How we handle your personal job application data at The London Clinic

There are a number of reasons why we need to use your personal data to manage your application for employment. This notice applies if you are applying for work with us (whether as an employee, worker or contractor). It summarises how we process your data, and what we do and don’t do with it up to the point of a candidate becoming an employee at the Clinic.  

1. Who ‘we’ are 

When we outline to you how we take care of your data you will notice we use the words ‘the Clinic’, ‘we’, ‘us’ or ‘our’. This means we are referring to The London Clinic (also known as Trustees of the London Clinic Limited). We are a limited company and charity registered in England and Wales. Find out more information about our company and charity status.  

For the purposes of you using our website we are the ‘Data Controller’ of your personal data. We are responsible for deciding how we hold and use your data, for taking care of your data and ensuring that anyone we work with, who might need to access your data, also takes care of it and follows our rules. If there is ever a situation where another organisation or person is the Data Controller of your data, we will let you know.   

Before we explain what data we collect, why we collect it and what we do with your data, if you have any questions or concerns, you can reach our Data Protection Officer via  dataprotection@thelondonclinic.co.uk.  

What we do with your data

Yes, if you are a job applicant or your details have been provided to us via a third party, for example a job vacancy website or recruiters. 

Yes, either in relation to your immigration status, interview reasonable adjustments, or details of a professional body you are a member of, which is considered special category data.

Yes, via various physical and digital methods, including this notice. 

No, we do not typically rely on consent as our lawful basis for processing your data.  

No, we do not use your data for analytical purposes. 

Generally no, however we will share your data with your referee(s).

No, never! 

Yes, The London Clinic has an extensive Records Retention Policy to ensure we only keep information only for as long as we need to. 

Yes, alongside applying industry best practice, the Clinic are Cyber Essentials certified and compliant with the NHS’s Data Security and Protection Toolkit (‘DPST’). 

Yes, all staff receive training on a regular cycle. 

Yes, we only permit access to those with a legitimate power or reason to access your information. 

Yes, where your rights apply, we will process your request accordingly, and where they do not apply, we will explain this to you.  

2. What data we collect from you 

We will need different pieces of information from you for different purposes which will be driven by your interaction with us. We will always keep the data we need down to a minimum, and internally will ensure that only those with a legitimate need to see your data can do so.  

As a summary, the sorts of data we collect from you in connection with your application for work falls into the following categories:  

This will include your basic contact details and ways for us to identify you. For example, your name, home address, email address, date of birth etc.  

Why?

Personal ‘home’ details are used to contact you and liaise with you on the progression and outcomes of your application.   

 

This will include the contact details for any referees and other individuals we may need to contact.  

Why?

We need to have details of whom to contact to seek references and other professional background checks should your application be successful.  

This will include any information provided during your interview, other information included in your CV or cover letter or as part of the application process, information on any professional memberships that you have as well as your training and educational records.  

Why?

We need to ensure that we can assess your skills, qualifications and suitability for the work and ensure you are appropriately qualified for the work. This includes verification of any professional memberships where required.  

This will include information on your right to work e.g. immigration status, and/or any criminal convictions relevant to your working in a healthcare setting.   

Why?

This is so that we can meet our legal requirements as an employer in the UK.  

This might include details of any medical conditions or special requirements.   

Why?

We use such information about your health and/or special requirements in order to ensure we accommodate any needs to support you in the recruitment process and comply with our medical regulatory requirements. If appointed, we may need more information as part of your onboarding process.  

This may include details of your current and desired salary. 

Why?

This is so that we can assess whether the work opportunity meets your expectations. 

This currently covers data including gender, race, ethnic origin, sexual orientation, religious or other beliefs, and whether you have a disability or require any additional support as part of our diversity and equality commitments.  

Why?

To help us meet our commitment to equal opportunities, we carry out monitoring of certain information relating to our staff. The information is collated into anonymous statistics that are kept by the HR Department.   

3. Why we use your data 

There are a number of reasons why we use your personal data in relation to your application to work with us. These include circumstances where the use of such data is in our legitimate interests as a potential employer or as part of our legal obligations as an employer in the UK. 

This includes, but is not limited to: 

  • Recruitment and interviewing administration. We will process your contact, recruitment, and salary data in our legitimate interests to arrange a job interview with you and/or assess your job application
  • Eligibility to work. We will process your background and medical data to comply with our legal obligations as an employer in the UK 
  • Reference checking. We will process information obtained from your referees in our legitimate interests to assess your job application and suitability for the role
  • Provision of special support. We may process your medical data to support you in the recruitment process in line with our legal obligations as an employer in the UK
  • Professional memberships and qualifications. We may collect and process your data in our legitimate interest to ensure candidates are qualified for the role in which they are applying for and/or to comply with our legal obligations as an employer in the UK
  • Criminal convictions. We may collect and process your background data to comply with our legal obligations as an employer in the UK
  • Equality and diversity. We may use aggregated data derived from your demographic and salary information to comply with our legal obligations in relation to equal opportunities or equal pay.

If you fail to provide information when requested, which is necessary for us to consider your application (such as evidence of qualifications or work history), we will not be able to process your application successfully

For the avoidance of doubt, The London Clinic does not use automated decision making within its recruitment process, however we will notify you if this position changes.

Please note: if you have received or are currently receiving medical treatment at The London Clinic, your data will be handled as a patient. Please refer to the Patient Terms and Conditions and patient privacy notice for how this information is handled as this is separate from the processing activities identified within this notice. 

4. Where we get your data from   

The London Clinic will only process information provided directly or indirectly (via recruitment third parties) by you as part of your recruitment process. For further information on how recruitment third parties process your personal data, please refer to their privacy notices. 

5. Who we share your data with 

At this stage, your data is not shared with third parties outside of our control. If successful in your application to work with us, upon onboarding, your information will be processed in line with The London Clinic’s employee privacy notice that will be provided to you at that stage.  

 

6. Where in the world your data is physically sitting 

We use systems, technology and/or support vendors who may store or have access to physical or cloud storage which resides both in the UK and abroad. This includes countries both within the European Economic Area (‘EEA’) and, in limited circumstances, those further afield, for example the United States of America.  

Where we store or share personal data with a third party in a country outside of the UK or EEA, we will put appropriate safeguards in place to protect that data in accordance with the applicable Data Protection Laws and the ICO’s guidance. These range from a contract with that third-party supplier through to technical measures to protect it while it gets there.  

7. How long we keep your data 

We only keep your data as long as it is required either by English Law, employment best practice, codes of practice or our own legitimate business needs.   

If you are successful in your application, we will keep your data in your employment file for as long as you are an employee at The London Clinic and for 7 years after you leave. If you are unsuccessful in your application, we will keep your data on record just for 6 months from the date we have communicated to you our decision, unless you consent to us storing your information for longer (i.e. you choose to add it in our candidate portal for future roles). We retain your personal information for that period so that we can show, in the event of a legal claim, that we have not discriminated against you and that we have conducted the recruitment exercise in a fair and transparent way. After this period, we will securely destroy your personal information in accordance with applicable laws and regulations. 

 

8. How we protect your data 

As you can appreciate, we cannot give you the full list of specific measures we have in place to prevent your data from being accidentally lost, used, accessed in an unauthorised way, altered or disclosed. However, please rest assured that we are committed to ensuring a high level of protection for your data while it is in our management.   

Examples of some of the measures we have in place include:  

  • Agreed organisation-wide standards on security and data handling
  • IT technical controls to limit access to your personal information only to those employees, agents, contractors and other third parties who have a business need-to-know  
  • Physical security controls on our buildings and wards  
  • Contractual controls with third parties (‘our house, our rules’)  
  • Training and awareness for all employees and Consultants  
  • Key roles in our organisation with specialist knowledge on Information Governance, Data Protection and Cyber Security to ensure your information is always protected.  

Access to your recruitment file and the information kept therein is restricted and is monitored and approved by the HR Department on a need-to-know basis.  

9. What your rights are in connection with your data 

Where we use your information with your consent, you control how that data is used and shared by  The London Clinic. However, where we are using your data under a legal obligation or other grounds, your rights under Data Protection Laws are more restricted.    

A summary of all the Data Protection rights and how they apply to your interactions with us is below:   

This is known as a data subject access request whereby you can receive a copy of the personal data that we hold about you.  This right applies in all circumstances, however there might be some scenarios where we cannot provide you with some of the information requested (i.e. to protect the rights of others or due to legal privilege/confidentiality). If that is the case, we will explain this to you as part of our response to your request.  

Make a data subject access request 

You can correct any incomplete or factually inaccurate personal data that we hold about you. It is important to understand that this right does not extend to matters of opinion, such as medical diagnoses. This right applies in all circumstances, however there might be some scenarios where we cannot retrospectively edit your record. If that is the case, we will explain this to you as part of our response to your request.

We cannot always fulfil your request if there are specific legal reasons requiring us to retain your personal data. We will explain these to you, if applicable, when responding to your request.   

You can ask us to delete or remove your personal data where: 

  • There is no good reason for us continuing to use it

  • You have successfully exercised your right to object to us using it or you have withdrawn your consent

  • We may have processed your information ‘unlawfully'

  • We are required to erase your personal data to comply with English law. 

You can object to our processing of your personal data if: 

  • We are relying on legitimate interests and you feel it impacts on your fundamental rights and freedoms. We may be able to demonstrate compelling overriding legitimate grounds for the processing

  • We are processing for direct marketing purposes. 

You can ask us to suspend processing of your personal data if: 

  • You want us to establish the data’s accuracy

  • Our use of your personal data is unlawful, but you do not want us to erase it

  • You need us to hold the data to establish, exercise or defend legal claims, even if we no longer require it

  • You have objected to our use of your data, but we need to verify whether we have overriding legitimate interests to use it. 

You can request that we provide you or your chosen third-party with your personal data in a structured, commonly used, machine-readable format (an excel spreadsheet for example). This right only applies to electronic/digital information that you have provided to us either with your consent or where we use the information to perform a contract with you. 

If you give us consent to process your personal data, you can withdraw that consent at any time by emailing dataprotection@thelondonclinic.co.uk.

At any time, you can complain to either us or the ICO about any concerns you have over how your data is being handled.  

  • To register a complaint with us please email dataprotection@thelondonclinic.co.uk

  • To register a complaint with the ICO please visit their website at www.ico.org.uk or address a letter to Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF or call their helpline on 0303 123 1113. 

How you can find out more information

If you have any questions or queries about how we handle your personal data at The London Clinic, please get in touch at dataprotection@thelondonclinic.co.uk.   

Last updated

Version 2.0. This notice was last updated in February 2022. 

Share