Integra are committed to being transparent about how it protects the privacy and security of personal data. This policy sets out how Integra “we”, “our”. “us”, “the company” handles and uses Personal Data of our customers, suppliers, employees, workers and other third parties along with the ongoing commitment to meeting its data protection obligations.
This policy applies to all employees. You must read, understand and comply with the policy when processing personal data on our behalf, attend and complete any training requests. Your compliance with this policy is mandatory and any breach of it may result in disciplinary action.
What is Personal Data?
Personal data is any information identifying a data subject or information relating to a data subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access.
What is a Data Subject?
Data subject is a living, identified or identifiable individual about whom we hold personal data and may have legal rights regard their Personal Data.
The information Integra may collect, hold and process from:
A candidate of whom we are finding a suitable role for:
- Full name
- Email address
- Phone number
- Job preferences (role, geographical area, salary expectation)
- Other documentation or information provided such as training certification
An individual who has worked for the organisation previously or currently:
- Date of birth
- Passport copy
- National Insurance number
- Permits and visas
- Details of job offers and placements
- DBS or EDBS checks
- Medical information
- Communications record log
- Financial information
Who provides the information?
Yourself or a third party who we work with, such as an employment business or agency, or job board. References will be provided by your previous employer(s). Medical information may be provided by your GP, Consultant or Occupational Health professional. DBS checks and security clearance checks may supplied by the Disclosure and Barring Service or other external relevant company.
How we use your information
The information supplied under (a) may be used as follows:
- To assist you in finding a suitable position by matching your skill sets with job vacancies
- To put forward your CV and details to prospective clients and employers
- Candidate placement
- To keep you informed about services and offered by us
- To let you know about available work opportunities
The information under (b) may be used as follows:
- For compliance and legalities to establish you have the right to work
- To undertake necessary security and criminal checks required by the law
- To ascertain whether certain medical and health safety issues need to be accessed relating to certain positions and deal with these
- To arrange and place contractual documentation once a role has been secured
- For payment once placed in a role
Why do Integra collect, hold and process your information?
Right to work
Information and documentation we ask you to provide to establish your right to work, is processed by us and we are legally obliged to do this.
We collect information about this as it is necessary to protect health and safety, and we also ensure that we prevent any discrimination on the grounds of disability.
For some roles, criminal record checks are vital so we can comply with the law.
Entering into a contract
We will use the information you have supplied including your financial information, to successfully begin a contract and fulfil your role.
In order for us to pay you, we are legally obliged to provide information about you to HMRC.
For us to run a compliant business, we may process or store your data once a placement has been secured.
Your CV and related information/documents
In order to secure you a role, we send your CV and related information to prospective employers and Integra’s clients.
Once a placement is secured, additional information as necessary will be provided to them, in order for the placement to proceed.
For the purposes of placing you in a suitable role, we may share your information another business within the Integra group of companies.
Trusted third parties
For payment and undertaking pre-employment checks, we may share your data with the following parties: HM Revenue and Customs, legal advisers, pension scheme providers and other suitable companies.
Special Categories of Personal Data
Data relating to health, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, or data relating to sex life or sexual orientation.
Criminal Convictions – Data relating to criminal convictions.
What are the risks of not looking after data properly?
Extreme care must be taken when processing personal data. Information must be kept secure. Lost or stolen personal information can be used to commit offences such as fraud or identity theft and could result in:
- Customer detriment
- Enforcement action/fine/legal action
- Loss of trust/Loss of business
- Adverse company publicity
- Disclosure of your information
All the personal data we hold is stored in our UK database. In accordance with our Data Retention Policy, your information will not be retained for longer than is necessary.
You have right to ask for a copy of the information held about you free of charge. To make this request please email email@example.com.
You are also entitled to the following rights: restriction of processing, erasure, objection and data portability.
If you are concerned about how your personal data is collected or processed, please first raise your concerns with us directly on firstname.lastname@example.org.
If you have provided us with consent to process your data for the purpose of finding you suitable work, however you want to withdraw this, you can do this by emailing email@example.com .
If you wish to contact the business regarding our data processing practices, please address your comments and questions directly to our HR Department, by emailing firstname.lastname@example.org .
Privacy notice updates
We may change the Privacy Notice at any time in accordance with the GDPR guidelines, to comply with any further requirements.
Data Protection Principles
The company processes personal data and adheres to the principles relating to Processing of
Personal Data set out in the UK GDPR which require Personal Data to be:
- Lawfulness, fairness & transparency – Processed lawfully, fairly and in a transparent manner in relation to the data subject;
- Purpose Limitation – Collected only for specified and legitimate purposes and not subsequently processed in a way which is incompatible with those purposes;
- Data Minimisation – Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed;
- Accuracy – Accurate and, where necessary, kept up to date;
- Storage Limitation – Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed;
- Integrity & Confidentiality – Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
- Accountability – We are responsible for and must be able to demonstrate compliance with the data protection principles listed above.
Lawful basis for processing
To enable the company to process any personal data, it must first have a lawful basis. This is not
intended to prevent Processing but ensure that we Process Personal Data fairly and without
adversely affecting the Data Subject.
There are six lawful bases to choose from. Within the companies processing activities document it
has identified which lawful basis or bases applies to each processing activity.
The six lawful bases are:
- Consent – an individual has given clear consent to process their personal data for a specific purpose.
- Contract – processing is necessary for a contract to be entered into steps to be taken before entering into a contract.
- Legal obligation – processing is necessary to comply with the law
- Vital interests – when it is necessary to protect someone’s life.
- Public task – where it is necessary to perform processing in the public interest
- Legitimate interests – processing is necessary for the companies’ legitimate interests or that of a third party unless an individual’s personal data overrides those legitimate reasons.
A Controller must only process Personal Data on the basis of one or more of the lawful bases set out
in the UK GDPR, which includes Consent.
A Data Subject consents to Processing of their Personal Data if they indicate agreement clearly either
by a statement or positive action to the Processing. Consent requires affirmative action so silence,
pre-ticked boxes or inactivity are unlikely to be sufficient. If Consent is given in a document which
deals with other matters, then the Consent must be kept separate from those other matters.
Data Subjects must easily be able to withdraw Consent to Processing at any time and withdrawal
must be promptly honoured. Consent may need to be refreshed if you intend to Process Personal
Data for a different and incompatible purpose which was not disclosed when the Data Subject first
When processing Special Category Data or Criminal Convictions Data, we will usually rely on a legal
basis for processing other than Explicit Consent or Consent, if possible.
You will need to evidence Consent captured and keep records of all Consents so that the Company
can demonstrate compliance with Consent requirements.
As data subjects, individuals have a number of rights in relation to their personal data. These include
- Right to be informed
Individuals have the right to be informed about the collection and use of their personal
Individuals have a right to know the purpose the company processes their personal data,
the lawful basis, retention periods and who their personal data will be shared with.
personal data. A copy is available on the company website and by request.
- Right of access
Individuals have the right to access their personal data. If an individual makes an access
request commonly referred to as a ‘subject access request’, the company will also tell
- Purposes of processing
- Categories of personal data
- recipients or categories of recipient’s personal data is disclosed to
- retention period for storing personal data or where this is not possible, your criteria for determining how long it will be stored for
- his/her rights to request rectification, erasure or restriction or restriction to object to such processing
- his/her right to lodge a complaint with the Information Commissioners Office (ICO)
- information about the source of the data, where it was not obtained directly from the individual
- existence of automated decision making (including profiling)
- safeguards provided if personal data is transferred to a third country or international organisations.
- The right to rectification
An Individual has the right to have any personal data held about them rectified if it is
incomplete or inaccurate, though the company may need to verify the accuracy of any new data provided. It is important that the personal data the company holds is
accurate and current. If a request is made to have information rectified, then the company’s compliance department will advise how to handle any request.
- The right to erasure
An individual may ask the company to delete information it holds about them in
certain circumstances, this is often referred to as the ‘right to be forgotten’. This
right is not absolute and only applies in certain circumstances. It may not always be
possible for the company to delete the information held about Individuals, for
example, if the company has an ongoing relationship with them or we are required
to retain information to comply with our legal obligations.
If a request is made to have information erased, then the company’s compliance
department will advise how to handle any request.
- The right to restrict processing
Individuals have a right to restrict processing of their personal data. This is not an
absolute right and only applies in certain circumstances. For example, where an
Individual contests the accuracy of their personal information, it may be restricted
until the accuracy is verified, or where the processing is unlawful but an Individual
objects to it being deleted and request that it is restricted instead.
If a request is made to have information restricted, then the company’s compliance
department will advise how to handle any request.
- The right to data portability
Dependent on the lawful basis used by the company, Individuals have a right to
receive, move, copy, or transfer their personal information to another data
Where applicable the company will provide to an individual, or a third-party personal
data in a structured, commonly used, machine-readable format. Note that this right
only applies to automated information which was initially provided by the individual
and the legal basis was consent or for the performance of a contract.
If a request is made to have information transferred, then the company’s compliance
department will advise how to handle any request.
- The right to object
An individual has the right to object to the processing of their personal data. This is
not an absolute right unless it is regarding direct marketing.
If an individual objects to their personal data being processed, then the company’s
compliance department will advise how to handle any request.
- Rights in relation to automated decision making and processing
Automated decision making is made where there is no human intervention. The
company is required to ensure individuals can obtain human intervention, express
their point of view, and obtain an explanation of any decision and challenge it.
Individuals, in certain circumstances have a right to object to profiling.
Requests will be dealt with by the compliance department and consideration will be
taken of the data subjects’ reasons.
You must verify the identity of an individual requesting data under any of the rights listed above (do
not allow third parties to persuade you into disclosing Personal Data without proper authorisation).
The company takes security of personal data very seriously which includes internal policies and
controls in place that ensures appropriate security of personal data, including protection against
unauthorised or unlawful processing and against accidental loss, destruction or damage using
appropriate technical and organisational measures. Where the company engages third party
processors to process personal data on its behalf, such parties do so on the basis of written
instructions, are under a duty of confidentiality and provide sufficient guarantees to implement
appropriate technical and organisational measures to ensure the security of personal data.
You must follow all procedures and technologies we put in place to maintain the security of all
Personal Data from the point of collection to the point of destruction. You may only transfer Personal Data to third party service providers who agree to comply with the required policies and procedures and who agree to put adequate measures in place, as requested.
You must maintain data security by protecting the confidentiality, integrity, and availability of the
Personal Data, defined as follows:
- Confidentiality means that only people who have a need to know and are authorised to use
- the Personal Data can access it;
- Integrity means Personal data is accurate and suitable for the purpose for which it is
- processed; and
- Availability means that authorised users are able to access the Personal Data when they need
- it for authorised purposes.
The UK GDPR restricts data transfers to countries outside the UK to ensure that the level of data
protection afforded to individuals by the UK GDPR is not undermined. You transfer Personal Data
originating in one country across borders when you transmit, send, view or access that data in or to a different country.
You may only transfer Personal Data outside the UK if one of the following conditions applies:
- the UK has issued regulations confirming that the country to which we transfer the Personal
- Data ensures an adequate level of protection for the Data Subject's rights and freedoms;
- standard contractual clauses approved for use in the UK have been issued:
- the Data Subject has provided Explicit Consent to the proposed transfer after being informed
- of any potential risks; or
- the transfer is necessary for one of the other reasons set out in the UK GDPR including the
- performance of a contract between us and the Data Subject, reasons of public interest, to
- establish, exercise or defend legal claims or to protect the vital interests of the Data Subject
- where the Data Subject is physically or legally incapable of giving Consent and, in some
- limited cases, for our legitimate interest.
The company will only retain personal data only for as long as necessary to fulfil the purposes it was
collected for. Details of retention periods for different aspects of personal information are available
in the company’s separate data retention policy/schedule.
To determine the appropriate retention period of personal data, the company considers the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of personal data, the purposes for which the company processes personal data and
whether the company can achieve those purposes through other means and applicable legal
Personal Data is deleted as per the data retention policy once the company no longer requires access to personal data and considering applicable laws and regulations.
Privacy by Design and Data Protection Impact Assessments
It is a legal requirement for the company to implement Privacy by Design measures when Processing
Personal Data by implementing appropriate technical and organisational measures (like
Pseudonymisation) in an effective manner, to ensure compliance with data privacy principles.
You must assess what Privacy by Design measures can be implemented on all programmes, systems,
or processes that Process Personal Data by taking into account the following:
- the state of the art;
- the cost of implementation;
- the nature, scope, context, and purposes of Processing; and
- the risks of varying likelihood and severity for rights and freedoms of Data Subjects posed by the Processing.
Controllers must also conduct a data privacy impact assessment when implementing major system or business change programs involving the Processing of Personal Data including;
- use of technologies (programs, systems, or processes), or changing technologies (programs, systems, or processes);
- Automated Processing including profiling
- Large scale Processing of Special Categories of Personal Data or Criminal Convictions Data; and
where processing is likely to result in a high risk to individuals or in certain mandatory situations listed above to be integrated into the business.
The project team will complete the data protection impact assessments and pass through to the
compliance team to review.
A separate policy exists covering the processes of carrying out privacy impact assessments.
The company may from time to time use personal data in automated decision-making processes.
Where such decisions have a legal (or similarly significant effect) on data subjects, the company
recognises that data subjects have the right to challenge such decisions, request human intervention,
express their own point of view, and to obtain an explanation of the decision from the business.
The company recognises that the right described above does not apply in the following
- The decision is necessary for the entry into, or performance of a contract between
the company and the data subject;
- The decision is permitted by law; or
- The data subject has given their explicit consent.
Any requests not to have personal data processed by an automated means must be referred to the
department manager or the compliance department.
The company may from time to time use personal data for profiling purposes.
When personal data is used for profiling purposes, the company is committed to ensuring the
- That clear information explaining the profiling shall be provided to data subjects, including the significance and likely consequences of the profiling;
- That appropriate mathematical or statistical procedures shall be used;
- That technical and organisational measures shall be implemented to minimise the risk of errors. If errors occur, such measures must enable them to be easily corrected; and
- That all personal data processed for profiling purposes shall be anonymised to prevent discriminatory effects arising out of profiling.
Personal Data Breaches
A personal data breach could result from an accidental or deliberate breach of security leading to the
accidental or unlawful destruction, loss, corruption of, alteration, unauthorised disclosure of, or
access to, personal data.
We have put in place procedures to deal with any suspected Personal data Breach and will notify
Data Subjects or any applicable regulator where we are legally required to do so.
If you know or suspect that a Personal Data breach has occurred, do not attempt to investigate the
matter yourself. Immediately contact the Compliance department or members of the Information
Security team and follow the Security Incident Response Plan. You should preserve all evidence
relating to the potential Personal Data Breach.
The company holds a separate policy for individuals to follow when dealing with suspected/actual
Personal Data Breaches.
Individuals are responsible for helping the company keep their personal data up to date. Individuals
should let the company know if personal data provided to the company changes, for example if an
individual moves to a new house or changes his/her contact details or bank details.
Individuals may have access to the personal data of other individuals and of our customers and
clients in the course of their employment, contract, volunteer period, internship, or apprenticeship.
Where this is the case, the company relies on individuals to help meet its data protection obligations
to staff, customers, and clients.
Individuals who have access to personal data are required:
- to access only personal data that they have authority to access and only for authorised purposes. not to disclose personal data except to individuals (whether inside or outside the company) who have appropriate authorisation.
- to keep personal data secure (for example by complying with rules on access to premises, computer access, including password protection, and secure file storage and destruction).
- not to remove personal data, or devices containing or that can be used to access personal data, from the company's premises without adopting appropriate security measures (such as encryption or password protection) to secure the data and the device;
- not to store personal data on local drives or on personal devices that are used for work purposes; and
- to report data protection breaches of which they become aware immediately.
Further details about the company's security procedures can be found in its IT policy.
Failing to observe these requirements may amount to a disciplinary offence, which will be dealt with
under the company's disciplinary procedure. Significant or deliberate breaches of this policy, such as
accessing employee or customer data without authorisation or a legitimate reason to do so, may
constitute gross misconduct and could lead to dismissal without notice.
The company will provide training to all individuals about their data protection responsibilities as
part of the induction process and at regular intervals thereafter.
Individuals whose roles require regular access to personal data, or who are responsible for
implementing this policy or responding to right of access requests under this policy, will receive
additional training to help them understand their duties and how to comply with them.
The Compliance team will carry out horizon scanning as part of their everyday duties to ensure the
company is aware of changes pending to legislation and ensure staff receive the required training
When the company first collects personal data, it provides details of any marketing it may like to
conduct and whom their personal data may be sent to. Where this is within the Connexus Group and
similar products are being marketed, this can be sent to all customers or prospective customers
unless they have specifically opted out of marketing. Individuals who have opted out of marketing
are added to a compression list to avoid any further marketing material being sent.
Where marketing involves using outside organisations or where the original consent is incompatible
with the intended marketing, then before details are passed on, then explicit consent must first be
obtained from the individual that the agree to receive marketing material and how they would like to
receive such material. Every marketing campaign will provide details to the individual that if they
change their mind, they can opt out of receiving marketing. Their details are then added to the
All marketing campaigns will be sent to the Compliance Team for approval before marketing
Sharing Personal Data
Generally, we are not allowed to share Personal Data with third parties unless certain safeguards and
contractual arrangements have been put in place.
You may only share the Personal Data we hold with another employee, agent or representative of
our group if the recipient has a job-related need to know the information.
You may only share the Personal Data we hold with third parties, such as our service providers, if:
- a) they ‘need to know’ the information for the purposes of providing the contracted services;
- b) sharing the Personal Data complies with the Privacy Notice provided to the Data Subject and,
if required, the Data Subject's Consent has been obtained;
- c) the third party has agreed to comply with the required data security standards, policies and
procedures and put adequate security measures in place;
- d) the transfer complies with any applicable cross-border transfer restrictions; and
- e) a fully executed written contract that contains UK GDPR-approved third party clauses has
You must comply with the Company's guidelines on sharing data with third parties.
The company needs to analyse the characteristics of large volumes of personal data. This is
particularly relevant to our MGA and delegated authorities where the company needs to ’profile’ the
underwriting risk of different products to determine the correcting rating and underwriting
When data is conducted for analysing, then any personal data is first anonymised. IT has specific
policies detailing how this process is carried out.
This policy supplements and should be read in conjunction with our other policies and procedures in
force from time to time, including without limitation our;
Right of Access Policy
Data Retention Policy
Data Protection Impact Assessments
Information Security Policy
Security Incident Response Plan
Personal Data Breach Policy
Review of This Policy
This Policy will be reviewed annually or as legislation or company needs require.