1. CANDIDATE NOTICE STATEMENT
This policy is designed to provide information on how we deal with the privacy of job applicants who apply to Sophos for a job and the personal data we hold about them during the recruitment process.
2. OBJECTIVES
• To provide you with details of what information we may collect about you and to give you confidence in how we will use this information; and
• To comply with legal requirements including privacy laws.
3. ABOUT THIS DOCUMENT
3.1 We take your privacy seriously and we are fully committed to protecting your personal data and we recognise our responsibility to keep any information about you safe and secure at all times. We will only process your personal data in accordance with Data Protection Legislation and we will adhere to the principles (as applicable) contained in the Data Protection Legislation.
3.2 Sophos (referred to as “we”, “us”, “our”) will process and collect personal data and special categories of personal data about you and we recognise the need to treat that data in an appropriate and lawful manner, in accordance with applicable Data Protection Legislation.
3.3 The purpose of this notice is to provide you with information regarding the types of personal data and special categories of personal data that we hold and process about you and why.
3.4 Processing includes collecting, using, holding, storing, recording and destroying your personal data and special categories of personal data.
3.5 This notice is subject to change and any change will be notified on this page.
4. WHAT DO ‘PERSONAL DATA’ AND ‘SPECIAL CATEGORIES OF PERSONAL DATA’ MEAN?
4.1 “Personal data” includes information relating to a living person, who can be identified directly or indirectly by such information (e.g. name, ID number, location data, an online identifier, one or more factors specific to the physical, physiological, genetic, mental, economic or social identity of that person).
4.2 “Special categories of personal data” relates to personal information about you of a more private nature and means genetic data, biometric data, data concerning a person’s sex life or orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and health.
4.3 The personal data and special categories of personal data about you held and processed by us may be held automated/electronic filing systems.
5. WHAT DO WE DO WITH YOUR PERSONAL DATA AND ON WHAT LEGAL BASIS?
5.1 We use the personal data you provide to us for different reasons. These can be summarised as follows:
(a) To comply with our legal obligations. This includes the following information:
• eligibility to work in the country you are applying for a position in as required by immigration laws, such as residency and work permit status, nationality, passport and visa documentation;
• formal identification documentation relating to you, such as a passport or driving licence, to verify your identity;
• legal claims made by you or against you, in order to comply with the court process and court orders;
• relevant checks to validate driving licence information if the job role you apply for involves you driving company vehicles; and
• relating to the occurrence, investigation or prevention of fraud.
(b) To pursue our legitimate interests as a business. This includes the following information:
• your contact details such as your name, address, telephone number and personal email address which will be used to communicate with you in relation to the recruitment process;
• your resume / CV and any education history and employment records, professional qualifications and certifications in order for us to consider your suitability for a job vacancy you are applying for;
• details of the job role you are applying for any interview notes made by us following an interview with you, in order to assess your suitability for that role;
• pay and benefit discussions with you to help determine whether a job offer may be made to you;
• the results of any pre-employment checks carried out
• voicemails, emails, correspondence, your resume / CV, and other communications created, stored or transmitted by you on or to our computer or communications equipment in order to progress the application through the recruitment process;
• CCTV at our business premeses to ensure business efficiencies, the protection of company property and for health and safety reasons; and
• network and information security in order for us to take steps to protect your information against loss, theft or unauthorised access.
(d) Where you have consented for us to do so. This includes as follows:
• to understand and assess your suitability for a role.
6. WHAT DO WE DO WITH YOUR SPECIAL CATEGORIES OF PERSONAL DATA AND ON WHAT LEGAL BASIS?
6.1 We process your special categories of personal data for different reasons. These can be summarised as follows:
(a) To enable you and us to perform our respective obligations or exercise our respective rights in respect of employment and social security and social protection law. This includes the following:
• equal opportunities monitoring information (for example race, ethnic origin, sex or religious information). Any such information is used in an anonymised form for statistical purposes only and is not used in relation to your application for employment with us; and
• health information to assess and/or to comply with our obligations under employment, equal opportunities and health and safety legislation (for example a requirement to make reasonable adjustments to the interview process with you).
(b) To establish, defend or exercise legal claims in an employment tribunal or any other court of law;
(c) For occupational medicine reasons or where we are assessing your working capacity. This includes the following:
• medical and health information/records/reports (for example, to assess whether any reasonable adjustments are required for you during the recruitment process, carrying out any medical assessment required for your role, pension and any insurance benefits);
• sickness absence records, such as statement of fitness to work, reasons for absence and self-certification forms; and
• records of return to work interviews/meetings.
7. BACKGROUND CHECKS
7.1 We may process, in carrying out our obligations in employment and social security and social protection law, personal data relating to carrying out background checks (including criminal conviction personal data) where necessary for a particular role within the business.
8. OTHERS WHO MAY RECEIVE OR HAVE ACCESS TO YOUR PERSONAL DATA
8.1 We may share your personal data internally for the purposes set out above to HR employees involved in the recruitment process and/or line managers in the business who are involved in the recruitment process for the job role(s) you are applying.
8.2 We may share your personal data with sub-processors where necessary to facilitate assessments for your desired role.
8.3 For successful applicants who become employees, we may share your personal data and special categories of personal data to third parties, agents, subcontractors and other organisations, as listed below, for the purposes of providing services to us or directly to you on our behalf
(a) occupational health providers;
(b) financial product providers;
(c) pension providers;
(d) insurance providers;
(e) employee benefits providers; and
(f) providers of legal services
8.4 We may share your personal data with the relevant local government and law enforcement agencies in order to comply with our legal obligations.
8.5 When we use third party suppliers or providers, we only disclose to them any personal information that is necessary for them to provide their service and we have a contract in place that requires them to keep your information secure and not to use it other than in accordance with our specific instructions.
9. RECEIVING YOUR PERSONAL DATA
We may obtain personal data and/or special categories of personal data about you from third party sources, such as recruitment agencies, job boards, recruitment assessment centres, referees and occupational health professionals. Where we receive such information from these third parties, we will only use it in accordance with this notice. In some cases, they will be acting as a controller of your information and therefore we advise you to read their privacy policy.
10. WHERE DO WE STORE YOUR PERSONAL DATA OR SPECIAL CATEGORIES OF PERSONAL DATA?
10.1 Your personal data and special categories of personal data is stored electronically on our secure servers which are located within the United States of America ("USA").
10.2 For citizens of the European Economic Area (EEA): We transfer your personal data or special categories of personal data to, or store it in, countries located outside of the EEA and as such, we ensure that appropriate safeguards are in place for that transfer and storage as required by Data Protection Legislation. This is because some countries outside of the EEA do not have adequate data protection laws equivalent to those in the EEA. These safeguards will include imposing contractual obligations on the recipient of your personal information or ensuring that the recipients are subscribed to international frameworks that seek to ensure adequate protection.
11. HOW LONG DO WE KEEP YOUR PERSONAL DATA?
11.1 We keep your personal data and special categories data for as long as is necessary to fulfil our legal obligations and in accordance with Data Protection Legislation.
11.2 When you apply for a job vacancy which we have advertised, we will compile and keep an electronic file containing information about you which relates to your application for a job with us. Your information will be kept secure and will be used for the purposes of your job application.
11.3 If you are offered and you accept a job with us, your personal information will be transferred to an electronic personnel file. When your employment with us ends, we will retain your personal data in accordance with our data retention policy. The retention period varies depending on the role(s) which you have held during your employment with us, and your personal data will be permanently and securely deleted at the end of this retention period.
11.4 If you are unsuccessful in your application for a job with us, Sophos will, by default, remove your information within 12 months. However, if you have consented to Sophos retaining your information for the purpose of considering you for future opportunities, Sophos will retain your data. We will reseek your consent every 12 months using the email address you have provided for us.
12. YOUR DUTIES
12.1 We encourage you to ensure that the information that we hold about you is accurate and up to date by keeping us informed of any changes to your personal data. You can do this by updating yur details within our Applicant Tracking System.
13. YOUR RIGHTS
13.1 Under Data Protection Legislation, you have certain rights as a "data subject".
13.2 You may make a formal request for access to personal data and/or special categories of personal data that we hold about you at any time. This is known as a Subject Access Request ("SAR"). A SAR must be made in writing and we must respond within a certain time period (being a month under the GDPR). Please note that under some data protection laws, we are permitted to extend the time period for responding where in our view your request is complex or numerous in nature. We may also charge a reasonable fee where in our view your request is manifestly unfounded or excessive.
13.3 You also have other rights under Data Protection Legislation including:
(a) to have your personal data corrected where it is inaccurate;
(b) to have your personal data erased where it is no longer required. Provided that we do not have any continuing lawful reason to continue processing or holding your personal data, we will make reasonable efforts to comply with your request;
(c) to request your personal data be transferred to another person;
(d) to restrict the processing of your personal data where you believe it is unlawful for us to do so, you have objected to its use and our investigation is pending or you require us to keep it in connection with legal proceedings.
(e) to object to the processing of your personal data, particularly where we rely on “legitimate business interests” as a lawful reason for the processing of your data. We have a duty to investigate the matter within a reasonable time and take action where this is warranted. Except for the purposes for which we are sure we can continue to process your personal data, we will temporarily stop processing your personal data in line with your objection until we have investigated the matter. If we agree that your objection is justified in accordance with your rights, we will permanently stop using your data for those purposes. Otherwise, we will provide you with our justification as to why we need to continue using your data;
(f) to withdraw consent to processing (where we rely on this as a lawful basis for processing). If you withdraw your consent, our use of your personal data before you withdraw is still lawful;
(g) to receive a copy of certain personal data in a portable format; and
(h) to complain to a supervisory body – if you are concerned about the way we have processed your personal data, you may complain to your local data protection regulatory body. Sophos is a UK-based organisation and our lead supervisory body is the Information Commissioner’s Office ("ICO") – www.ico.org.uk.
13.4 Where we intend to process your personal data for a purpose other than as set out in this notice, we will provide you with information about the purpose prior to processing your personal data.
13.5 The way we process your personal data and the legal basis on which we rely to process it may affect the extent to which these rights apply. If you would like to exercise any of these rights, please address them in writing to dataprotection@sophos.com.
14. QUESTIONS
14.1 If you have any questions about any matter relating to data protection or the personal data and/or special categories of personal data that that we process about you, please contact us at dataprotection@sophos.com.
15. CONTACT US
15.1 You can contact us at any time by sending an email to dataprotection@sophos.com.