Data Protection Policy

Policy information


iRecruit Partners


Scope of policy

This policy covers all the activities of iRecruit Partners (Berkshire) Ltd, acting as a recruitment consultancy placing permanent staff with client companies and working on both a retained and non-retained basis.

Policy operational date

25th May 2018


Policy prepared by

Nicky Morris – Managing Director

Sue Southall – Managing Director

Date approved by Board/ Management Committee


Policy review date

25th May 2021



Purpose of policy

The purpose of this policy is to outline iRecruit Partners complete commitment to the letter and spirit of the GDPR regulations and to underline our commitment to protecting the rights and privacy of all individuals.

Types of data processed

iRecruit Partners process data in the form of candidate CVs.  This will typically include personal details such as contact details, employment background and qualifications but may also on occasion include references.

In addition, client data in the form of client contacts, job profiles and company background information will be stored and processed.

Policy statement

iRecruit Partners is committed to a policy of protecting the rights and privacy of individuals, especially candidates who have shared their data with the company, and clients in accordance with the General Data Protection Regulation (GDPR) May 2018.

The new regulatory environment demands higher transparency and accountability in how we manage and use personal data. It also rightly accords new and stronger rights for individuals to understand and control that use.

The GDPR contains provisions that the company will need to be aware of as data controllers, including provisions intended to  enhance  the  protection  of  candidate’s  personal data.

iRecruit Partners process data largely relating to the recruitment of staff for our clients.  To comply with various legal obligations, including the obligations imposed on it by the General Data Protection Regulation (GDPR) and to work towards industry best practice, iRecruit Partners must ensure that all this information about individuals is collected and used fairly, stored safely and securely, and not disclosed to any third party unlawfully.

We are committed to being open and honest with all individuals whose data we process and ensure that all staff who process data act consistently and openly in the processing of that data.

As part of our commitment to good data processing practice we undertake to notify the Information Commissioner of any data breach or potential data breach, even if it not strictly required by law.

Key risks

Key risks associated with iRecruit Partners data processing activities lie in two areas and the company is committed to ensuring that these risks are minimised wherever possible.  The areas of risk are:

  • Accidental sharing or loss of data by staff through incorrect emailing, loss of computing equipment or other unforeseen action
  • Deliberate hacking of IT systems by third parties



The Board / Company Directors

Nicky Morris – Managing Director

Sue Southall – Managing Director

Data Protection Officer

Nicky Morris – Managing Director

Sue Southall – Managing Director



Security measures

iRecruit Partners undertakes to put appropriate technical and organisational measures in place against unauthorised or unlawful processing of personal data, and against accidental loss or destruction of data.

All members of staff are responsible for ensuring that any personal data which they hold is kept securely and not disclosed to any unauthorised third parties.

All electronic data is held in the cloud in the Office 365 system and not on personal laptops or PCs.

iRecruit Partners will ensure that all personal data is accessible only to those who have a valid reason for using it.

iRecruit Partners will have in place appropriate security measures e.g.

  • ensuring that hard copy personal data is kept in lockable filing cabinets/cupboards with controlled access
  • password protecting personal data held electronically.
  • archiving personal data which are then kept securely (lockable cabinet).
  • placing any PCs or terminals etc. that show personal data so that they are not visible except to authorised staff.
  • ensuring that PC screens are not left unattended without a password protected screen-saver being used.

Security Breaches

In the event of a security breach, iRecruit Partners commit to notify all parties concerned, and the ICO, at the latest within 72 hours of becoming aware of the breach.

As soon as the company becomes aware of the breach, all steps will be taken to secure the data, identify the potential risk of the data loss and to contact candidates and clients to notify them of the loss and associated risks. The 72 hour ICO commitment should be the very minimum requirement and we will endeavour in all cases to exceed that target.


Data recording and storage


iRecruit partners will review and update all data on a regular basis. It is the responsibility of the individuals giving their personal data to ensure that this is accurate, and each individual should notify iRecruit Partners if there is any change in their data e.g. new positions added to their CV.

iRecruit Partners will ensure that the data held is accurate and up to date before communication with a client regarding candidate suitability for a role.

Retention periods

iRecruit Partners policy is to retain candidate CVs for three years, after which time they will be deleted.  Candidates will not be contacted at this time unless there is a specific reason to do so.  If there is some other legal requirement upon iRecruit Partners to keep the information for longer the subject of the data will be notified.

Client data will be kept indefinitely unless the client wishes their data to be removed from our system.


iRecruit Partners will dispose of any personal data in a way that protects the rights and privacy of the individual concerned (e.g. secure electronic deletion, shredding and disposal of hard copy files as confidential waste).


Right of Access


Data subjects, generally candidates, have the right at any time to request access to the data held about them by iRecruit Partners.  It is Sue Southall’s responsibility to ensure that any requests for access are handled promptly and professionally

Procedure for making request

Any individual making a Right of Access Request should do so in writing to:

Sue Southall
Trinity Court,
Molly Millars Lane,
RG41 2PY

iRecruit Partners will not make a charge for this service and will respond within 48 hours of the request

Provision for verifying identity

An individual making a Right of Access Request may be asked to verify their identity.




iRecruit Partners is committed to being wholly transparent and open in all our dealings with candidates.

We commit to:

  • Let candidates know what data we hold on them
  • What opportunities may be of interest to them
  • Prevent processing likely to cause damage or distress.
  • Prevent processing for purposes of direct marketing.
  • Take action to rectify, block, erase or destroy inaccurate data.
  • Request that the Office of the Information Commissioner assess whether any provision of the Act has been contravened.


Lawful Basis

Underlying principle

iRecruit Partners process data under the principle of Legitimate Interest.  It is the company’s belief that candidates who either approach iRecruit Partners or are approached by iRecruit Partners regarding vacancies, realistically expect that their data will be processed and passed onto the client company.

Data is processed in the legitimate interest of the candidate (data subject), client and iRecruit Partners in pursuit of the company’s business.  There is no practicable alternative that would be less intrusive to the candidate.

Candidates register their CVs in the belief that iRecruit Partners will contact them regarding current or future opportunities.  No processing is carried out without the candidate’s full knowledge and approval.  No processing is carried out that would be detrimental to the data subject (candidate).

There will be no marketing to the data subject and their data will not be shared with any third party.

In the event that a client requires specific consent, then written consent will be obtained from the candidate and a record kept, but this is the exception rather than the rule.


Policy review


iRecruit Partners – Managing Director


Policy review by end of May 2021