Candidate and Employee Privacy Notice

Date Notice Last Updated: 04/11/2024

What is the purpose of this document?

Babraham Research Campus is a “data controller”. This means that we are responsible for deciding how we hold and use personal information about you. We are providing this privacy notice because you are (1) applying for work with us (whether as an employee, worker or contractor), or (2) you are already employed or under contract with us. The purpose of this document is to inform you about the use of your personal data, both now and in the future. It is primarily focused on the recruitment process and the onward maintaining appropriate records. It is also important to note the typical duration for which this data will be retained. This is information that must be provided under the UK Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR).

Please note the effective date at the top of this notice. We may amend this Notice from time to time and will inform you in advance of the effective date of any material changes that we intend to implement.

Identity of The Data Controller

Babraham Research Campus is responsible for processing your personal data and is the data controller.

Our main address is Babraham Hall, Babraham, Cambridge CB22 3AT, UK, Babraham CB22 3AT.

How is your personal information sourced?

Most of the personal data that we process about you has been provided by you directly to us. We may also collect personal data about applicants from other third parties and services including:

  1. a) former employers;
  2. b) education establishments from which you have received qualifications;
  3. c) background check providers and criminal records check providers;
  4. d) professional bodies (where necessary to confirm membership/accreditation);
  5. e) law enforcement agencies, government agencies, regulators or any other person having appropriate legal authority;
  6. f) your named referees; and
  7. g) recruitment agencies.
  8. h) Social Media (e.g. LinkedIn, Twitter)

Information we hold about you

In connection with your application for working with us, or with your ongoing appointment; we will collect, store, and use the following categories of personal information about you as set out in the table below. This also identifies our lawful basis for the specified purposes and conditions for any special category data.

Categories of Personal Data

Purpose of Processing

Lawful Basis

Special Condition*

Name, address and previous addresses, personal telephone number, and personal email address

 

To communicate with you in relation to your application with us and to maintain identifiable records of our recruitment process.

 

Maintaining a HR record for those that are employed.

 

Incident Management

Legitimate Interests

Not applicable

National Insurance ID number

To administer your salary, expenses, taxes and financial benefits

Legal obligation

Not applicable

Copy of your passport / or alternative Identification Info (Birth Cert and supporting docs)

To verify your eligibility to work for us, and to verify your identification.

Legal obligation

Not applicable

Date of birth

Identification purposes and to monitor recruitment / equality statistics.

 

Legitimate interest

Not applicable

Gender

To monitor recruitment / equality statistics

 

Legitimate interest

Not applicable

Details of work permit

To assess your suitability for a role with us

Legal obligation

Not applicable

Immigration and Nationality

Background /Criminal Record checks for roles within a regulated activity, for example; biotech, biological sciences and human tissue.   

To meet guidelines and regulatory requirements of Campus Tenants

Legal obligation(s):

 

Right to Work

 

Animals (Scientific Procedures) Act 1986

Human Tissue Act 2004

Processing is necessary for the purposes of performing or exercising obligations or rights imposed or conferred by employment, social security or social protection laws (Schedule 1, Part 1, paragraph 1 of the DPA). 

Social Media Background check

Review of social media profiles; including posts, likes and connections to identify and mitigate any risk to campus tenants

Legitimate interest

 

Processing is necessary for the purposes of performing or exercising obligations or rights imposed or conferred by employment, social security or social protection laws (Schedule 1, Part 1, paragraph 1 of the DPA). 

Education history

To assess your skills, qualifications, and suitability for a role with us.

 

Legitimate interest

 

Not applicable

Qualifications

Professional registration details

CV

Previous experience

Work history

References

Health data related to injuries or sickness or that otherwise impact your ability to perform your job

For medical-related matters e.g. making reasonable adjustments

Necessary for the performance of your planned employment agreement with us.

 

Processing is necessary for health or social care purposes, e.g., the assessment of the working capacity of an employee (Schedule 1, Part 1, paragraph 2 of the DPA).

Vaccination status (Hep B)

To ensure those with roles at higher risk to exposure to bloodborne viruses have the suitable level or protection.

Necessary for the performance of your planned employment agreement with us.

 

Processing is necessary for health or social care purposes, e.g., the assessment of the working capacity of an employee (Schedule 1, Part 1, paragraph 2 of the DPA).

Disability

To monitor equality of opportunities and diversity within our recruitment process.

 

To identify any necessary adjustments that would be required should we proceed to offer stage.

 

Legitimate interest

Processing is necessary for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people with a view to enabling such equality to be promoted or maintained (Schedule 1, Part 2, paragraph 8 of the DPA). **

Processing is necessary for purposes of promoting or maintaining diversity in the racial and ethnic origins of individuals who hold senior positions (Schedule 1, Part 2, paragraph 9 of the DPA).

Physical or mental health

Religious or philosophical beliefs

Race/ethnicity

 

Sexual orientation

CCTV images

To ensure your safety and that of the Campus and our tenants

Legitimate interest

Not applicable

Biometric -Fingerprint

Necessary for access to high-level restricted Campus locations (for limited roles).

Legitimate interest

Processing is necessary for the purposes of performing or exercising obligations or rights imposed or conferred by employment, social security or social protection laws (Schedule 1, Part 1, paragraph 1 of the DPA).

Next of kin and family connections

Contact details in case of emergencies, etc

Legitimate interest

Not applicable

Site Access Control data (e.g., swipe in/out time from access-controlled doors)

To monitor access and ensure security within premises

Legitimate interests (for maintaining campus security)

Not applicable

ANPR / Vehicle Identification Information

To manage campus access, parking and security

Legitimate Interest

Not applicable

 

N.B. We may need to process data as necessary in connection with any legal claims or prospective legal claims.  (Schedule 1, Part 3, paragraph 33 of DPA.)

** The categories of personal data listed (sexual orientation, health data, religion or racial or ethnic origin) shall not be used for the purposes of measures or decisions in relation to your employment or any other purposes not identified. Please note that you can always inform us in writing if you would prefer us not to process these categories of your personal data for the purpose identified.

If you fail to provide personal information 

If you fail to provide the information when requested, which is necessary for us to consider your application, or to maintain your appointment at BRC (such as evidence of qualifications or work history), we will not be able to process your application or maintain your records successfully. For example, if we require a reference or a background check and you fail to provide us with relevant details, we will not be able to take your application further.

Automated Decision-Making

During recruitment, we may set certain criteria necessary for a role; for example, qualifications or number of years' experience. These requirements will be explicit within the job ad, and the platform will filter out those who do not meet these criteria.

Aside from this solo example, there are no other instances where you would be subject to decisions that have a significant impact on you based solely on automated decision-making.

Data Sharing: Partners /Third-Party Recipients

Why might you share my personal information with third parties? 

The purposes for which we may share personal data relating to our applicants and staff with trusted third-party vendors and business partners, are set out below.

Partner Organisations

We may share your personal data with the Babraham Institute (BI) for the purposes set out below. Your personal data will only be accessible by competent employees of BI who, within their job responsibility may execute the purposes described in the table in Section 4 and have a need to know this information. These transfers are protected by the obligations set out in data sharing agreements that we have entered into with them. This agreement covers personal data transferred for the following purposes:

  1. To allow BI to carry out processing functions on our behalf including the storage and hosting of personal data for security purposes, including system back-up and failover.
  2. To provide services for the operations of Babraham Research Campus (e.g. Payroll, Pension, Benefits, Background Checks/Security Clearance, IT Services and Support);
  3. To advise on guidance for terms of employment;
  4. To assess matters that relate to employment, such as assistance in internal investigations in relation to compliance with internal policies and rules; and
  5. For regulatory purposes.

Third Party Suppliers

Babraham Research Campus also shares personal data with trusted service providers and business partners pursuant to contractual agreements with them. These agreements will, as necessary, include appropriate safeguards to protect any personal data that we share with them. We may share employee personal data with third parties that perform services and carry out functions on our behalf and under our instruction as a data processor. These third parties include:

  1. Recruitment Agencies;
  2. IT service providers;
  3. HR information system providers; and
  4. cloud storage service providers.

We may also disclose applicant and staff personal data to third parties acting as independent data controllers. All of these recipients are themselves responsible to determine the purposes and means of the processing and for the lawfulness of the processing. These third parties include:

  1. Life insurance providers;
  2. Health insurance providers;
  3. Workplace pension;
  4. Occupational Health;
  5. our auditors, lawyers, consultants, law enforcement and other public authorities (such as tax and social security bodies and healthcare organisations);
  6. the police, prosecutors, courts and tribunals;
  7. current or previous employers;
  8. educational establishments;
  9. third parties whose details you provide to us as references; and
  10. background check providers and criminal records check providers;

Data Security

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need-to-know. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so. 

International Transfer

The data we collect from you may be processed from or transferred and stored outside the UK in countries with less protective Data Protection laws. To address this, we ensure additional safeguards are in place to with our processors. If we transfer your data from the UK to a country that does not meet UK GDPR adequacy standards, we will use the following legal mechanism(s) to enable the transfer and protect your data, rights and freedoms;

Data Retention

How long will you use my information for? 

Candidates: We will retain your personal information for a period of twelve months after we have communicated to you our decision about whether to appoint the role. We retain your personal information for that period so that we can show, in the event of a legal claim, that we have not discriminated against candidates on prohibited grounds and that we have conducted the recruitment exercise in a fair and transparent way.

Staff: In line with the Chartered Institute of Personnel and Development (CIPD) guidelines for retention of employment records, we will retain your personal information for a period of 6 years from the end of employment.

After these periods, we will securely destroy your personal information in accordance with our data retention schedule.

If we wish to retain your personal information on file, on the basis that a further opportunity may arise in future and we may wish to consider you for that, we will write to you separately, seeking your explicit consent to retain your personal information for a fixed period on that basis.

Rights Of Access, Correction, Erasure, And Restriction

Your rights in connection with personal information 

Under certain circumstances, by law you have the right to: 

Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.

Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.

Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you             have exercised your right to object to processing (see below).

Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.

Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.

Request the transfer of your personal information to another party.

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your persona information to another party, please contact our Data Protection Officer in writing (see below for contact details)

Data Protection Officer

We have appointed a Data Protection Officer (DPO) to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your personal information, please contact the DPO via DPO@babraham.co.uk

You also have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.