawful basis for general processing and that the following additional condition for processing this type of data will be met (the Article 10 condition - see https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/criminal-offence-data/).

7. Data processors

Whenever a controller uses a processor it needs to have a written contract in place. The contract is important so that both parties understand their responsibilities and liabilities. The Data Protection Act sets out what needs to be included in the contract, including:

  • The subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subject, and the obligations and rights of the controller.
  • Contracts must also include as a minimum the following terms, requiring the processor to:
      • only act on the written instructions of the controller;
      • ensure that people processing the data are subject to a duty of confidence;
      • take appropriate measures to ensure the security of processing;
      • only engage sub-processors with the prior consent of the controller and under a written contract;
      • assist the controller in providing subject access and allowing data subjects to exercise their rights under the Act;
      • assist the controller in meeting its obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
      • delete or return all personal data to the controller as requested at the end of the contract; and
      • submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their obligations, and tell the controller immediately if it is asked to do something infringing the Act or other data protection law or the laws of another jurisdiction where data may be processed.

Processors must only act on the documented instructions of a controller. They will however have some direct responsibilities under the Act and may be subject to fines or other sanctions if they don’t comply.

This applies to all Adviza’s data processors including subcontractors, associates, service providers (e.g. payroll, databases, IT services etc.). An appropriate data processing agreement must be in place before Adviza shares any personal data with anyone who will be acting as a data processor. Where Adviza is the data processor and another organisation (such as a commissioner) is the data controller, the consent of the controller must be obtained before a sub-processor can be engaged and a similar contract must be in place between Adviza and the sub-processor.

Further details on the specific processing activities and the systems and suppliers Adviza uses can be found in Appendices A-E of this document.

8. Policies for information processing and sharing

Consent

Consent is a very important element of developing trust in working relationships with clients. Equally, we recognise that we often won’t need consent to process personal data because we have a different lawful basis.

Where consent is required, we recognise that the Act sets a high standard for consent and that consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance our reputation. Under the Act, consent requires a positive opt-in and the data subject has the right to withdraw that consent. Therefore, Adviza will not use pre-ticked boxes or any other method of default consent and consent requests will be separate from other terms and conditions.

When seeking consent, we will:

  • Use clear, plain language that is easy to understand.
  • Be specific and detailed so that we get separate consent for separate things.
  • Name our organisation and any third-party controllers who will rely on the consent.
  • Make it easy for people to withdraw consent and tell them how.
  • Keep evidence of consent – who, when, how, and what we told the data subject.
  • Keep consents under review, and refresh them if anything changes.
  • Avoid making consent to processing a precondition of a service.

We will not seek consent from staff and volunteers for processing their personal data, instead relying on contractual obligations, legal obligations and the legitimate interests of Adviza, the data subject and third parties (e.g. government agencies) as lawful bases for processing this information.

Confidentiality

Information sharing can take place without the consent of the data subject, i.e. where there is another lawful basis for doing so. In all cases, we will ensure that information sharing is reasonable and expected by the data subject, making it clear in the privacy notice (or request for consent) why the information is being shared and who is involved. In general, we will only share additional personal data (see above), particularly special category or confidential information (i.e. where we explicitly offer a confidential service to clients), with the data subject’s consent, unless there is a legal or contractual obligation for us to do so.

Relevant age for providing consent to information sharing

Under the Data Protection Laws only children aged over 13 can make their own decisions about their information, unless there is a reason to suggest otherwise. For children under that age consent must be obtained by their parent/legal guardian and, if consent is obtained from children online, age verification measures must be in place.

Staff will need to use their professional judgement to decide if a client above the legal minimum age is competent to make their own decisions. When it comes to young people, staff should work in line with what is known as the ‘Gillick Ruling’ (see key terms for further information).

Refusal of consent

If a client refuses to share sensitive information with another agency then this should be noted on the client record and that information must not be shared unless any of the conditions in the next section apply.

Withdrawing consent

We will ensure that it is as easy for a data subject to withdraw their consent as it was for them to give it, for example having a prominent statement on the same web-page as that used to gain consent in the first place.

Disclosing information without consent

Personal information should only be disclosed for the purposes identified in this section and in accordance with what the individual has been told. There are exceptions if the information is required for the following purposes:

  • Where there are child protection/safeguarding issues involved;
  • Where there is a significant threat to life;
  • Where the client needs urgent medical treatment;
  • Where terrorism is a concern;
  • Where the disclosure is necessary for the prevention of crime, the apprehension or prosecution of offenders, or the assessment or collection of any tax or duty or of any imposition of a similar nature;
  • The disclosure consists of information which is required by law to be made publicly available;
  • The disclosure is required by law or by order of the court; or
  • The disclosure is made in connection with legal proceedings.

These limits to confidentiality should be made clear to the client at the earliest opportunity and, where confidentiality has to be broken, staff should seek to ensure that the client is informed first or as soon as possible afterwards (unless they have been instructed otherwise by an appropriate authority, e.g. the Police).

Further sharing of personal data

The second principle of the Data Protection Act states that personal data shall be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes”.

The purpose for sharing data under this policy should be compatible with the provision of Adviza Services. That is, Adviza and its partner agencies can only share information relevant to the services provided for clients, e.g. around their training or support in career progression. Where it is proposed to share data for a non-compatible purpose, it is the obligation of Adviza and its partner agencies to seek consent from the client for the secondary use of the personal data.

When data is being shared with partner agencies for purposes compatible with the provision of Adviza’s services on a regular and systematic basis, Adviza will complete appropriate data sharing/processing agreements with those agencies. This will also be pursued as best practice where such data sharing is only on an ad hoc basis, recognising that there may be circumstances (e.g. urgency) where this is not possible.

Minimal identifiable information

The third principle of Data Protection states that “personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.” It is therefore essential that the data collected by Adviza and its partner agencies that is shared with other parties is the minimum identifiable information necessary for the purpose of providing appropriate Adviza services to the client.

Accuracy of the data

It is the responsibility of Adviza and its partner agencies to ensure and maintain the accuracy of personal information they share with other organisations under this policy. Where an organisation becomes aware that information they have provided may be inaccurate, they must take steps to inform all partner agencies of the updated data. Information discovered to be inaccurate must be notified to the originating organisation.

Where a data subject has requested inaccurate personal data to be rectified, or completed if it is incomplete, we will ensure we do so, free of charge, within one month of a valid request to do so. We will only refuse to comply with a request for rectification if the request is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature, and we will give our justification (ensuring that we notify the individual within one month of receiving their request). In some such cases we may, instead of refusing the request, charge a "reasonable fee" to deal with the request based on the administrative costs of complying with the request (ensuring that we notify the individual within one month of receiving their request).

Right to be forgotten

Under the Data Protection Act individuals have the right to request that their personal data is erased. The right is not absolute and only applies in certain circumstances. The right to erasure does not apply in a range of other circumstances (see https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/ for more detail).

Adviza will comply, free of charge, with any valid request to erase a data subject’s personal data within 1 month of receipt of the request and inform all third parties to whom the data has been disclosed, asking them to do likewise.

We will only refuse to comply with a request for erasure if the request is manifestly unfounded or excessive, and we will give our justification (ensuring that we notify the individual within one month of receiving their request). In some such cases we may, instead of refusing the request, charge a "reasonable fee" to deal with the request based on the administrative costs of complying with the request (ensuring that we notify the individual within one month of receiving their request).

Right to restrict processing

Under the Data Protection Act individuals have the right to request the restriction or suppression of their personal data. The right is not absolute and only applies in certain circumstances. The right to restriction does not apply in a range of other circumstances (see https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-restrict-processing/ for more detail).

Adviza will comply (i.e. store but not process data), free of charge, with any valid request to restrict processing of a data subject’s personal data within 1 month of receipt of the request and inform all third-parties to whom the data has been disclosed, asking them to do likewise.

We will only refuse to comply with a request for restriction if the request is manifestly unfounded or excessive, giving our justification (ensuring that we notify the individual within one month of receiving their request). In some such cases we may, instead of refusing the request, charge a "reasonable fee" to deal with the request based on the administrative costs of complying with the request (ensuring that we notify the individual within one month of receiving their request).

Right to portability

The Act introduces a right for individuals to obtain and reuse their personal data for their own purposes across different services. The right is not absolute and only applies in certain circumstances. The right to portability does not apply in a range of other circumstances (see https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-restrict-processing/ for more detail).

Adviza will comply, free of charge, with any valid request to provide personal data under this right within 1 month of receipt of the request, or explain why we are not doing so, informing the data subject of their right to complain to the Information Commissioner’s Office and to judicial remedy.

Right to object

The Act introduces a right for individuals to object to:

  • processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
  • direct marketing (including profiling); and
  • processing for purposes of scientific/historical research and statistics.

Adviza will offer a way for individuals to object online and stop processing the personal data if such an objection is received unless:

  • we can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or
  • the processing is for the establishment, exercise or defence of legal claims; or
  • we are conducting research where the processing of personal data is necessary for the performance of a public interest task.

We will always stop processing personal data for direct marketing purposes as soon as we receive an objection. There are no exemptions or grounds to refuse.

For more detail see https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-object/.

Security of Personal Information

The sixth principle of Data Protection requires that appropriate measures should be in place to protect the personal information from unauthorised access, unlawful processing, or accidental loss, damage or destruction. Our IT Policy (IT3) provides specific details on our approach to data security, together with the specifications of our suppliers (e.g. database suppliers) and our security accreditations (i.e. Cyber Essentials).

Adviza and its partner agencies are responsible for the security of information we hold. We and each partner agency must take all reasonable care and employ appropriate physical, technical and organisational safeguards to protect the personal data under this data protection policy. Partner agencies must agree on the standards required for protecting the data, for example, the storage safeguards for information in hardcopy and electronic format, security of data in transmission and security standards for access to the data. As a minimum, partner agencies should only allow direct access to their database to staff that have password access to the system. Paper records should be located in a secure, non-portable filing system that is not accessible to the public and can be locked when not in use. Higher safeguards will be required where the personal data is of a sensitive nature.

Adviza employees all deal on a daily basis with other people’s personal data and have an absolute responsibility to keep this information as safe and secure as possible. This care must be exercised whether staff are working in the office, travelling, attending external meetings or working in schools, job centres etc., when particular extra vigilance is required. Appropriate training on Data Protection will be provided to all Adviza staff and associates.

From time to time Adviza may commission consultants to undertake research aimed at informing the development of the Adviza service. In addition, Adviza often uses sub-contractors to deliver services. When contracting with consultants or sub-contractors, contracts should specify that all client information used will remain the property of Adviza and that during the course of the research/delivery of service, consultants and sub-contractors will abide by the Adviza data protection policy.

Storing paper documents

Paper records must only be kept for as long as necessary and shredded for disposal thereafter (with appropriate records kept of all such disposals). In public areas paper documents should not be left out unattended and should be kept in locked storage when not in use or overnight. Documentation including personal data should be kept in locked cabinets certified to SEAP class 2.

What kinds of data are especially sensitive?

All information about identifiable individuals is subject to the Data Protection Laws. However, extra care should be taken with the following types of personal data:

  • Data which is classed as ‘special category data’ or ‘criminal conviction data’ under the GDPR and other Data Protection Laws.
  • Large amounts of personal data - for example a database containing 1,000 or more entries. This could have a more serious impact if accidentally lost.
  • Information which is more likely to cause distress to an individual if it is accidentally lost - for example, information about someone’s personal circumstances.

Almost all information provided by Adviza or relating to Adviza clients would fall into this category.

Recognising this, Adviza has conducted, and will maintain, a Data Protection Impact Assessment in respect of all ‘special category data’ or ‘criminal conviction data’ it holds. Data Protection Impact Assessments will be carried out in all other circumstances required by the Data Protection Laws (see https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/).

What are the implications if personal data is accidentally lost?

Data losses of any scale must initially be reported through the line management structure. Any incidents involving the loss of data must also be notified to the Head of Information Systems or another member of the Senior Leadership Team. If personal data is transported between centres, from work to home or to other locations, there is inevitably an extra degree of risk that the information will accidentally be lost. This applies whether the information is in paper form, on a memory stick, or a laptop, and even if passwords are used to protect documents. Therefore, such physical transportation of data should not take place unless absolutely unavoidable.

If personal data is lost, there could be the following implications:

  • The data could be found and read by someone outside Adviza. This would be an ‘unauthorised disclosure’ of personal data and a breach of the Data Protection Laws. Such a loss may also cause distress to the subjects of the data and in some cases may even put them at risk.
  • Unless the breach is “unlikely to result in a risk for the rights and freedoms of data subjects”, Adviza must report the loss to the Information Commissioner within 72 hours if feasible (and if not a justification must be provided).
  • Any breach of personal data for which Adviza is a data processor must be notified to the controller without undue delay after becoming aware of the breach.
  • We could face enforcement action (including hefty fines) by the Information Commissioner, the details of which will be made public. This has already happened to a number of organisations including Government departments, NHS Trusts and a number of charities. This will inevitably lead to bad publicity and damage to Adviza’s reputation.
  • Individual staff can also be liable for breaches of the Data Protection Laws, as well as Adviza itself.
  • Mitigating actions are likely to be required to recover the data and/or minimise its impact on the data subject.
  • Where there is a high risk to the rights and freedoms of the data subject, the controller (usually Adviza) must communicate the breach to the data subject without undue delay.

Our Security Incident Policy (SIP1) provides specific details on our approach to data breaches.

Guidance for handling personal data when based in an Adviza office

Accessing and personal data within the Adviza environment carries less risk than transporting data externally but care must still be taken to protect information.

  • It is safer to view information electronically rather than print it out and data must always be saved to the network rather than to a local disk.
  • Printed material must only be kept for as long as necessary and shredded for disposal. In public areas it should not be left out unattended and should be kept in locked storage overnight or when not in use, in locked cabinets certified to SEAP class 2.
  • In public areas, extra care must be taken to ensure that personal information, either on a screen or in paper form, is not visible to visitors.
  • Notes made in diaries or notebooks about clients and their personal details, or notes documenting meetings with or about clients, should be transferred to the database or a secure filing system as soon as possible. The original notes should be destroyed.

Scanning and storing hard copy documents.

When receiving documents from another agency or creating a written document from a template, scan the document and copy it into the database within the record. Delete the scanned version that sits on your PC/laptop and/or within Citrix. This method should be appropriate for the majority of hard copy documents received or generated.

A few documents may contain very sensitive data which is not appropriate to put onto the database. These documents must be kept safe within a locked cabinet in an appropriate Adviza Centre. These documents should be reference material to enable you to provide appropriate actions and support to the client concerned. There should be no need to transport these documents.

Guidance for transporting personal data

Adviza accepts that it is impossible to eliminate the transport of all personal data, but by following the guidance in this checklist it should be possible to reduce it to a minimum:

  • Ask yourself if it is really necessary to carry personal data. If it is unavoidable it is safer to carry information on an Adviza laptop (which is encrypted and secure) than in paper form or on a memory stick.
  • If you need to carry paper data to another work centre or for a meeting, only take the documents you need.
  • All documents should be in a folder so that individual pieces cannot get dropped inadvertently, and carry the folders in a briefcase or bag.
  • When travelling by car, store the document folder(s) and/or laptop in the boot of the car so that they are out of sight. It is obvious laptops are targets for burglary, but so are briefcases/bags/folders as they could contain credit cards etc.
  • When travelling, try to keep the information with you at all times rather than leaving it in a car or otherwise unattended.

Client’s access to their information

Under the Act, data subjects have rights to have access to personal information about them held by any organisation.

These requests – “subject access requests” (SAR) – must be fulfilled within 1 calendar month and no charge can be made for providing the data (unless the request is manifestly unfounded or excessive, particularly if it is repetitive, in which case a reasonable fee can be charged based on the administrative cost of providing the information and justification must be provided).

Each partner agency has responsibility for ensuring that data subjects are informed that they have the right to see a copy of the information it holds and are provided with access to personal information held about them in accordance with the requirements of the Data Protection Laws.

If a client requests to see their records, they can either be provided with a printed version or be shown them on screen.

This does not have to be immediate but must be provided within 1 calendar month.

Retention of personal data

The fifth principle of Data Protection requires that personal data should be kept only in “a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the Act in order to safeguard the rights and freedoms of individuals.”
Paper records will be disposed of in such a way that they cannot be identified (e.g., by use of a shredding machine).

Electronic records and any back up files will be electronically deleted from the hard drive of the computer system. Adviza annually archives and deletes client records from the databases we use, in accordance with the company’s data retention schedule (included in the data audit). Partner agencies will take responsibility for secure destruction of personal data.

Further details on our approach to document retention and archiving are provided in our Archive and Document Retention Policy (DR01).

Recording of information for a named individual

When information is received from a source other than directly from the client the source must be recorded and the data subject informed that Adviza is processing their personal data (if they have not already been so informed).

All requests for information and disclosures must be recorded. The log of shared data is held by the system administrator.

Recording of information in bulk from another organisation

All requests for information in bulk and disclosures in bulk must be recorded in the log held by the data controller.
This is to ensure there is an audit trail for data emanating from another organisation.

9. Further obligations

Data Protection Officer

Adviza has appointed a Data Protection Officer. This is part of the remit of the post of Head of Information Systems.

Registration with the Information Commissioner’s Office

Adviza completes a Notification to the Office of the Information Commissioner as required under the Data Protection Laws, on an annual basis.

Staff obligations

It is the responsibility of all staff who have authorised access to the data covered by this policy to be aware of their obligations to safeguard that information under the Data Protection Laws and related legislation. Staff should be aware that any breach of this policy could be a matter for disciplinary action, and that it may provide grounds for a complaint under the Data Protection Laws against them, which may result in criminal or civil action against them.

Complaints procedures

Adviza has a clear and transparent complaints procedure. If any data subject is unhappy about how information held about them has been shared, they should make a formal complaint to the Adviza Data Protection Officer in the first instance, and then the Information Commissioner.

10. Review of the policy

This policy will be reviewed annually. However, such reviews will not prevent ongoing continuous improvement.

11. Contact for the policy

For all enquiries regarding this policy, please contact:
Data Protection Officer, Adviza, 11th Floor, Ocean House, the Ring, Bracknell, Berkshire RG12 1AX.

[1] In this policy Data Protection Laws means the Data Protection Act 2018, incorporating the General Data Protection Regulation (UK - GDPR) and any national implementing laws, regulations and secondary legislation, any successor legislation to the Data Protection Act 2018.

Appendix A: People who use Adviza services

What information do we collect?

Adviza offers a wide range of services to specific client groups and the public. We have to hold the details of the people who have requested a service in order to provide it. However, we only use these details to provide the service the person has requested and for other closely related purposes (for example, we might use information to find out if a client is happy with the level of service they received). These details can include (depending on the specific service in question):

  • Identity data: first name, last name, date of birth, age, gender
  • Contact details: email address, telephone number, address
  • Usage data: information about how you use our services and website
  • Special category data: ethnicity, health (we only collect and process special category data where we have a lawful basis for doing so).

Adviza has a legitimate purpose in requesting that you provide equal opportunities information. It will greatly assist us in monitoring equality of opportunity if you can provide this information. Our aim is to ensure that no one experiences disadvantage because of individual characteristics or circumstances. If you object to providing a response to a particular equal opportunities question for any reason, you can state 'I do not wish to declare'. This will not affect your access to the service.

This information will only be made available to staff and third parties (such as funders) who need it to monitor our equal opportunities compliance. Any information you provide that is not required to deliver the service will be used only to produce and monitor equal opportunities statistics. Equal opportunities information may include:

1. Age
2. Sex
3. Race
4. Disability
5. Pregnancy
6. Marital status
7. Sexual orientation
8. Gender reassignment
9. Religious background

Your personal information will generally be retained only for as long as we have a lawful basis for processing. This will vary depending on the service we provide to you and will range from months to years in accordance with our Document Retention Policy (available on request) and where we are required to do so by funders’ requirements or the law.

What is the legal basis for processing your personal data?

A significant number of our services are provided under contracts or funding agreements from statutory authorities, such as local authorities and government departments and agencies. In these cases, the main legal basis for processing personal data is that it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Adviza. In some cases, Adviza will be processing personal data as a data processor and in others as a data controller (and sometimes as both).

In most other cases, we will be processing your personal data to fulfil our contractual, or other obligations to you (the latter being in your and our legitimate interest) or to fulfil our legal obligations. Where safeguarding considerations apply, we may also be processing your personal data in your vital interests.

Where none of these lawful bases for processing apply and for most processing of Special Category data (i.e. sensitive data such as information about race, ethnic origin, politics, religion, trade union membership, health, sex life or sexual orientation) we will only process your personal data with your explicit, specific, informed and freely given consent (or for clients aged under 13 with the consent of a parent/guardian). Consent can be withdrawn at any time and we will ensure you are given an easy way of doing this or you can email our Data Protection Officer at [email protected] to withdraw your consent.

In some cases, we will process Special Category data:

  • for the purposes of employment, social security and social protection law;
  • to protect your vital interests where you are physically or legally incapable of giving consent;
  • for the establishment, exercise or defence of legal claims; or
  • for the purposes of preventive or occupational health, the assessment of the working capacity of an employee, medical diagnosis or the provision of health or social care or treatment.

Any processing of personal data relating to criminal convictions and offences will only be carried out under the control of official authority or when the processing is authorised by law.

People who use our Webchat services

We use a third-party provider, LivePerson, to supply and support our Webchat services, which we use to handle customer enquiries in real time. LivePerson’s privacy policy is available at: https://www.liveperson.com/policies/privacy.

If you use Webchat we will collect your name, email address (optional) and the contents of your Webchat session. This information will generally be retained for 2 years but may be retained for longer in accordance with our Document Retention Policy (available on request) where we are required to do so by funders’ requirements or the law. It will not be shared with any other organisations other than as specified in this Privacy Notice.

You can request a transcript of your Webchat session if you provide your email address at the start of your session or when prompted at the end.

Sharing with Public Authorities

We share personal data with public authorities or those exercising authority on their behalf, when required to do so by law or contractual obligations to them, usually in their capacity as Data Controller or to enable them to exercise their statutory duties. Such authorities include the Education and Skills Funding Agency, the Department for Work and Pensions, Schools or a Local Authority. You will be notified of any public authorities with whom we may share your personal data when you first engage with any of our services to which this applies.

All such authorities with whom we share personal data process that data in accordance with their own Privacy Notices, which they will issue to you when required to do so.

Use of data processors

The main data processors engaged in processing personal data on our behalf for this category of data subject are:

Cognisoft (YETI)

Cognisoft provide secure database services for us. The database they provide is called YETI and is used to record, store and analyse the personal data we process in connection with the delivery of the National Careers Service. Cognisoft’s Privacy Notice is available at https://www.cognisoft.co.uk/about_cognisoft/privacy/ 

Cvision (IYSS)

Cvision provide secure database services for us. The database they provide is called IYSS and is used to record, store and analyse the personal data we process in connection with the delivery of information, advice and guidance services to young people. Cvision’s Privacy Notice is available at http://cvision.ltd/privacy-policy/ 

Salesforce

Salesforce provide secure database services for us. The database they provide is used to record, store and analyse the personal data we process in connection with the delivery of counselling services. Salesforce’s Privacy Notice is available at https://www.salesforce.com/uk/company/privacy/

Morrisby Careers Guidance Platform

After either completing a series of questions online or a paper version, the information gathered is analysed against hundreds of possible career options. A report is generated and this information is analysed and forms part of a discussion with you around next steps and options. Your answers to the questions are recorded and stored by Morrisby (whose Privacy Notice is available at https://www.morrisby.com/privacy) and supplied to us.

Subcontractors

As part of our commitment to providing the best service to our clients, we work closely with many partners and sub-contractors who provide a wide range of services and support to those clients in accordance with the requirements of our funders. You will be notified of any subcontractors or partners with whom we may share your personal data when you first engage with any of our services to which this applies.

We carry out robust due diligence to ensure that your data is kept safe and secure and is only processed in accordance with the requirements of the data controller which may be Adviza or another organisation such as: the Education and Skills Funding Agency, the Department for Work and Pensions or a Local Authority.

All subcontractors and partners with whom we share personal data process that data in accordance with this Privacy Notice (as Data Processors) or will issue you with their own Privacy Notice when we share your personal data with them.

Smart Survey

From time to time we use SmartSurvey to conduct surveys and gather feedback from clients. They will, therefore, process any personal data provided by us to enable surveys to be sent out or by you in response to a survey. SmartSurvey’s Privacy Notice is available at https://www.smartsurvey.co.uk/articles/gdpr-compliant-with-data-collection and https://www.smartsurvey.co.uk/privacy-policy.

Personal information gathered in this way will generally be retained by us for 2 years after you withdraw your consent but may be retained for longer in accordance with our Document Retention Policy (available on request) where we are required to do so by funders’ requirements or the law.

Appendix B: Marketing

What information do we collect?

We may collect, store and use the following kinds of personal information:

  • information about your computer and about your visits to and use of our online services (including your IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and online services navigation);
  • information that you provide to us for the purpose of registering with us (including your name, email address and telephone number);
  • information that you provide to us for the purpose of contacting us, e.g. through a contact form (including your name, email address and telephone number); and
  • information that you provide to us for the purpose of subscribing to our information services and/or newsletters (including your email address).

What is the legal basis for processing your personal data?

We provide people with information about special features of our website, our services and any other information we think may be of interest to them. We process personal data for these purposes only with your explicit, specific, informed and freely given consent (or for clients aged under 13 with the consent of a parent/guardian).

If you agree to us providing you with marketing information, you can always withdraw your consent at any time by clicking the unsubscribe link in the footer of any email you receive from us or by contacting us at [email protected].

We will not use your personal information for marketing purposes if you have indicated that you do not wish to be contacted by us for such purposes. However, we will retain your details on a suppression list to help ensure that we do not continue to contact you.

Use of data processors

Campaign Monitor

We use a third-party provider, Campaign Monitor, to deliver some of our newsletters and marketing communications. We gather statistics around email opening and clicks using industry standard technologies including clear gifs to help us monitor and improve our e-newsletter. For more information, please see Campaign Monitor’s policies at https://www.campaignmonitor.com/policies/

Personal information used for marketing purposes will generally be retained by us for 2 years after you withdraw your consent but may be retained for longer in accordance with our Document Retention Policy (available on request) where we are required to do so by funders’ requirements or the law.

People who contact us via social media

We use a third-party provider, Hootsuite, to manage our social media interactions via our Facebook, Twitter and LinkedIn channels.

If you send us a private or direct message via social media the message will be stored on Hootsuite and the social media channel used for 12 months. It will not be shared with any other organisations.

People who call us

When you call Adviza we collect Calling Line Identification (CLI) information.

People who email us

We can encrypt and protect email traffic. If not encrypted you should be aware that any emails we send or receive may not be protected in transit.

We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.

People who use our Webchat service

We use a third-party provider, LivePerson, to supply and support our Webchat services, which we use to handle customer enquiries in real time.

If you use Webchat we will collect your name, email address (optional) and the contents of your Webchat session. This information will generally be retained for 2 years but may be retained for longer in accordance with our Document Retention Policy (available on request) where we are required to do so by funders’ requirements or the law. It will not be shared with any other organisations other than as specified in this Privacy Notice.

You can request a transcript of your Webchat session if you provide your email address at the start of your session or when prompted at the end.

Smart Survey

From time to time we use SmartSurvey to conduct surveys and gather feedback from clients. They will, therefore, process any personal data provided by us to enable surveys to be sent out or by you in response to a survey. SmartSurvey’s Privacy Notice is available at https://www.smartsurvey.co.uk/articles/gdpr-compliant-with-data-collection and https://www.smartsurvey.co.uk/privacy-policy.

Personal information gathered in this way will generally be retained by us for 2 years after you withdraw your consent but may be retained for longer in accordance with our Document Retention Policy (available on request) where we are required to do so by funders’ requirements or the law.


Appendix C: People who make a complaint or enquiry to us

What information do we collect?

When we receive a complaint from a person we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.

We will only use the personal information we collect to process the complaint and to check on the level of service we provide. We do compile statistics showing information like the number of complaints we receive, but not in a form which identifies anyone.

We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute. If a complainant does not want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.

We will keep personal information contained in complaint files in line with our retention policy. This means that information relating to a complaint will be retained for 7 years from closure. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.

Similarly, where enquiries are submitted to us we will only use the information supplied to us to deal with the enquiry and any subsequent issues and to check on the level of service we provide.

What is the legal basis for processing your personal data?

We process personal data when dealing with complaints and enquiries to meet our and your legitimate interest in our being able to comply with your request and meet our obligations to you.



Appendix D: Job applicants, current and former Adviza employees

Adviza is the data controller for the information you provide during the process unless otherwise stated. If you have any queries about the process or how we handle your information please contact us at [email protected].

What will we do with the information you provide to us?

All of the information you provide during the process will only be used for the purpose of progressing your application, or to fulfil legal or regulatory requirements if necessary.

We will not share any of the information you provide during the recruitment process with any third parties for marketing purposes or store any of your information outside of the European Economic Area. The information you provide will be held securely by us and/or our data processors whether the information is in electronic or physical format.

We will use the contact details you provide to us to contact you to progress your application. We will use the other information you provide to assess your suitability for the role you have applied for.

What information do we ask for, and why?

We do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary.

The information we ask for is used to assess your suitability for employment. You do not have to provide what we ask for but it might affect your application if you don’t.

Application stage

We will ask you for your personal details including name and contact details. We will also ask you about your previous experience, education, referees and for answers to questions relevant to the role you have applied for. Our recruitment team will have access to all of this information.

You will also be asked to provide equal opportunities information. This is not mandatory information – if you do not provide it, it will not affect your application. This information will not be made available to any staff outside of our recruitment team, including hiring managers, in a way which can identify you. Any information you provide will be used only to produce and monitor equal opportunities statistics.

Shortlisting

Our hiring managers shortlist applications for interview and contact prospective candidates and are therefore provided with name and contact details. They will not be provided with your equal opportunities information if you have provided it.

Assessments

We might ask you to participate in assessment days; complete tests or occupational personality profile questionnaires; and/or to attend an interview – or a combination of these. Information will be generated by you and by us. For example, you might complete a written test or we might take interview notes. This information is held by Adviza.

If you are unsuccessful following assessment for the position you have applied for, we may ask if you would like your details to be retained in our talent pool for a period of 6 months. If you say yes, we may proactively contact you should any further suitable vacancies arise.

Conditional offer

If we make a conditional offer of employment, we will ask you for information so that we can carry out pre-employment checks. You must successfully complete pre-employment checks to progress to a final offer. We are required to confirm the identity of our staff, their right to work in the United Kingdom and seek assurance as to their trustworthiness, integrity and reliability.

You will therefore be required to provide:

  • Proof of your identity – you will be asked to attend our office with original documents; we will take copies
  • Proof of your qualifications – you will be asked to attend our office with original documents; we will take copies
  • You may be asked to complete a criminal records declaration to declare any unspent convictions. We will provide your name and email address to GBG Disclosures who will contact you to complete an application for an appropriate Criminal Record check via the Disclosure and Barring Service, which will verify your declaration of unspent convictions
  • We will contact your referees, using the details you provide in your application, directly to obtain references
  • We will also ask you to complete a questionnaire about your health. This is to establish your fitness to work. This is done through a data processor (please see below).

If we make a final offer, we will also ask you for the following:

  • Bank details – to process salary payments
  • Emergency contact details – so we know who to contact in case you have an emergency at work
  • Pension information – so we can enrol you in the appropriate pension scheme.

How long is the information retained for?

If you are successful, the information you provide during the application process will be retained by us as part of your employee file for the duration of your employment plus 6 years following the end of your employment. This includes your criminal records declaration, fitness to work, records of any security checks and references.

If you are unsuccessful at any stage of the process, the information you have provided until that point will be retained for 6 months from the closure of the campaign.

Information generated throughout the assessment process, for example interview notes, is retained by us for 6 months following the closure of the campaign.

Equal opportunities information is retained for 6 months following the closure of the campaign whether you are successful or not.

How do we make decisions about recruitment?

Final recruitment decisions are made by hiring managers and members of our recruitment team. All of the information gathered during the application process is taken into account.

Online testing is marked and a result is generated automatically. However, if you wish to challenge the mark you have received, the result can be checked manually.

You are able to ask about decisions made about your application by speaking to your contact within our recruitment team or by emailing [email protected].

Secondments

We also offer opportunities for people to come and work with us on a secondment basis. We accept applications from individuals or from organisations who think they could benefit from their staff working with us.

Applications are sent directly to the ICO. Once we have considered your application, if we are interested in speaking to you further, we will contact you using the details you provided.

We might ask you to provide more information about your skills and experience or invite you to an interview.

If we do not have any suitable work at the time, we will let you know but we might ask you if you would like us to retain your application so that we can proactively contact you about possible opportunities in the future. If you say yes, we will keep your application for 6 months.

What is the legal basis for processing your personal data?

We process personal data (including Special Category data) for this category of data subject for the purposes of:

  • carrying out obligations under employment, health and safety, social security or social protection law, or a collective agreement. Such protection and justification for processing also applies to personal data relating to our volunteers;
  • fulfilling our contractual obligations to the data subject as employer/volunteer manager; and
  • fulfilling our legal obligations.

Use of data processors/data sharing

The main data processors engaged in processing personal data on our behalf and third parties with whom we share data for this category of data subject are:

Cascade and Proactis

If you accept a final job offer from us, some of your personnel records will be held on our Cascade and Proactis databases which are external HR and finance records systems. Here are links to their Privacy Notices: Cascade: https://www.cascadehr.co.uk/privacy-policy/ and Proactis: http://www.proactis.com/Footer-Links/Privacy

RSM Payroll Services and pension administrators

If you are employed by Adviza, relevant details about you will be provided to RSM Payroll Services who provide payroll services to Adviza. This will include your name, bank details, address, date of birth, National Insurance number and salary.

Likewise, your details will be provided to the administrators of the pension scheme into which you will be enrolled. You will be auto-enrolled into the pension scheme and details provided to the relevant administrators will include your name, date of birth, National Insurance number and salary. Here is their privacy statement: https://www.rsmuk.com/privacy-and-cookies

GBG Disclosures

If you are required to have a Disclosure and Barring Service check (DBS) for your role with Adviza, your name and email address will be passed to GBG Disclosures, an umbrella body for the Disclosure and Barring Service. Here is a link to their privacy statement: https://www.onlinedisclosures.co.uk/legal/privacy-policy/

Sodexo

We use Sodexo to provide childcare vouchers for qualifying staff. Here is a link to their privacy statement: https://uk.sodexo.com/home/legal-privacy.html 

Occupational Health

Occupational health assessments for current employees are carried out by Staywell Occupational Health. Here is a link to their privacy statement: https://www.staywelloh.co.uk/privacy-policy 

Public authorities

We provide data to Her Majesty’s Revenue and Customs and other public authorities as required by law.

Appendix E: Visitors to our websites and users of online services

Please see our privacy policy which covers the following websites:
https://www.adviza.org.uk, www.eclips-online.co.uk,