{{org_field_logo}}
{{org_field_name}}
Registration Number: {{org_field_registration_no}}
Candidate Confidentiality and Data Handling Policy
{{org_field_name}}
1. Purpose
The purpose of this policy is to establish clear, legally compliant, and effective guidance for the collection, use, storage, sharing, and disposal of candidate information processed by {{org_field_name}} during recruitment, placement, and employment activities. This policy ensures that candidates’ personal and sensitive data is handled in accordance with the Data Protection Act 2018, the UK General Data Protection Regulation (UK GDPR), the Employment Practices Code, and other applicable legislation, including the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014. It is essential to maintain confidentiality and integrity in handling candidate data, as this underpins public confidence, ensures compliance with professional and regulatory standards, and protects the rights of individuals whose data is held by the agency.
2. Scope
This policy applies to:
- All registered nurses, healthcare assistants (HCAs), support workers, and other candidates applying for positions through {{org_field_name}}
- All employees, directors, and temporary staff involved in the recruitment, onboarding, compliance, and placement of candidates
- All personal and sensitive information collected, processed, stored, shared, or disposed of by {{org_field_name}} regarding candidates
The policy applies throughout the entire candidate relationship, from initial enquiry and application through to placement, employment, and retention of records.
3. Related Policies
- Data Protection and Confidentiality Policy
- Recruitment Policy
- Safeguarding Adults and Children Policy
- Whistleblowing Policy
- Complaints Policy
- Disciplinary Policy
4. Policy Statement
{{org_field_name}} is committed to respecting and protecting the privacy, confidentiality, and data rights of all candidates. We will process all personal information fairly, lawfully, and transparently, ensuring that data is:
- Collected for specific, explicit, and legitimate purposes
- Processed securely and in accordance with the law
- Accurate and kept up to date
- Retained only for as long as necessary
- Accessed only by authorised persons
- Disposed of safely when no longer required
The Director will ensure this policy is implemented effectively and will oversee the management of candidate data throughout the recruitment and placement process.
5. Definitions
Personal Data: Any information relating to an identified or identifiable individual (e.g., name, address, contact details, employment history).
Special Category Data: Sensitive personal data including health information, ethnicity, criminal record information, and other protected data categories.
Data Subject: The individual to whom the personal data relates (in this context, the candidate).
Data Controller: {{org_field_name}}, which determines the purposes and means of processing personal data.
Data Processor: Any party processing personal data on behalf of {{org_field_name}}.
6. Responsibilities
Director
The Director is responsible for:
- Ensuring full compliance with the Data Protection Act 2018 and UK GDPR
- Reviewing and updating this policy annually
- Ensuring that appropriate procedures and safeguards are in place for handling candidate information
- Ensuring that all staff handling candidate data receive appropriate training
- Managing data protection incidents, breaches, and complaints
- Overseeing audits of data processing activities
All Staff
All employees and workers of {{org_field_name}} involved in recruitment, placement, or data processing are responsible for:
- Complying fully with this policy
- Ensuring all candidate information is treated as confidential
- Collecting, processing, sharing, and storing data lawfully and securely
- Reporting suspected data breaches immediately to the Director
- Only accessing candidate information where necessary for legitimate business purposes
7. Types of Candidate Data Collected
{{org_field_name}} collects and processes the following data for recruitment and employment purposes:
- Personal identification details (name, date of birth, contact information)
- Proof of right to work in the UK
- Employment history and references
- Professional registration details (e.g., NMC PIN)
- Training records and qualifications
- Criminal record checks (Disclosure and Barring Service certificates)
- Occupational health information
- Equal opportunities monitoring information (where collected)
- Bank details and payment information
- Correspondence and records of communication
All data is collected for legitimate purposes directly related to recruitment, placement, and employment obligations.
8. Lawful Basis for Processing
Candidate data is processed under the following lawful bases:
- Consent (where applicable)
- The performance of a contract, or taking steps at the request of the candidate prior to entering into a contract
- Legal obligations (e.g., employment law, safeguarding)
- Legitimate interests pursued by {{org_field_name}} to operate an effective recruitment and placement service
Special category data is processed under Article 9(2) of the UK GDPR, for purposes such as employment, social protection, occupational health, or safeguarding.
9. Confidentiality
All candidate data is strictly confidential. Staff must:
- Not share candidate data outside of {{org_field_name}} unless there is a lawful and justified reason
- Only share data with authorised persons, including client organisations, for placement purposes
- Ensure information is shared securely (e.g., encrypted emails, secure portals)
- Avoid discussing candidate data in public areas or with unauthorised persons
Any breach of confidentiality will be treated seriously and may result in disciplinary action.
10. Data Sharing
Candidate data will only be shared with:
- Client organisations for placement suitability assessments
- Disclosure and Barring Service (DBS) for criminal record checks
- Training providers for course enrolment
- Occupational health services where appropriate
- Statutory bodies (e.g., CQC, HMRC) when legally required
Candidates will be informed about data sharing arrangements and, where necessary, their consent will be obtained.
11. Data Storage
Candidate information will be stored:
- Electronically on secure, password-protected systems
- In locked filing cabinets where paper records are used
- In line with the Data Protection Act 2018 and UK GDPR
Only authorised staff will have access to candidate records.
12. Data Retention
Data will be retained:
- For the duration of the candidate’s relationship with {{org_field_name}}
- For six years following the candidate’s last placement, unless otherwise required by law
- For shorter periods where data is deemed no longer necessary
Upon expiry of retention periods, data will be securely deleted or destroyed.
13. Candidate Rights
Under the UK GDPR, candidates have the following rights:
- The right to be informed about how their data is used
- The right of access to their data (Subject Access Request)
- The right to rectification of inaccurate data
- The right to erasure (where applicable)
- The right to restrict processing in certain circumstances
- The right to data portability (where applicable)
- The right to object to processing
Requests relating to these rights must be submitted to the Director and will be responded to within the statutory timeframe.
14. Training
All staff will receive:
- Data protection and confidentiality training during induction
- Annual refresher training
- Additional training if required following incidents or updates to legislation
The Director will ensure training remains current and relevant.
15. Data Breach Management
A data breach is any incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. All suspected or confirmed breaches must be reported immediately to the Director. The Director will:
- Investigate and assess the severity of the breach
- Notify affected data subjects where required
- Report the breach to the Information Commissioner’s Office (ICO) within 72 hours if necessary
- Implement corrective actions to prevent recurrence
- Record the incident in the organisation’s data breach log
16. Governance and Quality Assurance
The Director will:
- Conduct annual audits of data handling and confidentiality compliance
- Investigate and address data handling incidents or complaints
- Maintain records of staff training and awareness
- Monitor compliance with this policy and all applicable data protection laws
17. Director’s Oversight
The Director is responsible for:
- Ensuring that this policy is implemented effectively
- Overseeing all matters relating to data protection and confidentiality
- Ensuring that data processing practices remain aligned with legal, regulatory, and best practice requirements
- Promoting a culture of confidentiality and data protection among all staff
18. Policy Review
This policy will be reviewed annually by the Director or sooner if required due to legislative changes, guidance updates, or following a significant data protection incident.
Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on: {{last_update_date}}
Next Review Date: {{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.