This privacy notice covers the Transport for Wales Rail Services (TfWRS) part of the Keolis Amey group of companies and sets out how we handle your personal data when you apply for a role with us. TfWRS respects your privacy and is committed to protecting your personal data.
We currently use software tools to aid in our recruitment process such as iTrent. This means that your personal data is processed by iTrent (the ‘data processor’) on behalf of TfWRS, following the instructions TfWRS sets out.
The data we collect
The personal data we may collect from you includes:
- contact details such as name, title, addresses, telephone numbers, and personal email addresses
- copies of driving license, passport, birth certificates and proof of current address, such as bank statements and council tax bills
- evidence of how you meet the requirements of the job, including CVs and references
- evidence of your right to work in the UK and immigration status
- diversity and equal opportunities monitoring information – this can include information about your race or ethnicity, religious beliefs, sexual orientation, disability and other ‘special category data’
- information about your health, including any medical needs or conditions
- other information required for some applications
- if you contact us regarding your application, a record of that correspondence
- details of your use of our recruitment tools and services, such as your candidate profile and alerts for vacancies
- we will also keep copies of interview notes during the recruitment process
Our legal basis for using your data
- Legitimate Interest As a prospective candidate you have expressed an interest in working for our organisation.
- Contract Processing your data is necessary to move your application forward before signing a contract of work. This concerns employment or pre-employment checks.
- Legal obligation The law requires TfWRS to check that candidates are entitled to work in the UK.
- Processing criminal convictions and sensitive information. We collect, use and hold sensitive information such as criminal convictions on the lawful bases of contract and legal obligation.
- Processing special category data
Personal data is defined as ‘special category’ when it reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. It includes: - genetic data - biometric data that uniquely identifies a person - data concerning health - data concerning someone’s sex life or sexual orientation, we will usually only process this data by consent however in certain circumstances we have a legal obligation to process this data.
We may process this data if it’s necessary for complying with equal opportunity laws or any lawful obligation.
Any other special category of data we process we will seek your explicit consent first.
COVID 19 and Social Distancing
The current lock down situation has meant that we have had to change our recruitment processes to protect our team and candidates. This means that if you are brought forward for interview this will be by internet-based means such as Microsoft Teams. We will therefore be hosting these sessions using audio and video of us and you. For the needs of recruitment this will be recorded and kept for a period of 28 days and then transcribed with footage being deleted. You have the right to object to video and related technology being used.
Why we need your data
We need your data in order to:
- move your application forward
- check that you’re the right candidate for the role
- get in contact with you
- send you notifications for vacancy roles or job alerts
- Any offers of employment are subject to candidates passing a Medical Assessment as required and in line with our regulators
How your personal information is collected
We usually collect your personal information when you enter it in www.comeaboard.com. We might also collect information from third parties.
These may include:
- former employers and people named by candidates as references
- credit reference agencies
- the Disclosure and Barring Service (DBS)
- Sterling Talent and other background check agencies
- Medigold or other similar providers will carry out a medical assessment when needed and mandated by relevant authorities
During the application process you’ll be asked eligibility questions. You won’t have to disclose sensitive information, and everyone still has an equal opportunity to apply. The system will automatically decline your application if you don’t meet the eligibility criteria.
Personal information you provide in the recruitment process will be made available to our recruitment team members. If you are successfully hired, we will upload your details to our HR system. As a member of staff you will sign a contract of employment and agree to additional terms on how your data is handled and stored.
We will also share your data for statistical analysis (it will be anonymised first).
We may also share data with a legal authority (police etc.) if we are required to do so by law – for example, by court order, or to prevent fraud or other crime.
For certain roles there is a requirement for online and role specific testing to be completed. TFWRS shares this data with SHL and other relevant bodies as applicable. We may have to share with other parties, but we will not do this without informing you.
Transferring information outside the EU
We will not transfer your personal data outside the EU without your specific consent
We have put in place measures to protect the security of your information.
Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we only give access to your personal information to those employees, agents, contractors and other third parties who need to work on your recruitment process.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
All data provided to us is fully encrypted and stringent access controls are in place.
All candidates must login to the recruitment portal to confirm ongoing application stataus.
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for - recruitment.
This will depend on:
- the amount, nature, and sensitivity of the personal data
- the potential risk of harm from unauthorised use or disclosure of your personal data
- the purposes for which we process it
- whether we can achieve those purposes in other ways
- certain roles have a longer period of fulfilment due to the nature these will therefore be processed for longer (please see our retention policy for more information)
For documents supporting recruitment, application and sifting the retention period is 18 months.
If your application is not successful, personally identifiable data is removed 18 months after your most recent application via a digital purge of data. We may with your consent request to hold your data for longer as other future roles may suit your application. For certain roles, we have talent pools of potential job candidates. If you’re successful throughout the recruitment process, you will be held in our talent pool until a role becomes available. If your application is successful and you are offered a role with us, your data will be kept and transferred to the systems we administer for employees and retained in accordance with our Employee Privacy Notice.
You have the right to:
- request access to your personal information (known as a ‘data subject access request’ or DSAR) - you’ll receive a copy of the personal information we hold about you, so you can check that we are lawfully processing it. It also allows you to request an electronic copy of any data you have provided in a structured, commonly used and machine-readable format
- request that we correct incomplete or inaccurate personal information that we hold about you
- request we delete or remove your personal information - you can do this when there is no good reason for us to keep it - you can ask us to delete or remove your personal information where you have exercised your right to object to processing (see below)
- withdraw your consent for any data processed under the lawful basis of consent (see below)
- object to the processing of your personal information where we are relying on any legal basis other than contract or a lawful obligation
- request we restrict the processing of your personal information - you can ask us to stop processing your personal information, for example if you want us to establish its accuracy or the reason for processing it
To make any of these requests or to ask us to transfer a copy of your personal information to another party, contact our Data Protection Officer email@example.com
Accessing your data
You will not have to pay a fee to access your personal information or to exercise any of the other rights. However, if your request for access is clearly unfounded or excessive, we may:
- charge a reasonable fee
- refuse the request
We will need some information to confirm your identity. This is to ensure that your personal information is not disclosed to someone who has no right to access it. Typically it will be copies of 2 forms of ID, one photo ID (eg passport) and one proof of address (eg utility bill). These copies will be destroyed after your request is satisfied.
Questions and complaints
If you have any questions about this privacy notice contact the Data Protection Officer: firstname.lastname@example.org
The Data Protection Officer provides advice and monitors TfWRS’s use of personal information. If you have any concerns about how your personal data has been handled, please contact the DPO:
Data Protection Officer
St Mary’s House
If you have a complaint, you can also contact the Information Commissioner, who is an independent regulator set up to uphold information rights.
Information Commissioner's Office
Contact form https://ico.org.uk/global/contact-us/
Telephone 0303 123 1113
Textphone 01625 545860
Changes to this privacy notice
We may change this privacy notice. When we make changes to this notice, the ‘last updated’ date at the top of this page will also change. Any changes to this privacy notice will apply to you and your data immediately. If these changes affect how your personal data is processed, we will take reasonable steps to let you know.