Data controller: Global Canopy Foundation, 3 Frewin Chambers, Frewin Court, Oxford, OX1 1HZ
Global Canopy (GC) collects and processes personal data relating candidates for job adverts to manage the application process. GC is committed to being transparent about how it collects and uses that data and to meeting its data protection obligations.
What information does GC collect?
GC organisation collects and processes a range of information about you. This includes
- your name, address and contact details, including email address and telephone number, date of birth;
- details of your qualifications, skills, experience and employment history, including start and end dates, with previous employers and with the organisation;
- Your current level of remuneration, including benefit entitlements;
- information about your nationality and entitlement to work in the UK;
- information about medical or health conditions, including whether or not you have a disability for which the organisation needs to make reasonable adjustments; and
- information about your responses to interview questions and other tests carried out during the recruitment process.
- equal opportunities monitoring information including information about your ethnic origin, sexual orientation and religion or belief.
GC may collect this information in a variety of ways. For example, data might be collected through application forms, CVs or resumes; obtained from your passport or other identity documents such as your driving licence; from forms completed by you, from correspondence with you; or through interviews, calls, meetings or other assessments.
In some cases, GC may collect personal data about you from third parties, such as references supplied by former employers, information from employment background check providers, information from credit reference agencies and information from criminal records checks permitted by law.
Data will be stored in a range of different places, including in your personnel file, in GC’s HR management systems and in other IT systems (including the organisation's email system).
Why does the organisation process personal data?
The organisation needs to process data to consider your application and decide whether to make a job offer. It also uses the data to respond to your queries with respect to potential jobs.
In some cases, the organisation needs to process data to ensure that it is complying with its legal obligations. For example, it is required to check an employee's entitlement to work in the UK,
In other cases, the organisation has a legitimate interest in processing personal data. Processing this data allows the organisation to:
- run recruitment and promotion processes;
- obtain occupational health advice, to ensure that it complies with duties in relation to individuals with disabilities, meet its obligations under health and safety law;
- ensure effective general HR and business administration;
- respond to and defend against legal claims.
- Some special categories of personal data, such as information about health or medical conditions, is processed to carry out employment law obligations (such as those in relation to employees with disabilities).
Where the organisation processes other special categories of personal data, such as information about ethnic origin, sexual orientation or religion or belief, this is done for the purposes of equal opportunities monitoring. This is to carry out its obligations and exercise specific rights in relation to recruitment and employment.
Who has access to data?
Your information may be shared internally, including with members of the HR and recruitment team managers in the relevant business area in which you might work, the management team and IT staff if access to the data is necessary for performance of their roles.
The organisation shares your data with third parties in order to obtain pre-employment references from other employers, obtain employment background checks from third-party providers and obtain necessary criminal records checks from the Disclosure and Barring Service. The organisation may also share your data with third parties in the context of a transfer of some or all of its business. In those circumstances the data will be subject to confidentiality arrangements.
GC also shares your data with third parties that process data on its behalf, in connection with the provision of professional advice, recruitment agencies, with partners for managing human resources on common projects and the provision of occupational health services.
GC also shares your data with auditors, donors and their agents in order to account for how GC has used the funds it received.
Your data may be transferred to countries outside the European Economic Area (EEA) where GC’s information storage and processing systems are based overseas. (For example, information stored in emails on the Google-servers). Data is transferred outside the EEA on the basis of legally binding agreements with the data processors to whom the data is transferred. The agreements, require that Data is only processed according to GC’s instructions, and Data privacy is managed in accordance with GDPR.
How does the organisation protect data?
The organisation takes the security of your data seriously. The organisation has internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its employees in the performance of their duties. This includes keeping information in password protected areas of its filing and information systems, and by have specific locked places for storing
Where the organisation engages third parties to process personal data on its behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
For how long does the organisation keep data?
The organisation will hold your personal data for up-to 24 months.
If you become an employee then the data received from you during the recruitment process will be transferred to Global Canopy’s employment files. The Employee privacy notice explains what data is held and why – and your rights with respect to it. The employee privacy notice will be shared with you during your induction.
Your rights and obligations
As a data subject, you have a number of rights. You can:
- access and obtain a copy of your data on request;
- require the organisation to change incorrect or incomplete data;
- require the organisation to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing; and
- object to the processing of your data where the organisation is relying on its legitimate interests as the legal ground for processing.
If you would like to exercise any of these rights, please contact the Finance Director : Tom Espley firstname.lastname@example.org,
If you believe that the organisation has not complied with your data protection rights, you can complain to the Information Commissioner.
What if you do not provide personal data?
You have some obligations under your employment contract to provide the organisation with data. In particular, you are required to report absences from work and may be required to provide information about disciplinary or other matters under the implied duty of good faith. You may also have to provide the organisation with data in order to exercise your statutory rights, such as in relation to statutory leave entitlements. Failing to provide the data may mean that you are unable to exercise your statutory rights.
Certain information, such as contact details, your right to work in the UK and payment details, have to be provided to enable the organisation to enter a contract of employment with you. If you do not provide other information, this will hinder the organisation's ability to administer the rights and obligations arising as a result of the employment relationship efficiently.
Employment decisions are not based solely on automated decision-making.