GDPR Privacy Notice
PRIVACY NOTICE - CONSULTANT DATA (INDIVIDUALS)

This privacy notice tells you what to expect in relation to personal information about you which is collected, handled, and processed by St. Vincent’s Health and Public Sector Consulting Limited. We acknowledge and agree that any personal data of yours that we handle will be processed in accordance with all applicable data protection laws in force. Currently, the Data Protection Act 1998 applies. With effect from 25 May 2018, the General Data Protection Regulation (GDPR) will come into force.

Overview

  • We will only collect and process the right amount of your personal data from you for the specific purposes that we need it.
  • We only use your personal data for clearly defined purposes.
  • We have identified the legal basis for the processing of your personal data.
  • The service we provide means we do need to share your personal data with other organisations.
  • We endeavour to keep your personal data safe and secure at all times.
  • We may have to transfer your personal data outside of the UK and EU.
  • We only keep your personal data for a set period of time.
  • You can keep in control of your personal data through the various rights you have.
  • We are happy to speak to you about what we do with your personal data.

Personal data collected

To enable us to provide a tailored service specific to meet your needs and find you the most appropriate job opportunities our clients have to offer we need to collect some or all the following information from you:

Information collected and processed for delivery a service contract is as follows:

  • Your name
  • Your address
  • Your e-mail address
  • Your telephone number
  • CV/work history
  • Job preferences, including role, geographical location, and salary
  • Any other work-related information you provide, for example education or training certificates

Information with respect to individuals that have worked for us previously (e.g. employees, contractors), or may work for us is as follows:

  • Passport
  • Permits and visas (where applicable)
  • Date of birth
  • National insurance number
  • Outcome of criminal record checks and security clearance for certain roles
  • Medical information (where applicable)
  • References
  • Financial information (e.g. payroll details and terms, HMRC data, pension scheme details, statutory payments)

Usually we collect this personal data directly from you, however we do sometimes collect this from other sources.

By using our website and sending any email communications our systems may obtain your IP address.

Collecting personal data directly from you

You may provide your personal data to us via one of the following ways:

  • Emailing your CV direct to one of our employees

Collecting personal data from other sources

We may obtain information about you via one of the following ways:

  • We search professional networking sites, such as LinkedIn, and job boards to establish if there are any potential candidates who would be suitable for a job vacancy we are looking to fill.
  • Referral from an existing candidate – they may share your personal data with us and ask us to contact you as you are interested in new career opportunities.

What we use your personal data for and the legal basis we rely on

We collect and use your personal data for the following purposes:

  • For contract purposes, primarily to deliver a service agreement for one of our clients.
  • For marketing purposes, for example to re-contact you in the future to inform you of new opportunities.

Contract purposes

We need to know certain information about you to enable us to fulfill our services contracts with our clients. We will gather this information from you or collect from other sources such as LinkedIn and company websites.


If you have submitted your CV directly to us, we will read and assess this to identify if your career history, skills and experience are a suitable match for our client’s needs.  We may not have any suitable clients for you.  If you are not contacted within 6 months of sending your CV to us, please accept this as your CV has not been suitable and it will have been removed from our database.

Legal Basis - Consent

When you have made the initial contact with us, for example by sending your details to one of our consultants you will have consented to us processing your personal data for the purpose of delivering a service agreement for one of our clients.

We will always obtain your consent to submit your personal data to any of our clients.

Legal Basis - Legitimate Interests

We do not think it is unreasonable for an individual to expect to be contacted by a consultancy if they publish details about their professional profile and career history on professional networking sites, such as LinkedIn. We often review professional networking sites to identify any potential consultants who may be suitable to deliver a service agreement (or part thereof) for one of our clients. If we identify such a consultant, we will make initial contact with them to introduce ourselves and the opportunity available.

We have documented our decision-making for relying on legitimate interests for this purpose in a Legitimate Interest Assessment to ensure our legitimate interests are not over-ridden by the rights of individuals whose personal data is to be processed. If you would like to know more about the assessment we undertook please contact our Data Protection Manager.

You have the right to object to us processing your personal data on this basis, to exercise this right please contact our Data Protection Manager.

Marketing purposes

We pride ourselves on offering a tailored service to our consultants. We therefore want to keep you informed of any new business opportunities that become available that you may be interested in.

You can change your marketing preferences at any time by contacting our Data Protection Manager.

Legal Basis - Legitimate Interests

We do not think it is an unreasonable expectation for candidates to receive information from ourselves about new opportunities that might be suitable for them. GDPR allows us to use legitimate interests as the lawful basis for direct marketing purposes where this does not breach other e-privacy laws. As there is a relationship in place between ourselves and consultants we can legitimately rely on soft opt-in rules under the Privacy & Electronic Communication Regulations 2003 to undertake email direct marketing.

We have documented our decision-making for relying on legitimate interests for this purpose in a Legitimate Interest Assessment to ensure our legitimate interests are not over-ridden by the rights of individuals whose personal data is to be processed. If you would like to know more about the assessment we undertook please contact our Data Protection Manager.

You have the right to object to us processing your personal data on this basis, to exercise this right please contact our Data Protection Manager.

Who we will share your personal data with

We will share your personal data with:

  • Scene One Search and Selection Limited.
  • St. Vincent’s Healthcare Consulting Limited.
  • our existing clients who have job vacancies to fill; and
  • prospective clients who we feel may be able to provide a suitable career opportunity for you.

We will always ask for your consent to send your personal data to existing or prospective clients.

Your personal data may be accessed and seen by our third-party outsourced IT provider, whilst they undertake work on our behalf. We have a data processor contract in place which sets out both parties responsibilities and obligations under GDPR.

If you enter personal data into our website then it may be accessed and seen by our third-party website host and web data storage provider, whilst they undertake work on our behalf. We have a data processor contract in place which sets out both parties responsibilities and obligations under GDPR.

How we keep your personal data safe

St. Vincent’s Health and Public Sector Consulting Limited Search and Selection Limited take the security of your personal data seriously and we have put in place the most appropriate organisational and technical measures to safeguard personal data. Our measures include:

  • Encrypting devices and servers where appropriate
  • Password access to computers and mobile devices
  • Secure premises
  • Restricting access to those staff who need to see the information
  • Internal policies and procedures on data protection and information security
  • Staff training

When we use third-party providers to process and/or store personal data we undertake relevant assessments of their business to establish their level of compliance with GDPR and only use those that provide sufficient guarantees to implement appropriate technical and organisational measures to safeguard personal data.

Other trusted third parties that we may share your data with are as follows: HM Revenue and Customs (HMRC), pension scheme providers, legal advisors, and other companies for the purpose of undertaking pre-engagement checks for the role and for paying you.

Our website, emails, databases and data storage are all on servers based in the UK and EU.

Transferring personal data outside of the UK and EU

If a client is located outside of the UK and EU, St. Vincent’s Health and Public Sector Consulting Limited may need to transfer your personal data to that country. As we have said before we always get your consent to give your personal data to one of our clients and you will be made aware that the business is not located within the UK or EU.

How long we will keep your personal data for

We have documented retention periods for all the information we obtain and process.

We will keep your personal data for as long as we have an active communication with you, and once this ceases we will keep your personal data for 5 years before it is deleted from our systems/securely destroyed.

Your rights

You have various rights in relation to how we process your personal data.

  • You can access the personal data we keep about you and be given specific information about the processing.
  • You can ask us to update inaccurate personal data we hold about you.
  • You can ask us to delete your personal data but only when specific grounds apply.
  • You can ask us to restrict the processing of your personal data, for example if you are contesting the accuracy of it.
  • You can object to the processing of your personal data if you do not agree with our legitimate interest grounds and for direct marketing purposes.
  • You can transfer your personal data from us to another service provider but only when certain grounds apply.

We do not undertake any automated decision-making, including profiling.

Should you wish to exercise any of your rights please contact our Data Protection Manager.

If you are not happy with the way we have been processing your personal data or have not dealt with one of your rights correctly when you have asked us to you may lodge a complaint with the Information Commissioners Office (ICO). The ICO has several ways in which you can get in touch with them, including post, email, and online forms. To find out how click here.

Our contact details

You can contact our Data Protection Manager via one of the following ways:

Telephone: +44 (0)141 370 2313
Post: St. Vincent’s Health and Public Sector Consulting Limited, Queens House, 2nd Floor, 19 St Vincent Place, Glasgow, G1 2DT
Email: info@stvincentsconsulting.com

“Whether it’s structured analysis, business or work process modelling, use cases or software re-engineering St Vincent’s Consulting are a safe pair of hands. I would recommend them to anyone.”

Paul Dollan, Lead Business Analyst