Candidate Privacy Statement

This candidate privacy statement explains how we, Broadstone[1], collect, use and protect the personal information of candidates’ information gathered via this website and processed using our online application software.

As defined by the Data Protection Act 2018 and the UK General Data Protection Regulation (DPA & UK GDPR) Broadstone is the Data Controller and ultimately responsible for ensuring the data you provide is kept secure, processed correctly and that you understand your legal rights in relation to the data you provide. As part of our Data Controller responsibilities we have an assigned Privacy Officer who can be contacted at privacy@broadstone.co.uk

The online application software we use via this website is supplied by Sage People Limited (trading as Sage People) and they are defined as a Data Processor under the DPA & UK GDPR. They will only process your data in accordance with our instructions. Sage People can be contacted at: C23 – 5 & 6 Cobalt Park Way, Cobalt Park, Newcastle Upon Tyne, Tyne & Wear, NE28 9EJ. The Data Protection Officer for Sage People can be contacted at globalprivacy@sage.com

What personal data do we collect and how?

If you as a candidate choose to submit information, you do so knowing that use of such data is in accordance with this privacy statement.

Information provided directly: The online application software collects only personally identifiable information that is specifically and voluntarily provided by candidates. As part of the registration process, we may collect the following (but not limited to):

  • Name, address, email, telephone number
  • CV (where applicable)
  • Answers to questions around your recruitment preferences
  • Any other information you wish to provide in support of building your candidate profile

Information collected automatically: When you use our website and our online application system, we may collect certain information automatically, such as your IP address, browser type, and device information. This information is generally used for technical administration and website analytics.

Information from third parties: We may collect information about you from third parties, such as recruitment agencies, background check providers (with your consent where required).

Disclosure and Barring Service (DBS) Check Information (where applicable): Certain roles, may require a Basic or Standard DBS check. This pre-requisite will always be stipulated in the job advertisement and therefore prior to your application. In these cases, you will liaise directly with a third-party specialist who will collect the information required to conduct the check, including details about your criminal history (if any). This will only be requested where legally permissible and with your explicit consent.

How will we use your personal data?

We use your personal information for the following purposes related to your job application:

Recruitment and selection: Processing your application, assessing your suitability for the role, conducting interviews, and making selection decisions.

Communication: Contacting you regarding your application, scheduling interviews, and providing updates on the recruitment process.

Legal compliance: Complying with legal obligations, such as right-to-work checks.

Improving our recruitment process: Analysing application data to improve our recruitment strategies and identify areas for improvement.

Background checks (where applicable and with your consent): Conducting background checks, Basic and Standard DBS checks, where necessary and permitted by law, and only with your explicit consent. We will only collect and process information about your criminal history if it is relevant to the role and we are legally obligated to do so.

What is the lawful basis for processing?

The Data Protection Act 2018 and the UK General Data Protection Regulation (DPA & UK GDPR) requires a valid legal basis for Broadstone to process your personal data. For the purposes of processing candidate applications, we consider the following:

Legal obligation: We are required to process your information to comply with legal obligations.

Legitimate interests: We process your information for our legitimate interests in recruiting and selecting qualified candidates. We take care to ensure these interests do not override your rights and freedoms.

Contract: where candidates are successful in the application, processing personal data is necessary for entering an employment contract.

Consent: We may process your information based on your explicit consent, such as for background checks, including DBS checks. You have the right to withdraw your consent at any time.

How do we keep your personal data secure?

We have in place reasonable commercial standards of technology and operational security along with internal policies and procedures to protect all information provided by candidates and applicants from loss, misuse, alteration or destruction. Only authorised personnel have access to personally identifiable information submitted through the website. Such employees are required to maintain the confidentiality of this sensitive data.

How long will personal data be kept for?

Your candidate account will be deactivated after 12 months of inactivity. You can deactivate your account at any time. At the same time as this, your data will be fully anonymised.

Who do we share your personal data with?

It may be necessary to share your personal data with:

Our employees: relevant employees in the recruitment process.

Third-party service providers: companies that provide services to us, such as recruitment agencies, background check providers (including those facilitating DBS checks), IT support, and cloud storage providers. We ensure that these providers have appropriate data protection measures in place.

Legal authorities: we may disclose your information to legal authorities if required by law or legal process.

Background Checks

Some security-sensitive positions will require a Basic or Standard DBS check. This pre-requisite will always be stipulated in the job advertisement and therefore prior to your application.

Where completion of a DBS check or basic disclosure is a condition of offer of employment or is required by law, we will provide you with our “Staff Privacy Notice Appendix: DBS Checks” and any other relevant information which explains how we will handle and protect your data. This will be made available to you at the point of requesting you to complete a DBS application form or when we ask for your consent to use your information to access any service the DBS provides.

What right do individuals have?

You have the following rights in relation to the way in which we deal with your personal data:

  • the right of erasure or to be forgotten: you can request the deletion of your personal data when it is no longer necessary for the purposes for which it was collected, or if you withdraw your consent;
  • the right to rectification: you can ask us to update your personal if it is inaccurate or out of date;
  • the right of data portability: you can obtain and reuse your personal data for your own purposes across different services. This allows you to move, copy, or transfer your data easily;
  • the right to object to the Data Controller’s and/or Data Processor’s handling of your personal data in certain circumstances;
  • the right to withdraw your consent with regard to the handling of your personal data;
  • you have the right to request a copy of the information we hold about you (Subject Access Request); and
  • you have the right to lodge a complaint:  If you believe your data protection rights have been violated, you have the right to lodge a complaint with the supervisory authority.

We are dedicated to providing reasonable access to candidates who wish to review the personal information retained when they apply via our website and correct any inaccuracies it may contain. Candidates who choose to register may access their profile, correct and update their details, or withdraw their details at any time. To do this, candidates can access their personal profile by using their secure login. In all cases we will treat requests to access information or change information in accordance with applicable legal requirements.

Where you exercise your right to object or withdraw your consent, we may continue to process your personal data where we are permitted or required by law or regulatory requirements to do so. In such a case, we will not process more personal data than is required under the circumstances.

If you would like further information in relation to these or would like to exercise any of them, please contact us by email at privacy@broadstone.co.uk at any time.

Complaints

We aim to meet the highest standards when collecting and using your personal data. If you have any queries or complaints about our collection, use or storage of your personal information, or if you wish to exercise any of your rights in relation to your personal information, please contact 020 3869 6900 or privacy@broadstone.co.uk.  We will investigate and attempt to resolve any such complaint or dispute regarding the use or processing of your personal information.

You may also make a complaint to the data protection authority. In the UK, the relevant supervisory authority is the Information Commissioner’s Office (‘ICO’). Information on how to lodge a complaint can be found on the ICO’s website www.ico.org.uk/concerns.  Alternatively, you may seek a remedy through local courts if you believe your rights have been breached.

Changes to our Privacy Statement

We keep this privacy statement under regular review and place any updates on our website. This privacy notice was last updated on 1st March 2025.

[1] Broadstone is the trading name of Broadstone Consultants & Actuaries Limited (07165366), Broadstone Corporate Benefits Limited (07978187), Broadstone Financial Solutions Limited (02131269), Broadstone Pensions Limited (06321397) and Broadstone Regulatory & Risk Advisory Limited (04663795) each with registered office at 100 Wood Street, London, England, EC2V 7AN.