Privacy notice for prospective, current and former employees
The Ethical Standards Commissioner (ESC) is committed to protecting your personal data and managing it in line with the UK General Data Protection Regulation (UK GDPR).
Personal data means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). There are "special categories" of more sensitive personal data which require a higher level of protection.
This privacy notice describes how we collect and use personal information about prospective, current and former employees. It explains how we’ll store and handle your data and keep it safe.
Further information about how we process personal data is available in our main Privacy Policy.
When do we collect your personal information? Toggle accordion
We collect personal information about you through the application and recruitment process, including directly from you as a candidate. We may collect information from third parties including but not restricted to:
- your referees
- current or former employers
- employment agencies
- your employer in the case of a secondment.
We may carry out background checks and may use a background check provider such as Disclosure Scotland.
We will collect additional personal information about you throughout the period of your employment. This information will relate to both the management of our contract with you and to job-related activities.
We may continue to collect and process information about you after you have left the organisation. Most commonly this relates to payroll, tax and pension records as well as to provide references to future employers.
What information will we hold about you? Toggle accordion
As a prospective, current or former employee, we will hold a range of personal data about you.
We will collect, store and use the following information about you:
- Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses
- Date of birth
- Gender
- Socio-economic background
- Next of kin and emergency contact information
- National Insurance number
- Bank account details, payroll records and tax status information
- Details of payments and expenses
- Pension records
- Details of hours/days that you have worked or are contracted to work
- Details of any absences
- Start and end dates
- Location of workplace
- Details of equipment issued to you
- Copy of driving licence, passport or other ID
- Recruitment information (including copies of right to work documentation, references and other information included in a CV, application form or covering letter/email or as part of the application process)
- Professional experience, qualifications and employment records (including job titles, work history, working hours, training records and professional memberships)
- Performance management records
- Information about your use of our information and communications systems
- Photographs, images and videos
- CCTV footage and other information obtained through electronic means such as swipecard records
We may also collect, store and use the following "special category" and more sensitive personal information:
- Information about age, disability, gender reassignment, race, religion or belief, sex, sexual orientation, marriage and civil partnership and pregnancy and maternity.
- Information about your physical or mental health, including any medical condition, health and sickness records and any assessments about your fitness to work.
- Information about criminal convictions and offences.
- Complaints or grievances raised by you or about you.
- Disciplinary records.
What will we do with the information you provide to us? Toggle accordion
We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:
- progressing your application
- improving our employment practices
- allowing us to make reasonable adjustments to assist you in the recruitment process and/or continuing employment
- managing performance and/or
- fulfilling contractual, legal or regulatory requirements relating to your employment.
We need the information described above to allow us to manage our contract with you and to enable us to comply with legal obligations, for example fulfilling our statutory functions.
The main situations in which we will process your personal information are:
- Making a decision about your appointment
- Determining the terms on which you are employed
- Checking you are legally entitled to work in the UK
- Paying you and administering expenses
- Administering the contract we have entered into with you
- Business management and planning, including accounting and auditing
- Conducting performance reviews, managing performance and determining performance requirements
- Making decisions about payments and expenses
- Assessing qualifications for a particular task or role
- Communicating and sharing information with other staff, the Courts, regulatory authorities, governmental or quasi-governmental organisations or generally as required by law
- Gathering evidence for dealing with complaints about you or by you
- Making decisions about your continued employment
- Making arrangements for the termination of our working relationship
- Education, training and development requirements
- Dealing with legal disputes involving you, or our employees, workers and contractors, including accidents at work
- Ascertaining your fitness to carry out your employment
- Managing absence
- Complying with health and safety obligations
- Preventing crime including fraud
- Ensuring our safety and the safety, security or confidentiality of our employees, workers and contractors, those involved in the complaints process and other third parties
- Monitoring your use of our information and communication systems to ensure compliance with our IT policies
- Ensuring network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution
- Equalities monitoring and more generally complying with our obligations under the Equality Act 2010
- Complying with legal obligations to publish expenditure and other information as a public body.
In some cases, we may use your personal information to pursue legitimate interests of our own or those of third parties, provided your interests and fundamental rights do not override those interests.
Please note that we may process your personal information without your knowledge or consent, where this is required or permitted by law.
We will record and store your information in our electronic filing systems. You can find out more in the Storing your personal information section of our Privacy Policy.
What happens if you fail to provide personal information? Toggle accordion
If you fail to provide certain information when requested, we may not be able to fulfil the terms of your employment, such as paying you or providing a benefit, or we may be prevented from complying with our legal obligations, such as to ensure the health and safety of our workers.
Handling special category information Toggle accordion
The categories of personal data the ESC processes include normal category and special category personal data.
Special category personal data includes information about:
- an individual’s race
- ethnic origin
- political or religious views
- sex life or sexual orientation
- trade union membership
- physical or mental health
- genetic or biometric data
We ask people to share some of this information with us, through the completion of a monitoring form. This helps us to improve how we recruit and manage our employees and to meet our commitments on equality. At the recruitment stage, we do not link personal information, such as names or other information that could identify you, with this data. As an employee, we may need information in these categories to manage your contract of employment. We will only process this type of information if relevant and lawful.
The ESC undertakes to handle this type of personal data in line with all data protection laws in a way that reflects the greater risk to individuals when special category personal data is handled.
Handling information about criminal convictions Toggle accordion
We will only collect and/or process information about criminal convictions if it is appropriate given the nature of the role and where we are legally able to do so.
Where appropriate, we will collect information about criminal convictions as part of the process for appointing you, primarily from Disclosure Scotland or we may be notified of such information directly by you in the course of you working for us. We will use information about criminal convictions and offences in the following ways:
- To assess whether you are suitable to carry out your appointment (including whether you are prohibited or barred from doing so by any applicable law or our Code of Conduct or other applicable policies).
- To assess whether you pose a threat to the health, safety, security or confidentiality of the ESC, our employees, contractors and workers or any third person.
- To prevent crime including fraud.
- To ensure our safety and the safety, security or confidentiality of our employees, workers and contractors and other third parties.
- To monitor your use of our information and communication systems to ensure compliance with our IT policies.
- To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution.
Who will we share your information with? Toggle accordion
We will share personal information about you with third parties. We do so when required by law, where it is necessary to administer our contract with you or where we have another legitimate interest in doing so.
We require third parties to respect the security of your personal information and to treat it in accordance with UK data protection legislation. We may transfer your personal information outside the UK. If we do, you can expect a similar degree of protection.
The ESC is covered by Freedom of Information laws. This means that anyone can ask us for the information that we hold. We must release this unless there is a good reason not to. It is very unlikely that we would release the personal data of employees. In the event that we must do so we would first inform the employee or seek their opinion.
We contract with a range of suppliers to provide key HR and other services. These include:
Thomson Cooper
As an employee, relevant details about you will be provided to Thomson Cooper, who provide payroll services to the ESC. As a minimum, this will include your name, bank details, address, date of birth, National Insurance Number and salary. Thomson Cooper operate an online portal for employees to access payslips and other information. The system is operated by Iris Payroll Professional and is called myePayWindow. You will be given the opportunity to review its privacy notice when first registering an account and thereafter under ‘My Settings’. Copies of both the user and company privacy notices are available internally.
HMRC
We will share your information with HMRC to allow them to collect personal taxation and National Insurance payments.
MyCSP
Likewise, your details will be provided to MyCSP who are the administrators of the Civil Service Pension Scheme. You will be auto-enrolled into this pension scheme. As a minimum, the details provided to MyCSP will be your name, date of birth, National Insurance number and salary.
AXA Health
AXA Health provides employees with mental health and wellbeing support. Staff can access online support materials and call a confidential Helpline for assistance. We do not provide AXA with any personal data. Employees may choose to provide personal data in order for AXA to better provide support. You can find out more about how AXA Health will manage your personal data in their privacy policy.
Scottish Legal Aid Board (SLAB)
SLAB are our landlords and provide a number of facilities management services, including the provision of swipe cards to access the building, disability access to the building and training courses. Only necessary, relevant information will be provided to them. They also operate a CCTV system for monitoring the security of the building.
IT services
ESC contracts with a range of providers to supply IT services. As a minimum, employee names and work contact details are shared in order to enable them to provide the service.
Internal audit
ESC contracts the services of an internal auditor. The internal auditor may review your personal information as part of their duties, for example when reviewing HR or payroll records.
From time to time we may enter into contracts for other services, for example occupational health or legal services, which may involve the processing of your personal data.
We may share your personal information with other third parties such as government or regulatory bodies or to otherwise comply with the law. These include:
External audit
Our external auditor is appointed by the Auditor General for Scotland and has the legal right to review any material the ESC holds. HR and payroll records are reviewed on a regular basis.
The Scottish Parliament and other staff members
Contact details for staff members are held in our business continuity plan, which outlines the action to take in an emergency. The plan is shared with the Scottish Parliament and other staff.
Health & Safety Executive
The details of certain accidents which occur in the workplace must be reported to the Health & Safety Executive. This may include personal details of the parties involved.
Police forces and prosecuting authorities
There may be occasion where we are obliged to share information with the police and/or prosecuting authorities.
How do we keep your information safe? Toggle accordion
We have put in place measures to protect your information. These measures are detailed in our Information Security Policy, which is available internally or on request.
In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know.
Third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies. We only permit them to process your personal data for specified purposes and in accordance with our instructions. They will not share your personal information with any organisation apart from us unless they are statutorily required to, for example paying tax and national insurance to HMRC. They will hold it securely and retain it for an agreed period.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
How long is the information kept for? Toggle accordion
If you are appointed, the information you provide and we collect during the recruitment process will be retained as part of your personnel file. We will keep this for the duration of your employment and for a further five years following the end of your employment. Your pension details are kept indefinitely.
If you are unsuccessful, the information you have provided to us and that we have generated about you will be retained for six months from the closure of the recruitment campaign. We may seek permission to retain your contact details in order to advise you of subsequent job opportunities.
Diversity information is retained for six months following the closure of the recruitment campaign whether you are successful or not.
If you are seconded to the organisation, any information gathered will be retained for the duration of your secondment and a further five years following the end of your secondment.
We do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary. We have a retention schedule which sets out how long we will hold information.
Your rights in relation to your personal data Toggle accordion
Under certain circumstances, you have the right to:
- Request access to your personal information (commonly known as a " subject access request"). You can receive a copy of the personal information we hold about you and check that we are lawfully processing it.
- Request correction of the personal information that we hold about you. You can have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal information. You can ask us to delete or remove personal information where there is no good reason for us continuing to process it.
- Object to our processing your personal information. You can ask us to stop using the personal data we hold about you. Please bear in mind that we may not be able to do so, for example if we are required by law to use it.
- Request the restriction of our processing your personal information. You can ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal information to another party.
- Withdraw consent to our processing your personal information. In the limited circumstances where we ask for your consent to use your personal data, you have the right to withdraw that consent at any time.
Requests to exercise any of your rights in relation to your personal data should be made in writing to the email or postal addresses given below.
When exercising these rights, we may ask you to confirm your identity. This is to ensure that personal information is not disclosed to any person who has no right to receive it.
How to contact us Toggle accordion
If you want to exercise your rights or ask us about anything in this privacy notice, or in relation to any other matter regarding our use of personal data, you can email us business@ethicalstandards.org.uk or write to the Head of Corporate Services, Ethical Standards Commissioner, Thistle House, 91 Haymarket Terrace, Edinburgh EH12 5HE.
Complaints Toggle accordion
We take any complaints we receive about the way we process personal information seriously. We encourage people to bring it to our attention if they think that our processing of personal data is unfair or inappropriate. We would also welcome any suggestions for improving our procedures.
If we are unable to resolve any issues internally you can contact our Data Protection Officer: Tel: (office hours) 0131 348 6080 and Email: DPOservice@parliament.scot
You also have the right to make a complaint to the Information Commissioner.
How we manage job applicants' information Toggle accordion
What information do we ask for and why?
The information we ask for is used to assess your suitability for employment and to improve our employment practices. You don’t have to provide what we ask for but it might affect your application if you don’t.
The contact details you provide will be used by us to inform you about the progress of your application.
Application stage
We ask you for your personal details including name and contact details. We will also ask you questions related to your suitability for the role that you have applied for. Such questions may be about your previous experience, education, referees and/or other information relevant to the role you have applied for. You may be asked to supply a CV.
You will also be asked to provide diversity information. This is not mandatory and if you don’t provide it, it will not affect your application. It does help us to assess whether our employment practices have different impacts on people depending on their protected characteristics which include age, disability, gender reassignment, race, religion or belief, sex, sexual orientation, marriage and civil partnership and pregnancy and maternity. This information will not be made available to anyone outside our office in a way which can identify you. Any information you do provide, will be used only to monitor our performance in relation to diversity.
If you have a disability and want us to make reasonable adjustments to allow you to apply for a role with us, the applicant information pack will tell you how you can do so. We will use the information you provide to us to ensure that you are treated equally and not disadvantaged by the any of the processes we use to assess the suitability of applicants.
Shortlisting and Assessments
We will shortlist applications for interview.
We might ask you to complete tests or questionnaires and/or attend an interview – or a combination of these. Information will be generated by you and by us. For example, you might complete a written test or we might take interview notes. This information is held securely.
If you are unsuccessful, we will retain your details for a period of six months to enable us to answer any questions about the recruitment exercise.
We may ask if you would like us to retain your contact details for an agreed period to allow us to contact you should any further suitable vacancies arise.
Conditional offer
If we make a conditional offer of employment we will ask you for information so that we can carry out pre-employment checks. These must be successfully completed to progress to a final offer. We are required to confirm the identity of our staff, their right to work in the United Kingdom and we are entitled to seek assurance as to their trustworthiness, integrity and reliability.
Depending on the role for which you have applied, we may require you to provide any or all of the following (the information we require will be set out in writing as part of any conditional offer):
- Proof of your identity – you will be asked to attend our office with original documents, we will take copies.
- Proof of your qualifications – you will be asked to attend our office with original documents, we will take copies.
- You will be asked to complete a criminal records declaration to declare any unspent convictions.
We may provide your email address to the Government Recruitment Service who will contact you to complete an application for a Basic Criminal Record check via Disclosure Scotland which will verify your declaration of unspent convictions.
We will contact your referees, using the details you provide in your application, directly to obtain references
If we make a final offer, we will also ask you for the following:
- Bank details – to process salary payments
- P45 or similar and your National Insurance Number – to make appropriate taxation payments
- Emergency contact details – so we know whom to contact in case you have an emergency at work
- Information relating to any previous membership of a Civil Service or public service pension scheme – so we can send you a questionnaire to determine whether you are eligible to re-join your previous scheme.
- Declaration of interests form – to identify any potential conflicts which may affect your ability to perform your role.
Post start date
Our Code of Conduct requires all staff to declare if they have any potential conflicts of interest, or if they are active within a political party. The information will be held on your personnel file.
Find out how we manage other types of personal data: