Date Notice Last Updated: 04/11/2024
Babraham Research Campus is a “data controller”. This means that we are responsible for deciding how we hold and use personal information about you. We are providing this privacy notice because you are (1) applying for work with us (whether as an employee, worker or contractor), or (2) you are already employed or under contract with us. The purpose of this document is to inform you about the use of your personal data, both now and in the future. It is primarily focused on the recruitment process and the onward maintaining appropriate records. It is also important to note the typical duration for which this data will be retained. This is information that must be provided under the UK Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR).
Please note the effective date at the top of this notice. We may amend this Notice from time to time and will inform you in advance of the effective date of any material changes that we intend to implement.
Babraham Research Campus is responsible for processing your personal data and is the data controller.
Our main address is Babraham Hall, Babraham, Cambridge CB22 3AT, UK, Babraham CB22 3AT.
How is your personal information sourced?
Most of the personal data that we process about you has been provided by you directly to us. We may also collect personal data about applicants from other third parties and services including:
In connection with your application for working with us, or with your ongoing appointment; we will collect, store, and use the following categories of personal information about you as set out in the table below. This also identifies our lawful basis for the specified purposes and conditions for any special category data.
Categories of Personal Data |
Purpose of Processing |
Lawful Basis |
Special Condition* |
Name, address and previous addresses, personal telephone number, and personal email address
|
To communicate with you in relation to your application with us and to maintain identifiable records of our recruitment process.
Maintaining a HR record for those that are employed.
Incident Management |
Legitimate Interests |
Not applicable |
National Insurance ID number |
To administer your salary, expenses, taxes and financial benefits |
Legal obligation |
Not applicable |
Copy of your passport / or alternative Identification Info (Birth Cert and supporting docs) |
To verify your eligibility to work for us, and to verify your identification. |
Legal obligation |
Not applicable |
Date of birth |
Identification purposes and to monitor recruitment / equality statistics.
|
Legitimate interest |
Not applicable |
Gender |
To monitor recruitment / equality statistics
|
Legitimate interest |
Not applicable |
Details of work permit |
To assess your suitability for a role with us |
Legal obligation |
Not applicable |
Immigration and Nationality Background /Criminal Record checks for roles within a regulated activity, for example; biotech, biological sciences and human tissue. |
To meet guidelines and regulatory requirements of Campus Tenants |
Legal obligation(s):
Right to Work
Animals (Scientific Procedures) Act 1986 Human Tissue Act 2004 |
Processing is necessary for the purposes of performing or exercising obligations or rights imposed or conferred by employment, social security or social protection laws (Schedule 1, Part 1, paragraph 1 of the DPA). |
Social Media Background check |
Review of social media profiles; including posts, likes and connections to identify and mitigate any risk to campus tenants |
Legitimate interest
|
Processing is necessary for the purposes of performing or exercising obligations or rights imposed or conferred by employment, social security or social protection laws (Schedule 1, Part 1, paragraph 1 of the DPA). |
Education history |
To assess your skills, qualifications, and suitability for a role with us.
|
Legitimate interest
|
Not applicable |
Qualifications |
|||
Professional registration details |
|||
CV |
|||
Previous experience |
|||
Work history |
|||
References |
|||
Health data related to injuries or sickness or that otherwise impact your ability to perform your job |
For medical-related matters e.g. making reasonable adjustments |
Necessary for the performance of your planned employment agreement with us.
|
Processing is necessary for health or social care purposes, e.g., the assessment of the working capacity of an employee (Schedule 1, Part 1, paragraph 2 of the DPA). |
Vaccination status (Hep B) |
To ensure those with roles at higher risk to exposure to bloodborne viruses have the suitable level or protection. |
Necessary for the performance of your planned employment agreement with us.
|
Processing is necessary for health or social care purposes, e.g., the assessment of the working capacity of an employee (Schedule 1, Part 1, paragraph 2 of the DPA). |
Disability |
To monitor equality of opportunities and diversity within our recruitment process.
To identify any necessary adjustments that would be required should we proceed to offer stage.
|
Legitimate interest |
Processing is necessary for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people with a view to enabling such equality to be promoted or maintained (Schedule 1, Part 2, paragraph 8 of the DPA). ** Processing is necessary for purposes of promoting or maintaining diversity in the racial and ethnic origins of individuals who hold senior positions (Schedule 1, Part 2, paragraph 9 of the DPA). |
Physical or mental health |
|||
Religious or philosophical beliefs |
|||
Race/ethnicity
|
|||
Sexual orientation |
|||
CCTV images |
To ensure your safety and that of the Campus and our tenants |
Legitimate interest |
Not applicable |
Biometric -Fingerprint |
Necessary for access to high-level restricted Campus locations (for limited roles). |
Legitimate interest |
Processing is necessary for the purposes of performing or exercising obligations or rights imposed or conferred by employment, social security or social protection laws (Schedule 1, Part 1, paragraph 1 of the DPA). |
Next of kin and family connections |
Contact details in case of emergencies, etc |
Legitimate interest |
Not applicable |
Site Access Control data (e.g., swipe in/out time from access-controlled doors) |
To monitor access and ensure security within premises |
Legitimate interests (for maintaining campus security) |
Not applicable |
ANPR / Vehicle Identification Information |
To manage campus access, parking and security |
Legitimate Interest |
Not applicable |
N.B. We may need to process data as necessary in connection with any legal claims or prospective legal claims. (Schedule 1, Part 3, paragraph 33 of DPA.)
** The categories of personal data listed (sexual orientation, health data, religion or racial or ethnic origin) shall not be used for the purposes of measures or decisions in relation to your employment or any other purposes not identified. Please note that you can always inform us in writing if you would prefer us not to process these categories of your personal data for the purpose identified.
If you fail to provide personal information
If you fail to provide the information when requested, which is necessary for us to consider your application, or to maintain your appointment at BRC (such as evidence of qualifications or work history), we will not be able to process your application or maintain your records successfully. For example, if we require a reference or a background check and you fail to provide us with relevant details, we will not be able to take your application further.
During recruitment, we may set certain criteria necessary for a role; for example, qualifications or number of years' experience. These requirements will be explicit within the job ad, and the platform will filter out those who do not meet these criteria.
Aside from this solo example, there are no other instances where you would be subject to decisions that have a significant impact on you based solely on automated decision-making.
Data Sharing: Partners /Third-Party Recipients
Why might you share my personal information with third parties?
The purposes for which we may share personal data relating to our applicants and staff with trusted third-party vendors and business partners, are set out below.
Partner Organisations
We may share your personal data with the Babraham Institute (BI) for the purposes set out below. Your personal data will only be accessible by competent employees of BI who, within their job responsibility may execute the purposes described in the table in Section 4 and have a need to know this information. These transfers are protected by the obligations set out in data sharing agreements that we have entered into with them. This agreement covers personal data transferred for the following purposes:
Babraham Research Campus also shares personal data with trusted service providers and business partners pursuant to contractual agreements with them. These agreements will, as necessary, include appropriate safeguards to protect any personal data that we share with them. We may share employee personal data with third parties that perform services and carry out functions on our behalf and under our instruction as a data processor. These third parties include:
We may also disclose applicant and staff personal data to third parties acting as independent data controllers. All of these recipients are themselves responsible to determine the purposes and means of the processing and for the lawfulness of the processing. These third parties include:
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need-to-know. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
The data we collect from you may be processed from or transferred and stored outside the UK in countries with less protective Data Protection laws. To address this, we ensure additional safeguards are in place to with our processors. If we transfer your data from the UK to a country that does not meet UK GDPR adequacy standards, we will use the following legal mechanism(s) to enable the transfer and protect your data, rights and freedoms;
How long will you use my information for?
Candidates: We will retain your personal information for a period of twelve months after we have communicated to you our decision about whether to appoint the role. We retain your personal information for that period so that we can show, in the event of a legal claim, that we have not discriminated against candidates on prohibited grounds and that we have conducted the recruitment exercise in a fair and transparent way.
Staff: In line with the Chartered Institute of Personnel and Development (CIPD) guidelines for retention of employment records, we will retain your personal information for a period of 6 years from the end of employment.
After these periods, we will securely destroy your personal information in accordance with our data retention schedule.
If we wish to retain your personal information on file, on the basis that a further opportunity may arise in future and we may wish to consider you for that, we will write to you separately, seeking your explicit consent to retain your personal information for a fixed period on that basis.
Your rights in connection with personal information
Under certain circumstances, by law you have the right to:
Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
Request the transfer of your personal information to another party.
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your persona information to another party, please contact our Data Protection Officer in writing (see below for contact details)
We have appointed a Data Protection Officer (DPO) to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your personal information, please contact the DPO via DPO@babraham.co.uk
You also have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.