Cardiff Metropolitan University is a thriving and financially sustainable University which continuously recruits for a number of key positions. The University uses an online application process to enable you, the candidate, to apply for the job(s) of your choice.
The following Privacy Notice describes how your data is managed by Cardiff Metropolitan University for the purpose of the application process in accordance with data protection legislation - the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA18).
1. Introduction
Cardiff Metropolitan University is the Data Controller and is committed to protecting the rights of individuals in line with the UK GDPR and the DPA18. Its Privacy Statement can be found here.
2. Data Protection Contact
Cardiff Metropolitan University’s Information and Data Compliance Officer can be contacted via the following routes (if you have any further queries regarding the processing of your data):
Email: SWeaver@cardiffmet.ac.uk and/or dataprotection@cardiffmet.ac.uk.
3. Overview
By means of this notice, the University wishes to notify you of the following:
- The personal data and special category data it collects;
- Why this data is collected and processed;
- Who has access to this data including who the University shares the data with;
- The legal basis for processing personal and special category data;
- Technical and organisational measures to ensure personal data remains secure;
- Retention periods; and
- General information.
4. Personal Data Collected
• Address
• Contact mobile/telephone number
• Date of birth
• Email
• Name
• National Insurance Number
• Right to Work in the UK details (Evidence of Right to Work)
5. Special Category Data Collected
(Special category data is personal data that needs more protection because it is sensitive)
• Personal data revealing racial or ethnic origin
• Personal data revealing religious or philosophical beliefs
• Data concerning sexual orientation
Cardiff Metropolitan University collects and monitors anonymised equality data on all nine protected characteristics as specified in the Equality Act 2010. It is also a legal requirement for the University to monitor against all protected characteristics, as part of the Public Sector Equality Duty in Wales.
The University is committed to promoting and implementing best practice in Equality and Diversity (E&D) to provide a working and learning environment to enable both staff and students to reach their full potential.
The University wishes to work beyond the legislative requirements in the delivery of E&D policies and aims for equality of opportunity to be embedded in everything it does.
Cardiff Metropolitan University is an organisation where diversity is valued, equality is promoted, and services are delivered to support all staff and students.
6. Criminal Offence Data Collected
• Unspent convictions
7. What the University uses your Personal Data for
Personal data is collected to identify and contact you following the submission of an application for a vacancy. Subsequently, that information may be used to correspond with you throughout the recruitment process.
a) Satisfactory Evidence of Right to Work in the UK
All employers in the UK have a responsibility to prevent illegal working. The law on preventing illegal working is set out in sections 15 to 25 of the Immigration and Nationality Act 2006 (the 2006 Act), section 24B of the Immigration Act 1971, and Schedule 6 of the Immigration Act 2016. Upon offer of employment and before an employee can commence an employment, we will request satisfactory evidence of your Right to Work in the UK.
b) Employment Reference Details
The University will carry out employment references to help validate your employment history and to assist with assessing if individuals can do the job they will be required to perform. With your permission, People Services will request at least two employment references.
c) Qualifications and Professional Accreditations
The University requires evidence of all essential qualifications and/or professional registrations to ensure that individuals have the credentials and skills to perform the job they are employed to do. In certain professions, evidence of an individual’s professional registrations is a statutory obligation.
d) Medical/Health Information
Where applicable the University requests information and conducts medical assessments to ensure, as far as possible, that employees are physically and mentally fit to perform the role for which they have been selected without risk to their own health and safety, or the health and safety of others. Additionally, this information is used to determine what reasonable adjustments can be made to support employees in their role, where possible.
e) E&D Data
E&D data is used to:
- Monitor and evaluate the impact of the E&D Strategic Equality Plan (SEP);
- Inform and guide equality assessment;
- Shape recruitment practice of staff and students;
- Ensure fair representation of staff and students; and
- Improve University initiatives.
8. Sharing Information with Other Organisations
Your application data is held in the University’s staff recruitment applicant tracking system called Stonefish Software Ltd. Stonefish Software Ltd uses Space Data Centres in Nottingham, UK to store your personal data. Space Data has implemented technical and organisational measures, including ISO27001 and ISO9001 accreditation, to ensure the security of your personal data. Your data will not be transferred outside of the UK. In addition, Space Data has secure Tier 3 hosting with unlimited bandwidth and 99.99% uptime, together with high spec power, cooling systems, high-speed data connections and enterprise-grade firewalls.
If you would like any more information about Stonefish Software Ltd and/or Space Data Centres, please contact dataprotection@cardiffmet.ac.uk.
If you become an employee, your data is stored in the University’s People Services Software System called iTrent. iTrent is a MHR UK & Ireland product; MHR’s Privacy Policy can be found here.
Cardiff Metropolitan University uses the Home Office’s UK Visas and Immigration Sponsorship Management Portal which is part of Gov.uk, whose Privacy Statement can be found here. This portal may be used in situations where candidates require sponsorship. Permission to share your personal details with the Home Office will be obtained at the point of requirement.
Where a role is identified as requiring a DBS check, and upon offer of employment, Cardiff Metropolitan University uses First Advantage Online Disclosures to conduct its DBS checks. Its Privacy Policy can be found here.
Cardiff Metropolitan University uses Insight Health Screening Ltd to conduct medical health assessments. Its Privacy Policy can be found here.
No other third parties will have access to your personal data unless the law allows them to do so.
9. Cardiff Metropolitan University’s Legal Basis for Processing Your Personal Data
a) To process your personal data, Cardiff Metropolitan University must ensure that it is compliant with one of the ‘Lawful Bases’ for processing under Article 6 of the UK GDPR. This means that it must have a lawful reason for using/storing personal information for the purposes outlined in Section 7 of this notice.
Article 6.1(a) – Consent (The University can only conduct Right to Work checks with the permission of the candidate)
The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
Article 6.1(e) – Performance of a Public Task
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.
b) To process your special category data, Cardiff Metropolitan University must ensure that it is compliant with one of the ‘Lawful Bases’ for processing under Article 9 of the UK GDPR.
Article 9.2(b) – Employment
The processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security, or social protection.
c) To process criminal offence data, Cardiff Metropolitan University must ensure that it meets a Schedule 1 condition for processing in the DPA18.
Schedule 1, Part 1 (1) – Employment, Social Security and Social Protection
The processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security, or social protection.
10. Security of Processing
As the Controller, Cardiff Metropolitan University has implemented technical and organisational measures to ensure personal data processed remains secure, however absolute security cannot be guaranteed. Should you have a concern about a method of data transmission, the University will take reasonable steps to provide an alternate method. For more information about IT security at Cardiff Metropolitan University, and keeping your data safe, please click here.
Information relating to special category data, such as protected characteristics, is stored securely following strict data protection principles. Information is only ever published, in reports for example, in an anonymous format.
11. Retention of Personal Data
Record | Retention Period | Disposal Method |
---|
External candidate profiles on StoneFish. | 12 months from profile creation. | Automatically disposed if no activity after 12 months. |
Unsuccessful external candidate application records on StoneFish. | 12 months from last account activity. | Application anonymised. |
Unsuccessful internal candidate application records on StoneFish. | As per staff data protection policy. | 7 years post leaving date. |
Employee records. | As per staff data protection policy. | 7 years post leaving date. |
All records are disposed of in accordance with Cardiff Metropolitan University’s Records Management Policy.
12. Individual Rights
The lawful basis for processing can affect which Rights are available to individuals.
Using Consent as the lawful basis for processing, your Individual Rights include:
- The Right to Access
- The Right to Rectification
- The Right to Erasure
- The Right to Portability
- The Right to Withdraw Consent
Using Performance of a Public Task as the lawful basis for processing, your Individual Rights include:
- The Right to Access
- The Right to Rectification
- The Right to Object
- The Rights Related to Automated-Decision Making inc. Profiling
For more information about these Rights, please click here.
13. General
Cardiff Metropolitan University has a Data Protection Policy, which can be found here.
If you wish to make a complaint about the way your personal data has been processed you can find details of how to do so here.
If this process does not resolve your issue, or if you wish to take your complaint further, you have the right to contact the Information Commissioner. The contact details are:
Information Commissioner’s Office – Wales
2nd Floor, Churchill House
Churchill Way
Cardiff
CF10 2HH
0330 414 6421
www.ico.org.uk