General privacy notice for candidates applying for a public appointment role at DBT
Updated 3 September 2024
1. Purpose of this privacy notice
The Department for Business and Trade (DBT) is committed to protecting the privacy and security of your information. This notice sets out how we will use your personal data as part of our legal obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA). It is supplemented by the information available in DBT’s ‘Personal Information Charter’.
DBT is the data controller of the information you provide in your application for a public appointment role, whether you are applying for a regulated or non-regulated public appointment. This means that we are responsible for deciding how we hold and use personal information about you.
It is important that you read this privacy notice so that you are aware of how and why we are using your information.
2. What is personal data
Personal data is any information relating to an identified or identifiable natural living person, otherwise known as a ‘data subject’.
A data subject is someone who can be recognised, directly or indirectly, by information such as:
- a name
- an identification number
- location data
- an online identifier
- data relating to their physical, physiological, genetic, mental, economic, cultural, or social identity
These types of identifying information are known as ‘personal data’.
Data protection law applies to the processing of personal data, including its collection, use and storage.
3. What personal data we collect about you
In connection with your application, we may collect:
- your contact details, for example name, address, email address, contact phone number
- your date of birth
- your curriculum vitae (CV) and personal statement
- previous and current employment and education history
- qualifications, licences and professional memberships
- other background information relevant to your application including sift and interview assessments
- diversity data including ethnicity and disability background
- conflicts of interest related information including political activity and trade union membership
- information obtained from public sources
- information about your health in order to make any necessary reasonable adjustments to the appointments process for you
- contact details for referees
As part of our due diligence checks, we may also collect information about you from other government and publicly available sources.
They include:
- other government departments
- the Disclosure and Barring Service (DBS)
- Companies House, if you have been a director of limited companies
- the Financial Conduct Authority, such as if you have previously covered an approved role
- Cifas
- regulatory bodies (if you are a member of a regulated profession)
We may also collect data about you available via the internet, for example through:
- a Google search
- news and social media reports
- entries in online directories
All personal data is handled under the Government Security Classification Scheme for handling for Official data and non-personal data may be retained according to the Public Records Act 1958.
If you consent, we may contact you in order to make you aware of other public appointments for which we are seeking applicants. We may share your CV and contact details with the Centre of Public Appointments in the Cabinet Office. They may alert you to any other public appointment opportunities arising in the future. They may also share your personal data with other government departments so that they can contact you about such opportunities.
4. How we obtain the information
The personal data we collect and process is principally provided to us directly by you during the recruitment process.
You provide this by:
- returning a CV and personal statement
- completing application forms and any background check forms
- filling in our surveys or submitting requests via our digital platforms
- signing on and using our digital platforms and tools
- communicating with us via email, letter, phones and smartphones
- entering our buildings and passing through our security and CCTV monitoring systems
We may also collect personal information (as part of due diligence processes) from public statements and social media, blogs or any other publicly available information and from DBS checks (if your application progresses to latter stages of recruitment).
5. Purposes for processing your personal data
We use your personal information to help us ensure that DBT is able to select and appoint high quality candidates for public appointments.
We process your data via robust recruitment processes, in line with public appointments best practice as set out in the Governance Code for Public Appointments.
We process your data to:
- manage the public appointments process for DBT
- assess your suitability for a role
- provide technical support to candidates and recruiters
- send your contract of employment to your email address, if the employing department chooses this as an option
- monitor the effectiveness of recruitment processes - this could include statistical analysis of system usage, or research into the experience of applicants and other system users, or analysing referral sources to see which provide the most diverse applicants
- undertake due diligence, pre-employment checking and onboarding activity before you start in a role
6. Our legal basis for processing your data
The legal basis for processing your personal data is:
- public task - Article 6(1)(e) of the UK GDPR: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. In this case, the processing of your personal data is necessary in order to consider applications for a public appointment role
- consent - Article 6(1)(a) of the UK GDPR: if we rely on your consent to process your personal information for the purposes of recruitment, you have the right to withdraw your consent for processing for that purpose at any time. You can do withdraw your consent by contacting the Data Protection Officer at data.protection@businessandtrade.gov.uk.
You can find out more about these bases for processing personal data by consulting the Information Commissioner’s Office.
7. Special category personal data
Special category personal data is data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. It also includes the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
The types of special category personal data we may process are:
- diversity data including ethnicity and disability background
- political activity/opinions and trade union membership
- health information and sexual orientation
- religious background
- political opinions and activity
The condition for processing your special category personal data is: Article 9(2)(g) UK GDPR: It is necessary for reasons of substantial public interest (with a basis in law) in order to meet statutory and government purposes and regulatory requirements.
The relevant corresponding condition in Schedule 1 of the DPA is: the processing is necessary for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people specified in relation to that category with a view to enabling such equality to be promoted or maintained.
Read further detail on how we handle special category personal data.
8. What happens if you do not provide this data
If you do not provide your personal data, you will not be considered for a public appointment.
9. How we may share your information
The data collected may be shared with the following organisations for the purpose detailed above:
- external recruitment consultancy (if applicable and if contracted to handle a specific recruitment campaign)
- the Advisory Assessment Panel (AAP) for each campaign
- the Arm’s Length Body (ALB) to which the role/s and campaign relates (if applicable)
- the Office of the Commissioner for Public Appointments (OCPA) (if applicable)
- ministers
- the Cabinet Office (in accordance with Governance Code of Public Appointments)
- the Prime Minister’s Office (if applicable)
- the Palace (if a King’s appointment)
- the Privy Council (if Privy Council approval is required)
All our third-party service providers and other government departments or public bodies are required to take appropriate security measures to protect your personal information in line with our policies.
We do not allow third parties to use your personal data for their own purposes. We only permit them to process your personal data for the purposes specified in this notice and in accordance with our instructions.
Anonymised diversity data for Public Appointment applicants and appointees will also be shared with Cabinet Office and OCPA. This recruitment is in order to meet the Public Sector Equality Duty as set out in section 149 of the Equality Act 2010.
We will also share your data if we are required to do so by law or regulation – for example by court order, or to prevent fraud or other crime.
10. How long we keep your data
We will only retain your personal data in line with DBT’s retention policy and the Public Records Act 1958. Recruitment records for unsuccessful candidates are retained for 3 years from end of recruitment process. Anonymised diversity data will be kept for up to 10 years. The data of successful (that is appointed) candidates is kept in line with personnel record keeping requirements (usually 85 years for personnel files).
11. Automated decision making or profiling
We will not use your data for any automated decision making (in other words making a decision based solely by an automated process without any human involvement) or profiling (automated processing of personal data to evaluate certain aspects about an individual).
12. Overseas data transfer
Your personal data is stored on Civil Service IT infrastructure, and shared with their data processors who provide email, and document management and storage services. As a result, it may be transferred and stored securely outside the European Economic Area. Where that is the case, it will be subject to equivalent legal protection.
13. How we protect your data
We have appropriate measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so. This will be done in line with our data protection policy.
For a copy email our Data Protection Officer at data.protection@businessandtrade.gov.uk.
14. Your data protection rights
You have rights over your personal data under the UK GDPR and the DPA 2018.
These rights include the right:
- to request information about how your personal data are processed and to request a copy of that personal data (and for this to be provided in a structured, commonly used and machine-readable format)
- to request that any inaccuracies in your personal data are rectified without delay
- to request that any incomplete personal data are completed, including by means of a supplementary statement
- to request that your personal data is erased if there is no longer a justification for it to be processed
- in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted
- to object to the processing of your personal data, although you will then be unable to be considered for the public appointment
You can exercise your rights by writing to data.protection@businessandtrade.gov.uk.
15. Complaints
The contact details for the data our Data Protection Officer (DPO) are:
Data Protection Officer
Department for Business and Trade Old Admiralty Building Admiralty Place
London
SW1A 2DY
Email data.protection@businessandtrade.gov.uk
If you are not satisfied with the way we have handled your personal data and want to make a complaint, please write to the department’s DPO or the Data Protection Manager at the relevant agency. You can contact the department’s DPO using the details above.
16. How to contact the Information Commissioner’s Office
If you believe that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. You may also contact them to seek independent advice about data protection, privacy and data sharing.
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Email casework@ico.org.uk
Tel 0303 123 1113
Textphone 01625 545860
Monday to Friday 9am to 4:30pm
Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.
17. Accessibility
For alternative formats, contact DBT’s DPO for:
- a paper version
- a large-print version
- an audio version
18. Contact Information
If you have any questions about this privacy notice and how your personal information will be processed, contact:
- dbtappointments@businessandtrade.gov.uk for queries about a specific role
- DBT’s DPO for queries on data protection
Data Protection Officer
Department for Business and Trade Old Admiralty Building Admiralty Place
London
SW1A 2DY
Email data.protection@businessandtrade.gov.uk
19. Changes to our privacy notice
We may make changes to this privacy policy. In that case, the ‘last updated’ date at the bottom of this page will also change. Any changes to this privacy policy will apply to you and your data immediately.
If these changes affect how your personal data is processed, DBT will take reasonable steps to let you know.