Privacy Notice
This Privacy Notice describes how we comply with the UK General Data
Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).
This privacy notice will help you understand how we collect, use and protect your personal information. If you have any queries about this privacy notice or how we process or protect your personal information, please contact the Data Protection Officer at dpo@athona.com
‘The Company’ refers to Athona Ltd, Athona Education Ltd and Athona Clinical Services Ltd.
Who we are
The Company is a recruitment business specialising in the medical, nursing, health and education sectors. We provide work-finding services to our clients and work-seekers. The Company must process personal data (including sensitive personal data) so that it can provide these services – in doing so, the Company acts as a ‘data controller’ his means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice in accordance with data protection law.
It is important that you read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information.
We will comply with data protection law. This says that the personal information we hold about you must be:
- Personal data must be processed lawfully, fairly and transparently.
- Personal data can only be collected for a specified purpose.
- Personal data must be adequate, relevant and limited to what is necessary for processing. Personal data must be accurate and kept up to date.
- Personal data must be kept in a form such that the data subject can be identified only as long as is necessary for processing.
- Personal data must be processed in a manner that ensures its security.
- The accountability principle requires you to take responsibility for what you do with personal data and how you comply with the other principles
You may give your personal details to the Company directly, such as on an application or registration form, attendance at an event or via our website, or we may collect them from another source such as job boards and social media. The Company must have a legal basis for processing your personal data. For the purposes of providing you with work-finding services and/or information relating to roles relevant to you we will only use your personal data in accordance with the terms of the following statement.
1. How we will use information about you
We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:
- Where we need to perform the contract we have entered into with you.
- Where we need to comply with a legal obligation.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- We may also use your personal information in the following situations, which are likely to be rare:
- Where we need to protect your interests (or someone else’s interests).
- Where it is needed in the public interest (or for official purposes).
2. Collection and use of personal data
a. Purpose of processing and legal basis
The Company will collect your personal data (which may include sensitive personal data if you give this to us) and will process your personal data for the purposes of providing you with work-finding services. This includes for example, contacting you about job opportunities, assessing your suitability for those opportunities, ensuring you are compliant to work in regulated activities, updating our databases, putting you forward for job opportunities, arranging payments to you and developing and managing our services and relationship with you and our clients.
Types of personal data that we have collected or you have provided to us:
- Full name and any previous names
- Address and address history
- Contact details
- Gender
- Date of birth
- Regulatory Body number and status if applicable
- Qualifications
- Training history
- Work history
- Education history
- Recruitment information (information included on your CV or application form including referees)
- Right to work status including nationality
- Bank account details, payroll records and tax status information
- Salary, annual leave, pensions and benefits information
- National Insurance number
- Start date and end dates of employment
- Location of employment or workplace
- Performance information, references, complaints, investigations.
- CCTV Footage and other information obtained by electronic means i.e. swipe cards
- Information about your use of information systems and communication systems
- Where information is relevant to the position you are applying for, we may conduct Online / Social Media Checks as part of our due diligence.
- Photographs
- Types of sensitive personal data that you have provided to us:
- Information about your race or ethnicity, religious beliefs, sexual orientation or political opinions.
- Medical history
- Immunisation history
- Disability
- Criminal convictions
- Regulatory body investigation or sanction history
- Next of Kin and emergency contact information
- Marital status and dependants
- National Insurance number
Most of the personal information we hold about you is that which we have collected directly from you, for example:
- Each time you apply for a role via the Company
- Each time you provide your availability to take up another position with the Company.
- Each time you interact with us over the phone or respond to email, sms or other media communications.
- When you complete your registration as a temporary worker or interested in permanent placements
- When you make enquiries with our payroll team or compliance team.
We collect personal information about you through events you attend, interests you show, application and recruitment process, either directly from candidates or sometimes from an employment agency, background check provider, CV portal or online platform. We may sometimes collect additional information from third parties including former employers, credit reference agencies or other background check agencies i.e. Identity and Right to Work Checks, Disclosure and barring service, PVG, Access NI, Overseas Police Checks, DBS Update Service checks, regulatory body checks and status updates for your profession.
We will collect additional personal information in the course of job-related activities throughout the period of you working for us.
In some cases we may be required to use your data for the purpose of investigating, reporting and detecting crime and also to comply with laws that apply to us. We may also use your information during the course of audits to demonstrate our compliance with certain industry standards or specific contractual terms relating to the supply of temporary workers to regulated activities.
The legal bases we rely upon to offer these services to you are:
- Where we have a legitimate interest
- To comply with a legal obligation that we have
- To fulfil a contractual obligation that we have with you
b. Legitimate interest
This is where the Company has a legitimate reason to process your data provided it is reasonable and does not go against what you would reasonably expect from us. Where the Company has relied on a legitimate interest to process your personal data our legitimate interests is/are as follows:
- Providing work-finding services to you, including sending your information to our clients where you have demonstrated an interest in doing that particular type of work but not expressly consented to us passing on your cv;
- Managing our database and keeping work-seeker records up to date;
- Contacting you to seek your consent where we need it (sensitive data)
- Contacting you with information about similar services that you have used from us recently; and
- Passing work-seeker’s information to regulatory bodies or other government agencies.
c. Recipient/s of data
The Company will process your personal data and/or sensitive personal data with the following recipients:
- Healthcare or education establishments that we introduce or supply work seekers to. Any public information sources and third-party organisations that we use to carry out suitability checks on work-seekers e.g. Companies House, the Disclosure and Barring Service (DBS), regulatory body checks and status updates for your profession.
- this list is not exhaustive.
- Our carefully selected third parties for the purposes of pre-employment screening checks, occupational health screening, and or receiving training to ensure you are compliant with regulatory and contractual requirements.
- Your former or prospective new employers that we must obtain or provide references to
- Your former employers or training providers that we must seek verification of the authenticity of the training and course content
- Umbrella companies that you ask us to pass your information to
- Other recruitment agencies or parties in the supply chain (e.g. master/neutral vendors, second tier suppliers, payroll portals, direct engagement portals or clients which can include uploading your data and sensitive data to their systems for the purposes of work finding services);
- Our insurers
- Our legal advisers
- Social networks
- Our IT and CRM providers
- Government, law enforcement agencies and other regulators e.g the Police, Home Office, HMRC, Trade unions;
- The Recruitment and Employment Confederation (and any other trade body that we are a member of who may have access to our candidates’ data)
- Any other third parties who carry out audits to ensure that we run our business correctly or adhere to the contacts we have provided you work seeking services through.
- Any other organisations that you ask us to share your data with (subject to compliance with the DPA 2018)
d. Statutory/contractual requirement
In order to provide you work seeking services in Regulated Activities your personal data is required by both law and contractual requirements (e.g. our client may require this personal data to undertake their own statutory or regulatory checks (i.e. Identity and Right to Work Checks, DBS Update Service checks, regulatory body checks and status updates for your profession as a requirement which is necessary to enter into a contract with you.
Situations in which we will use your personal information
We need all the categories of information in the lists above (see ‘the kind of information we hold about you’) primarily to allow us to perform our contract with you and to enable us to comply with legal obligations. In some cases we may use your personal information to pursue legitimate interests of our own or those of third parties, provided your interests and fundamental rights do not override those interests. The situations in which we will process your personal information are listed below.
- Making a decision about your recruitment or appointment
- Determining the terms on which you work for us
- Checking you are legally entitled to work in the UK
- Paying you and, if you are an employee, deducting tax and National Insurance contributions and if applicable pension contributions
- Providing any benefits or services to you i.e. training, referral fees, appraisal, confirmation or revalidation services.
- Liaising with your pension provider
- Administering the contract we have entered into with you
- Business management and planning, including accounting and auditing
- Conducting performance reviews, managing performance and determining performance requirements
- Making decisions about salary reviews and compensation
- Assessing qualifications for a particular job or task, including decisions about promotions
- Gathering evidence for possible grievance or disciplinary hearings
- Making decisions about your continued employment or engagement
- Making arrangements for the termination of our working relationship
- Education, training and development requirements
- Dealing with legal disputes involving you, or other employees, workers and contractors, including accidents at work
- Ascertaining your fitness to work
- Managing sickness absence
- Complying with health and safety obligations
- To prevent fraud
- To monitor your use of our information and communication systems to ensure compliance with our IT policies
- To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution
- To conduct data analytics studies to review and better understand employee retention and attrition rates
- Equal opportunities monitoring
Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.
You are obliged to provide the personal data, to notify us of any changes to your personal or professional circumstances, and maintain full compliance of the contractual requirements throughout the duration of your placement or introduction to our clients, and if you do not the consequences of failure to provide the data are:
- Breach of contract with the Company
- Withdrawal of employment or offer of employment
- Non-compliance with statutory and regulatory requirements
- Risk referral to law enforcement agencies, government agencies or other regulators for your profession.
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
3. Overseas Transfers
The Company may transfer only the information you provide to us to countries outside the UK and / or the European Economic Area (‘EEA’) including India for the purposes of providing you with work-finding services including. We will take steps to ensure adequate protections are in place to ensure the security of your information. The EEA comprises the EU member states plus Norway, Iceland and Liechtenstein.
4. Data retention
The Company will retain your personal data only for as long as is necessary for the purpose we collect it. Different laws and contractual obligations may also require us to keep different data for different periods of time, enquiries about specific retention periods should be sent to the dpo@athona.com examples of the core retention periods are listed below:
- The Conduct of Employment Agencies and Employment Businesses Regulations 2003, require us to keep work-seeker records for at least one year from (a) the date of their creation or (b) after the date on which we last provide you with work-finding services.
- We are required to retain workers records in accordance with the National Staffing Frameworks for 2 years post framework, therefore the maximum retention period is 6 years post the end of the agreed framework, and frameworks typically run for 4 years.
- We are required to keep your payroll records, holiday pay, sick pay and pension’s auto-enrolment records for as long as is legally required by HMRC and associated national minimum wage, social security and tax legislation.
- We are required to retain records of all healthcare or education professionals that have worked on behalf of the Company in regulated activities for the purposes of safeguarding enquiries, providing information to regulatory bodies, responding to complaints, investigations, inquests and or legal challenge indefinitely.
5. Your rights
Please be aware that you have the following data protection rights:
- The right to be informed about the personal data the Company processes on you;
- The right of access to the personal data the Company processes on you;
- The right to rectification of your personal data;
- The right to erasure of your personal data in certain circumstances;
- The right to restrict processing of your personal data;
- The right to data portability in certain circumstances;
- The right to object to the processing of your personal data that was based on a public or legitimate interest;
- The right not to be subjected to automated decision making and profiling; and
- The right to withdraw consent at any time.
Where you have consented to the Company processing your personal data and sensitive personal data you have the right to withdraw that consent at any time by contacting the Data Protection Officer at dpo@athona.com or by telephone on 01277 217777
There may be circumstances where the Company will still need to process your data for legitimate contractual or legal purposes. We will inform you if this is the case. Where this is the case, we will restrict the data to only what is necessary for the purpose of meeting those specific reasons.
If you believe that any of your data that the Company processes is incorrect or incomplete, please contact us using the details above and we will take reasonable steps to check its accuracy and correct it where necessary.
You can also contact us using the above details if you want us to restrict the type or amount of data we process for you, access your personal data or exercise any of the other rights listed above.
6. Automated decision-making
The Company use automated profiling to ensure that you are only contacted or only receive information that is relevant to your training, qualifications and skills to match you to suitable opportunities or specific interests. We may also utilise your post code or preferred geographical location when matching against suitable opportunities or specific events that we wish to share with you.
Without this small degree of automated profiling, you could potentially receive information that is irrelevant therefore we deem this as essential process to protect you from receiving irrelevant or unwanted communications.
7. Complaints or queries
If you wish to complain about this privacy notice or any of the procedures set out in it please contact The Data Protection Officer at:
Tel: 01277 217777
Email: dpo@athona.com
Or write to:
The Data Protection Officer
Athona Ltd
2nd Floor Kingsgate House
1 King Edward Road
Brentwood
Essex
CM14 4HG
You also have the right to raise concerns with Information Commissioner’s Office on 0303 123 1113 or at https://ico.org.uk/concerns/, or any other relevant supervisory authority if you believe that your data protection rights have not been adhered to.
This notice does not form part of any contract of employment or other contract to provide services. We may update this notice at any time.