Applicant Privacy Notice

Processing your personal data

What categories of personal data does the British Red Cross Society ("British Red Cross") collect about me and why?

"Personal data" means any information relating to you.  During the application process, the British Red Cross will collect, process and use your personal data, for a range of different purposes. For example:

What personal data?


  • Identification - your name, nationality, national insurance number, bank details
  • Contact details
  • Education and work experience
  • Organisational data
  • Information collected as part of your interview process
  • Background check information
  • Other application data (e.g. information contained in your CV and obtained from recruiters
  • CCTV images.

Why?

  • To process your application
  • To determine your eligibility for the role you have applied for
  • To conduct background checks as part of your application
  • To communicate with you about future job opportunities
  • To comply with the law and our obligations
  • To communicate with you and with the British Red Cross employees and third parties
  • To comply with our financial and regulatory obligations.

It's important to know that the British Red Cross may also need to process sensitive personal data about you such as health and medical data, criminal records data, and race or ethnicity data.

Arrow icon Read the detailed Applicant Privacy Notice


Who might the British Red Cross share my personal data with, and what happens if they are transferred out of the UK?

We might also need to transfer your data to other third parties - e.g. potential business partners, acquiring entities, suppliers, customers, or government bodies. Our policy is to limit who has access to that data as much as we can. If we need to transfer data out of your jurisdiction, the British Red Cross will take all necessary measures to ensure your data is adequately protected.

Arrow icon Find out who your data is shared with

How long will the British Red Cross keep my personal data for?

We won't keep it for any longer than we need to. We will keep your data to either comply with the law or to ensure that we are complying with our obligations to you and other third parties. 

Arrow icon How long will the British Red Cross keep my data for?


What rights do I have in respect of my personal data?

You have a number of rights in relation to your data. These include a right to access, correct and erase your data as well as more technical rights to restrict the way we process it, and to transfer your data.

Arrow icon Read about your rights in more detail

 

Who can I contact if I have questions?

If you have concerns or questions regarding your personal data, please contact the Information Governance Team:

Emaildataprotection@redcross.org.uk

Phone0344 871 1111

Post: British Red Cross, 44 Moorfields, London, EC2Y 9AL

The British Red Cross Society Applicant Privacy Notice

British Red Cross Society, of 44 Moorfields, London, EC2Y 9AL ("British Red Cross") has prepared this Applicant Privacy Notice ("Notice") for applicants to roles with the British Red Cross. In connection with your application we have to process your personal data. We think that it is very important that you understand how we use your personal data, and we take our obligations in this regard very seriously.

The purpose of this Notice is therefore to give you information about how the British Red Cross collects, processes, stores and otherwise uses information about you, and your rights in relation to that information.

The British Red Cross needs to process your personal data in order to process your application for employment. There are also statutory requirements we have to comply with in relation to your application.
If we are not able to carry out the processing activities we describe in this Notice we may not be able to continue with your application. Of course, we hope it would never come to that, and this is simply information we are obliged to provide to you as part of this Notice.

We need to ask for your specific consent to process your personal data in a particular way in certain circumstances, such as for the purpose of conducting background checks prior to you commencing employment with us, to enable relevant third parties to release information about you as part of those checks. Please sign and complete the consent form at the end of this Notice to confirm you consent to us processing your data for the purposes of carrying out the relevant background checks listed. Note that consent is not required for checks under the Misconduct Disclosure Scheme – see below.

Although we are seeking your consent in relation to certain background checks, we will have a legitimate or contractual reason for further processing of your personal data.

When we say "the British Red Cross", "we" or "us" in this document, we mean the the British Red Cross entity that you're applying to work for. We may update this document from time to time, for example if we implement new systems or processes that involve the new use of personal information.

In this Notice you will see reference to "GDPR" - that refers to the European Union General Data Protection Regulation which is a European law governing your rights in relation to your personal data, and how organisations should protect it. This law has been enacted in the UK by the Data Protection Act 2018.


Index

To help you find information quickly on any particular question you might have, we have set out an index.


Arrow icon What categories of personal data does the British Red Cross collect about me?

Arrow icon Who might the British Red Cross share my personal data with?

Arrow icon How long will the British Red Cross keep my data for?

Arrow icon What rights do I have in respect of my personal information?

Arrow icon Who can I contact about this stuff?


What categories of data does the British Red Cross collect about me?

"Personal data" means any information relating to you. the British Red Cross will collect, process and use the following categories and types of personal data about you:

  • Identification data, such as your name, citizenship, nationality, passport/ID data, photo (if voluntarily provided by you), drivers' licence information, national insurance number
  • Personal information, such as your date and place of birth, emergency contact details, and gender
  • Contact details, such as your home address, telephone number and email address
  • Education and work experience, such as contact details for your current/former employer, information about your educational background, your work experience and other experience
  • Other application data, such as the information included in your application form/CV
  • Information collected as part of the interview process, such as notes taken from your interview or information provided from recruitment agencies
  • Background check information, such as information obtained through reference checks and confirmation about your work/educational background.

together "Applicant Data".

In addition to the collection, processing and use of the Applicant Data, the British Red Cross collects, processes and uses the following special categories of personal information about you which we describe as "Sensitive Applicant Data":

  • Health and medical data, such as information on disability
  • Criminal records data, in the event that the British Red Cross has conducted or received the results of criminal records background checks in relation to you, where relevant and appropriate to your role
  • Race or ethnicity data such as information contained in your passport or other citizenship and right to work documentation and information which you have voluntarily provided to the the British Red Cross for the purposes of our equal opportunities and diversity monitoring and initiatives
  • Sexual life data where this has been provided voluntarily to the British Red Cross for the purposes of our equal opportunities and diversity monitoring and initiatives.

Sensitive Applicant Data (in particular criminal records data and sexual life data) may also be processed as part of the British Red Cross' participation in the Inter-Agency Scheme for the Disclosure of Safeguarding-related Misconduct in Recruitment Process within the Humanitarian and Development Sector (the “Misconduct Disclosure Scheme”). The purpose of the Misconduct.

Disclosure Scheme is to enable participating humanitarian, development and other civil society organisations to share upon request relevant information about people who have found to have been involved in or committed sexual exploitation, sexual abuse or sexual harassment during employment or in a governing role, for the purpose of making informed recruitment/appointment decisions. More details about the Misconduct Disclosure Scheme are available on the Steering Committee for Humanitarian Response website.

If you apply for employment with the British Red Cross, we may need to request references under the Misconduct Disclosure Scheme from organisations you have previously worked for. This would involve us processing your personal data, and potentially also Sensitive Applicant Data, as outlined above.

For the avoidance of doubt, the British Red Cross does not deem it appropriate or necessary to ask for/obtain your consent to running background checks under the Misconduct Disclosure Scheme.

Read about the British Red Cross's assessment of the privacy impacts of the Misconduct Disclosure Scheme, including the lawful basis for processing relied upon.

 

Why does the British Red Cross need to collect, process and use my Applicant Data and Sensitive Applicant Data and what is the legal basis for doing so?

We collect and use Applicant Data and Sensitive Applicant Data for a variety of reasons linked to processing your application for a role with us (the "Processing Purposes"). However, we can only collect and use this data if we have a valid legal basis for doing so, and we are required to explain the various legal bases that we rely on to you.

To give you the full picture, we have set out each of the reasons why we collect and use Applicant Data, i.e. the Processing Purposes, and mapped these against the different legal bases that allow us to do so. We appreciate that this is quite a lot of information to take in, so please bear with us.

Processing purposes

1. Administering and processing your application (including processing a job offer should you be successful)  including identification data, contact details, information about your qualifications and employment history, and information obtained during your interview and information contained in your CV.

Legal Bases

Processing Purposes 1 to 3:

  • Necessary for performing a contract with you as the data subject
  • Compliance with legal obligations which the British Red Cross is subject to in relation to employment law
  • Legitimate interests of the British Red Cross
  • Your consent as data subject.

2. To determine your eligibility for the role you applied for, including identification data, contact details, information about your work and education experience, information obtained during your interview and information contained in your CV.

3. Conducting background checks as part of your application, including identification data, contact details, information about your qualification and employment history.

4. Complying with applicable laws and employment-related requirements along with the administration of those requirements, such as income tax, national insurance deductions, and employment and immigration laws which involves the processing of identification data and contact details.

Processing Purposes 4 to 5:

  • Compliance with legal obligations which the British Red Cross is subject to, particularly in relation to tax law, employment law, social security law and immigration law
  • Legitimate interests of the British Red Cross.

5. Monitoring and ensuring compliance with applicable policies and procedures and laws, which involves the processing of your identification data and contact details, including the operation of a whistleblowing hotline.

 

6. Communicating with you, the British Red Cross employees and third parties, including informing you of future opportunities with the British Red Cross (such as existing or potential business partners, suppliers, customers, supporters, volunteers, service users or government officials), including communicating future employment opportunities,  which involves the processing of identification data and your contact details.

 
  • Necessary for performing a contract with you as the data subject - we need to be able to communicate with you so that we needed to enter into a contract with you
  • Compliance with legal obligation to which data controller is subject; and · Legitimate interests of the British Red Cross
  • Legitimate interests of the British Red Cross.

7. Responding to and complying with requests and legal demands from regulators or other authorities in or outside of your home country which involves the processing of identification data and contact details.

Processing Purpose 7:

  • Compliance with legal obligations which the British Red Cross is subject to.

8. Complying with corporate financial responsibilities, including audit requirements (both internal and external) and cost/budgeting analysis and control which involves the processing of identification data, contact details, information about the role you have applied for, including the role's salary and benefits.

 

Below are the Processing Purposes and corresponding Legal Bases for Sensitive Applicant Data:

Processing Purpose 8:

  • Legitimate interests of the British Red Cross,  i.e. we need to ensure that we manage our business effectively
  • Compliance with legal obligations which the British Red Cross is subject to.

Processing Purpose

1. To accommodate your application and interview and for compliance with legal obligations, we may use health and medical data.

Legal Bases

  • Your explicit consent as required by data protection law
  • Necessary to carry out the obligations and to exercise specific rights of the British Red Cross or you in the field of employment and social security and social protection law as permitted by data protection law.

 

2. Criminal records and other background checks (including under the Misconduct Disclosure Scheme) in relation to you in the process of your application, where relevant and appropriate to the role you are applying for.

  • Your explicit consent as allowed by data protection law
  • Necessary to carry out the obligations and to exercise specific rights of the British Red Cross (or you) in the field of employment and social security and social protection law as permitted by data protection law
  • Necessary for reasons of substantial public interest as permitted by data protection law.

3. Conducting background checks as part of your application, including identification data, contact details, information about your qualification and employment history.

  • Necessary for reasons of substantial public interest as permitted by data protection law.

We appreciate that there is a lot of information to take in, and we want to be as clear with you as possible over what this means. Where we talk about "legitimate interests" of the British Red Cross or third parties, this can include:

  • Assessing your suitability for employment/engagement with the British Red Cross
  • Implementation and operation of an organisational structure and information sharing
  • Right to freedom of expression or information, including in the media and the arts
  • Prevention of fraud, misuse of company IT systems, or money laundering
  • Operation of a whistleblowing scheme
  • Physical security, IT and network security
  • Internal Investigations
  • Compliance with our legal obligations.

When relying on the legitimate interests basis for processing your personal data, we will balance the legitimate interest pursued by us and any relevant third party with your interest and fundamental rights and freedoms in relation to the protection of your personal data to ensure it is appropriate for us to rely on legitimate interests and to identify any additional steps we need to take to achieve the right balance.

Who might the British Red Cross share my personal data with?

The British Red Cross may transfer personal data to third parties, including to entities within and outside the British Red Cross for the Processing Purposes as follows:

  • Regulators, authorities, and other third parties. As necessary for the Processing Purposes described above, personal information may be transferred to regulators, courts, and other authorities (e.g., tax and law enforcement authorities), independent external advisors (e.g., auditors), insurance providers, pensions and benefits providers, internal compliance and investigation teams (including external advisers appointed to conduct internal investigations)
  • Data processors. As necessary for the Processing Purposes described above, personal data may be shared with one or more third parties, whether affiliated or unaffiliated, to process personal information under appropriate instructions ("Data Processors"). The Data Processors may carry out instructions related to recruitment, workforce administration, IT system support and maintenance, payroll and compensation, training, compliance, and other activities, and will be subject to contractual obligations to implement appropriate technical and organisational security measures to safeguard the personal information, and to process the personal information only as instructed.

For a full list of the third parties that we may share your data with, please contact us as set out below.

As you may expect, some of the recipients we may share Applicant Data and Sensitive Applicant Data with may be located in countries outside of Europe. In some cases, this may include countries located outside the European Union and/or European Economic Area ("EAA").

Some countries where recipients may be located already provide an adequate level of protection for this data (e.g. those within the EEA). Nonetheless, for transfers to entities outside of the EEA, the British Red Cross will be bound by the EU Standard Contractual Clauses pursuant to Article 46(2)(c) GDPR, which the European Commission has assessed as providing an adequate level of protection for personal data, to ensure that your data is protected adequately.

If recipients are located in other countries without adequate protections for personal data, the British Red Cross will take all necessary measures to ensure that transfers out of the EEA are adequately protected as required by applicable data protection law. This will include using appropriate safeguards such as the EU Standard Data Protection Clauses. You can ask for a copy of such appropriate safeguards by contacting us as set out below ("Who can I contact about this stuff?").

How long will the British Red Cross keep my personal information for?

It is our policy not to keep personal information for longer than is necessary. We may, for example, keep your personal information for a reasonable time after your application process is completed, in case we have future job opportunities that we consider you are suitable for. Where personal information is kept, that period will be determined based on the applicable law. For further information, please refer to the British Red Cross Records Management Policy or the Records Retention Schedule or contact us as set out below to request further details on how long the British Red Cross will retain different categories of personal information.

What rights do I have in respect of my personal information?

You have a number of rights in relation to your Applicant Data and Sensitive Applicant Data. These can differ by country, but can be summarised in broad terms as follows:

(i) Right of access

You have the right to confirm with us whether your personal data is processed, and if it is, to request access to that personal data including the categories of personal data processed, the purpose of the processing and the recipients or categories of recipients. We do have to take into account the interests of others though, so this is not an absolute right, and if you want to request more than one copy we may charge a fee.

(ii) Right to rectification

You may have the right to rectify inaccurate or incomplete personal data concerning you. We encourage you to review this information regularly to ensure that it is accurate and up to date.

(iii) Right to erasure (right to be forgotten)

You may have the right to ask us to erase personal data concerning you.

(iv) Right to restriction of processing

In limited circumstances, you may have the right to request that we restrict processing of your personal data, however where we process Applicant Data and Sensitive Applicant Data for the Processing Purposes we think we have a legitimate interest in processing which may override a request that you make.

(v) Right to data portability

You may have the right to receive personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and you may have the right to transmit that data to another entity.

(vi) Right to object and rights relating to automated decision-making

Under certain circumstances you may have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data, including profiling, by us and we can be required to no longer process your personal data. This may include requesting human intervention in relation to an automated decision so that you can express your view and to contest the decision.

To exercise any of these rights, please contact us as stated below 

You also have the right to lodge a complaint with the competent data protection supervisory authority, which in the UK is the Information Commissioner's Office (the 'ICO'). If you would like to make a complaint in relation to how we have handled your personal information, please follow our complaints procedure. If you are not happy with the response you receive, then you can raise your concern with the ICO:

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Alternatively you can visit their website.

We are registered with the Information Commissioner’s Office as a Data Controller under number Z5379882.

 

Who can I contact about this stuff?

If you have concerns or questions regarding this Notice or if you would like to exercise your rights as a data subject, you can get hold of the right person here:

Emaildataprotection@redcross.org.uk

Phone0344 871 1111

Post: British Red Cross, 44 Moorfields, London, EC2Y 9AL