GDPR Statement


From our standards to our practices, everything we do is driven by quality.

People focused

People make the difference. We  provide our clients with the best.


Our highly qualified team will provide you with up-to-date information.


We seek to provide the perfect solution each and every time.

Integra are committed to being transparent about how it protects the privacy and security of personal data.  This policy sets out how Integra “we”, “our”. “us”, “the company” handles and uses Personal Data of our customers, suppliers, employees, workers and other third parties along with the ongoing commitment to meeting its data protection obligations.

This policy applies to all employees.  You must read, understand and comply with the policy when processing personal data on our behalf, attend and complete any training requests.  Your compliance with this policy is mandatory and any breach of it may result in disciplinary action.

 What is Personal Data?

Personal data is any information identifying a data subject or information relating to a data subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access.

What is a Data Subject?

Data subject is a living, identified or identifiable individual about whom we hold personal data and may have legal rights regard their Personal Data.

The information Integra may collect, hold and process from:

A candidate of whom we are finding a suitable role for:

  • Full name
  • Address
  • Email address
  • Phone number
  • CV
  • Job preferences (role, geographical area, salary expectation)
  • Other documentation or information provided such as training certification

 An individual who has worked for the organisation previously or currently:

  • Date of birth
  • Passport copy
  • National Insurance number
  • Permits and visas
  • Details of job offers and placements
  • References
  • DBS or EDBS checks
  • Medical information
  • Communications record log
  • Financial information

Who provides the information?

Yourself or a third party who we work with, such as an employment business or agency, or job board. References will be provided by your previous employer(s). Medical information may be provided by your GP, Consultant or Occupational Health professional. DBS checks and security clearance checks may supplied by the Disclosure and Barring Service or other external relevant company.

How we use your information

The information supplied under (a) may be used as follows:

  • To assist you in finding a suitable position by matching your skill sets with job vacancies
  • To put forward your CV and details to prospective clients and employers
  • Candidate placement
  • To keep you informed about services and offered by us
  • To let you know about available work opportunities

The information under (b) may be used as follows:

  • For compliance and legalities to establish you have the right to work
  • To undertake necessary security and criminal checks required by the law
  • To ascertain whether certain medical and health safety issues need to be accessed relating to certain positions and deal with these
  • To arrange and place contractual documentation once a role has been secured
  • For payment once placed in a role

Why do Integra collect, hold and process your information?

Right to work

Information and documentation we ask you to provide to establish your right to work, is processed by us and we are legally obliged to do this.

Medical information

We collect information about this as it is necessary to protect health and safety, and we also ensure that we prevent any discrimination on the grounds of disability.

Criminal record

For some roles, criminal record checks are vital so we can comply with the law.

Entering into a contract

We will use the information you have supplied including your financial information, to successfully begin a contract and fulfil your role.


In order for us to pay you, we are legally obliged to provide information about you to HMRC.


For us to run a compliant business, we may process or store your data once a placement has been secured.

Your CV and related information/documents

In order to secure you a role, we send your CV and related information to prospective employers and Integra’s clients.

Once a placement is secured, additional information as necessary will be provided to them, in order for the placement to proceed.


For the purposes of placing you in a suitable role, we may share your information another business within the Integra group of companies.

Trusted third parties

For payment and undertaking pre-employment checks, we may share your data with the following parties: HM Revenue and Customs, legal advisers, pension scheme providers and other suitable companies.

Special Categories of Personal Data

Data relating to health, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, or data relating to sex life or sexual orientation.

Criminal Convictions – Data relating to criminal convictions.

What are the risks of not looking after data properly?

Extreme care must be taken when processing personal data.  Information must be kept secure.  Lost or stolen personal information can be used to commit offences such as fraud or identity theft and could result in:

  • Customer detriment
  • Enforcement action/fine/legal action
  • Loss of trust/Loss of business
  • Adverse company publicity
  • Disclosure of your information

Data retention

All the personal data we hold is stored in our UK database. In accordance with our Data Retention Policy, your information will not be retained for longer than is necessary.

Your rights

You have right to ask for a copy of the information held about you free of charge. To make this request please email

You are also entitled to the following rights: restriction of processing, erasure, objection and data portability.


If you are concerned about how your personal data is collected or processed, please first raise your concerns with us directly on

Consent withdrawal

If you have provided us with consent to process your data for the purpose of finding you suitable work, however you want to withdraw this, you can do this by emailing .


If you wish to contact the business regarding our data processing practices, please address your comments and questions directly to our HR Department, by emailing .

Privacy notice updates

We may change the Privacy Notice at any time in accordance with the GDPR guidelines, to comply with any further requirements.

Data Protection Principles

The company processes personal data and adheres to the principles relating to Processing of

Personal Data set out in the UK GDPR which require Personal Data to be:

  1. Lawfulness, fairness & transparency – Processed lawfully, fairly and in a transparent manner in relation to the data subject;
  2. Purpose Limitation – Collected only for specified and legitimate purposes and not subsequently processed in a way which is incompatible with those purposes;
  3. Data Minimisation – Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed;
  4. Accuracy – Accurate and, where necessary, kept up to date;
  5. Storage Limitation – Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed;
  6. Integrity & Confidentiality – Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
  7. Accountability – We are responsible for and must be able to demonstrate compliance with the data protection principles listed above.

Lawful basis for processing

To enable the company to process any personal data, it must first have a lawful basis. This is not

intended to prevent Processing but ensure that we Process Personal Data fairly and without

adversely affecting the Data Subject.

There are six lawful bases to choose from. Within the companies processing activities document it

has identified which lawful basis or bases applies to each processing activity.

 The six lawful bases are:

  • Consent – an individual has given clear consent to process their personal data for a specific purpose.
  • Contract – processing is necessary for a contract to be entered into steps to be taken before entering into a contract.
  • Legal obligation – processing is necessary to comply with the law
  • Vital interests – when it is necessary to protect someone’s life.
  • Public task – where it is necessary to perform processing in the public interest
  • Legitimate interests – processing is necessary for the companies’ legitimate interests or that of a third party unless an individual’s personal data overrides those legitimate reasons.


A Controller must only process Personal Data on the basis of one or more of the lawful bases set out

in the UK GDPR, which includes Consent.

A Data Subject consents to Processing of their Personal Data if they indicate agreement clearly either

by a statement or positive action to the Processing. Consent requires affirmative action so silence,

pre-ticked boxes or inactivity are unlikely to be sufficient. If Consent is given in a document which

deals with other matters, then the Consent must be kept separate from those other matters.

Data Subjects must easily be able to withdraw Consent to Processing at any time and withdrawal

must be promptly honoured. Consent may need to be refreshed if you intend to Process Personal

Data for a different and incompatible purpose which was not disclosed when the Data Subject first


When processing Special Category Data or Criminal Convictions Data, we will usually rely on a legal

basis for processing other than Explicit Consent or Consent, if possible.

You will need to evidence Consent captured and keep records of all Consents so that the Company

can demonstrate compliance with Consent requirements.

Individual Rights

As data subjects, individuals have a number of rights in relation to their personal data. These include

rights to:

  1. Right to be informed

Individuals have the right to be informed about the collection and use of their personal


Individuals have a right to know the purpose the company processes their personal data,

the lawful basis, retention periods and who their personal data will be shared with.

This information is included in the company’s privacy policy at the time of first collecting

personal data. A copy is available on the company website and by request.

  1. Right of access

Individuals have the right to access their personal data. If an individual makes an access

request commonly referred to as a ‘subject access request’, the company will also tell


  • Purposes of processing
  • Categories of personal data
  • recipients or categories of recipient’s personal data is disclosed to
  • retention period for storing personal data or where this is not possible, your criteria for determining how long it will be stored for
  • his/her rights to request rectification, erasure or restriction or restriction to object to such processing
  • his/her right to lodge a complaint with the Information Commissioners Office (ICO)
  • information about the source of the data, where it was not obtained directly from the individual
  • existence of automated decision making (including profiling)
  • safeguards provided if personal data is transferred to a third country or international organisations.
  1. The right to rectification

An Individual has the right to have any personal data held about them rectified if it is

incomplete or inaccurate, though the company may need to verify the accuracy of any new data provided. It is important that the personal data the company holds is

accurate and current.  If a request is made to have information rectified, then the company’s compliance department will advise how to handle any request.

  1. The right to erasure

An individual may ask the company to delete information it holds about them in

certain circumstances, this is often referred to as the ‘right to be forgotten’. This

right is not absolute and only applies in certain circumstances. It may not always be

possible for the company to delete the information held about Individuals, for

example, if the company has an ongoing relationship with them or we are required

to retain information to comply with our legal obligations.

If a request is made to have information erased, then the company’s compliance

department will advise how to handle any request.

  1. The right to restrict processing

Individuals have a right to restrict processing of their personal data. This is not an

absolute right and only applies in certain circumstances. For example, where an

Individual contests the accuracy of their personal information, it may be restricted

until the accuracy is verified, or where the processing is unlawful but an Individual

objects to it being deleted and request that it is restricted instead.

If a request is made to have information restricted, then the company’s compliance

department will advise how to handle any request.

  1. The right to data portability

Dependent on the lawful basis used by the company, Individuals have a right to

receive, move, copy, or transfer their personal information to another data


Where applicable the company will provide to an individual, or a third-party personal

data in a structured, commonly used, machine-readable format. Note that this right

only applies to automated information which was initially provided by the individual

and the legal basis was consent or for the performance of a contract.

If a request is made to have information transferred, then the company’s compliance

department will advise how to handle any request.

  1. The right to object

An individual has the right to object to the processing of their personal data. This is

not an absolute right unless it is regarding direct marketing.

If an individual objects to their personal data being processed, then the company’s

compliance department will advise how to handle any request.

  1. Rights in relation to automated decision making and processing

Automated decision making is made where there is no human intervention. The

company is required to ensure individuals can obtain human intervention, express

their point of view, and obtain an explanation of any decision and challenge it.

Individuals, in certain circumstances have a right to object to profiling.

Requests will be dealt with by the compliance department and consideration will be

taken of the data subjects’ reasons.

You must verify the identity of an individual requesting data under any of the rights listed above (do

not allow third parties to persuade you into disclosing Personal Data without proper authorisation).

Data Security

The company takes security of personal data very seriously which includes internal policies and

controls in place that ensures appropriate security of personal data, including protection against

unauthorised or unlawful processing and against accidental loss, destruction or damage using

appropriate technical and organisational measures. Where the company engages third party

processors to process personal data on its behalf, such parties do so on the basis of written

instructions, are under a duty of confidentiality and provide sufficient guarantees to implement

appropriate technical and organisational measures to ensure the security of personal data.

You must follow all procedures and technologies we put in place to maintain the security of all

Personal Data from the point of collection to the point of destruction. You may only transfer Personal Data to third party service providers who agree to comply with the required policies and procedures and who agree to put adequate measures in place, as requested.

You must maintain data security by protecting the confidentiality, integrity, and availability of the

Personal Data, defined as follows:

  1. Confidentiality means that only people who have a need to know and are authorised to use
  2. the Personal Data can access it;
  3. Integrity means Personal data is accurate and suitable for the purpose for which it is
  4. processed; and
  5. Availability means that authorised users are able to access the Personal Data when they need
  6. it for authorised purposes.

Transfer Limitation

The UK GDPR restricts data transfers to countries outside the UK to ensure that the level of data

protection afforded to individuals by the UK GDPR is not undermined. You transfer Personal Data

originating in one country across borders when you transmit, send, view or access that data in or to a different country.

You may only transfer Personal Data outside the UK if one of the following conditions applies:

  1. the UK has issued regulations confirming that the country to which we transfer the Personal
  2. Data ensures an adequate level of protection for the Data Subject's rights and freedoms;
  3. standard contractual clauses approved for use in the UK have been issued:
  4. the Data Subject has provided Explicit Consent to the proposed transfer after being informed
  5. of any potential risks; or
  6. the transfer is necessary for one of the other reasons set out in the UK GDPR including the
  7. performance of a contract between us and the Data Subject, reasons of public interest, to
  8. establish, exercise or defend legal claims or to protect the vital interests of the Data Subject
  9. where the Data Subject is physically or legally incapable of giving Consent and, in some
  10. limited cases, for our legitimate interest.

Data Retention

The company will only retain personal data only for as long as necessary to fulfil the purposes it was

collected for. Details of retention periods for different aspects of personal information are available

in the company’s separate data retention policy/schedule.

To determine the appropriate retention period of personal data, the company considers the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of personal data, the purposes for which the company processes personal data and

whether the company can achieve those purposes through other means and applicable legal


Personal Data is deleted as per the data retention policy once the company no longer requires access to personal data and considering applicable laws and regulations.

Privacy by Design and Data Protection Impact Assessments

It is a legal requirement for the company to implement Privacy by Design measures when Processing

Personal Data by implementing appropriate technical and organisational measures (like

Pseudonymisation) in an effective manner, to ensure compliance with data privacy principles.

You must assess what Privacy by Design measures can be implemented on all programmes, systems,

or processes that Process Personal Data by taking into account the following:

  • the state of the art;
  • the cost of implementation;
  • the nature, scope, context, and purposes of Processing; and
  • the risks of varying likelihood and severity for rights and freedoms of Data Subjects posed by the Processing.

Controllers must also conduct a data privacy impact assessment when implementing major system or business change programs involving the Processing of Personal Data including;

  • use of technologies (programs, systems, or processes), or changing technologies (programs, systems, or processes);
  • Automated Processing including profiling
  • Large scale Processing of Special Categories of Personal Data or Criminal Convictions Data; and

where processing is likely to result in a high risk to individuals or in certain mandatory situations listed above to be integrated into the business.

The project team will complete the data protection impact assessments and pass through to the

compliance team to review.

A separate policy exists covering the processes of carrying out privacy impact assessments.

Automated Decision-Making

The company may from time to time use personal data in automated decision-making processes.

Where such decisions have a legal (or similarly significant effect) on data subjects, the company

recognises that data subjects have the right to challenge such decisions, request human intervention,

express their own point of view, and to obtain an explanation of the decision from the business.

The company recognises that the right described above does not apply in the following


  • The decision is necessary for the entry into, or performance of a contract between

the company and the data subject;

  • The decision is permitted by law; or
  • The data subject has given their explicit consent.

Any requests not to have personal data processed by an automated means must be referred to the

department manager or the compliance department.


The company may from time to time use personal data for profiling purposes.

When personal data is used for profiling purposes, the company is committed to ensuring the


  • That clear information explaining the profiling shall be provided to data subjects, including the significance and likely consequences of the profiling;
  • That appropriate mathematical or statistical procedures shall be used;
  • That technical and organisational measures shall be implemented to minimise the risk of errors. If errors occur, such measures must enable them to be easily corrected; and
  • That all personal data processed for profiling purposes shall be anonymised to prevent discriminatory effects arising out of profiling.

Personal Data Breaches

A personal data breach could result from an accidental or deliberate breach of security leading to the

accidental or unlawful destruction, loss, corruption of, alteration, unauthorised disclosure of, or

access to, personal data.

We have put in place procedures to deal with any suspected Personal data Breach and will notify

Data Subjects or any applicable regulator where we are legally required to do so.

If you know or suspect that a Personal Data breach has occurred, do not attempt to investigate the

matter yourself. Immediately contact the Compliance department or members of the Information

Security team and follow the Security Incident Response Plan. You should preserve all evidence

relating to the potential Personal Data Breach.

The company holds a separate policy for individuals to follow when dealing with suspected/actual

Personal Data Breaches.

Individual Responsibilities

Individuals are responsible for helping the company keep their personal data up to date. Individuals

should let the company know if personal data provided to the company changes, for example if an

individual moves to a new house or changes his/her contact details or bank details.

Individuals may have access to the personal data of other individuals and of our customers and

clients in the course of their employment, contract, volunteer period, internship, or apprenticeship.

Where this is the case, the company relies on individuals to help meet its data protection obligations

to staff, customers, and clients.

Individuals who have access to personal data are required:

  • to access only personal data that they have authority to access and only for authorised purposes. not to disclose personal data except to individuals (whether inside or outside the company) who have appropriate authorisation.
  • to keep personal data secure (for example by complying with rules on access to premises, computer access, including password protection, and secure file storage and destruction).
  • not to remove personal data, or devices containing or that can be used to access personal data, from the company's premises without adopting appropriate security measures (such as encryption or password protection) to secure the data and the device;
  • not to store personal data on local drives or on personal devices that are used for work purposes; and
  • to report data protection breaches of which they become aware immediately.

Further details about the company's security procedures can be found in its IT policy.

Failing to observe these requirements may amount to a disciplinary offence, which will be dealt with

under the company's disciplinary procedure. Significant or deliberate breaches of this policy, such as

accessing employee or customer data without authorisation or a legitimate reason to do so, may

constitute gross misconduct and could lead to dismissal without notice.


The company will provide training to all individuals about their data protection responsibilities as

part of the induction process and at regular intervals thereafter.

Individuals whose roles require regular access to personal data, or who are responsible for

implementing this policy or responding to right of access requests under this policy, will receive

additional training to help them understand their duties and how to comply with them.

The Compliance team will carry out horizon scanning as part of their everyday duties to ensure the

company is aware of changes pending to legislation and ensure staff receive the required training

where necessary.


When the company first collects personal data, it provides details of any marketing it may like to

conduct and whom their personal data may be sent to. Where this is within the Connexus Group and

similar products are being marketed, this can be sent to all customers or prospective customers

unless they have specifically opted out of marketing. Individuals who have opted out of marketing

are added to a compression list to avoid any further marketing material being sent.

Where marketing involves using outside organisations or where the original consent is incompatible

with the intended marketing, then before details are passed on, then explicit consent must first be

obtained from the individual that the agree to receive marketing material and how they would like to

receive such material. Every marketing campaign will provide details to the individual that if they

change their mind, they can opt out of receiving marketing. Their details are then added to the

suppression list.

All marketing campaigns will be sent to the Compliance Team for approval before marketing


Sharing Personal Data

Generally, we are not allowed to share Personal Data with third parties unless certain safeguards and

contractual arrangements have been put in place.

You may only share the Personal Data we hold with another employee, agent or representative of

our group if the recipient has a job-related need to know the information.

You may only share the Personal Data we hold with third parties, such as our service providers, if:

  1. a) they ‘need to know’ the information for the purposes of providing the contracted services;
  2. b) sharing the Personal Data complies with the Privacy Notice provided to the Data Subject and,

if required, the Data Subject's Consent has been obtained;

  1. c) the third party has agreed to comply with the required data security standards, policies and

procedures and put adequate security measures in place;

  1. d) the transfer complies with any applicable cross-border transfer restrictions; and
  2. e) a fully executed written contract that contains UK GDPR-approved third party clauses has

been obtained.

You must comply with the Company's guidelines on sharing data with third parties.

Data Analysis

The company needs to analyse the characteristics of large volumes of personal data. This is

particularly relevant to our MGA and delegated authorities where the company needs to ’profile’ the

underwriting risk of different products to determine the correcting rating and underwriting


When data is conducted for analysing, then any personal data is first anonymised. IT has specific

policies detailing how this process is carried out.

Related Documents

This policy supplements and should be read in conjunction with our other policies and procedures in

force from time to time, including without limitation our;

Right of Access Policy

Data Retention Policy

Data Protection Impact Assessments

IT Policy

Information Security Policy

Security Incident Response Plan

Personal Data Breach Policy

Review of This Policy

This Policy will be reviewed annually or as legislation or company needs require.


Latest Vacancies

Top rated recruitment

Let's talk

We are more than just a recruitment company - we are a business solutions provider, actively solving resourcing issues for our clients.