Fair processing notice: Job applicants, current and former employees

2 October 2024

This privacy notice describes how we collect and use personal information about you before, during and after your working relationship with us. It applies to applicants and contracted employees, including work experience candidates, interns, and non-executives.

Other individuals working for AAT as contractors, whether self-employed or through an agency, should refer to our fair processing notice for organisations with whom we have a working relationship.

The data we collect about you

We collect and process a range of data about you. This may include:

  • personal contact details such as name, title, addresses, telephone numbers, and personal email addresses
  • date of birth
  • gender
  • marital status and dependants
  • next of kin and emergency contact information
  • National Insurance number
  • bank account details, payroll records and tax status information
  • salary, annual leave, pension, and benefits information
  • start date
  • location of employment or workplace
  • copy of driving licence
  • copies of right to work documentation
  • recruitment information (including references, qualifications, selection exercises, background checks, occupational health screening and other information included in a CV or cover letter or as part of the application process
  • employment records (including job titles, work history, working hours, training records and professional memberships and any other changes to your employment terms and conditions)
  • details of periods of leave including holiday, sickness absence, family leave and unpaid leave
  • details of attendance management processes and related correspondence
  • compensation history
  • performance information
  • disciplinary and grievance information including informal discussions and mediation
  • information obtained through electronic means such as swipecard records
  • information about your use of our information and communications systems
  • profile information: information you choose to add to system profiles or share with colleagues such as skills and expertise, schools and education, and interests and hobbies
  • photographs.

We may also collect, store, and use the following "special categories" of more sensitive personal information:

  • information about your gender identity, nationality, race or ethnicity, religious beliefs, sexual orientation, and political opinions
  • trade union membership
  • information about your health, including any medical condition, disability status, risk assessments and health and sickness records
  • information about criminal convictions and offences – our reference agency would tell us the nature of any convictions. For some roles, for example finance, we also check credit scores so will also receive information regarding CCJs.

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.

What we do with your data and on what grounds

We will only use your personal information when the law allows us to. Most commonly, we will use your personal information where:

  • we need to perform the contract into which we've entered with you (or take steps before entering into a contract with you)
  • we need to comply with a legal obligation, such as providing information to HMRC
  • it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

We may also use your personal information in the following situations, which are likely to be rare:

  • where we need to protect your vital interests (or someone else’s vital interests)
  • where it is needed in the public interest or for official purposes.

Situations in which we will use your personal information

We need all the categories of information in the list above primarily to allow us to perform our contract with you and to enable us to comply with legal obligations.

In some cases, we may use your personal information to pursue legitimate interests of our own or those of third parties, provided your interests and fundamental rights do not override those interests.

Where the reasons for processing data are necessary for the purposes of the legitimate interests pursued by AAT or by a third party, for example to put in place monitoring to prevent adverse incidents and reporting on employee retention and engagement, we will always ensure that our interest or that of the third party is not overridden by your interests or fundamental rights and freedoms which require protection of personal data.

The reasons which we may have to process your data are as follows. Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information under these headings.

Purpose/activityLawful basis for processing including basis of legitimate interest
Making a decision about your recruitment or appointment

Performance of a contract with you

To comply with our legal obligations

With regards to special category personal data - Article 9(2)(b) Employment, social security, and social protection (where authorised by law) – In reliance of Schedule 1 (Part1)(1) of the Data Protection Act 2018

With regards to criminal convictions and proceedings - schedule 1 (Part2)(11) of the Data Protection Act 2018 (Protecting the public against dishonesty etc) and schedule 1 (Part2)(12) - Regulatory requirements relating to unlawful acts and dishonesty etc)

Making decisions about your continued employment or engagement

Performance of a contract with you

To comply with our legal obligations

With regards to special category personal data - Article 9(2)(b) Employment, social security, and social protection (where authorised by law) – In reliance of Schedule 1 (Part1)(1) of the Data Protection Act 2018

With regards to criminal convictions and proceedings - schedule 1 (Part2)(11) of the Data Protection Act 2018 (Protecting the public against dishonesty etc) and schedule 1 (Part2)(12) - Regulatory requirements relating to unlawful acts and dishonesty etc)

Ascertaining your fitness to work

Performance of a contract with you

To comply with our legal obligations

With regards to special category personal data - Article 9(2)(b) Employment, social security, and social protection (where authorised by law) – In reliance of Schedule 1 (Part1)(1) of the Data Protection Act 2018

With regards to criminal convictions and proceedings - schedule 1 (Part2)(11) of the Data Protection Act 2018 (Protecting the public against dishonesty etc) and schedule 1 (Part2)(12) - Regulatory requirements relating to unlawful acts and dishonesty etc)

Managing sickness absence

Performance of a contract with you

To comply with our legal obligations

With regards to special category personal data - Article 9(2)(b) Employment, social security, and social protection (where authorised by law) – In reliance of Schedule 1 (Part1)(1) of the Data Protection Act 2018

With regards to criminal convictions and proceedings - schedule 1 (Part2)(11) of the Data Protection Act 2018 (Protecting the public against dishonesty etc) and schedule 1 (Part2)(12) - Regulatory requirements relating to unlawful acts and dishonesty etc)

Determining the terms on which you work for usPerformance of a contract with you
Conducting probation and performance reviews, managing performance, and determining performance requirementsPerformance of a contract with you
Making decisions about salary reviews and compensationPerformance of a contract with you
Assessing qualifications for a particular job or task, including decisions about promotionsPerformance of a contract with you
Education, training, and development requirementsPerformance of a contract with you
Managing the termination of our working relationshipPerformance of a contract with you
Providing requested referencesPerformance of a contract with you
Liaising with your pension provider and pension administration such as amount of contributionsPerformance of a contract with you
Checking you are legally entitled to work in the UK

Performance of a contract with you

To comply with our legal obligations

Paying you and, if you are an employee, deducting tax and National Insurance contributions

Performance of a contract with you

To comply with our legal obligations

Administering the contract we have entered into with you including processing data to allow you to exercise contractual and statutory rights, such as the right to holiday or parental leave

Performance of a contract with you

To comply with our legal obligations

Applying our grievance or disciplinary procedures

Performance of a contract with you

To comply with our legal obligations

Complying with legislation and dealing with legal disputes involving you, or other employees, workers and contractors, including accidents at work

Performance of a contract with you

To comply with our legal obligations

Preventing fraud

Performance of a contract with you

To comply with our legal obligations

Complying with health and safety obligations

Performance of a contract with you

To comply with our legal obligations

Providing benefits to you, including:

pension scheme

childcare vouchers

season ticket loan

health cash plan

critical illness cover

life assurance protection

income protection

cycle to work scheme

Performance of a contract with you

Providers of these benefits are data controllers in their own right; they will also make their terms of service available and maintain their own privacy notice. These organisations have separate duties to you and your relationship with them may continue beyond your term of service with us.

Maintaining a record of your emergency contact in case you have an accident or become seriously ill at work, or if we have been unable to make contact with you as planned

Necessary for our legitimate interests as a responsible employer

Necessary for the legitimate interests of you and your emergency contact

Business management and planning, including accounting and auditing

Necessary for our legitimate interests (for running our business)

To comply with our legal obligations

To monitor your use of our information and communication systems to ensure compliance with organisational policiesNecessary for our legitimate interests (for running our business, preventing disruption and maintaining security)
To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distributionNecessary for our legitimate interests (for running our business, preventing disruption and maintaining security)
To conduct data analytics studies to review and better understand employee retention and attrition ratesNecessary for our legitimate interests (for running our business, preventing disruption and maintaining security)
Collection and processing of special category data to support equal opportunities monitoring

Your explicit consent

Except senior roles whereby Schedule 1 (Part2)(9) of the Data Protection Act 2018 (Racial and ethnic diversity at senior levels of organisations) applies

System profile information provided voluntarily to inform colleagues of your skills, experience, and hobbies to promote team workingYour consent
Equal opportunities monitoring and reporting

Our legitimate interests to ensure equal opportunities in relation to monitoring

Reporting: Not applicable – data anonymised

If you fail to provide personal information

If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers). In certain circumstances this may prevent us from continuing to employ you and lead to your employment contract being terminated.

How we use particularly sensitive personal information

“Special categories” of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the following limited circumstances:

  • with your explicit written consent. If we need your consent, we will contact you about this
  • where it is authorised by law in the area of employment, social security and social protection, such as:
    • for equal opportunities monitoring or in relation to our occupational pension scheme, and in line with our data protection policy
    • where it is needed to assess your working capacity on health grounds, subject to appropriate confidentiality safeguards, for example, so that we can make reasonable adjustments should you have a disability or health condition and/or so that we can exercise specific rights in relation to employment.

Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your vital interests (or someone else’s vital interests) and you are not capable of giving your consent, or where you have already made the information public.

Our obligations as an employer

We will use your particularly sensitive personal information in the following ways.

  • We will use information relating to leaves of absence, which may include sickness absence or family related leave, to comply with employment and other laws.
  • We will use information about your physical or mental health, or disability status, to ensure your health and safety in the workplace and to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits.
  • We will use information about your race or national or ethnic origin, religious, philosophical, or moral beliefs, or your sexual life or sexual orientation and disability status (where provided with your consent), to ensure meaningful equal opportunities monitoring and anonymised reporting and to comply with employment and other laws, for example if you raise concerns about your employment which relate to a protected characteristic.

Your consent

We do not need your consent if we use special categories of your personal information in accordance with our written policy to carry out our legal obligations or exercise specific rights in the field of employment law.

In limited circumstances, we may approach you for your consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information we would like and the reason we need it, so you can carefully consider whether you wish to consent.

You should be aware that, where consent is requested, it is not a condition of your contract with us that you agree to any request for consent from us.

Information about criminal convictions

We may only use information relating to criminal convictions where the law allows us to do so. This will usually be where such processing is necessary to carry out our obligations and provided we do so in line with our data protection policy and the Data Protection Act 2018.

Less commonly, we may use information relating to criminal convictions where it is necessary in relation to legal claims, where it is necessary to protect your vital interests (or someone else’s vital interests) and you are not capable of giving your consent, or where you have already made the information public.

We may also process such information about members or former members of staff in the course of legitimate business activities with the appropriate safeguards.

We envisage that we may hold information about criminal convictions.

Where appropriate, we will collect information about criminal convictions as part of the recruitment process or we may be notified of such information directly by you in the course of you working for us.

We will use information about criminal convictions and offences in the following ways:

  • to assess suitability for a role
  • grounds for termination.

We are allowed to use your personal information in this way to carry out our obligations under article 9 (2)(b) – Employment and Article 10 by virtue of schedule 1 (Part2)(11) of the Data Protection Act 2018 (Protecting the public against dishonesty etc) and schedule 1 (Part2)(12) - Regulatory requirements relating to unlawful acts and dishonesty etc).

Automated decision making

We do not currently, and do not envisage, that any decisions will be taken about you using solely automated means, however we will notify you in writing if this position changes.

Who we share your personal data with

Your information may be shared internally in relation to your employment and business administration. This includes with members of the HR division, your line manager, managers in the business area in which you work and ICT or specialised staff if access to the data is necessary for performance of their roles.

We may have to share your data with third parties that also decide the purposes for processing and act as a data controller. These include:

  • HMRC for tax and employment purposes
  • pension providers
  • occupational health provider for health and screening reviews
  • security check provider for credit checks and criminal records background reports
  • benefits providers
  • training providers and facilitators
  • job centres: for work experience candidates, we’ll advise of completion status.

We will share your personal data with your referees to obtain or provide references for you on your request. We may share your personal data where required to do so for the purposes of the prevention or detection of crime, for audit and taxation purposes or where we are otherwise required to do so by other regulators or by law.

We require third parties to respect the security of your data and to treat it in accordance with the law.

We may transfer your personal information outside the EU subject to appropriate safeguards and GDPR Article 46, including as set out under Our use of data processors.

If we do, you can expect a similar degree of protection in respect of your personal information.

Reasons for sharing your personal information with third parties

We will share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.

Sharing your personal information with other entities in the group

We will share your personal information with other entities in our group as part of our regular reporting activities on company performance, in the context of a business reorganisation or group restructuring exercise, for system maintenance support and hosting of data.

Other third parties

We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business. We may also need to share your personal information with a regulator or to otherwise comply with the law.

Our use of data processors

Where a third party data processor is used, we ensure that they operate under contractual restrictions with regard to confidentiality and security, in addition to their obligations under data protection legislation. This means that they cannot do anything with your personal data unless we have instructed them to do it. They will not share your personal data with any organisation apart from us. They will hold it securely and retain it for the period we instruct.

The following activities are carried out by third-party service providers:

  • HR and recruitment database: an IT system provided under contract by a third party provider and stored in the UK
  • employee survey: facilitated under contract by a third party provider based in the UK
  • online candidate assessments: an IT system provided under contract by a third party provider and stored in the UK
  • processing payroll: a third party provider based in the UK
  • systems used in the course of fulfilling your job role: this includes Office 365 hosted in the UK and other services which may be outside the UK. Where services are within the EEA, transfers are based on the UK adequacy decision of EEA countries. Where services are outside the EEA, we use Standard Contractual Clauses to safeguard such transfers; this includes employee names and email addresses and content uploaded to Workplace (Facebook) which is stored in the US. This international data transfer is protected by the Standard Contractual Clauses we have in place with Facebook.

Where we get your data from

We may collect this information from you and from third parties. Data you provide may be contained in or obtained from:

  • your application forms, CVs or resumes
  • your passport or other identity documents
  • forms completed by you at the start of, or during employment
  • correspondence with you
  • processes linked to employment procedures
  • interviews or other forms of assessment.

Personal data about you collected from third parties may include:

  • references supplied by former employers
  • information from employment background check providers
  • information from criminal records checks
  • information from medical specialists
  • information provided by government organisations and pension providers.

We will collect additional personal information in the course of job-related activities throughout the period of you working for us.

How long we keep your data

Selection documentation is kept for 12 months following your recruitment exercise unless we are required to keep these, subject to any immigration requirements. Details of criminal record checks are deleted once confirmation of the check has been recorded unless the outcome of the check requires consideration, in which case the check would be destroyed six months after any resolution.

In all other cases we will hold your personal data for the duration of your employment, and for six years from the date you cease employment at AAT except where we are required to keep details of your employment conditions, in which case we keep these for 12 years from the date you cease employment at AAT.

If at the disposal date your data is subject to legal proceedings, it will be retained for that purpose. At the end of the retention period your data is securely destroyed.

Transferring your data overseas

We transfer your data overseas only as detailed above with regards to data processors and with appropriate safeguards.

Our use of cookies

The recruitment platform we use, aat.recruitee.com, uses some cookies.

Name of cookiePurposeExpiration
_recruitee_careersStore information about the source (for example LinkedIn) through which the candidate came inAfter the session (after closing the browser)
allow_cookies (placed when visiting your careers site if cookie notice is enabled)Store whether careers site visitor has clicked "accept" on the cookie noticeAfter one year

You can find out more about cookies and how to change your cookie settings in our Cookies policy.

Changes to this privacy notice

We will review this privacy notice regularly and reserve the right to update it from time to time.

Related content