HR Connect – EmploymentCheck Privacy Notice
Last updated August 2025
This Privacy Notice will be reviewed on a regular basis or when a change in legislation and/or practices dictates and any changes will be notified to you by posting an updated version on our websites and/or by contacting you via email.
We recommend that you regularly check for changes and review this policy when visiting our website.
Introduction
The Client Organisation has entered into a Service Level Agreement with EmploymentCheck for the service provision of processing employment checks. The online EmploymentCheck system is used to collect and use certain personal information about you to process checks such as Disclosure and Barring Service (DBS) checks, Right to Work (RTW) checks and Pre-employment Reference requests.
Who are we?
EmploymentCheck is a trading style of Commercial Services Kent (CSK) Ltd (Reg No. 5858177), part of Commercial Services Group, a company registered in England and Wales.
We understand that your privacy is important to you and that you care about how your personal data is used. We respect and value the privacy of all our customers and their employees and other people with whom we interact in the course of undertaking our services.
For the purposes of the services provided by CSK to the Client Organisation:
· The Client Organisation are responsible as ‘controller’ of your personal information with whom we liaise in relation to our contract with our client. Please refer to the client organisation’s privacy policy as the data ‘controller’.
· CSK are responsible as the ‘processor’ for the personal information we gather as part of the DBS and RTW service and have no direct relationship with the individual(s) whose personal data we process under the direction of client organisations.
This Privacy Notice offers both our customers and their employees with meaningful and accessible guidance on our approach to handling personal data.
About the information we collect
The table set out below summarises the information we collect for this service, how and why we do so, how we use it and with whom it may be shared.
We seek to ensure that our information collection and processing is always proportionate. We will notify you of any changes to information we collect or to the purposes for which we collect and process it.
|
How we collect the information |
Why we collect the information |
How we use and share the information |
|
|
Personal information: such as name, address, telephone number, email address, date of birth, national insurance number, identification documents. |
From you |
To comply with legal obligations. To perform the employment contract. Legitimate interest: to verify your identity and to progress your application and keep you informed of progress and outcomes.
|
To comply with DBS application requirements in order to submit your application to the DBS. To enable validation of your identity as part of your DBS or Right to Work in the UK application. To enable the client organisation to keep you informed of the progress of your application and outcome. Information shared with the DBS, the Police and other regulatory authorities as required. Information shared with Experian for external ID validation if required (where you are unable to provide sufficient evidence to meet DBS requirements). |
|
Your declaration of whether you have any convictions, cautions, reprimands or warnings |
From you |
To comply with legal obligations. To perform the employment contract.
Legitimate interests: For reasons of substantial public interest (protecting the public against dishonesty, safeguarding children and individuals at risk). Your consent.
|
To comply with DBS application requirements in order to submit your application to the DBS. Information shared with the DBS, the Police and other regulatory authorities as required. |
|
The outcome of your external ID validation check (pass/fail) |
From Experian |
To perform the employment contract. To comply with legal obligations. Legitimate interest: to verify your identity.
|
To comply with DBS application requirements in order to submit your application to the DBS. To enable validation of your identity as part of your application. Information shared with the DBS. |
|
The outcome of your digital identity check (pass/fail) |
From Yoti |
To perform the employment contract. To comply with legal obligations. Legitimate interest: to verify your identity.
|
To comply with DBS application requirements in order to submit your application to the DBS. To enable validation of your identity as part of your DBS or Right to Work in the UK application. Information shared with the DBS. |
|
Your disclosure certificate information. |
From the DBS |
To perform the employment contract. To comply with legal obligations. Legitimate interest: to verify the criminal records information provided by you. For reasons of substantial public interest (protecting the public against dishonesty, safeguarding children and individuals at risk). Your consent. |
To enable the client organisation to make an informed recruitment / retention decision. To carry out statutory checks. Information shared with DBS, the Police and other regulatory authorities as required. Information shared with the nominated manager from the Client Organisation. |
Acting as an Umbrella Body for DBS checks
As an Umbrella Body (one which countersigns DBS applications and receives Disclosure results on behalf of our Client Organisations), CSK take all reasonable steps to ensure that they comply fully with the DBS Code of Practice. We will also take all reasonable steps to satisfy ourselves that we handle, use, store, retain and dispose of Disclosure information in full compliance with the DBS Code and in full accordance with this policy. Further details are set out in our Policy Statement on the Secure Storage, Handling, Use, Retention & Disposal of Disclosure Information (see Annex A).
Where information may be retained
Some of the personal information you provide to us may be transferred to countries outside of the UK, or the EU/EEA. Where this occurs, CSK will make restricted transfer under UK “adequacy regulations” to protect individuals rights and freedoms for their personal data.
Where the UK has no “adequacy regulations” then the restricted transfer will be subject to appropriate safeguards whereby standard contractual clauses have been entered into with the organisation receiving the data.
How long your personal data will be kept
An automated purging process will identify records which have reached the end of their retention schedule.
DBS Checks
Purging of personal and sensitive data will be conducted 6 months following receipt of your disclosure and after a check has been archived by the client organisation or the systems automated archive function.
Right to Work Checks
Purging of personal and sensitive data will be conducted 6 months after a check has been archived by the client organisation or the systems automated archive function.
Once personal and sensitive data has been removed from the application, a record of the Right to Work check will be kept on the EmploymentCheck system until the end of the contract term.
Reference Checks
Purging of personal and sensitive data 6 months after a check has been archived by the Customer’s admin users or after a check has been automatically archived by the system.
Who we share your personal information with
We will share personal information with law enforcement or other authorities if required by applicable law.
We engage the following trusted third party providers, with whom data may be shared (as required) to enable the delivery of this service:
- Cantium Business Solutions Ltd (IT provider)
- ANS Group Limited (system hosting)
- Experian (identity verification purposes)
- YOTI Ltd (identity verification purposes)
Access to data is only granted where authorised and specifically required in line with our contract with them. System data is hosted within the UK by an ISO 27001 accredited supplier and supplier information security standards meet DBS requirements.
Where an external ID check is required in order to meet the DBS’s ID verification requirements we will share your personal data with Experian in order to undertake this check. For further information please see Experian’s Information Notice.
Where Digital ID verification is undertaken to evidence your identity for either a DBS check or Right to Work in the UK, we will share your personal data with Yoti in order to undertake this check. For further information please see Yoti’s Identity Verification within the UK Digital Identity and Attribute Trust Framework (UKDIATF) Notice.
Your Rights
Under the Data Protection Act 2018 you have a number of rights which allow you to:
· Your right of access - You have the right to ask us for copies of your personal data, however there are some exemptions which means you may not receive all the information you ask for.
· Your right to rectification - You have the right to ask us to rectify personal data you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
· Your right to erasure - You have the right to ask us to erase your personal data in certain circumstances.
· Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal data in certain circumstances.
· Your right to object to processing - You have the right to object to the processing of your personal data in certain circumstances.
· Your right to data portability - You have the right to ask that we transfer the personal data you gave us to another organisation, or to you, in certain circumstances.
· Your right to withdraw consent – When we use consent as our lawful basis you have the right to withdraw your consent.
If you make a request, we have one calendar month to respond to you. If a request is deemed to be complex or a number of requests have been received from an individual, the response time may be extended by up to 2 months.
We will always seek to comply with your request however we may be required to hold or use your information to comply with legal duties.
Please note: your request may delay or prevent us delivering a service to you.
For further information about your rights, including the circumstances in which they apply, see the guidance from the UK Information Commissioners Office (ICO) on individuals’ rights under the UK General Data Protection Regulation.
If you would like to exercise a right, please contact your Client Organisation’s Data Protection Team.
Consent - Withdrawal
In some circumstances where you have provided your consent for the processing of your criminal records information you have the right to withdraw your consent at any time by notifying the Client Organisation. On receipt of notification from the Client Organisation that you have withdrawn your consent we will no longer process your information for that purpose, unless we have another legitimate basis for doing so in law.
Keeping your personal information secure
We have appropriate security measures in place to prevent personal information from being accidentally lost, used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
Who to Contact
Please contact the Client Organisation’s Data Protection Team to exercise any of your rights, or if you have a complaint about why your information has been collected, how it has been used or how long we have kept it for.
The UK General Data Protection Regulation also gives you right to lodge a complaint with a supervisory authority. The supervisory authority in the UK is the Information Commissioner who may be contacted with any concern on telephone 03031 231113.
Annex A - Policy Statement on the Secure Storage, Handling, Use, Retention & Disposal of Disclosure Information
General principles
As an organisation using the Disclosure and Barring Service (DBS) to help Client Organisations assess the suitability of applicants for positions of trust, Commercial Services Kent (CSK) complies fully with the DBS Code of Practice regarding the correct handling, use, storage, retention and disposal of Disclosures and Disclosure information. It also complies fully with its obligations under the Data Protection Act 2018, General Data Protection Regulation and other relevant legislation:
- in relation to the circumstances in which it seeks criminal records information;
- by being concise, clear and transparent about how it obtains and uses such information, and how (and when) it is deleted once it is no longer required; and
- by ensuring a written policy on the secure handling of information provided by DBS, electronically or otherwise, is made available to individuals at the point of requesting them to complete a DBS application form or asking consent to use their information to access any service DBS provides.
CSK’s data protection officer (DPO), is responsible for informing and advising CSK and its staff on its data protection obligations, including in relation to criminal records information, and for monitoring compliance with those obligations. If you have any questions or comments about the data protection content of this policy or if you need further information, you should contact the Client Organisation Data Protection Team.
Storage & Access
Paper form Disclosure information is always kept separately and securely, in lockable, nonportable, storage containers with access strictly controlled and limited to those who are entitled to see it as part of their duties.
On-line Disclosure information is kept within the EmploymentCheck on-line system. Access to these systems is strictly controlled and only granted to those who need this as part of their duties.
Handling
In accordance with section 124 of the Police Act 1997, Disclosure information is only shared with those who are authorised to receive it in the course of their duties. We maintain a record of all those to whom Disclosure information has been revealed and we recognise that it is a criminal offence to pass this information to anyone who is not entitled to receive it.
Usage
Disclosure information is only used for the specific purpose for which it was requested and for which the applicant's full consent has been given.
Retention
Personal information kept within the EmploymentCheck on-line system is purged after a period of 6 months from the date the application is archived (the recruitment decision made).
Disposal
Once the retention period has elapsed, we will ensure that any Disclosure information whether this be paper form or on-line information is immediately and suitably destroyed by secure means or deleting within the EmploymentCheck on-line system. While disclosure documentation is waiting to be disposed of we will ensure that this is kept in a secure lockable, non-portable storage container or securely within the on-line system through means of restricted access.