This notice applies to job applicants. Hiscox* collects and processes personal data relating to job applicants as part of any recruitment process. Protecting the privacy and security of your personal information as a job applicant is extremely important to us. We want you to be clear on how your personal information is processed and how we comply with data protection laws.
If you have any questions about this notice, please contact the recruitment team, using the following email address: [email protected].
This privacy notice does not form part of any contract of employment, or other contract to provide services.
Hiscox is committed to protecting your privacy. This notice tells you what personal information we collect, why we need it, how we use it during and after your employment with us and what protections are in place to keep your personal information secure. It also sets out your rights in relation to your personal information.
It is important that you read this notice, and any information notice that we may subsequently provide to you, carefully so that you are aware of how and why we are processing your personal information.
We may update, or otherwise amend, this notice at any time and you will be notified of such amendments.
Hiscox act as data controller in respect of the personal information that we process about you. This means that we are responsible for deciding how we hold and use personal information about you.
We have appointed a Data Protection Officer to oversee Hiscox’s compliance with data protection laws. The contact details of the Data Protection Officer are [email protected]
If you have any questions about this notice, how we handle your personal information or you would like to update the information we hold about you, we strongly encourage you to speak to the recruitment team in the first instance, but if you wish you can also contact the Data Protection Officer.
Your 'personal information' means any information about you from which you can be identified - either by reference to an identifier (for example your name, location data or online identifier (e.g. IP address)) or from factors specific to your physical, cultural or social identity (e.g. your social background, outside interests etc).
It does not include information where the identity has been removed (such as anonymous information).
Hiscox collect and use personal information that you provide for the recruitment process.
The personal information about you that we may collect, store and use includes, but is not limited to, the following categories of information:
General information such as your name, address, contact details (work and personal), date of birth and gender.
Recruitment information such as your right to work documentation, driving licence, references, employment records, salary and benefits history and other information included in a CV or covering letter as part of the application process.
Information collected through personality profiling tests.
Please note that the type of personal information we collect about you will depend to some extent on your circumstances, role and our legal obligations.
Certain 'special categories' of more sensitive personal information (such as information about racial/ ethnic origin, sexual orientation, political opinions, religious/ philosophical beliefs, trade union membership, biometric or genetic data and health data) are given a higher level of protection by data protection laws.
The special categories of more sensitive personal information we may collect, store and use includes, but is not limited to, the following categories of information:
Information about your race or ethnicity and disability
Information about your health, including any medical condition and health and sickness records
We collect your personal information:
From you: we typically collect your personal information directly from you through the application and recruitment process – personal information is contained in application forms, CVs, from your passport or other identity documents, or collected through interviews or other forms of assessment (including personality profile tests).
From third parties: we will only seek information from third parties if we offer you a job, and will inform you that we will be doing this. These third parties include former employers, credit reference agencies, medical officers or other background check agencies and details of those third parties are available from the recruitment team.
The categories of personal information we may collect, store and use from third parties includes, but is not limited to, the following categories of information:
References
Credit details
Occupational health reports
Criminal record check results to the extent allowed by law.
We will only process your personal information when the law allows us to. In most cases, we will process your personal information where it is necessary:
Basis 1 - to take steps before entering, and to enter, into a contract with you
Basis 2 - to comply with legal obligations (e.g. checking a successful applicant's eligibility to work in the country before employment starts)
Basis 3 - for our legitimate interests as a business and as an employer (i.e. recruitment) as a business and as your potential employer – it allows us to manage the recruitment process, assess and confirm a candidate's suitability for employment and decide who to recruit. We may also need to process information from job applicants to respond to and defend legal claims.
We have considered, as we are required to do under the data protections laws, whether our legitimate interests are overridden by job applicants' rights and freedoms, and have concluded that they are not.
We need all the personal information detailed in 2B for making recruitment decisions.
We will only use your personal information for the purposes for which we collected it - unless we reasonably consider that we need to use it for another purpose that is compatible with the original purpose.
We may process special categories of personal information when the law allows us to, which will be in the following situations:
Basis A - Where we need to do so to fulfil our legal obligations or exercise our rights in connection with employment (e.g. for making reasonable adjustments for individuals with a disability where this is required by law)
• Where it is necessary for reasons of substantial public interest (e.g. for equal opportunities monitoring)
Basis B - Where it is needed to assess your working capacity on health grounds (e.g. for an occupational health report), subject to appropriate confidentiality safeguards
Basis C - Where it is necessary in order to establish, exercise or defend a legal claim
Basis D - With your explicit consent, where the processing is voluntary - this will only be in limited circumstances
'Special categories' of particularly sensitive personal information attract higher levels of protection, and we must have specific justification for collecting, storing and using this type of personal information. The only special category data which we may process at the application stage is information about your health/ disability for the purpose of considering if we have an obligation to make reasonable adjustments throughout the recruitment process (Basis A).
At this application stage, we will not seek any information concerning criminal convictions.
We will only seek and rely on your consent where you are fully informed and your consent can be freely given. You should be aware that you do not have to provide your consent and it will not impact on your application for employment with us if you do not consent.
If you do provide your consent to the processing of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. Once we have received notification that you have withdrawn your consent, we will no longer process your information for that purpose. If you wish to withdraw your consent, please contact the recruitment team in the first instance, who will refer to the Data Protection Officer as needed.
Hiscox has security measures in place to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, or inappropriately altered or disclosed. In addition, we limit access to your personal information to those who need to process that information for business reasons. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected information security breach and will notify you and any applicable regulator of a suspected breach as appropriate and in accordance with our legal obligations.
Where this is relevant to their role, your line managers, certain HR professionals, and in some cases certain colleagues (i.e. where necessary to fulfil business requirements) will have access to some of your personal information.
We may share your personal information with third parties, including third party service providers and other Hiscox Group companies in the following situations:
Where required by law
it is necessary to take steps at your request when considering entering into a contract with you where required by law (e.g. to check a successful applicant's eligibility to work in the country)
where we have another legitimate interest in doing so, as a business and as your potential employer
In these circumstances, we require third parties to ensure the security of your personal information and to treat it in accordance with the law.
The terms of our contracts with third parties include obligations on them in relation to what personal information they can process and what they can do with that information. All our third party service providers, professional advisers and other entities in the Hiscox Group are required to take appropriate security measures to protect your personal information in line with our policies.
We do not permit our third party service providers to use your personal information for their own purposes – they may only process your personal information for specified purposes and in accordance with our instructions.
We may disclose your personal information to the third parties listed below where relevant to the purposes described in this notice:
Hiscox Group Companies who may have relevant vacancies
Further details can be obtained from the recruitment team.
With your consent, your personal information may be disclosed to members of the Hiscox Group outside the European Economic Area (being the US, Bermuda and Singapore) who might have relevant vacancies. Certain suppliers and service providers may also have personnel or systems located outside the European Economic Area. Your personal information may therefore be transferred to non-European Economic Area countries, details of which are available from the recruitment team.
Hiscox has an intra-Group data transfer agreement in place which regulates cross-border transfers of your personal information within the Group.
Where third parties transfer your personal information outside the European Economic Area, we will take steps to ensure that your personal information receives an adequate level of protection, for example by, entering into information transfer agreements or by ensuring that the third parties are certified under appropriate information protection schemes.
You have a right to request further information relating to the transfer of your personal information and the safeguards in place.
If you require further information about this, you can request it from the recruitment team.
We will retain your personal information only for as long as is reasonably necessary to satisfy the purposes for which it was collected, and for the purposes of satisfying any legal, accounting or reporting and regulatory requirements. These legal and other requirements require us to retain certain records for a set period of time, including following the termination of your employment. In addition, we retain certain records in order to resolve queries and disputes that may arise from time to time. This is set out in the Records Retention policy. If you would like further details about the Records Retention policy, please speak to the recruitment team.
If your application is successful, personal data gathered during the recruitment process will be transferred to your personnel file and retained during your employment or engagement. Details about the periods for which your data will be held will be provided to you in a new employee privacy notice.
Please ensure you inform us if your personal information changes during the recruitment process as it is important that the personal information we hold about you is accurate and current.
Certain information has to be provided so that we can enter into a contract with you (e.g. your contact details, right to work in the country and payment details). Without this information, we may not be able to process your job application efficiently.
In addition, you may have to provide us with information so that you can exercise your statutory rights. If you fail to provide the necessary information, this may mean you are unable to exercise your statutory rights.
Certain information may also need to be provided so that we can comply with our regulatory obligations.
You have a number of rights in relation to the personal information that we hold about you.
You have the following rights (subject to certain exemptions):
to make a data subject access request: to obtain a copy of the personal information we hold about you
to ask us to correct inaccurate personal information, including the right to have any incomplete information about you made complete
to ask us to erase your personal data where it is no longer necessary in relation to the purposes for which it was collected
to ask to restrict the processing of your personal information where:
the accuracy of the personal data is contested - while steps are taken to correct or complete it or to verify the accuracy
the processing is unlawful but the erasure of the personal data is not appropriate
we no longer require the personal data for the purposes for which it was collected but it is required for the establishment, exercise or defence of a legal claim
to object to processing which we have justified on the basis of a legitimate interest - in which case the relevant processing will only continue where we have compelling legitimate grounds for processing your personal information
to object to any decisions based solely on automated decision making
to ask to obtain a portable copy of those parts of your personal data where we rely on consent or performance of the contract as the justification for processing, or to have a copy of that personal data transferred to a third party controller
to withdraw your consent to processing where, in rare circumstances, we have relied on your consent as the justification for processing your personal information
to ask to obtain a copy of any data transfer agreement, or to access information about safeguards under which your personal data is transferred outside of the European Economic Area
to lodge a complaint with the appropriate supervisory authority
Subject access requests
There is generally no fee to access the personal information that we hold about you, however we may charge a reasonable fee if your request is clearly unfounded or excessive or if you request further copies of the same information.
Alternatively, we may refuse to comply with a request that is unfounded or excessive.
No automated decision-making is performed.
Further information about your rights is available from the recruitment team.
If you want to make one of these requests, please contact the recruitment team in writing.