The Audit & Risk Recruitment Company’s (ARRC) Data Protection Policy states that ARRC will protect personal data that it collects, stores, processes, shares that it lawfully processes regarding candidates, clients, suppliers, employees and other third parties. It will apply appropriate logical and physical controls which will be reviewed and updated regularly. Regular training and education will be mandatory for all Directors and employees.
The ARRC Data Protection Policy states that the company
“will inform data subjects about how it will use and protect their personal data through the publication of a Privacy Notice on its website and through its consent management processes
This will include informing them about;
- The purpose or purposes for which ARRC intend to process that personal data.
- The types of third parties, if any, with which ARRC will share or disclose that personal data to.
- The means, if any, with which data subjects can limit the use and disclosure of their personal data.”
This Privacy Notice seeks to achieve the above policy and is part of ARRC’s overall approach to Information Security and Data Protection.It does not replace or supplant any part of ARRC’s Data Protection Policy or its Information Security Policy.
This Notice will be accessible on the ARRC website and copies may be obtained from the company’s officers upon formal request. This notice and relevant related parties may be provided to specific third parties upon formal request to help fulfil Data Protection compliance and related activities.
3. Information collected by ARRC
We may collect and process the following data about the information you give us. You may give us information about you by filling in forms and providing your CV on our website or by corresponding with us by phone, email, through the online contact form or otherwise such as through social media methods. This includes information you provide when you register to use our site, subscribe to our service, use social media functions on our site or when you report a problem with our site. The personal information you give us may include (but not be limited to) your name, address, email address and phone number, personal description, job history, qualifications, CV and in some cases your photograph. On occasion, we need to obtain your passport information and visa and work permit information where relevant.
4. Information collected by other job websites on our behalf.
We advertise some of our opportunities on other relevant websites which specialise in internal audit and risk. They will collect similar information about you and your use of the site when reviewing and applying for roles. If you upload your CV, the site will be responsible for securing your data and you should refer to their privacy notices. We are not responsible for the privacy policies or practices of those third parties. The site will usually retain your CV and details based on its privacy notice. ARRC receive a message and a copy of your CV from the site after you have applied for the role in question.
We may combine this information with information you give to us and information we collect about you. We may use this information and the combined information for the purpose of processing your interest and application for roles.
5. Information collected or supplied through social media methods.
An amount of our data collection is via freely available networking apps.Our preference is for you to provide any personal data such as CVs directly to us through the other methods described above. We recognise however, that these other channels provide convenience.ARRC maintains a company profile through which data may be shared.However, if you send CV and other personal information to the profile of an employee of ARRC, sharing of that information will be with the personal profile of that individual. Whilst all ARRC employees will then input information into our systems, ARRC does not have control over how these apps secure, process and retain such data.
6. How Information is used
For candidates we will use this information in our dedicated database to process your application.This database is operated by a third party which specialises in recruitment software.Security methods including login and authentication controls are employed. We therefore retain some personal data within this database and in the emailed attachments that you may have sent us.If you provide your details as an update or to generally register and not in response to a specific advertised role, we will retain your details on your database so that we can contact you in the future.
We will only send your details on to the client company which is looking for candidates with your express consent. This permission will be recorded even if you provide consent verbally.
ARRC recognises that the majority of candidates wish to maintain contact with us over long periods of time, even after they have secured a role or position.ARRC will manage this through its consent management processes.ARRC will keep your latest submitted CV and details for up to 3 years.We review this information regularly to keep it up to date and current.This may require us to contact you and re-confirm your consent.If your circumstances alter, we will not make any changes unless you contact us with the updated information.You may contact us at any time to update your information and contact preferences and you have the right to withdraw your consent for us to hold your data at any time. We may however, maintain contact information through social media platforms such as LinkedIn, although this may be via any direct connections you may have made with ARRC employees past and present.
ARRC occasionally runs seminars and networking events.We will only market these events to you if you have specifically registered for them on our website, have responded to a general notice of the event on social media platforms, or you have given us consent to contact you for such purposes using information you have previously provided to us. You can withdraw or amend that consent at any time.
We may disclose personal information:
- To the extent that we are required to do so by law or requested to do so by the regulatory authorities.
- In connection with any legal proceedings or prospective legal proceedings
- In order to establish, exercise or defend our legal rights (including providing information to others for the purposes of fraud prevention)
- To the purchaser (or prospective purchaser) of any business or asset which we are (or are contemplating) selling
- To any person who we reasonably believe may apply to a court or other competent authority for disclosure of that personal information where, in our reasonable opinion, such court or authority would be reasonably likely to order disclosure of that personal information.
7. International Data Transfers
ARRC conducts its business within the European Economic Area. All data stored is within the UK and the EEA. However, ARRC utilises cloud-based systems and its staff have access to company email through company provided equipment which technically allows information to be accessed from most international locations with internet access. Access is provided through systems secured through security systems including authentication methods. ARRC recognises that some candidates may be based outside of the EEA. ARRC will apply GDPR principles to any exchange of personal data between it and the candidate, with due regard to any local jurisdiction.
8. Security of Personal Information
We take all reasonable steps to secure information and personal data, from alteration, misuse and loss. Whilst information received from you and sent from us may use encrypted email methods, we cannot guarantee the security of our client systems or the internet. All reasonable steps are taken with our client companies to ensure your CV and personal data whether emailed or uploaded into client portals is subject to secure methods. The control over those systems once in the client domain is their responsibility. You remain responsible for ensuring your password and user details confidential when using our website or similar third-party sites. An ARRC employee will never ask you for your password details.
ARRC maintains an Information Security Policy which is the umbrella policy for our Data Protection and Privacy policies. All staff are trained on keeping information secure and complying with the policy.
9. Your rights
You may request us to provide any information that we hold about you and who it has been shared with. We will respond within the legal requirement of one month.
We may require proof of your identity beforehand.
In summary your rights are:
- Right to be informed
- Right of Access
- Right to Rectification
- Right to restrict processing
- Right to data portability
- Right to object
- Right not to be subject to automatic decision making
- All systems enable all rights to be acted upon
ARRC will obtain your express consent using its consent management procedures.Consent will be positive and recorded on our systems.Changes to consent including the express wish not to be contacted going forward will be recorded.
We may obtain and record your consent using email, during a consent reconfirmation process or verbally. Verbal consent will be formally confirmed in writing.
11. Governance and Related Policies
This policy will be reviewed and any changes approved by the ARRC board at least annually and updated to reflect changes in regulation or business activity. The revised Policy Notice will be uploaded onto the ARRC website following any approval or re-approval.
Related policies and procedures include:
- Data Protection Policy
- Information Security Policy
- Data Retention Policy
- Consent Procedures