Overseas Recruitment Agency

Data Protection Policy

Acorn and associated subsidiaries hold personal data on employees, clients, contractors, partners and job seekers.

This policy details how personal data is used, handled, and stored by all personnel associated with Acorn.

Peter Arkwright has been nominated as the Data Protection Officer (DPO). He will carry out all the relevant duties and whilst doing so, represent the CEO of the company. He can be contacted via the online contact form.

Our procedures
Fair and lawful processing

Acorn must process all personal data fairly and lawfully, in accordance with an individual’s rights. Data processing is restricted to procedures related to recruitment, be that local, national or international.

The Data Protection Officer’s responsibilities include:
  • Review all data protection procedures and policies
  • Arrange and manage data protection training
  • Answer all questions relating to data protection
  • Respond to individuals such as clients and job seekers who wish to know what data is being held on them
  • Check associated parties to make sure their work is compliant
  • Ensure all systems, services, software and equipment meet acceptable security standards
  • Approve data protection statements attached to emails and other marketing material
  • Address data protection queries from staff, partners, contractors, and associates
  • Host external audit teams
  • Carry out internal audits

The processing of all data must be:
  • Necessary to deliver recruitment services
  • Legally compliant
  • Ethically sound

Accuracy and relevancy

Acorn will endeavour to ensure all personal data is accurate, adequate, relevant and not excessive.

Personal data is used to produce Employment Profiles but no confidential information is displayed openly.

Your personal data

You must take reasonable steps to ensure the data we hold on your behalf is accurate. For example, if your personal circumstances change, please inform the DPO so our records can be updated.

Newsletters

Occasionally, Acorn transmits email newsletters to database members. Anyone wishing to be removed from our mailing list can use the unsubscribe link at the bottom of an email.

Data security

Acorn takes reasonable and adequate steps to protect all personal data.

Storage
  • Where data is produced on printed paper, it should be kept in a secure place
  • Printed data should be shredded when no longer required
  • Data stored on computers should be protected by strong passwords that are changed regularly
  • Data stored on CDs or memory sticks must be locked away securely when not in use
  • The DPO must approve any cloud system used for data storage
  • Data should be regularly backed up
  • All servers containing sensitive data must be approved and protected by security software and strong firewalls
  • Data-related declarations should be securely stored

Data retention

Acorn will retain personal and corporate data for a period of 7 years.

Transferring data internationally

The team at Acorn, including associates, retain and share private and confidential information.

A tightly managed system is utilised for the sharing of candidate information; this is only carried out for the purpose of recruitment and employment. When private and confidential data is no longer required, it is removed from all machines and devices, no matter which source. The DPO controls this system and disciplinary action can be taken where mismanagement or abuse occurs.

Training

New members of staff or partners will receive training as part of their induction process.

Training will be provided by the DPO.

It will cover:

  • The law relating to data protection
  • Data protection, policies and procedures

Attending training is compulsory.

Conditions for processing

All staff/partners are aware that personal data from other sources is only to be used or shared for the purpose of recruitment and employment.

Consent

Acorn has consent from all parties to use personal data for the task of recruitment, be that local, national or international.

Criminal record checks

Criminal record checks may be carried out as a means of validating the suitability of a candidate. Where criminal record checks are carried out, the processes adhered to will be within the framework of the law.

Data portability

Upon request, a data subject should have the right to receive a copy of their data in a structured format. These requests should be processed within one month, provided there is no undue burden and it does not compromise the privacy of other individuals. A data subject may also request that their data is removed or transferred directly to another system.

Right to be forgotten

A data subject may request that any information held on them is deleted or removed, and any third party who processes or uses that data must also comply with the request.

International data transfers

The DPO is to be made aware of all international data transfers.

Data audits

If deemed necessary, the DPO is to carry out documented data protection audits.

Reporting breaches

All members of staff have an obligation to report actual or potential data protection compliance failures. This allows Acorn to:

  • Investigate the failure and take remedial steps if necessary
  • Maintain a register of compliance failures

Monitoring

The DPO has overall responsibility for this policy. He will monitor it regularly to make sure it is constantly relevant.