Privacy Policy

 

Privacy Policy

This Privacy Notice applies to all applicants who have applied to be engaged for employment by FirstGroup plc (or any of its subsidiaries or associated entities).

Created: May 2018

Last updated: October 2023

 

CONTENTS

ABOUT THIS PRIVACY NOTICE

This section explains how we are committed to protecting the privacy and security of your personal data. It also explains how compliance with this Privacy Notice will be monitored.

HOW WILL WE USE YOUR PERSONAL DATA?

This section explains how we will collect, store and use personal data that you provide to us. This is to enable us to carry out our activities and obligations as your potential employer.

WHO WILL HAVE ACCESS TO YOUR PERSONAL DATA?

This section explains which of our employees will have access to your personal data. It also explains the reason for our employees accessing your personal data.  

WHO ELSE MIGHT WE SHARE YOUR PERSONAL DATA WITH?

This section informs you of who we share your personal data with. It also explains the reason for sharing; this is largely so that we can carry our activities and obligations as your potential employer.

HOW LONG DO WE KEEP YOUR PERSONAL DATA?

This section explains the length of time that we will retain your personal data. It also explains why we would hold your personal data for such time periods.

WHAT ARE YOUR RIGHTS?

This section explains that you have rights in relation to your personal data. It also explains what these rights are and how you can go about exercising them.

WHO CAN YOU ASK FOR MORE INFORMATION?

This section provides you with contact information should you have any questions or concerns about the way we handle your personal data. It also explains how you can contact the data protection regulator should you be unsatisfied with our response to your data protection issues.

1              ABOUT THIS PRIVACY NOTICE

1.1          We are committed to protecting the privacy and security of your personal data. This Privacy Notice sets out how we use and protect the information that you provide to us. It explains what we do with your data.

1.2          In this policy, we also set out details about your rights in relation to the personal data we hold about you, and how to contact us if you have any questions or comments.

1.3          Compliance with this Privacy Notice will be monitored by our DPO and Deputy DPO (please see section 7 below) and reported on at a senior level to the FirstGroup plc Executive Committee.

2              HOW WILL WE USE YOUR PERSONAL DATA?

2.1          We will collect, store and use information about you in order to carry out our activities and obligations as your potential employer. We will only do this where:

  • it is necessary in order to comply with legal obligations which apply to us;
  • it is necessary in order to fulfil our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests; or
  • the law otherwise permits or requires it.

2.2          We may also use your personal information in the following situations, which are likely to be rare:

  • where we need to protect your interests (or someone else’s interests).
  • where it is needed in the public interest.

2.3          We will use the personal information we collect about you to:

(a)           Assess your skills, qualifications, and suitability for the role.

(b)           Carry out background and reference checks, where applicable.

(c)           Communicate with you about the recruitment process.

(d)           Keep records related to our hiring processes.

(e)           Comply with legal or regulatory requirements.

2.4          We also need to process your personal information to decide whether to enter into a contract of employment with you.

2.5          The table at Schedule 1 sets out the type of information we may collect and what it may be used for.  We need all the categories of information in Schedule 1, primarily to allow us to comply with legal obligations or to pursue our legitimate interests, provided your interests and fundamental rights do not override those interests.

2.6          If you fail to provide information when requested, which is necessary for us to consider your application (such as evidence of qualifications or work history), we will not be able to process your application successfully. For example, if we require a credit check or references for the role and you fail to provide us with relevant details, we will not be able to take your application further.

2.7          Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We are allowed to use automated decision-making in the following circumstances:

(a)           Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights.

(b)           In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights.

2.8          Depending on the role, we may use automated decision-making to inform some of our recruitment decisions, including where the role requires certain qualifications (e.g. a driving licence) or a clean Criminal Records Check (e.g. in certain finance-related roles). We consider that we have a lawful basis for using this technology to assist us with ensuring that only candidates that are lawfully capable of carrying out the role are considered. You have rights in relation to automated decision-making, including a right to object, which are explained further in section 6 below.

2.9          We will use your particularly sensitive personal information in the following ways:

(a)           We will use information about your disability status to consider whether we need to provide appropriate adjustments during the recruitment process, for example whether adjustments need to be made during a test or interview.

(b)           We will use information about your race or national or ethnic origin, religious, philosophical, or moral beliefs, or your sexual life or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting.

2.10        We do not need your consent if we use special categories of your personal information in accordance with our written policy to carry out our legal obligations or exercise specific rights in the field of employment law. In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.

2.11        If you use our Website, we automatically collect the following information:

  • web usage information (e.g. IP address), your login information, browser type and version, time zone setting, operating system and platform; and
  • information about your visit, including the full Uniform Resource Locators (URLs) clickstream to, through and from our Website (including date and time); time on page, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks and mouse-overs).

2.12        Where we collect information about you in the ways described above, we do so on the basis that it is in our legitimate interests to collect and process this data. In most situations this will be anonymised, but we collect and process this data to ensure that our site is functioning properly and that your candidate experience is to the standard that you and we expect.

3              WHO WILL HAVE ACCESS TO YOUR PERSONAL DATA?

3.1          Your personal data will only be seen or used by those of our employees who have a legitimate business need to access your personal data for the purposes set out in this Privacy Notice. This will include our HR, recruitment, resourcing and occupational health team and other employees who need the information to perform their management or administrative functions.

3.2          We take your privacy seriously and have implemented appropriate physical, technical, and organisational security measures designed to secure your personal data against accidental loss, destruction or damage and unauthorised access, use, alteration, or disclosure.

4              WHO ELSE MIGHT WE SHARE YOUR PERSONAL DATA WITH?

4.1          Except as explained in this Privacy Notice, we will not share your personal data with third parties without your consent unless required to do so by law.

4.2          To comply with our legal, statutory, and regulatory obligations, we may share your personal data with authorities including but not limited to the: Disclosure and Barring Service, Office of Rail and Road, Department for Transport, Rail Accident Investigation Branch, British Transport Police, Network Rail, Traffic Commissioner, Transport for London, Driver and Vehicle Standards Agency and Driver and Vehicle Licensing Agency as appropriate from time to time.

4.3          Where you have applied for certain roles within our rail business, we may share your personal data with authorities including but not limited to the: Rail Delivery Group, Rail Staff Travel, Rail Pension and Rail Assessment Centre Forum as appropriate from time to time. Whilst this is not a legal, statutory, or regulatory obligation, it is best practice that the rail industry abides by to ensure that the safety of passengers and train staff is of paramount importance.

4.4          We may share your personal data with third-party service providers who assist us with administering our potential employment relationship with you. This may include benefits administration providers, employment screening bureaus, communications service providers (e.g. to facilitate video interviews), insurance providers and legal services providers. Any such third parties will only be permitted to use your personal data for specific purposes in accordance with our instructions and not for their own purposes.

4.5          For reporting and administrative purposes, it may sometimes be necessary to share some of your personal data with other members of our group of companies.

4.6          If a business transfer or change of business ownership takes place or is envisaged, we may transfer your personal data to your prospective new employer. If this happens, we will inform you of this transfer.

4.7          We may transfer the personal data that we collect from you to, and store it at, a destination outside the United Kingdom (UK) or the European Economic Area (EEA) and in countries not recognised by the European Commission or the relevant UK supervisory authority (as appropriate) as providing an adequate level of protection for personal data. If we do transfer your personal data outside the EEA we will ensure that such transfer shall be covered by a framework recognised by the relevant authorities or courts as providing an adequate level of protection for personal data including but not limited to putting in place Standard Contractual Clauses (the agreement in the form annexed to the European Commission's decision of 5 February 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries.

5              HOW LONG DO WE KEEP YOUR PERSONAL DATA?

5.1          Subject to clause 5.2, we will not keep personal data belonging to any unsuccessful applicants for longer than six months after the individual is notified. Applicants have the opportunity to request that we retain their personal data on file for consideration in respect of future positions. We will only do this with your consent and this consent will be valid for 12 months.

5.2          We may indefinitely retain personal data within assessment records for safety critical roles. This is because applicants of safety critical roles who fail assessments may be prevented from reapplying.

5.3          We may retain personal data about you for statistical purposes (such as monitoring equality and diversity in our workplace). However, wherever possible, where data is retained for statistical purposes, it will be anonymised.

5.4          If you would like more detail on the retention of applicant information, please contact us using the details provided in section 7 below.

6              COOKIES

6.1          The Website uses cookies. Cookies are text files containing small amounts of information which are downloaded to your personal computer, mobile or other device when you visit a website. For more information, please see our Cookies Policy.

7              WHAT ARE YOUR RIGHTS?

7.1          It is important that the information we hold about you is accurate and up to date. If you think any of the personal data we hold about you is inaccurate or incomplete, please use the tools provided on the recruitment platform used to submit your application to update such details. Should you have any problems with this you should let us know as soon as possible.

7.2          We hope that this Privacy Notice will provide you with the information you need about what personal data we are processing about you, why it is being processed, what we are using it for and how long it will be retained for. However, you have the right to access the personal data we hold about you by making a subject access request.

7.3          In some circumstances (e.g. if you think we are unnecessarily processing personal data about you), you may be able to ask us to erase your personal data, or to stop or restrict the processing your personal data.

7.4          You have the right to object to automated decision-making. This is where a decision, which produces legal effects or similarly significantly affects you, has been based solely on automated processing (including profiling). You have the right to request human intervention to review the decision.

7.5          If we make an automated decision on the basis of any particularly sensitive personal information, we must have either your explicit written consent or it must be justified in the public interest, and we must also put in place appropriate measures to safeguard your rights.

7.6          For more information on your rights and how to use them, or if you would like to exercise any of your rights, please contact us using the details set out in section 7 below.

8              WHO CAN YOU ASK FOR MORE INFORMATION?

8.1          FirstGroup plc (and its subsidiaries or associated entities) are data controllers, because we collect personal data about you and determine how and why it will be used. Our contact details are: post: FAO Data Protection Officer, 8th Floor, The Point, 37 North Wharf Road, London W2 1AF; tel: +44 (0)1224 650100; or email: DPO@firstgroup.co.uk.

8.2          We have appointed Christy Baker as the FirstGroup Data Protection Officer and Beth Sharratt as the Deputy Data Protection Officer. They are responsible for our approach to data protection and protecting your privacy. You can contact them at DPO@firstgroup.co.uk.

8.3          If you are unsatisfied with our response to any data protection issues you raise with us or the Data Protection Officers, you have the right to make a complaint to the Information Commissioner’s Office (ICO). The ICO is the authority in the UK which is tasked with the protection of personal data and privacy.

Schedule 1

   
TYPE OF PERSONAL DATA    
   
WHAT IT MAY BE USED FOR    

Personal contact details such as name, title, address, telephone numbers and email address

To contact you during the recruitment process. If you are successful, these contact details will be used to populate your HR records.

Date of birth

For equal opportunity monitoring and reporting, to ensure compliance with our legal obligations

Gender

For equal opportunity monitoring and reporting, and to ensure compliance with our legal obligations

Government identification numbers (e.g. social security, national insurance, driver’s license, passport)

To verify your identity and to comply with our legal obligations

Education, qualifications, and training records

To ensure you have the correct qualifications and skills to perform the role you have applied for

Professional membership records

To ensure you have the relevant memberships required or desirable in order to perform the role you have applied for

References, CVs, cover letters and work history

To ensure and evidence your suitability for the role you have applied for

Proof of work eligibility e.g. passport, birth certificate, biometric residence permit

To ensure you have the right to work in the UK

Criminal records checks

To ensure and evidence your suitability for the role you have applied for

Race, nationality, or ethnic origin and religious or philosophical beliefs

For equal opportunity monitoring and reporting, and to ensure compliance with our legal obligations

Sexual orientation

For equal opportunity monitoring and reporting, and to ensure compliance with our legal obligations

Health records

To ensure suitability for certain safety critical roles and to ensure employee safety in the workplace and to provide appropriate workplace adjustments

Location data (e.g. records of entry and exit to the building and, in case of emergency, fire evacuation)

To ensure that, in case of emergency, all parties within the building have been safely evacuated

CCTV footage (e.g. when attending the premises for interviews or assessments)

To ensure building security and safety (e.g. to investigate any reports of incidents)

Technical data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.

To use data analytics to improve the Website, services, candidate relationships and experiences

Please note that, in the event of a dispute between us and you, any of the information set out above may be used to establish and defend a legal claim.