Privacy notice for job applicants

Spire Healthcare collects and processes your personal data for a number of purposes and only where we have a legal basis to do so.

The type of data we collect and what our legal basis is for that processing is outlined below.

Personal details including:

• Full name
• Address
• Date of birth
• Contact numbers and email addresses
• Job title
• Gender
• Marital status
• National Insurance number

Legal basis for processing: To pursue our legitimate interests as a business.

Driving licence/Copy of Driving licence

To verify your identity

Legal basis for processing: To our legal obligations or exercise our rights.

Right to work

• Right to Work Evidence
• Head and shoulders photograph (CQC requirement to ensure that the applicant, compliance checked person and the person arriving for work are the same)

Checking you are legally entitled to work in the UK as required by immigration laws

Legal basis for processing: To comply with our legal obligations or exercise our rights.

Previous employment information

• Employment references
• Employment history
• Conduct Declarations

To obtain satisfactory evidence of conduct in previous employment. Note that additional conduct questions will be asked where a candidate as previously worked in services relating to:

• Health or Social Care
• Children or vulnerable adults

Legal basis for processing: To comply with CQC guidelines for the employment of fit and proper persons.

Recruitment documentation: 

• CV/Cover letter
• Application form
• Evidence of Professional memberships and qualifications, background vetting data (including References from previous employers)

To complete all required pre-employment checks

Legal basis for processing: To pursue our legitimate interests as a business.

For Overseas workers, where applicable: 

• Evidence of NMC computer-based test
• Evidence of NMC OSCE attempt and outcome
• International criminal record evidence

Legal basis for processing: To comply with our legal obligations or exercise our rights.

Building access records

Data gathered through the monitoring of our building access records, CCTV recording

Legal basis for processing: To pursue our legitimate interests as a business.

Disclosure and Barring checks

** Note that documentation is collected to satisfy the DBS identity checking criteria. Typical combination of documents is a passport, driving licence and bank statement (list of acceptable docs is available online). In this example, once the check is completed the Passport would be retained to satisfy right to work requirements and the driving licence and bank statement would be destroyed.

Legal basis for processing: To comply with our legal obligations or exercise our rights.

Job role and interview

Details of the job role you are applying for and any interview notes made by us during or following an interview with you

To enable us to assess your suitability for that role

Legal basis for processing: To pursue our legitimate interests as a business.

Special categories of personal data

For occupational health reasons or where we are assessing your working capability, subject to appropriate confidentiality safeguards.

Information about your physical or mental health, or disability status, to assess whether any reasonable adjustments are required for you during the recruitment process, and, where you are successful in your role application, carrying out any medical assessment required for your role, pension and any insurance benefit

Legal basis for processing: To comply with our legal obligations.

Most of the personal data we collect, use and hold will be collected directly from you.  However, third parties, such as former employers, background check providers, credit reference agencies, official bodies (eg regulators or criminal record bureaus), medical professionals, training and occupational health providers and company advisors may also send your personal data to us.

Within the Spire group of companies 

We share your personal data with other companies in the Spire group.

Third parties 

We may share your personal data with the following third parties:

• Occupational health providers
• Disclosure and Barring Service
• International criminal record checking agencies
• Recruitment agencies
• IT service providers (for example software we use during the recruitment process)

We may also need to share your personal data with regulatory and government bodies.

If we share your personal data, we will make sure appropriate protection is in place to protect it in line with data protection laws.

We (or third parties acting on our behalf) store or process data that we collect about you in countries within the European Economic Area (EEA).

We may also need to transfer your personal data outside the EEA to service providers, agents and subcontractors in countries where data protection laws may not provide the same level of protection as those in the European Economic Area, such as the USA.  Where this happens, we agree specific assurances within our contracts with those providers to ensure there are appropriate controls in place to protect your data.

If you would like further information regarding the steps we take to safeguard your personal data, please contact the DPO using the details set out above.

We are committed to looking after your personal data and have implemented appropriate physical, technical, and organisational security measures designed to secure your personal data against accidental loss and unauthorised access, use, alteration, or disclosure.

In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know it.  They will only use your personal data on our instructions and they are subject to a duty of confidentiality.

We will retain your personal data for as long as we are legally or contractually required to do so, or for a period which is justifiable to meet our business needs. If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your HR file and retained during your employment. The periods for which employee data is held are provided in our Spire Colleague Privacy Notice.

Any personal data held on unsuccessful applicants is held for 2 years post application and then securely destroyed unless we need to retain it for longer to exercise or defend any legal claims.

If you have any questions how the retention of your records, please contact our Data Protection Officer at dataprotection@spirehealthcare.com for more details.

Under data protection law you have certain rights in relation to the personal data that we hold about you. You may exercise these rights at any time by contacting our Data Protection Officer, using the details set out above.

Your rights include:

• Right to be informed: you have the right to know how we process your personal data (as explained in this notice)
• Right of Access: you have a right to receive a copy of your personal data.
• you can ask us to change or complete any inaccurate or incomplete personal data held about you.
• Right to Object: you have the right to object, in certain circumstances, to us processing your personal data. For example, you can object to us sending you marketing material or using your personal data to create a profile about you.
• Right to Erasure: in certain circumstances, you can ask us to delete your personal data. For example, where it is no longer necessary for us to use it, you have withdrawn consent, or where we have no lawful basis for keeping it.
• Right of Portability: you have the right to ask us to send a copy of certain elements of your personal data (predominantly data you have shared directly with us) to another company.
• Right to Restrict: you can ask us to restrict the personal data we use about you where you have asked for it to be erased (and the erasure has not taken place or we were unable to ease the data when we should have) or where you have objected to our use of it.

Exercising your rights is free and we will respond to any request as quickly as we can. Under current law, we have up to a calendar month to respond to any request. We will endeavour to meet this. If we can’t, we’ll contact you to explain why and confirm when your request will be processed.

If you have any questions or concerns about how your personal data is managed by Spire Healthcare please contact our Data Protection Officer, using the contact details listed on page 1 of this privacy notice.

You are also entitled to raise a complaint with the Data Protection Supervisory Authority – which in the UK is the Data Commissioner's Office (ICO). You can find their contact details at 

Making a complaint will not affect any other legal rights or remedies that you have.