Client Privacy Policy

CLIENT PRIVACY NOTICE

1. What is this policy about?

S3 Life Science Recruitment (“S3 Life Science/we/us”) needs to obtain and keep certain information about not only its candidates but also its clients to allow it to offer recruitment services.  Laws about data protection set out rules on how personal information relating to individuals is obtained, processed, disclosed to others and transferred outside of the EU.  S3 Life Science is committed to complying with the Data Protection Act 1998 (DPA), the General Data Protection Regulation (known as GDPR) and any subsequent national data protection law which in due course replaces or amends the DPA and GDPR.  Collectively we refer to these as the Data Protection Legislation.

This particular privacy notice explains the types of information which S3 Life Science holds about individuals at its clients and corporate customers – and sets out your rights in relation to that information.

2. What type of information is covered by data protection laws? 

The law protects all information which relates to an individual i.e. personal data.

Some categories of information are considered special information because they relate to race or ethnic origin, political opinions, religious beliefs or other beliefs of a similar nature, trade union membership, physical or mental health or sexual life or biometric or genetic information.  Such “special category” information is sensitive, and accordingly it is given special protection. Similar additional safeguards are also applied to information about criminal allegations, proceedings and convictions and associated security measures.

3. Principles of Data Protection

S3 Life Science will ensure that it complies with the data protection principles:-

1. fair, lawful and transparent processing of information;
2. processing for specified, explicit and legitimate purposes;
3. information is adequate, relevant and limited to what’s necessary for the purpose for which it is obtained or maintained;
4. information is accurate and kept up to date, with inaccurate information being corrected or deleted promptly;
5. information is not kept for any longer than is necessary;
6. all information is kept securely;
7. information will not be transferred outside of the EU unless appropriate safeguards are in place.

“Processing” essentially means operating on data – in other words actively doing something with it.  The kinds of processing caught by the Data Protection Legislation includes collecting, recording, organising, structuring, storing, changing, retrieving, using, sharing, combining and deleting.

4. Types of personal information held about individuals at your organisation and the grounds on which we process such personal information

1. At Registration Stage

To create a relationship with us you need to register and execute an agreement for our services which will cover each assignment we undertake for and with you.  We will require you to provide information including your organisation’s relevant contact name, email address and/or mobile number.

2. Client (employer) Profiles

We include a logo and link to particular employers which can include testimonials, case studies and personal details (names, titles, email addresses).  You don’t have to have an employer profile on our site however, your profile information helps you to get more from our services and more interest from candidates.  It’s your choice whether to include sensitive information on your profile and to make that sensitive information public. Please do not post or add personal data to your profile that you would not want to be publicly available.

3. Day to day contract management of the contract between us

As a client (employer) contracting with us for our services we need to collect and use information about you, or individuals at your organisation, in the course of providing you services such as: (i) finding candidates who are the right fit for you or your organisation; (ii) providing you with additional advice, support and services, and (iii) contacting you and notifying you of content published by S3 Science or otherwise relevant to you (such as updates to our downloads and guidance section).  To the extent that you access our website we will also collect certain data from you (through cookies for example).  Please refer to our Cookie policy [http://s3science.com/cookies-policy/] for details of how we use cookies.

We will use the personal information provided about individuals at your organisation in our legitimate interests of being able to offer recruitment services to work seekers and clients seeking workers. We will also use information where it’s relevant for actual or anticipated legal claims.

We will only use personal information about individuals at your organisation for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will tell you and we will explain the legal basis which allows us to do so.

5. From whom is personal information collected? 

We expect that most personal information collected about you, your staff, your contact-points or agents will be collected directly from you as the client.  A number of elements of the personal data we collect from you are required to enable us to fulfil our contractual duties to you or to others. Other items may simply be needed to ensure that our relationship can run smoothly.  Depending on the type of personal data in question and the grounds on which we may be processing it, should you decline to provide us with such data, we may not be able to fulfil our contractual requirements or, in extreme cases, may not be able to continue with our relationship.

In terms of candidates’ personal data, we use Horus Security Consultancy Limited to undertake security screening of candidates which may be of interest to you.  Once they have produced a security report they will store it on their database to which we have access.  Here is a link to their privacy policy as it may be of interest to you as a client and potential employer of our candidates:

https://www.horus-security.co.uk/privacy-policy

We also use Acorn Occupational Health Limited to assess a candidate’s fitness for work.  Here is a link to their privacy policy as it may be of interest to you as a client and potential employer of our candidates:

http://www.acornoh.co.uk/privacy/

6. Storing your information

We keep all the information about our clients in our RMS Tracker recruitment software and Sage.

We use Tracker software for managing our candidate database.  Here is a link to their privacy statement:

http://www.tracker-rms.com/privacy-statement/

We also keep staff payroll and business accounting information on Sage software. Here is a link to their privacy notice:

https://www.sage.com/company/privacy-notice-and-cookies

We use RightSignature when we need you to sign documents electronically.  This may be required for contract execution, recruiting a candidate, or agreeing to any bespoke arrangements relating to your file and account.   Here is a link to their privacy policy.

https://rightsignature.com/privacy-policy

Internally at S3 Life Science we ensure that all information about candidates is stored electronically and securely (see Security below).

7. Keeping your information up to date

You need to help us to ensure that the information which we hold about individuals at your organisation is up to date and correct so as soon as any details change (such as phone numbers and email addresses) you should tell us immediately.

8. Rights of Individuals at your organisation

Individuals at your organisation have the following rights in relation to the personal information which we hold about them:

1. Right to withdraw consent

Where individuals have consented to us processing their personal information, they are entitled to withdraw that consent at any time.  If an individual at your organisation wishes to do so they should contact gdpr@s3science.com or complete the out-opt form on our website explaining which information they are referring to. We will stop processing this particular personal information as soon as possible after receiving the withdrawal except to the extent that we need to keep the information for regulatory purposes or in connection with legal proceedings.

1. Right to object including to direct marketing

When clients like you contact us about new vacancies we may contact suitable candidates whose data is stored on our databases to establish if they are interested in the new opportunity.  Equally where we take on new candidate who we think will be particularly suitable for a particular client we may contact the client to ask if they would be interested in the candidate.

Even if you have agreed to us contacting you for marketing purposes, individuals at your organisation may object to us processing their personal data for direct marketing purposes at any time.  They may object to being contacted in a particular manner in which case, they should let us know which ways they are happy to be contacted (e.g. by email) and which means they are not happy with us using (e.g. text message).  If individuals at your organisation do object, we will stop processing your personal information as requested immediately.

Individuals at your organisation have the right to object, for reasons relating to their particular situation, to us processing their personal information, where we are processing their personal data for reasons of our legitimate interests (including employer profiling and statistical research into employment trends).  When we receive any objection to processing on this ground, we will restrict access to the relevant information (see paragraph e below) while we assess whether our legitimate interests override your objection.  If we can demonstrate that they do or the information is needed for legal claims, we are allowed to continue to process the personal information; otherwise we will stop processing it.  Where we are processing personal information for other reasons such as compliance with our regulatory obligations we will continue to hold as much information as we need to in order to satisfy those obligations.

If you wish to object to us processing information about you for any of the above purposes please contact gdpr@s3science.com or complete the opt out form on our website.

1. Right of access – data subject access request 

This is commonly known as simply a “subject access request”. The purpose of a subject access request is for individuals at your organisation to know about the personal information which we hold about them and to check that we are lawfully processing it.

Usually we will not charge a fee for providing a copy of the information which individuals request about themselves but we may charge an administrative fee if individuals ask for further copies of the information or if the request is manifestly unfounded or excessive, in particular if it is repetitive.

If individuals at your organisation wish to make a subject access request they should contact gdpr@s3science.com .  Please be specific in your request.  If you make a very general request we may ask you to specify which information you would like to see.

1. Right to request correction

If individuals at your organisation think that any personal information about them which we hold is incorrect or incomplete they have the right to request that the information is changed. If individuals wish to correct any information we hold about them please contact gdpr@s3science.com  If we disagree that the information is incorrect, we will explain why. In that scenario, we have the right to retain the information and the individual can ask us to add a supplementary statement.

1. Right to request deletion – so called “right to be forgotten”

In the following situations individuals at your organisation have the right to have their personal information deleted:

1. Where the personal information is no longer necessary for the purpose for which it was originally collected/processed;
2. When we have asked for consent to process personal information and that consent has been withdrawn;
3. When the individual objects to the processing (see paragraph d below) and there is no overriding legitimate interest for continuing the processing;
4. When the personal information was unlawfully processed; or
5. When the personal information has to be erased in order to comply with a legal obligation.

If individuals at your organisation wish to request that some information relating to them is deleted they should contact gdpr@s3science.com .

1. Right to restrict processing

If individuals at your organisation tell us that they think some personal information we hold about them is incorrect or incomplete or they object to us processing their personal information for reasons of our legitimate interests (including profiling), we will restrict access to the relevant personal information while we assess whether or not it is incorrect/incomplete or whether we are allowed to continue processing the personal information. This means that we will continue to store the relevant personal information but we won’t use it for any other purposes.

1. Right to transfer of your information 

Where individuals at your organisation have provided information to us and we are processing it via automated means either based on their consent or for the performance of a contract with the individual, they have the right to request that the information is provided to them, or to someone else, in a commonly used electronic form.

If individuals at your organisation wish to us to provide such information to them in this manner they should contact gdpr@s3science.com.

9. Sharing personal information about individuals at your organisation

Internally, we will limit access to the majority of personal information to colleagues who need to know the information to be able to perform their role such as our account managers, client liaison functions, and as the recruiters who will be working with you.

In limited and infrequent circumstances, we will share information (without address or contact details) with candidates who has a potentially suitable skills-match with your needs.  If the candidate is keen in submitting an application they may be invited to meet with you or your representative, at which point personal information about individuals at your organisation such as name, email address and contact details will be shared and notified to the candidate.

Third party access and storage will take place, as we have described above.  Such storage will primarily affect candidates more than you as a client and could involve certain records being kept or shared with Horus and Acorn during the recruitment process and Tracker, RightSignature and Sage for more internal administrative purposes.

We may share some of personal information about individuals at your organisation with other people outside of S3 Life Science where this is required by law (e.g. an audit of our records), or where we have a legitimate business interest (such as with our legal advisors).

Where we share personal information with external service providers we protect it by requiring those service providers to take appropriate security measures to protect your personal information in line with our policies. We also tell our external service providers that they can only use personal information for the purpose of providing the service to us and not for their own purposes. We only allow them to process personal information for specified purposes and in accordance with our instructions.

We may also need to share personal information about individuals at your organisation with a regulator or to otherwise comply with the law.

10. Transfer of your personal information out of the EU 

Within the EU all businesses have to protect personal information in the same way as employers do in the UK.  However, outside of the EU data protection laws vary from country to country, some have similar laws to the EU, others have very different laws.

Some of the providers we mentioned above (including Tracker and RightSignature) are based outside of the EU which means that information about individuals at your organisation will be transferred to the US. We will only transfer your personal information outside of the EU where there is adequate protection for your information or for legal claims.

11. Security

A very important part of looking after the personal information which we hold is ensuring that it’s secure.

We have considered how to protect personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed inappropriately.  We have put in place measures to achieve these objectives.

All personal information will be held on secure databases or in locked filing cabinets.

However, data transmission over the internet and email cannot be guaranteed to be entirely secure. As a result, we cannot guarantee the security of personal information and submission of information to us is therefore at your risk.

12. Breach of security

If we discover that our security measures have failed and this results in personal information being lost, destroyed, corrupted or disclosed or someone accessing the information or passing it on without proper authorisation, we will assess the risk that such a breach may have on you.  If the breach will result in a high risk of a negative impact for you we will tell you and we will tell the Information Commissioner

13. Deleting personal information 

We would like to keep your information on our database not only to help us service your future assignments and business needs, but it will also help with any auditing of our services and any contract management queries (and contract claims) that arise in future between us.  We will therefore keep your information for 6.5 years from the date the last assignment was concluded.

14. Contact information

S3 Life Science processes personal information about you (known as the “data controller”). Address:  BCM Box 1899, London WC1N 3XX, Telephone 08448 844 686.

We have appointed Sharmaine Clarke as our data protection officer. Sharmaine can be contacted at gdrp@s3science.com. If you have any queries relating to your personal information or your responsibilities with respect to other people’s personal information please contact gdpr@s3science.com.

The Information Commissioner is the UK supervisory authority with responsibility for data protection.  Various ways of contacting the Information Commissioner are detailed on their website: https://ico.org.uk/global/contact-us/. You can complain to the Information Commissioner at any time.

15. Date of and changes to this notice

This policy is dated May 2018.

We reserve the right to update this notice at any time. We will post updates to this notice on our Intranet and send you an updated copy. We may also notify you in other ways from time to time about the processing of your personal information.