Nova Search & Selection Privacy Policy

INTRODUCTION

This Privacy Policy explains what we do with your personal data, whether we are in the process of helping you find a job, continuing our relationship with you once we have found you a role, providing you as a client or a candidate with a service, receiving a service from you, using your data to ask for your assistance in relation to one of our candidates or you are visiting our website.

It describes how we collect, use and process your personal data, and how, in doing so, we comply with our legal obligations to you. Your privacy is important to us, and we are committed to protecting and safeguarding your data privacy rights.

This Privacy Policy applies to the personal data of our website users, candidates, clients, suppliers and other people whom we may contact in order to find out more about our candidates.

For the purpose of applicable data protection legislation (including but not limited to the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”)), the company responsible for your personal data is Nova Search & Selection, 10 Austyns Place, High Street, Ewell, Surrey, KT17 1SQ.

It is important to point out that we may amend this Privacy Policy from time to time. Please just visit this page on our website if you want to stay up to date, as we will post any changes there.

If you are dissatisfied with any aspect of our Privacy Policy, you may have legal rights and, where relevant, we have described these as well.

CANDIDATE DATA

In order to provide the best possible employment opportunities that are tailored to you, we need to process certain information about you. We only ask for details that will genuinely help us to help you, such as your name, age, contact details, education details etc. Where appropriate and in accordance with local laws and requirements, we may also collect information related to your health, diversity information or details of any criminal convictions.

Here is a more detailed look at the information we may collect. The information described below is, of course, in addition to any personal data we are required by law to process in any given situation.

• Name;

• Age/date of birth;

• Sex/gender;

• Photograph;

• Marital status;

• Contact details;

• Education details;

• Employment history;

• Emergency contacts and details of any dependents;

• Referee details;

• Immigration status (whether you need a work permit);

• Nationality/citizenship/place of birth;

• A copy of your driving license and/or passport/identity card;

• Social security number, and any other tax related information;

• Diversity information, including racial or ethnic origin, religious or other similar beliefs, and physical or mental health, including disability related information;

• Details of any criminal convictions;

• Details about your current remuneration, pensions and benefits arrangements;

• Information on your interests and needs regarding future employment, both collected directly and inferred, for example from jobs viewed or articles read on our website;

• Extra information that you choose to tell us;

• Extra information that your referees choose to tell us about you;

• Extra information that our clients may tell us about you, or that we find from other third party sources such as job sites;

• IP address.

How do we collect your personal data?

There are two main ways in which we collect your personal data:

1. Directly from you; and

2. From third parties

To the extent that you access our website or read or click on an email from us, we may also collect certain data automatically or through you providing it to us.

There are numerous ways you can share your information with us; it all depends on what suits you. These may include: entering your details on the Nova Search website or via an application form as part of the registration process; leaving a hard copy CV at a Nova Search recruitment event, job fair or office; emailing your CV to a Nova Search consultant, or being interviewed by them; applying for jobs through a job board, which then redirects you to the Nova Search website; or inputting information through a social media channel such as Facebook or Twitter.

We may receive personal data about a Candidate from other sources. For example: your referees may disclose personal information about you; our Clients may share personal information about you with us; we may obtain information about you from searching for potential Candidates from third party sources, such as LinkedIn and other job sites; and if you ‘like’ our Facebook page or ‘follow’ us on Twitter, we will receive your personal information from those sites.

Your rights

Even if we already hold your personal data, you still have various rights in relation to it. To get in touch about these, please email Kristina@novasearch.co.uk or call 0208-3937413.

As a data subject, you have the following rights under the GDPR, which this policy and Nova Search and Selection’s use of personal data have been designed to uphold.

• The right to be informed about Nova Search & Selection’s collection and use of personal data;

• The right of access to the personal data Nova Search & Selection holds about you;

• The right to rectification if any personal data Nova Search & Selection holds about you is inaccurate or incomplete;

• The right to be forgotten – i.e. the right to ask Nova Search & Selection to delete any personal data we hold about you (if you would like us to delete it, please contact us using the details in the ‘Opting Out’ section of this policy);

• The right to restrict (i.e. prevent) the processing of your personal data;

• The right to data portability (obtaining a copy of your personal data to re-use with another service or organization);

• The right to object to Nova Search & Selection using your personal data for particular purposes. If we are using your data because we deem it necessary for our legitimate interests and you do not agree, you have the right to object. We will respond to your request within 30 days.

• Rights with respect to automated decision making and profiling. Where we have obtained your consent to process your personal data for certain activities (for example, for profiling your suitability for certain roles), or consent to market to you, you may withdraw your consent at any time. 

How do we use your personal data?

The main reason for using your personal details is to help you find employment or other work roles that might be suitable for you. The more information we have about you, your skillset and ambitions, the more bespoke we can make our service. Where appropriate, and in accordance with local laws and requirements, we may also use your personal data for things like marketing, profiling and diversity monitoring. Where appropriate, we will seek your consent to undertake some of these activities.

We generally use candidate data in four ways: recruitment activities; marketing activities; equal opportunities monitoring; and to help us to establish, exercise or defend legal claims.

Who do we share your personal data with?

We may share your personal data with various parties, in various ways and for various reasons. Primarily we will share your information with prospective employers to increase your chances of securing the job you want.

Other Sources of Data

We may also process information about you where it is available from public sources. For example, if you have a professional profile online, we may combine that type of information with the information you provide directly to us.

Subject Access Request (SAR)

You have the right to request a copy of the information we hold for you on our systems. In order to receive this information, we will need verification of your identity, and for this we will accept a photocopy of your passport certified by a solicitor or bank, plus an original copy of a utility bill showing your current address. SARs should be submitted to the Data Protection Officer, Kristina Lushey, kristina@novasearch.co.uk, 0208-3937413.

How long do we keep your personal data for?

We will delete your personal data from our systems if we have not had any meaningful contact with you (or where appropriate, the company you are working for or with) for two years (or for such longer period as we believe in good faith that the law or relevant regulators require us to preserve your data). After this period, it is likely your data will no longer be relevant for the purposes for which it was collected.

When we refer to ‘meaningful contact’, we mean, for example, communication between us (either verbal or written) or where you are actively engaging with our online services. If you are a Candidate, we will consider there to be meaningful contact with you if you submit your updated CV onto our website, or if you communicate with us about potential roles, either by verbal or written communication, or click through from any of our marketing communications. Your receipt, opening or reading of an email or other digital message from us will not count as meaningful contact – this will only occur in cases where you click through or reply directly.

CONSENT/OPT-IN

In certain circumstances, we are required to obtain your consent to the processing of your personal data in relation to certain activities. Depending on exactly what we are doing with your information, this consent will be opt-in consent or soft opt-in consent.

Article 4(11) of the GDPR states that (opt-in) consent is “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” In plain language, this means that:

• You have to give your consent freely, without us putting you under any type of pressure.

• You have to know what you are consenting to – so we’ll make sure we give you enough information.

• You should have control over which processing activities you consent to and which you don’t. We provide these finer controls within our privacy preferences and you need to take positive and affirmative action in giving your consent.

• We will keep records of the consents that you have given.

• We have already mentioned that, in some cases, we will be able to rely on soft opt-in consent. We are allowed to market products or services to you which are related to the recruitment or HR services we provide, as long as you do not actively opt-out of these communications.

• As we have mentioned, you have the right to withdraw your consent to these activities. You can do so at any time by contacting Kristina Lushey (DPO), kristina@novasearch.co.uk, 0208-3937413.

CLIENT DATA

If you are a Nova Search & Selection customer, we need to collect and use information about you, or individuals at your organization, in the course of providing you services such as finding candidates who are the right fit for you or your organization or providing an HR Consultancy Service whereby we may be involved with processing personal data regarding the company’s employees. The Company only collects, processes, and holds personal data for the specific purposes set out in this Policy (or for other purposes expressly permitted by the GDPR).

There are two main ways in which we collect your personal data:

1. Directly from you the client, or data subjects (company employees)

2. From third parties (e.g. our candidates) and other limited sources (e.g. online and offline media).

To the extent that you access our website or read or click on an email from us, we may also collect certain data automatically or through you providing it to us.

We both share the same goal, to make sure that you have the best staff for your organization. We will receive data from you directly in two ways, either where you contact us proactively, usually by phone or email and/or where we contact you, either by phone or email. 

How do we use your personal data?

Specified, Explicit, and Legitimate Purposes

The main reason for using information about clients is to ensure that the contractual arrangements between us can be properly implemented so that the relationship can run smoothly. This may involve identifying candidates who we think will be the right fit for you or your organization. As a customer of Nova Search & Selection, you are entering into an agreement which gives us a legitimate basis to process your data (in line with GDPR requirements).

• We may use your personal information to send invoices to you and collect payments from you. 

• Send you general non-marketing commercial communications.

• Devise case studies or use your testimonials on the website.

• Send you CVs for job vacancies that you have legitimately placed with us.

Essentially, we use client information for recruitment activities; marketing activities; and to help us to establish, exercise or defend legal claims.

HR Service

Where we offer an HR Consultancy Service to the client, we may need or have access to employee personal data for a variety of reasons.

• Recording and processing staff details, including new employees, current employees and former employees.

• Data subjects are kept informed at all times of the purpose or purposes for which Nova Search uses their personal data.

• Data is only held for as long as may be necessary.

• Personal data is collected, held and processed as per the table below.

Personal Data Access: Basic personal information and contact details (including name, address, date of birth, gender, telephone number, email address and next of kin/emergency contact details).
Reason for Access: Basic personal information, to allow the organisation to maintain accurate employee records and contact details. For HR and business administration purposes. For defence against potential legal claims.
Legal Basis: Necessary for the performance of a contract or to enter into a contract. Necessary for compliance with a legal obligation. Necessary for the legitimate interests of the organisation.

Personal Data Access: Including CVs, application forms, interview notes, test results, proof of right to work in UK (such as passports and visas), driving licence, evidence of skills and qualifications, and references.
Reason for Access: Recruitment records - to assess an individual's suitability for work and to determine to whom to offer employment. To comply with legislative and regulatory requirements. For HR and business administration purposes. For defence against potential legal claims.
Legal Basis: Necessary for the performance of a contract or to enter into a contract. Necessary for compliance with a legal obligation. Necessary for the legitimate interests of the organisation.

Personal Data Access: Recruitment records containing special categories of personal data (including details of any disabilities disclosed and reasonable adjustments) and criminal records data (including results of criminal record checks).
Reason for Access: Recruitment records containing special categories of personal data.
Legal Basis: Necessary to carry out obligations or exercise rights under employment law. Special categories of data and data on criminal convictions and offences are retained and erased in accordance with the organisation's policy on special categories of data and data on criminal convictions and offences.

Personal Data Access: Offer letters, contracts of employment, written statements of terms and related correspondence.
Reason for Access: Offer Letters/Contracts of Employment - To maintain a record of employees' contractual and statutory rights.
Legal Basis: Necessary for compliance with a legal obligation. Necessary for the performance of a contract or to enter into a contract. Necessary for the legitimate interests of the organisation.

Personal Data Access: Financial and tax information (including pay and benefit entitlements, bank details and national insurance numbers).
Reason for Access: To pay employees and make appropriate tax payments. For HR and business administration, and financial planning purposes. For defence against potential legal claims.
Legal Basis: Necessary for the performance of a contract or to enter into a contract. Necessary for compliance with a legal obligation.

Personal Data Access: Disciplinary and grievance records (including records of investigations, notes of disciplinary or grievance meetings and appeal hearings, correspondence with employees and written warnings).
Reason for Access: To maintain a record of the operation of disciplinary and grievance procedures and their outcome. For HR and business administration purposes. For defence against potential legal claims.
Legal Basis: Necessary for compliance with a legal obligation. Necessary for the legitimate interests of the organisation.

Personal Data Access: Absence and leave records containing special categories of personal data (including details of absence or leave taken, the reasons for absences, the type of leave, information about medical or health conditions, reasonable adjustments, records of absence management discussions, correspondence with employees and written warnings).
Reason for Access: To maintain a record of the operation of absence procedures. To ensure that employees receive statutory and contractual sick pay or other pay entitlements (such as maternity or other family-related pay) and benefits. To meet health and safety obligations. To comply with the requirement to make reasonable adjustments. For HR and business administration purposes. For defence against potential legal claims.
Legal Basis: Necessary to carry out obligations or exercise rights under employment law. Special categories of data and data on criminal convictions and offences are retained and erased in accordance with the organisation's policy on special categories of data and data on criminal convictions and offences.

Personal Data Access: Performance records (including appraisal documents, performance reviews and ratings, targets and objectives, performance improvement plans, records of performance improvement meetings and related correspondence, and warnings).
Reason for Access: Performance records. To maintain a record of the operation of performance management systems and performance improvement processes. For HR and business administration purposes. For defence against potential legal claims.
Legal Basis: Necessary for compliance with a legal obligation. Necessary for the legitimate interests of the organisation.


Accountability and Record-Keeping

The Company’s Data Protection Officer (DPO) is Kristina Lushey.

The Data Protection Officer shall be responsible for overseeing the implementation of this Policy and for monitoring compliance with this Policy, the Company’s other data protection-related policies, and with the GDPR and other applicable data protection legislation.

Adequate, Relevant, and Limited Data Processing

We will only collect and process personal data for and to the extent necessary for the specific purpose or purposes of which data subjects have been informed (or will be informed).

Accuracy of Data and Keeping Data Up-to-Date

We shall ensure that all personal data collected, processed, and held by us is kept accurate and up-to-date. This includes, but is not limited to, the rectification of personal data at the request of a data subject.

The accuracy of personal data shall be checked when it is collected and at regular intervals thereafter. If any personal data is found to be inaccurate or out-of-date, all reasonable steps will be taken without delay to amend or erase that data, as appropriate.

Data Retention

We shall not keep personal data for any longer than is necessary in light of the purpose or purposes for which that personal data was originally collected, held, and processed. When personal data is no longer required, all reasonable steps will be taken to erase or otherwise dispose of it without delay.

Secure Processing

We shall ensure that all personal data collected, held, and processed is kept secure and protected against unauthorised or unlawful processing and against accidental loss, destruction, or damage.

Who do we share your personal data with?

We will share your data primarily to ensure that we provide you with a suitable pool of candidates. 

Data Security - Storage

We shall ensure that the following measures are taken with respect to the storage of personal data:

• All electronic copies of personal data should be stored securely using passwords and data encryption;

• All hardcopies of personal data, along with any electronic copies stored on physical, removable media should be stored securely in a locked box, drawer, cabinet, or similar;

• All personal data stored electronically should be backed up at regular intervals with backups stored onsite. All backups should be encrypted;

• No personal data should be stored on any mobile device (including, but not limited to, laptops, tablets, and smartphones), whether such device belongs to the Company or otherwise without the formal written approval of the Managing Director and, in the event of such approval, strictly in accordance with all instructions and limitations described at the time the approval is given, and for no longer than is absolutely necessary; and

• No personal data should be transferred to any device personally belonging to an employee and personal data may only be transferred to devices belonging to agents, contractors, or other parties working on behalf of the Company where the party in question has agreed to comply fully with the letter and spirit of this Policy and of the GDPR (which may include demonstrating to the Company that all suitable technical and organisational measures have been taken).

Data Security - Disposal

When any personal data is to be erased or otherwise disposed of for any reason (including where copies have been made and are no longer needed), it should be securely deleted and disposed of. 

Data Security - Use of Personal Data

We shall ensure that the following measures are taken with respect to the use of personal data:

• No personal data may be shared informally and if an employee, agent, sub-contractor, or other party working on behalf of the Company requires access to any personal data that they do not already have access to, such access should be formally requested from the Managing Director;

• No personal data may be transferred to any employees, agents, contractors, or other parties, whether such parties are working on behalf of the Company or not, without the authorisation of the Managing Director; 

• Personal data must be handled with care at all times and should not be left unattended or on view to unauthorised employees, agents, sub-contractors, or other parties at any time;

• If personal data is being viewed on a computer screen and the computer in question is to be left unattended for any period of time, the user must lock the computer and screen before leaving it; and

Data Security - IT Security

We shall ensure that the following measures are taken with respect to IT and information security:

• All passwords used to protect personal data should be changed regularly and should not use words or phrases that can be easily guessed or otherwise compromised. All passwords must contain a combination of uppercase and lowercase letters, numbers, and symbols;

• Under no circumstances should any passwords be written down or shared between any employees, agents, contractors, or other parties working on behalf of the Company, irrespective of seniority or department. If a password is forgotten, it must be reset using the applicable method. IT staff do not have access to passwords;

• All software (including, but not limited to, applications and operating systems) shall be kept up-to-date.

Organisational Measures

We shall ensure that the following measures are taken with respect to the collection, holding, and processing of personal data: All employees, agents, contractors, or other parties working on behalf of the Company shall be made fully aware of both their individual responsibilities and the Company’s responsibilities under the GDPR and under this Policy, and shall be provided with a copy of this Policy;

SUPPLIER DATA

We collect your personal data during the course of our work with you. The main reasons for using your personal data are to ensure that the contractual arrangements between us can be properly implemented so that the relationship can run smoothly, and to comply with legal requirements.

To the extent that you access our website or read or click on an email from us, we may also collect certain data automatically or through you providing it to us. We will collect the details for our contacts within your organization, such as names, telephone numbers and email addresses. We will also collect bank details, so that we can pay you. We may also hold extra information that someone in your organization has chosen to tell us.

We will only store and update your details on our database, so that we can contact you in relation to our agreements; offer services to you, or to obtain support and services from you; to perform certain legal obligations; to help us to target appropriate marketing campaigns and to help us to establish, exercise or defend legal claims.

We will not, as a matter of course, seek your consent when sending marketing messages to a corporate postal or email address.

PEOPLE WHOSE DATA WE RECEIVE FROM CANDIDATES, SUCH AS REFEREES AND EMERGENCY CONTACTS

We collect your contact details only where a candidate puts you down as their emergency contact, or where a candidate gives them to us in order for you to serve as a referee.

How do we use your personal data?

We use referees’ personal data to help our candidates to find employment which is suited to them. If we are able to verify their details and qualifications, we can make sure that they are well matched with prospective employers. We may also use referees’ personal data to contact them in relation to recruitment activities that may be of interest to them. We use the personal details of a candidate’s emergency contact in the case of an accident or emergency affecting that candidate.

All we need from referees is confirmation of what you already know about our Candidate so that they can secure the job they really want. Emergency contact details give us somebody to call in an emergency. To ask for a reference, we will obviously need the referee’s contact details (such as name, email address and telephone number). We will also need those details if our Candidate has put you down as their emergency contact in the event of an accident.

WEBSITE USERS

We collect your data automatically via cookies when you visit our website, in line with cookie settings in your browser. If you continue, you consent to this, but you may change your cookie settings at any time.

A cookie consists of information sent by a web server to a web browser, and stored by the browser. The information is then sent back to the server each time the browser requests a page from the server. This enables the web server to identify and track the web browser.

If you want to check or change what types of cookies you accept, this can usually be altered within your browser settings.

How to reject cookies

• If you don’t want to receive cookies that are not strictly necessary to perform basic features of our site, you may choose to opt-out by changing your browser settings.

• Most web browsers will accept cookies, but if you would rather we didn’t collect data in this way, you can choose to accept all or some, or reject cookies in your browser’s privacy settings. However, rejecting all cookies means that you may not be able to take full advantage of all our website’s features. Each browser is different, so check the ‘help’ menu of your browser to learn how to change your cookie preferences.

How do we use your personal data?

We use your data to help us improve your experience of using our website, for example, by analyzing your recent job search criteria to help us to present jobs to you that we think you will be interested in. If you are also a candidate or client of Nova Search, we may use data from your use of our website to enhance other aspects of our communications with, or service to you.

Unless you specify otherwise, we may share your information with providers of web analytics services, marketing automation platforms and social media services to make sure any advertising you receive is targeted to you.

CANDIDATES/CLIENTS/WEBSITE USERS/SUPPLIERS - How do we safeguard your personal data?

We care about protecting your information. That’s why we put in place appropriate measures that are designed to prevent unauthorized access to and misuse of your personal data. These include measures to deal with any suspected data breach. All customer data is backed up at regular intervals, and individual passwords are changed regularly and never shared.

If you suspect any misuse or loss of or unauthorized access to your personal information, please let us know immediately by emailing hello@novasearch.co.uk.

Access to your personal data is only provided to our staff and third parties who help us to process data and, in order to help with the recruitment process, to prospective employers.

Do we pass data to third parties?

Where necessary, we may pass data to third parties, specifically Recruit so Simple (https://recruitsosimple.com), our recruitment tool that helps us to process data, and to prospective or intended employers for the purposes of recruitment. Recruit so Simple takes reasonable technical and organizational precautions to prevent the loss, misuse, or alteration of your personal information. All electronic transactions made to or from them will be encrypted using SSL technology. They will never ask us for our password (except to log in to their website). Their infrastructure is hosted by Amazon Web Services (AWS), which provides industry-leading security and has a long list of internationally recognized certifications and accreditations including ISO 27017 for cloud security, ISO 27018 for cloud privacy, SOC1, SOC2, SOC3, PCI DSS Level 1 and many others.

We hold all CVs and client information on Recruit so Simple, transferring the data to the database as soon as it is received into our email system, which goes through Recruit so Simple. Thanks to Recruit so Simple, we can easily track documents which have been sent from the system, including when and to whom they were sent. This means we can supply information easily and efficiently if we receive a Subject Access Request.

Nova Search and Selection may transfer only the information you provide to us to countries outside the European Economic Area (EEA) for the purposes of providing you with work-finding services. We will take steps to ensure adequate protections are in place to ensure the security of your information. The EEA comprises the EU member states plus Norway, Iceland and Liechtenstein.

In certain circumstances, Nova Search and Selection may be legally required to share certain data held by us, which may include your personal data, for example, where we are involved in legal proceedings, where we are complying with legal obligations, a court order, or a governmental authority.

Data Breach Notification

All personal data breaches must be reported immediately to the Company’s Data Protection Officer, Kristina Lushey, whom you should advise at kristina@novasearch.co.uk or on 0208-3937413.

• If a personal data breach occurs and that breach is likely to result in a risk to the rights and freedoms of data subjects (e.g. financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), the Data Protection Officer must ensure that the Information Commissioner’s Office is informed of the breach without delay, and in any event, within 72 hours after having become aware of it.

• In the event that a personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, the Data Protection Officer must ensure that all affected data subjects are informed of the breach directly and without undue delay.

• Data breach notifications shall include the following information:

• The categories and approximate number of data subjects concerned;

• The categories and approximate number of personal data records concerned;

• The name and contact details of the Company’s data protection officer (or other contact point where more information can be obtained);

• The likely consequences of the breach;

• Details of the measures taken, or proposed to be taken, by the Company to address the breach including, where appropriate, measures to mitigate its possible adverse effects. 

Our Contact Details:

Kristina Lushey

DPO

Nova Search & Selection

10 Austyns Place

High Street

Ewell

Surrey

KT17 1SQ

Tel: 0208-3937413

Email: Kristina@novasearch.co.uk

General email: hello@novasearch.co.uk

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Tel: 0303-123-1113

Email: casework@ico.org.uk
