Privacy Policy
1.1 We take your privacy seriously. This policy documents your privacy rights and how we gather, use and share personal data about you during the recruitment process, in accordance with the Data Protection Act 2018 and the General Data Protection Regulation (EU) 2016/679, as well as other data protection and privacy laws and separate UK data protection law as may be updated or replaced from time to time.
1.2 It is important that you read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal data about you, so that you are aware of how and why we are using such information. We will update this notice if we make any significant changes affecting how we use your personal data, and if so we will contact you to let you know about the change.
2 About us
2.1 We are what is known as the 'controller' of personal data we gather and use. When we say 'we', 'us' or the 'Scottish FA' in this notice, we mean The Scottish Football Association Limited.
2.2 All references to the Scottish FA will include the following subsidiary companies: i) Hampden Park Limited; ii) The National Stadium Sports Medicine Centre (trading as Hampden Sports Clinic); and iii) The Scottish Football Association Museum Trust (trading as the Scottish Football Museum).
2.3 This notice shall not form part of any employment contract which you may enter into with us, and we reserve the right to amend this notice at any time.
2.4 We use Pinpoint, an online software product provided by The Infuse Group Ltd (t/a Pinpoint Software), to assist with our recruitment process. We use Pinpoint to process personal information as a data processor on our behalf. Pinpoint is only entitled to process your personal data in accordance with our instructions.
3 Your Privacy Rights
1.1 You have various rights in respect of the personal data we hold about you – these are set out in more detail below. If you wish to exercise any of these rights, please contact dpo@scottishfa.co.uk. You will generally not be charged a fee to exercise any of your rights over your personal data.
1.1.1 Right to object: You can object to our processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.
1.1.2 Access to your personal data: You can request access to a copy of your personal data that we hold, along with information on what personal data we use, why we use it, who we share it with, how long we keep it for and whether it has been used for any automated decision making.
1.1.3 Consent: Most of the time, we won't need your consent to use your personal data as we will be using it only to fulfil our obligations and exercise our rights as an employer. If you have given us your consent to use personal data, you can withdraw your consent at any time.
1.1.4 Rectification: You can ask us to change or complete any inaccurate or incomplete personal data held about you.
1.1.5 Erasure: You can ask us to delete your personal data where it is no longer necessary for us to use it, you have withdrawn consent, or where we have no lawful basis for keeping it.
1.1.6 Portability: You can ask us to provide you or a third party with some of the personal data that we hold about you in a structured, commonly used, electronic form, so it can be easily transferred.
1.1.7 Restriction: You can ask us to restrict the personal data we use about you where you have asked for it to be erased or where you have objected to our use of it.
1.1.8 No automated-decision making: You have the right not to be subject to automated decisions that will create legal effects or have a similar significant impact on you. We do not currently carry out automated decision-making in the course of you working with us, but we will notify you in advance if this changes.
1.2 You can make a complaint to us by contacting us by email to dpo@scottishfa.co.uk or, if you are unsatisfied with our response, to the data protection supervisory authority – in the UK, this is the Information Commissioner's Office, at https://ico.org.uk/.
4 What Kinds of Personal Data We Use
4.1 We will collect various categories of personal data during the course of the recruitment process.
4.2 Up to and including the stage of the recruitment process at which we shortlist candidates for interview, we will collect, store, and use the following categories of personal data about you:
· personal contact details such as name, title, home addresses, telephone numbers, and personal email addresses;
· date of birth;
· details of your qualifications, experience, employment history (including job titles, current salary and working hours) and interests;
· information about any of your criminal convictions and offences;
· information about your race or ethnicity, religious beliefs, sexual orientation and political opinions;
· gender;
· details of your referees; and
· any other information contained within your CV or cover letter or gathered as part of the recruitment process.
4.3 After the shortlisting stage, we may collect, store, and use the following additional categories of personal data about you. Any offer which we make may be conditional on your provision of such requested information:
· identification information (including a copy of driving licence, passport and utility bills);
· your nationality and immigration status and information from related documents, such as your passport or other identification and immigration information
· information about your previous academic and/or employment history from references obtained about you from previous employers and/or education providers;
· information contained in any third party references provided to us about you;
· information regarding your academic and professional qualifications;
· information regarding your performance in respect of any psychometric testing or other assessments which may be used throughout the recruitment process; and
· information about any of your criminal convictions and offences (including information obtained through Disclosure Scotland or other third party disclosure providers).
4.4 Some kinds of personal data are given special protection by the law – these are called 'special category' personal data. We will sometimes collect, store and use the following types of 'special category' personal data as part of the recruitment process:
· information about your race or ethnicity, religious beliefs, sexual orientation and political opinions; and
· information about any of your criminal convictions and offences (from, for example, Disclosure Scotland or other third party disclosure providers).
5 How We Gather your Personal Data
We will obtain your personal data in different ways:
· directly from you, when you send us your CV or cover letter, or when you otherwise apply for a job with us (either in response to an advertisement or speculatively);
· from an employment agency which has applied for a role with us on your behalf;
· your referee(s) (including former employers where relevant);
· from any references provided to us from your current or previous employers, or other third party organisations;
· through your completion of any psychometric tests that we use to evaluate your skills and suitability for a role; and
· a background check provider (including Disclosure Scotland or other third party disclosure providers).
· Pinpoint provides us with the facility to link the data you provide to us with other publicly available information about you that you have published on the Internet – this may include sources such as LinkedIn and other social media profiles.
· Pinpoint’s technology enables us to search various databases, which may include your personal data, to find possible candidates to fill our job openings. Where we find you in this way we will obtain your personal data from these sources.
6 How We Use your Personal Data and the Legal Basis
6.1 We only use your personal data where it is permitted by the laws that protect your privacy rights.
6.2 The legal bases and purposes for processing your personal data during our recruitment process are:
· To consider your application in respect of a role for which you have applied.
· To consider your application in respect of other roles.
· To communicate with you in respect of the recruitment process.
· To enhance any information that we receive from you with information obtained from third party data providers.
· To find appropriate candidates to fill our job openings.
· to take steps to enter into an employment contract with you;
· for compliance with a legal obligation (e.g. our obligation to check that you are eligible to work in the United Kingdom);
· for the performance of a task carried out in the public interest;
· for the purposes of our legitimate interests, but only if these are not overridden by your interests, rights or freedoms (for example, assessing your suitability for the relevant role for which we are recruiting, whilst ensuring that any personal data obtained is held securely); and
· To help Pinpoint improve their services.
6.3 We seek to ensure that our collection and processing of your personal data is always proportionate.
6.4 We do not need your consent to use your personal data where the law otherwise allows us to use it. In limited circumstances, we may approach you for your consent to allow us to process certain personal data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can consider whether to give your consent. You have no obligation to give consent if you are asked for it, and if you do give consent you may withdraw it at any time.
7 How We Use Particularly Sensitive Personal Data
7.1 Special protection is given to certain kinds of personal data that is particularly sensitive. This is information about your health status, racial or ethnic origin, political views, religious or similar beliefs, sex life or sexual orientation, genetic or biometric identifiers, trade union membership and any criminal convictions.
7.2 We shall process special categories of personal data about you for the following key purposes:
· where necessary in the establishment, exercise or defence of legal claims (for example, in the context of an employment tribunal case or a personal injury claim); and
· for reasons of substantial public interest (for example, where such processing is required to monitor equal opportunities in accordance with our obligations in the Equality Act 2010).
7.3 We may also be required to process information about any criminal convictions you may have when conducting background checks from Disclosure Scotland or other third party disclosure providers, to ensure that individuals in certain roles do not have any criminal convictions).
8 If You Fail to Provide Personal Data
In some cases, if you fail to provide personal data when requested, we may not be able to progress your application further or enter into a contract of employment with you.
9 Sharing your Personal Data With Others
9.1 We will share your personal data with third parties where required by law, where it is necessary to administer the recruitment process, to allow us to enter into an employment relationship with you, or where we or the third party has a legitimate interest and it is fair and reasonable in the circumstances to share the information. We will only share your personal data to the extent needed for those purposes.
9.2 We may share your personal data for these purposes with:
· HR and recruitment consultants, and other relevant professional advisers (including those of any partner organisations where the partner organisations are assisting in the shortlisting and/or interview process);
· government and regulatory bodies such as Police Scotland, where we have a legal obligation to do so (such as to comply with our statutory audit obligations or for the prevention and detection of crime); and
· external background check providers (including Disclosure Scotland or other third party disclosure providers).
9.3 Where possible, your personal data will be anonymised but this may not always be possible. The recipient of the information will be bound by confidentiality obligations.
10 Data Retention
10.1 We keep the personal information that we obtain about you during the recruitment process for no longer than is necessary for the purposes for which it is processed. How long we keep your information will depend on whether your application is successful and you become employed by us, the nature of the information concerned and the purposes for which it is processed.
10.2 We will keep recruitment information (including interview notes) for no longer than is reasonable, taking into account the limitation periods for potential legal claims such as race or sex discrimination, after which they will be destroyed.
10.3 If your application is successful, we will keep only the recruitment information that is necessary in relation to your employment. Upon entering into a contract of employment with us, our use of your personal data will be set out in our Employee Privacy Notice.
11 Keeping your personal data secure
11.1 We have appropriate security measures in place to prevent personal data from being accidentally lost, or used or accessed in an unauthorised way. We limit access to your personal data to those who are part of the recruitment process or otherwise have a genuine business need to know it. Those processing your personal data will do so only in an authorised manner and are subject to a duty of confidentiality.
11.2 We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
11.3 The data that we collect from you and process using Pinpoint’s Services will be transferred to and stored at one of several datacentre locations in Amsterdam (Netherlands) and may be synchronised to one of several datacentre locations in London (United Kingdom) for backup and redundancy purposes. By submitting your personal data, you agree to this transfer, storing or processing.
12 Transfers Outside the UK
12.1 We may need to transfer your personal data outside the UK to our owner or other group companies or to other service providers, agents, subcontractors and regulatory authorities in countries where data protection laws may not provide the same level of protection as those in the European Economic Area.
12.2 We will only transfer your personal data outside the EEA where either:
(a) the transfer is to a country which the EU Commission has decided ensures an adequate level of protection for your personal data. Some US providers may also be certified under the EU-US Privacy Shield which confirms they have appropriate measures in place to ensure the protection of your data; or
(b) we have put in place our own measures to ensure adequate security as required by data protection law. These measures include ensuring that your personal data is kept safe by carrying out strict security checks on our overseas partners and suppliers, backed by strong contractual undertakings approved by the relevant regulators such as the EU style model clauses.
13 Right to Complain
You can make a complaint to us about how we handle and use your personal data by first contacting us at dpo@scottishfa.co.uk and then if not satisfied, to the data protection supervisory authority – in the UK, this is the Information Commissioner's Office, at https://ico.org.uk/.
How to complain
We hope that we can resolve any query or concern you raise about our use of your information.
The General Data Protection Regulation also gives you right to lodge a complaint with a supervisory authority, in particular in the European Union (or European Economic Area) state where you work, normally live or where any alleged infringement of data protection laws occurred.