This privacy notice describes how the Behavioural Insights Group (“BIT”) collects and uses personal data about you in the context of an application to work for BIT in any capacity, including as an employee, worker, consultant, contractor, intern or for any form of placement or work experience. We encourage you to read this notice carefully, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal data about you, so that you are aware of how and why we are using such information. If you provide us with personal data of a family member or other third party in connection with your recruitment application then this notice also covers the use of their information, and you should make this notice available to them.
This notice does not constitute an offer of employment, does not form part of any contract (including any contract of employment) and does not confer any contractual right on you, or place any contractual obligation on us. We may update this notice from time to time, and will let you know when we do so.
For the majority of its recruitment BIT uses the recruitment platform, Be Applied Ltd (“Applied”). Applied is therefore a data processor for BIT. See here for Applied’s privacy notice.
1. What information do we hold about you?
The sort of information we hold on you will vary depending on the role applied for, your location and the conditions attached to the role (if any). However, typically it will include the following:
- Your personal details – for example your name, date of birth, gender, nationality, second nationality, personal contact details (e.g. home address, telephone number, e-mail), current role and salary, other data included on a CV / résumé;
- Qualifications – qualifications, professional memberships or charterships, languages spoken, competencies and skills (ability to drive, first aid etc.);
- Immigration and right to work data – including national ID number, social security or national insurance number, visa or work permit;
- Equality and diversity data – where permitted under local law, data regarding race, ethnic origin and sexuality (stored anonymously for equal opportunities monitoring and reporting purposes except where required to establish, exercise or defend legal rights). This data will not used by BIT to assess applicants or determine hiring decisions;
- Data created during the assessment process – for example interview notes, assessment results and Be Applied Ltd responses; and
- Vetting and verification information – including references, birth certificate, drivers licence, background checks (including of publicly available information and public social media profiles) and criminal record disclosure (see below).
Criminal Record Declarations and DBS checks
As part of your recruitment application, depending on your role and location, you may be asked to complete a Criminal Record Declaration as part of the Government Baseline Personnel Security Standard (“BPSS”) which is required for many of our business contracts with the UK Public Sector. In addition, we may also need to check your criminal record through the Disclosure and Barring Service (a “DBS check”) where this is permitted by law (see section 3). If you are based outside of the UK, we may carry out other criminal record checks, consistent with local law.
Someone else’s personal details
Sometimes, you might provide us with another person’s personal data – e.g. details of a referee or of a family member or friend to contact in the event of an emergency situation.
In such cases, we require you to inform the individual what personal data you are giving to us. You must also give them our contact details and let them know that they should contact us if they have any queries about how we will use their personal data.
2. How is your information collected?
Some of the information we hold will have been provided directly by you, but some may come from other sources, such as referees, recruitment agencies or Be Applied Ltd.
3. Why do we hold your personal data and on what legal grounds?
We hold and use your personal data for a number of purposes connected with the recruitment process, as detailed in the table below.
In certain countries, including the UK, data protection law specifies a number of legal grounds on which we can hold and use personal data. In addition, processing of “special categories of personal data” (including data relating to health, sexual life, racial or ethnic origin or religious beliefs) is always justified on the basis of a specific further ground. For each use of personal data, we have set out the corresponding legal ground(s). Grounds which are specific to special category data or criminal record data are marked with an (*).
Relevant legal ground(s) on which we process the information
|To review eligibility to work (including conducting right to work checks)||· It is necessary for us to comply with a legal obligation
· It is necessary for us to comply with an obligation in the field of employment law (*)
|To assess your application (including by carrying out interviews and assessments)||· It is in our legitimate interest as a business in order to gauge your competence for the role and your compatibility with the culture and values of BIT|
|To carry out background and educational checks (including by communicating with referees)||· It is in our legitimate interest as a business in order to verify the information provided as part of your application and to protect BIT and its staff from deception and fraud|
|To seek criminal record disclosure (via BPSS or DBS checks) where required for your role or client contract and authorised by law||· It is necessary for our obligations as an employer, and or to prevent unlawful acts, including fraud (*)|
|To conduct an equal opportunities monitoring programme||· It is necessary for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between employees|
|To maintain emergency contact details||· It is in our legitimate interest as a business and as your employer, and our interests are not overridden by your interests, fundamental rights or freedoms|
|To exercise our rights to defend, respond to or conduct prospective or actual legal claims or proceedings||· It is necessary for the establishment, exercise or defence of legal claims (*)
· It is in our legitimate interests as a business and as your employer, and our interests are not overridden by your interests, fundamental rights or freedoms
If you do not provide personal data then, depending on the purpose for which the data is required, we may be unable to comply with our legal obligations, as indicated in the above table. This may mean we are unable to process your application any further. If you are uncertain, we can tell you more about the specific implications a decision to withhold personal data.
If in the future we intend to process your personal data for a purpose other than that which it was originally collected we will provide you with information on that purpose and any other relevant information.
4. Who do we disclose personal data to?
We may transfer information about you to other group companies for purposes connected with your recruitment. For example, if you apply for a job with a particular BIT company, but one of the hiring managers responsible for assessing your application works for another BIT company. Information will only be shared within the group on a need-to-know basis. As of the date of last review of this notice, the group of companies comprise:
- Behavioural Insights Ltd
- Behavioural Insights Ventures Ltd
- Behavioural Insights (US) (Inc)
- Behavioural Insights (Australia) Ltd
- Behavioural Insights (New Zealand) Ltd
- Behavioural Insights (Singapore) Pte Ltd
- Behavioural Insights (Canada) Ltd
- Behavioural Insights Trustee Company Ltd
We will disclose information about you to third party service providers who assist us with the purposes described in section 3.
Where BIT engages third parties to process personal data on its behalf, those third parties do so on the basis of BIT’s written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data. These third parties may have routine access to your personal data to perform certain functions, or may merely host your personal data as part of a “cloud based” solution (such as G-Suite by Google).
We may also need to share your information with government bodies such as the Home Office or HMRC to comply with legal obligations, for example in relation to matters such as immigration, or in response to court orders or requests from law enforcement.
Your personal data may also be disclosed to advisors, potential transaction partners or interested third parties in connection with the consideration, negotiation or completion of a corporate transaction or restructuring of the business or assets of any part of BIT.
We may transfer information about you to Behavioural Insights Ltd’s shareholders as part of our regular reporting activities on company performance and for purposes connected with your employment or the management of the company’s business.
If your application is successful, personal data collected during the recruitment process will be shared with certain interconnecting systems (such as HR information, payroll and benefits systems) in order to onboard you and create personnel records.
You can ask to review a copy of the HR Information Asset Register for more details.
5. International transfers
Due to the global nature of BIT and its work, your personal data may be shared with BIT entities (listed in section 4) which are based in each of the countries in which BIT operates. These countries may not have data protection laws which are comparable with the country of your residence. However, in all cases where we permit international transfers of your personal data, we will ensure appropriate safeguards are implemented, or the transfer is otherwise lawful under data protection law (for example, because a specific derogation applies).
There are adequacy decisions from the European Commission in respect of transfers of personal data from the EU (including the UK) to New Zealand and Canada. This means that New Zealand and Canada are deemed to provide an adequate level of protection for your personal data if we transfer personal data to Behavioural Insights (New Zealand) Ltd and Behavioural Insights (Canada) Ltd. For a full list of adequacy decisions, please check the European Commission’s website.
In relation to other international transfers of personal data within the BIT group, we have put in place standard contractual clauses to ensure an adequate level of protection for your personal data if we transfer personal data to any of those entities.
In certain other limited and necessary circumstances, your information may be transferred internationally (including outside of the EU), for example to service providers, or to international organisations who make valid legal requests for your information.
If you need more information about any international transfer of your personal data, you can contact the Data Protection Officer. You have a right to request a copy of any data transfer agreement under which your personal data is transferred, or to otherwise have access to the safeguards which we use. Any data transfer agreement made available to you may be redacted for reasons of commercial sensitivity.
6. How long do we store personal data for?
Our general principle is that we will only store personal data for as long as it is necessary to satisfy the purpose for which it was collected by us or provided by you.
If your recruitment application is successful, we will retain a copy of your application (including your CV / résumé) for the duration of your employment. If your application is unsuccessful, we will retain your application for no more than one year in order to keep you in mind for similar vacancies which may arise in that time. Please let us know if you do not want us to do this and we will delete your application and any associated documentation about you as soon as possible.
Please note that, in certain cases, legal or regulatory obligations may require us to retain specific records from your application for longer periods of time (for example, right to work checks for successful applicants). For more details, please contact the Data Protection Officer by writing to firstname.lastname@example.org.
In other cases, we may deliberately retain records in order to resolve queries or disputes which we think may arise from time to time.
7. Security of your personal data
We implement reasonable physical, technical and administrative security measures designed to protect your personal data from loss, misuse, alteration, destruction or damage.
We take steps to limit access to your personal data to BIT personnel who need to have access to it for one of the purposes listed in section 3.
You also have an important role to play in protecting the security of your personal data, and you should take care about whom you share personal data connected with your recruitment application with.
8. Your rights
Depending on data protection laws which are applicable to the BIT entity processing your personal data, you have certain rights with regard to your personal data. These may include the right to:
- request access to your personal data (commonly known as a “data subject access request”);
- request correction or rectification of the personal data we hold about you;
- request erasure of your personal data where there is no good reason for us to continue to process it;
- object to processing of your personal data where BIT is relying on a legitimate interest (see section 3) and there us something about your particular situation which makes you want to object to processing on this ground;
- request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data if, for example, you want BIT to establish its accuracy or the reason for processing it;
- to obtain a portable copy of your personal data, or to have a copy transferred to a third party controller, where our legal ground for processing the data is based on a contract or consent (see section 3).
These rights are not absolute and relevant exemptions or restrictions may apply, but if you want to exercise any of the above rights, please contact the Data Protection Officer by writing to email@example.com.
Ordinarily, you will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
Please note that if (in the very limited circumstances where we may ask for your consent) you have provided consent for the processing of your data you have the right (in certain circumstances) to withdraw that consent at any time which will not affect the lawfulness of the processing before your consent was withdrawn.
If you are based in the UK, you have the right to lodge a complaint to the Information Commissioner’s Office if you believe that we have not complied with the requirements of applicable data protection laws with regard to your personal data but we would be grateful for the opportunity to discuss and handle your complaint first.
Identity and contact details of controller and DPO
The Behavioural Insights entity with primary responsibility for your personal data (and the responsible “data controller” under applicable data protection laws) will be the entity which has advertised the vacancy you have applied for. However, from time to time other Behavioural Insights entities may also need to process your personal data, consistent with the purposes stated in this notice.
In the UK the “data controller” is Behavioural Insights Ltd, and in other countries it is as follows:
- US: Behavioural Insights (US) (Inc)
- Australia: Behavioural Insights (Australia) Ltd
- New Zealand: Behavioural Insights (New Zealand) Ltd
- Singapore: Behavioural Insights (Singapore) Pte Ltd
- Canada: Behavioural Insights (Canada) Ltd
We use the term data controller to designate the entity which is responsible for deciding how we hold and use personal data about you. Not all entities listed above are subject to data protection laws which have the concept of a “data controller”.
If you have any concerns as to how your data is processed you can contact: Data Protection Officer at firstname.lastname@example.org. or you can write to Data Protection Officer, 2nd Floor, 4 Matthew Parker Street, LONDON SW1H 9NP.
For further information about data protection law and your rights, you may find it helpful to refer to the website of the Information Commissioner’s Office.
Date of last review: 17 January 2020