Privacy statements

Who are we?

Sanctuary Students is a trading name used by Sanctuary Management Services Limited, which is a subsidiary of Sanctuary Housing Association, a part of Sanctuary Group (“Sanctuary”), one of the UK's leading providers of housing, care and commercial services. Our address is Chamber Court, Castle Street, Worcester, Worcestershire, WR1 3ZQ.

Purpose of our privacy statement

Under the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR), we are required to explain to you why we are asking for this information about you, how we intend to use the information you provide and whether we will share this with anyone else.

Our data protection officer

Our Data Protection Officer is responsible for overseeing what we do with your information and monitoring our compliance with data protection laws.

If you have any concerns or questions about our use of your personal data, you can contact our Data Protection Officer by writing to The Data Protection Officer, Sanctuary House, Chamber Court, Castle Street, Worcester, Worcestershire, WR1 3ZQ or emailing dataprotection@sanctuary.co.uk.

What we do (processing activities)

Enquiring, registering, and applying for a room

Why are we collecting your information?

The information that you provide to us during routine enquiry channels such as via our website, other platforms for example Viva City Web Chat, in person, during a telephone call, or during the registration or application process, is required by Sanctuary for us to provide you with a requested service or an offer of accommodation. We need to collect this information because without it we will not be able to provide you with accommodation services or enter a contract with you.

 

If you agree, we would like to contact you about accommodation you have expressed an interest in, as well as accommodation that may interest you in the future. This is voluntary and if you consent, we will contact you about other services that are relevant to you.

If you proceed with your application and become a customer of ours, we will assume you are happy to receive information about future accommodation, unless you choose to opt out of receiving these communications.

You can change your mind about marketing communications at any time. Please contact us if you would like to manage or update your marketing preferences.

 

We may also use your information to improve the services you, and other customers, receive from us as well as for market intelligence purposes to enable us to target our marketing activities appropriately.

What information are we collecting?

The information that you provide to us via our booking platform, in person, on forms or during any enquiry will be used to provide you with a service or offer you accommodation. The information we collect may include, for example:

 

·         Name, address and contact details

·         Date of birth

·         Gender

·         Year of study, university/college course details

·         Emergency contact details

·         Financial information

·         Guarantor details (if applicable)

·         Accommodation preferences (e.g., preferred room type, sharing preferences)

·         Employer details (if applicable)

·         "Right to Rent" documentation/evidence (if applicable)

·         Nationality

·         Previous addresses, employment information (if applicable)

 

Some of the information which we collect will be special categories of personal data (also called sensitive personal data), which includes information about any relevant health conditions or specific needs that our staff should be aware of. This will also enable us to determine whether we have suitable accommodation and enable us to allocate the most appropriate accommodation depending on your needs.

 

We may also receive personal information indirectly, from the following sources in certain circumstances:

·         Universities

·         FE institutions

·         NHS Trusts

·         Marketing and referral agencies

 

What is our lawful basis for using your information?

Under Article 6 of the UK GDPR, the lawful bases we rely on for processing this information are:

·         Consent.

·         Performance of a contract.

·         Compliance with a legal obligation.

·         Our legitimate interests or that of a third party.

 

In accordance with Article 9 (UK GDPR) the condition we rely on for processing special categories of personal data is:

·         Explicit consent

 

Sharing your information

Members of Sanctuary Group

Sanctuary Group is made up of a number of related companies. We will share your information with other members of Sanctuary Group where necessary to best provide the services to you.

 

Your information will only be accessed by other Sanctuary group companies where it is necessary to do so in order to provide services to you in accordance with your enquiry and any future contract. The obligations which are set out in this notice shall apply to the other members of our Group to the same extent that they apply to us.

 

For more information on which companies make up Sanctuary Group, please go to About Sanctuary.

 

Regulators and other legal obligations

We may also be required to share your information with our regulators who are permitted access to this information by law and with other organisations where we have a legal obligation to share the information with them.

 

Contractors and sub-contractors

It may be necessary to share information about you with our contractors and sub-contractors to provide you with the services in accordance with your enquiry and any future contract between us. We will only share information about you with contractors and sub-contractors which is relevant and necessary to address your individual needs.

Our contractors and sub-contractors will not share your information with any other parties and will only be able to use the information when completing work on our behalf.


Other organisations

We may from time to time share your information with other organisations, such as:

·         Partner organisations whom we have data sharing agreements with, for example University/NHS Trusts/Agencies acting on our behalf.

 

For our commercial and market rent customers, we may share your information with credit reference agencies to enable us to determine your suitability to enter a contract with us.


Data processors and Transfers

To facilitate the delivery of services to you, we use the following categories of data processors who process information on Sanctuary’s behalf:

 

·         Booking, lettings and marketing agents

·         Payment services providers

·         Software provider for technical IT system support.

We use a third-party processor, Campaign Monitor, for some of our email campaigns and we transfer your information to Campaign Monitor for the purpose of sending e-marketing and communication emails to you. Campaign Monitor is a global business that is headquartered in Australia and uses a data centre located in the United States of America, so their processing of your personal data will involve a transfer of data outside the UK.

Whenever we transfer your personal data out of the UK in this way, we ensure a similar degree of protection is afforded to it by ensuring that we rely on an adequacy decision and/or use specific contract clauses which give personal data the same protection it has under UK law.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data outside of the UK.


Storing your information and deleting it 

·       We will store the personal data which you provide to us for as long as you remain an applicant and/or service user. Following this your information will be retained for 6 years.

·       For applications which do not result in the use of our services, information is retained for 3 years.

·       Information held for marketing purposes will be stored for as long as you agree with your information being held for this purpose. We will review and refresh consent with you regularly.

Contracting and Living with us

Why are we collecting your information?

The information that you provide to us during routine enquiry channels such as via our website, other platforms for example Viva City Web Chat, in person, during a telephone call, during the contracting process or while you are staying with us, is required by Sanctuary for us to provide you with a requested service and meet our contractual obligations under your accommodation agreement.

 

We need to collect this information because without it we will not be able to provide you with accommodation services under your accommodation agreement. 

 

We may also use your information to improve the services you, and other customers, receive from us as well as for market intelligence purposes to enable us to target our marketing activities appropriately.

 

We will also use your contact details to keep you updated about other accommodation you may be interested in in the future unless you opt out of these marketing communications.

 

We also conduct customer research with a view to improving services. You can opt out by ticking the relevant box during the contracting process. You can also change your mind about marketing communications at any time. Please contact us if you would like to manage or update your marketing preferences.

 

What information are we collecting?

The information that you provide to us via our booking portal, in person, on forms or during any enquiry will be used to provide you with a service or accommodation.  The information we collect may include, for example:

 

·         Name, address and contact details

·         Date of Birth

·         NI number, Passport Number (if applicable)

·         Emergency contact details

·         Guarantor details (if applicable)

·         Student ID

·         Financial Information

·         Passport sized photograph (if applicable)

·         Direct Debit mandates (Keyworkers only)

·         “Right to Rent” documentation/evidence (if applicable)

·         Nationality

 

Some of the information which we collect will be special categories of personal data (also called sensitive personal data), which includes information about any relevant health conditions or specific needs that our staff should be aware of when delivering accommodation services for you. This information would also be used when considering, for example, any requests for adaptations, adjustments or specialist equipment and therapy pets.

As part of the contracting process, if applicable, we will direct you to our external electronic payment provider who will process payments as agreed in your accommodation services contract.

 

What is our lawful basis for using your information?

Under Article 6 of the UK GDPR, the lawful bases we rely on for processing this information are:

·         Performance of a contract.

·         Compliance with a legal obligation.

·         To protect the vital interests of an individual or third party

·         Our legitimate interests or that of a third party.

 

In accordance with Article 9 (UK GDPR) the condition we rely on for processing special categories of personal data is:

·         Explicit consent

 

Sharing your information

Members of Sanctuary Group

Sanctuary is made up of a number of related companies. We will share your information with other members of our Group where necessary in order to best provide accommodation services to you in accordance with the contract between us.

 

Your information will only be accessed by other Sanctuary Group companies where it is necessary to do so in order to provide services to you in accordance with your enquiry and any contract. The obligations which are set out in this notice shall apply to the other members of our Group to the same extent that they apply to us.

 

For more information on which companies make up Sanctuary, please go to About Sanctuary.

 

Contractors and sub-contractors

It may be necessary to share information about you with our contractors and sub-contractors in order to provide you with accommodation services in accordance with the contract between us.  We will only share information about you with contractors and sub-contractors which is relevant and necessary to address your individual needs and/or maintain the health and safety of personnel attending site.

 

Our contractors and sub-contractors will not share your information with any other parties and will only be able to use the information when completing work on our behalf.

 

Regulators and other legal obligations

We may also be required to share your information with our regulators who are permitted access to this information by law and with other organisations where we have a legal obligation to share the information with them.


Other organisations

We may from time to time share your information with other organisations, such as:

·         Partner organisations whom we have data sharing agreements with for example Universities/NHS Trusts/customer referral agencies acting on our behalf;

 

·         Utility companies so they can provide services to you and contact you in respect of utility charges (only if applicable);

     

·         Mail or parcel delivery organisations who have incomplete delivery address details in order to facilitate delivery of parcels addressed to you. If we utilise delivery notifications where you live, we share the required details, for example name, address and contact details, in order for us to provide this service.

 

Relevant organisations or provided emergency contacts may be contacted in instances where we have formed vital concerns that you may either be at immediate risk of harm or pose such a risk, for example: NHS crisis teams or mental health crisis teams; any educational institution with a legitimate interest; the police; and provided emergency contacts. Wherever possible we will inform you that we have made such a disclosure.

 

To assist the management of our contracts we may utilise debt recovery/deposit protection where applicable to enforce our payment rights for accommodation services provided. If applicable, we will also share information with your nominated guarantor.

Data processors and Transfers

To facilitate the delivery of services to you, information is shared with the following categories of data processors who process information on Sanctuary’s behalf:

·         Debt Collection Agencies

·         Payment Service Providers

·         Referencing Agencies

·         Software provider for technical IT system support.

 

We use a third-party processor, Campaign Monitor, for some of our email campaigns and we transfer your information to Campaign Monitor for the purpose of sending e-marketing and communication emails to you. Campaign Monitor is a global business that is headquartered in Australia and uses a data centre located in the United States of America, so their processing of your personal data will involve a transfer of data outside the UK.

Our payment platform provider, WPM, use sub-processors who are located outside of the UK. These sub-processors are located in the European Economic Area and the United States of America and support distribution, security and hosted data centres. If you use our payment platform provider, their processing of your personal data will involve a transfer of data outside the UK.

 

Whenever we or one of our data processors transfer your personal data outside of the UK in this way, we ensure a similar degree of protection is afforded to it by ensuring that specific contractual clauses are implemented which give personal data the same protection it has in the UK.

 

Please contact us if you want further information on the specific mechanism used when your personal data is transferred outside of the UK.


Storing your information and deleting it

We will not keep your personal data for longer than we need it or are required to by law. We will retain your information for 6 years following the end of your accommodation agreement.

Being a Guarantor

Why are we collecting your information?

You have indicated that you are willing to provide credit support (in the form of a Guarantee) to Sanctuary to enable us to provide student accommodation services to your relative, friend or contact.

 

The information that you provide us during the Guarantor process is required by Sanctuary for us to enter a legal contract of guarantee with you and meet the obligations of that contract.

 

Without this information we would not be able to enter a contract of guarantee with you.

 

Where applicable we may also receive your personal information indirectly, from universities for this purpose.

What information are we collecting?

We process the following information to set up and perform a contract of Guarantee between us:

 

·         Name

·         Address

·         Contact Details

·         Date of Birth

·         Proof of Address (for example a copy of a utility bill)

·         Financial Details

·         Signed deed of guarantee, which includes signature, witness signature and occupation details

 

What is our lawful basis for using your information?

Under Article 6 of the UK GDPR, the lawful bases we rely on for processing this information are:

(b) Performance of a contract

(f) Our legitimate interests or that of a third party

 

Sharing your information

Members of Sanctuary Group

Sanctuary is made up of a number of related companies. We will share your information with other members of our Group where necessary in order to best facilitate the contract between us.

 

Your information will only be accessed by other Sanctuary group companies where it is necessary in accordance with your contract. The obligations which are set out in this notice shall apply to the other members of our Group to the same extent that they apply to us.

 

For more information on which companies make up Sanctuary Group, please go to About Sanctuary.

 

Regulators and other legal obligations

We may also be required to share your information with our regulators who are permitted access to this information by law and with other organisations where we have a legal obligation to share the information with them.


Other organisations

We may from time to time share your information with other organisations, such as:

 

·         Partner organisations whom we have data sharing agreements with for example Universities and NHS Trusts.

Data processors and Transfers

To facilitate this process, information is shared with the following categories of data processors who process information on Sanctuary’s behalf:

 

·         Debt Collection Agencies – arrears management

·         Legal Partner – arrears management

·         Payment service providers

 

Our payment platform provider, WPM, use sub-processors who are located outside of the UK. These sub-processors are located in the European Economic Area and the United States of America and support distribution, security and hosted data centres. If you use our payment platform provider, their processing of your personal data will involve a transfer of data outside the UK.

 

Whenever we or one of our data processors transfer your personal data outside of the UK in this way, we ensure a similar degree of protection is afforded to it by ensuring that specific contractual clauses are implemented which give personal data the same protection it has in the UK.

 

Please contact us if you want further information on the specific mechanism used when your personal data is transferred outside of the UK.


Storing your information and deleting it

We will store the personal data which you provide to us for as long as your contract of Guarantee remains in place. Following settlement of the account this information will be retained for 6 years.

Video Surveillance (CCTV)

Why are we collecting your information?

Sanctuary uses Video Surveillance Management Systems (commonly known as CCTV) to help reduce the fear or threat of crime, to protect customers, staff, our premises, fixtures, fittings, and property.

Video surveillance images will be used to:

·         assist in the prevention and detection of crime;

·         facilitate the identification, apprehension and prosecution of offenders in relation to crime;

·         ensure the security of Sanctuary customers, employees, visitors and property;

·         facilitate appropriate door and site access;

·         reduce incidences of vandalism and criminal damage; and

·         enhance the feeling of security provided to customers, staff, and visitors.

What information are we collecting?

We collect and process video surveillance images. These images may reveal or enable the inference of special categories of data (also called sensitive personal data), such as any disability or health conditions, racial or ethnic origin as well as religious beliefs.

 

What is our lawful basis for using your information?

Under Article 6 of the UK GDPR, the lawful basis we rely on for processing this information is:

·         Our legitimate interests or that of a third party.

 

In accordance with Article 9 (UK GDPR) the condition we rely on for processing special categories of personal data is:

·         Reasons of substantial public interest.

Our basis in law is Section 10 of Schedule 1 of the Data Protection Act 2018, as the processing is necessary for the purposes of the prevention or detection of an unlawful act.

 

Sharing your information

Members of Sanctuary Group

Sanctuary Group is made up of several related companies. We will share your information with other members of Sanctuary Group where necessary to best provide the services to you.

 

For more information on which companies make up Sanctuary Group, please go to About Sanctuary.

 

Regulators and other legal obligations

We may also be required to share your information with our regulators who are permitted access to information by law and with other organisations where we have a legal obligation to share the information with them.


Other organisations

We may from time to time share your information with other organisations, such as:

 

·         insurance companies or solicitors, in connection with any claims where evidence of video surveillance footage is required.

 

Data processors and transfers

To facilitate this process, information is shared with the following categories of data processors who process information on Sanctuary’s behalf:

 

·         security companies that are responsible for on-site security and monitoring of surveillance footage (where applicable at specific sites).


 

Storing your information and deleting it

·       We will not keep your personal data for longer than we need it or are required to by law.

·       We retain video surveillance footage for 28 days at which point the information is automatically deleted.

General Enquiries

Why are we collecting your information?

To enable customers and the public to raise enquiries and/or seek information about our services.

 

If your enquiry relates to a service failure, the information that you provide will also be used for the purpose of improving our products and services.

 

What information are we collecting?

The information that we collect about you will include your name and contact details, and any other information which you provide to us via email, social media message, telephone, live chat or by completing an enquiry form from our website.

 

What is our lawful basis for using your information?

Under Article 6 of the UK GDPR, the lawful bases we rely on for processing this information are:

·         Our legitimate interests or that of a third party in enabling customers, residents and the public to engage with us on the services available, seek information and/or support.

 

Sharing your information

Members of Sanctuary Group

Sanctuary Group is made up of several related companies. We will share your information with other members of Sanctuary Group where necessary to answer or resolve your query.

 

For more information on which companies make up Sanctuary Group, please go to About Sanctuary.

 

Contractors and sub-contractors

It may be necessary to share information about you with our contractors and sub-contractors to resolve your enquiry, for example if you report a fault and require a repair. Our contractors and sub-contractors are contractually required to ensure that they adhere to the security requirements imposed by the Data Protection Act 2018 and the UK GDPR.

 

Our contractors and sub-contractors will not share your information with any other parties and will only be able to use the information when completing work on behalf of us.

 

Regulators and other legal obligations

We may also be required to share your information with our regulators who are permitted access to this information by law and with other organisations where we have a legal obligation to share the information with them.


Data processors and Transfers

To facilitate enquiries through our website and social media channels, the following categories of data processors may process information on Sanctuary’s behalf when providing technical IT support:

·         Website hosting partner

·         Software providers

We use a cloud-based social media aggregator platform to manage direct messages sent to our social media accounts. Technical support for the platform is based in Canada and the delivery of these services may involve a ‘restricted transfer’ under data protection law. Any transfer is made in accordance with Article 45 of the UK GDPR as Canada is deemed an ‘adequate’ country by the UK Government.

The platform also uses servers located in the United States of America to store information. This processing also constitutes a ‘restricted transfer’ under data protection law and is also made in accordance with Article 45 of the UK GDPR as the processing is in accordance with the UK-US data bridge.


Storing your information and deleting it

Following resolution of your enquiry, your information will be retained as outlined below:

·       Web forms submitted via our websites are retained for 30 days.

·       Social media private messages are retained for two weeks.

·       Emails are retained for a minimum of one year and are automatically deleted after three years.

·       Telephone recordings are retained for 30 days. Please note not all telephone calls are recorded.

·       Live chat logs are retained for two years.

Use of photos, videos, personal experiences

Why are we collecting your information?

Information you provide to us is voluntary and will be used to support our communication and marketing activities. This may include promotional materials, press releases, social media posts, case studies and corporate documents.

 

Our materials may be published internally within Sanctuary as well as externally to our residents, on our social media channels and our websites.

 

What information are we collecting?

We currently collect and process the following information:

 

·         Name

·         Age/Date of birth

·         Contact details including your email, phone number and your address; and

·         Photos, videos or audio recordings (if applicable)

·         Personal experiences (if applicable)

If you choose to provide it, some of the information which we collect may be special categories of personal data (also called sensitive personal data), which includes the following information:

 

·         Health-related information, including disability

·         Sexual orientation

·         Racial or ethnic origin; and

·         Religious beliefs

 

What is our lawful basis for using your information?

Under Article 6 of the UK GDPR, the lawful basis we rely on for processing this information is:

·         You have given your consent. You can remove your consent at any time by contacting communications@sanctuary.co.uk.

In accordance with Article 9 (UK GDPR) the condition we rely on for processing special categories of personal data is:

·         Explicit consent

Sharing your information

Members of Sanctuary Group

Sanctuary Group is made up of several related companies. We will share your information with other members of Sanctuary Group where necessary to facilitate our marketing and communication activities.

 

For more information on which companies make up Sanctuary Group, please go to About Sanctuary.

 

Contractors and sub-contractors

It may be necessary to share information about you with our contractors and sub-contractors, for example with an external design, website or digital agency, when creating our marketing materials. Our contractors and sub-contractors are contractually required to ensure that they adhere to the security requirements imposed by the Data Protection Act 2018 and the UK GDPR.

 

Our contractors and sub-contractors will not share your information with any other parties and will only be able to use the information when completing work on behalf of us.

 

Regulators and other legal obligations

We may also be required to share your information with our regulators who are permitted access to this information by law and with other organisations where we have a legal obligation to share the information with them.


Other organisations

With your consent we may from time to time share your images and information provided with our partners to support our communication and marketing activities.

 

 

Data processors and Transfers

To facilitate our communication and marketing activities, information is shared with the following categories of data processors who process information on Sanctuary’s behalf:

 

·         Photographers and videographers;

·         Website and digital agencies;

·         Marketing and PR agencies;

·         Media organisations;

·         Printing companies;

·         System providers (in circumstances of technical IT support)


Storing your information and deleting it

·       We will not keep your personal data for longer than we need it or are required to by law.

·       We will retain the information you provide for 5 years, unless you contact us to withdraw consent earlier than this date.

·       We may from time to time seek to ‘refresh’ your consent, at which point we would retain your information for a further 5 years from the date consent was refreshed.

Data Subjects Rights Requests

Why are we collecting your information?

 Data protection laws aim to empower individuals and give them greater control over their personal data through several rights including:

·         Right of access – referred to by Sanctuary as a DSAR (Data Subject Access Request), gives individuals the right to obtain a copy of their personal data from us, as well as other supplementary information.

·         Right to rectification – to have inaccurate personal data rectified, or completed if it is incomplete. This right is not absolute and in certain circumstances we can refuse a rectification request.

·         Right to erasure – the right to have their personal data erased. This right is not absolute and in certain circumstances we can refuse an erasure request.

·         Right to restrict processing – to restrict the processing of their personal data. For example, Sanctuary could continue to store personal data but not use it. This right is not absolute and in certain circumstances we can refuse a request.

·         Right to data portability – to obtain and reuse their personal data for their own purposes across different services. The right only applies to information an individual has provided to Sanctuary and where the lawful basis for processing is consent or performance of a contract. Paper records are excluded from this right.

·         Right to object – the right to object to the processing of their personal data in certain circumstances. Individuals have an absolute right to stop their data being used for direct marketing. The right effectively allows individuals to stop or prevent organisations from processing their personal data, though is not absolute and in certain circumstances we do not have to comply.

·         Rights related to automated decision making and profiling – restricts organisations from making solely automated decisions, by enabling individuals to request human intervention or challenge a decision that has been made.

Sanctuary is committed to protecting the rights of data subjects and ensuring compliance with all applicable data protection laws in the UK. The information we collect and process will be used to administer your data subject rights request.


What information are we collecting?

 To facilitate your request, we will collect and process the following information:

 

·         Name

·         Contact details, such as address, email address and telephone number

·         Identification documentation

·         Details of the scope of request

·         Third party authority data (where applicable)

 

What is our lawful basis for using your information?

Under Article 6 of the UK GDPR, the lawful basis we rely on for processing this information is:

·         Compliance with a legal obligation – using your information is necessary for us to comply with a legal obligation to which we are subject in accordance with UK data protection law.

 

Sharing your information

Members of Sanctuary Group

Sanctuary Group is made up of several related companies. We will share your information with other members of Sanctuary Group where necessary to facilitate your request.

 

For more information on which companies make up Sanctuary Group, please go to About Sanctuary.

Regulators and other legal obligations

We may also be required to share your information with our regulators who are permitted access to this information by law and with other organisations where we have a legal obligation to share the information with them, for example if you raise a complaint with the Information Commissioner’s Office about the handling of your request.


Other organisations

We may share your information with other organisations where relevant in order to comply with your request for erasure, restriction, objection or rectification where we had previously shared that information with our partner organisations.


Storing your information and deleting it 

·       We will not keep your personal data for longer than we need it or are required to by law. 

·       Following completion of your request or any subsequent complaint to the Information Commissioner’s Office, the case file will be retained for one year before deletion.

HR Recruitment

Why are we collecting your information?

The information that you provide to us via our online recruitment portal, on your application form, curriculum vitae and covering letter and any other communications between us in connection with your application, is required by Sanctuary for us to process your application appropriately and in line with current legislation. Without this information, we will not be able to consider your application.


We would also like to contact you in relation to other career opportunities we think you may be interested in after creating your Sanctuary profile. This is voluntary, but if you consent, when creating a profile or submitting an application we will use contact details provided by you for this purpose. If you do not want to be informed of any career opportunities, please leave the ‘Opt-In if you would like to receive Marketing e-mails about future job opportunities’ box unticked.


We would also like to inform you about new job posting notifications through the job alert function. This is voluntary, but if you consent, you can create job alerts based on key words and locations of your choosing when creating your profile or at any point afterwards. If you do not want to be informed of any job alerts, please leave the ‘Opt-In if you would like a Job Alert automatically created’ box unticked.


You can manage and update your marketing preferences at any time via your profile.

We may also collect information that is relevant to your application via a third party you have provided information to, such as:

·         Recruitment agencies

·         Apprenticeship organisations

·         Online recruitment services, such as Indeed.com

·         Social media sites, such as LinkedIn


What information are we collecting?

The below sets out what data we require during the recruitment process depending on the terms of your employment and whether you are already employed at Sanctuary or not.

Some of the information which we collect will be special categories of personal data (also called sensitive personal data), such as information about any disability you may have. You need to be aware that we will use this information to ensure we deliver services to you in an appropriate manner. An understanding of your personal situation and individual needs will allow us to provide a tailored service that meets any physical or cultural needs that you may have.


Existing employee being recruited into a new role

Application Stage

·         Name and contact details

·         Employee ID

·         Right to work – screening question about whether you have the right to work in the UK (“Yes/No” question. Documents not provided at this stage)

·         Criminal conviction results – screening question about whether you have any cautions or convictions

·         Adjustments needed if applicable (Sanctuary Group is committed to ensuring that our recruitment processes are barrier-free and as inclusive as possible to everyone. This includes making adjustments for people who have a disability or long-term condition. If you would like us to do anything differently during the application process, please provide details)

·         Employment history

·         Education and training history

·         CV/Resume

·         Driving Licence – screening question about whether you hold a valid licence

Offer Stage

·         Employee ID

·         Job title

·         Criminal conviction results

·         Full employment history

Offer Stage (if criminal records check required)

·         Driving licence details

·         5-year address history

·         Previous names

·         DBS Supporting Documentation


Prospective employees

Application Stage

·         Name and contact details

·         Right to work – screening question about whether you have the right to work in the UK (“Yes/No” question. Documents not provided at this stage)

·         Criminal conviction results – screening question about whether you have any cautions or convictions

·         Health conditions including disability – screening question in relation to fitness for work

·         Adjustments needed if applicable (Sanctuary Group is committed to ensuring that our recruitment processes are barrier-free and as inclusive as possible to everyone. This includes making adjustments for people who have a disability or long-term condition. If you would like us to do anything differently during the application process, please provide details)

·         Employment history

·         Education and training history

·         CV/Resume

Offer Stage

·         Name and contact details

·         Date of birth

·         Gender and gender identity

·         Identification documentation

·         National Insurance number

·         Nationality

·         Country of birth

·         Right to work documentation

·         Right to work share code

·         Immigration/right to work status

·         Bank details

·         Relationship status

·         Criminal conviction results

·         Health conditions including disability – screening question in relation to fitness for work

·         Facial biometric data (British and Irish citizens only)

·         Racial or ethnic origin

·         Religious or philosophical beliefs

·         Sexual orientation

·         Title

·         Disability Group

·         Evacuation Plan

·         Emergency Contact

·         Referee details

·         Full employment history

·         Gender Pronouns

Offer Stage (if criminal records check required)

·         Mother’s maiden name

·         Town of birth

·         Driving licence details

·         5-year address history

·         Previous names

·         DBS Supporting Documentation


What is our lawful basis for using your information?

Under Article 6 of the UK GDPR, the lawful bases we rely on for processing this information are:

(a)    You have given your consent – for us to contact you about other opportunities and provide job alerts to you via your communication preferences in your profile. You can amend your settings in your profile to remove your consent at any time.

·         When logged into your candidate profile, there is a field ‘Opt-In if you would like to receive marketing e-mails about future job opportunities’ where the tick box can be amended (ticked/unticked).

·         For job alerts, you can go into the job alerts section and delete/dustbin any job alerts that have been set up.

·         You can also e-mail dataprotection@sanctuary.co.uk to revoke your consent.

(b)   Performance of a contract – using your information in this way is necessary for us to consider entering into a contract of employment with you, subject to the recruitment process.

(c)    Compliance with a legal obligation – using your information is necessary for us to comply with a legal obligation to which we are subject, in accordance with UK employment laws as an employer and as a provider of care and support services.

 

In accordance with Article 9 (UK GDPR) the condition we rely on for processing special categories of personal data is:

(a)    Explicit Consent – facial biometric data

(b)    Employment, social security and social protection.

 

Our basis in Law is Section 1(a) of Schedule 1, of the Data Protection Act 2018 as the processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection. Collecting this information is necessary to use that information for carrying out our obligations and rights relating to your prospective employment with us.

Sharing your information

Members of Sanctuary Group

 Sanctuary Group is made up of several related companies. We will share your information with other members of Sanctuary Group where necessary to facilitate the recruitment process.

 

For more information on which companies make up Sanctuary Group, please go to About Sanctuary.

Regulators and other legal obligations

We may also be required to share your information with our regulators who are permitted access to this information by law and with other organisations where we have a legal obligation to share the information with them.

 

Other organisations

We may from time to time share your information with other organisations, such as: 

·         Disclosure and Barring Service and/or Disclosure Scotland

·         Digital right to work check provider – to process digital right to work checks (British and Irish citizens only)

Data processors and Transfers

To facilitate the delivery of services to you, information is shared with the following categories of data processors who process information on Sanctuary’s behalf: 

·         DBS check facilitation service – to process checks for criminal convictions to ensure suitability for roles.

·         References processor – to process reference checks for new starters.

We also use a third-party processor, for technical IT support with our internal systems, who may transfer your data outside the UK to India.


We use a third-party processor, for integration from applications sent via Indeed who transfer your data to us via the United States of America.


These transfers are made in accordance with Article 46 of the UK GDPR as we have ensured a similar degree of protection is afforded to it through our processor implementing an International Data Transfer Agreement.


For further information on the safeguards implemented, or to access a copy please email dataprotection@sanctuary.co.uk.

 

Storing your information and deleting it

 

We will not keep your personal data for longer than we need it or are required to by law.

 

Any personal data held in connection with your application will be stored while the application is active, and for a maximum of 12 months after an application has been closed, after which point it will be anonymised. Thereafter application information may be retained on Sanctuary’s systems anonymously in accordance with UK legal and regulatory requirements.

 

Any personal data held on your candidate profile will be stored while your profile is active and automatically deleted after 12 months of inactivity.

 

If you are interviewed but are not successful with your application, your interview data will be deleted after 6 months from the date of your interview.

 

You can delete your candidate profile at any time by logging into your account, going to ‘Options > Settings’ and clicking the ‘Delete Profile’ button.

HR Appointment

Why are we collecting your information?

 

The information that is provided to us during your appointment (including that obtained as part of the recruitment process), or whilst you are engaged by us as an employee, contractor or worker is required by Sanctuary for us to enter into and perform a contract of employment or services with you. Without this information, we will not be able to offer and enter a contract with you.

The information you provide to us will be used for the following purposes:

·         managing your appointment and employment with us, including the performance of our obligations and the exercise of our rights under your contract of employment or service with us;

·         it will allow us to provide services and facilities which are tailored to your needs;

·         monitoring and compliance purposes in line with our legal obligations (including our legal obligations as an employer);

·         monitor your business and personal use of our information and communication systems to ensure compliance with our Acceptable Usage Policy and Procedure. This includes login and logoff times and any emails or other communications you send or receive in the course of your duties;

·         it will allow us to ensure information and network security, including preventing unauthorised access to our computer and electronic communication systems and preventing malicious software distribution;

·         collect health information as part of the new starter process and when required to ensure the health and safety of all of our staff and residents. For example,

a.)    we may ask you about any disabilities you have, so that we can make reasonable adjustments to assist you in your role

b.)    during or after a period of illness we may ask for information as part of a return-to-work assessment 

c.)    make decisions and offer support in the event of illness or a health issue, including determining your fitness for the role and making adjustments to support you at work;

d.)    collect information which you provide to us as part of any health review or claim, including occupational health and ergonomics assessments where relevant to your role;

·         understanding of your personal situation and individual needs to enable us to provide a tailored service that meets any physical or cultural needs that you may have;

·         improve our overall employee experience, by improving our HR policies, procedures and our operating model. This includes collecting data from any online surveys you choose to complete (e.g. communications, engagement, leavers) – please refer to our separate Privacy Statement on Staff Surveys for further information;

·         to contact you for the purpose of communicating emergency information in a critical incident (e.g. cyber-attack, total network loss or pandemic);

·         so we can send you information about your employment (e.g. benefit schemes, pension, electronic payslips, staff surveys, ID badges);

·         occasionally, where technical information is being delivered or where there is a legitimate business need, we will record meetings and presentations that use MS Teams, Zoom or similar technologies (we will notify you in advance if a meeting will be recorded and will offer options for those attendees who would rather not participate in a recorded session); 

·         for HR systems training purposes;

·         collect recordings of Automated Call Distribution (ACD) user telephone calls (both internal and external) for training and monitoring purposes;

·         to maintain the security, health and safety of all our staff and service users by:

a.)    collecting photographs for use on staff ID cards

b.)    collecting data from door access systems;

·         collecting equalities data is part of Sanctuary’s Equality Strategy: Inclusion for All and is therefore a core element of governance and making sure that we listen and respond to your needs, promote your interests and enhance trust within our community. Before or during your employment Sanctuary may invite you to share data on your diversity characteristics. These can be provided on a voluntary basis, and you can update or remove them via MySanctuary at any time;

 ·         to allow us to communicate with you in the most appropriate way. For example, we can provide documents in large print if needed.

The below sets out what further data we may require to manage your appointment by various role types.

Lone workers, peripatetic workers, and maintenance operatives

·         track your location using GPS technology, to ensure efficient use of vehicles and the safety of lone workers

·         monitor the movement of company mobile phones and/or mobile devices to ensure lone worker safety

Company car users and/or expense claimants

collect information to verify driver eligibility before using a company vehicle or making an expense claim for mileage. For example,

·         Driver’s license details including:

a.     License categories

b.     License restrictions

·         Driving offences that are civil offence data

·         Health-related information

·         Driving offences that are criminal offence data

We may also receive personal information indirectly, from the following sources in certain circumstances:

·         Recruitment agency

·         Referee

·         Disclosure & Barring Service (DBS)

·         Disclosure Scotland

 

What information are we collecting?

 

To facilitate the purposes detailed in section 4 we collect the following information:

 

·         Name and contact details

·         Date of birth

·         National Insurance number

·         Nationality

·         Country of birth

·         Bank details

·         Relationship status

·         Emergency contact details

·         Next of kin details

·         Training records

·         Staff survey responses

·         Photograph

·         Door access information

·         Communication preferences

·         Information and communication systems usage

·         Employment performance information

 

Where applicable we collect work eligibility data to ensure compliance with legal and regulatory requirements. This information allows us to verify employees’ suitability for specific roles, maintain a safe working environment, and meet industry standards. This includes the following information:

 

·         ID documents for visa checks (British and Irish citizens only)

·         Right to work status, documentation and share code

·         Supporting documentation and information for DBS checks (including 3-year DBS re-check)

·         Criminal conviction check results

·         Role-specific qualifications and registrations

 

Some of the information which we collect will be special categories of personal data (also called sensitive personal data), which includes the following information:

 

·         Health data, including disability

·         Trade union membership

·         Gender and gender identity data

·         Racial or ethnic origin

·         Religious or philosophical beliefs

·         Sexual orientation

 

What is our lawful basis for using your information?

 

Under Article 6 of the UK GDPR, the lawful bases we rely on for processing this information are:

a)    Performance of a contract – using your information in this way is necessary for us to perform the employment or services contract in place between us and in order to take steps at the request of you prior to entering into the contract.

b)    Compliance with a legal obligation – using your information is necessary for us to comply with legal obligations to which we are subject, in accordance with the UK employment laws as an employer and as a provider of care and support services.

c)    Legitimate interests – using your information is necessary for the purposes of our legitimate interests for communicating emergency information in a critical incident and for collecting data from any online surveys you choose to complete.

In accordance with Article 9 (UK GDPR) the condition we rely on for processing special categories of personal data is:

a)    Explicit consent to process your equality and diversity data. You can manage this information via MySanctuary and remove at any time. You are also able to remove your consent at any time by contacting HRDO@sanctuary.co.uk.

b)    Employment, social security and social protection

Our basis in Law is Section 1(a) of Schedule 1, of the Data Protection Act 2018 as the processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection.

Sharing your information

Members of Sanctuary Group

 Sanctuary Group is made up of several related companies. We will share your information with other members of Sanctuary Group where necessary to best provide the services to you.

 

For more information on which companies make up Sanctuary Group, please go to About Sanctuary.

 

Regulators and other legal obligations

We may also be required to share your information with our regulators who are permitted access to this information by law and with other organisations where we have a legal obligation to share the information with them.

 

Other organisations

We may from time to time share your information with other organisations, such as:

 

·         pension companies, for the purpose of managing retirement savings schemes related to your appointment;

·         benefit companies, for the purpose of managing employee benefit schemes related to your appointment;

·         occupational health and insurance companies/brokers, for the purpose of managing health related issues and policies relating to your appointment; it may be necessary to provide our occupational health provider with your contact details in order for a health questionnaire to be sent to you following your appointment;

·         we may need to provide insurance companies with information about your health, to comply with employment related insurance policy terms;

·         training companies, colleges and funding/awarding bodies, for the purpose of providing learning and development during the course of your employment;

·         future employers, for the purpose of providing factual references;

·         recruitment companies, for the purpose of managing your appointment;

·         debt collection agencies, for the purpose of obtaining outstanding monies in relation to your appointment;

·         fleet management companies, for the purpose of managing, maintaining and servicing company provided vehicles;

·         solicitors, advocates and trade union representatives, for the purpose of dealing with legal issues in relation to your appointment;

·         safeguarding organisations and emergency services for the purpose of protecting our staff and residents;

·         the police for the purpose of detection and prevention of crime; and

·         organisations with a function of auditing and/or administering public funds for the purpose of detection and prevention of fraud.

·         Home Office, to check a prospective employee’s/employee’s immigration or right to work status

·         DBS (Disclosure & Barring Service) and/or Disclosure Scotland, to carry out DBS checks.

·         the Driver and Vehicle Licensing Agency (DVLA) for checking employee eligibility to drive

·         Vehicle and Operator Services Agency (VOSA) for the safe and legal operation of the Group’s vehicles.

Data processors and Transfers

To facilitate the appointment process, information is shared with the following categories of data processors who process information on Sanctuary’s behalf:

 

·         DBS check facilitation service – to process checks for criminal convictions to ensure suitability for roles.

·         References processor – to process reference checks for new starters.

·         Driving licence check facilitation service – for the purpose of collecting the driving licence information from the DVLA.

·         digital right to work check provider – to process digital right to work checks (British and Irish citizens only)

·         vehicle suppliers for the delivery and collection of vehicles.

·         companies producing benchmarking information to enable Sanctuary to obtain market data to make decisions in relation to your appointment

·         mail fulfilment companies, for the purpose of printing and dispatching communications and ID or service badges related to your appointment

·         engagement companies, for the purpose of undertaking staff surveys and seeking feedback on the organisation;

 

Whenever we transfer your personal data out of the UK in this way, we ensure a similar degree of protection is afforded to it by ensuring that we rely on an adequacy decision, and/or use specific contract clauses which give personal data the same protection it has under UK law.

 

We use a third-party processor, for technical IT support with our internal systems, who may transfer your data outside the UK to India.

This transfer is made in accordance with Article 46 of the UK GDPR as we have ensured a similar degree of protection is afforded to it through our processor implementing an International Data Transfer Agreement.

For further information on the safeguards implemented, or to access a copy please email dataprotection@sanctuary.co.uk.

 

Storing your information and deleting it

We will not keep your personal data for longer than we need it or are required to by law.

 

Once you are no longer working for us, we will review the information which we hold concerning you and determine whether there are any reasons why we need to continue holding that information. For example, it may be necessary to retain information about you in order to manage income tax and national insurance queries or provide earnings details to pension schemes. Once the identified purpose comes to an end, unless there is another identifiable purpose for which it is necessary to hold on to your information, we will delete your information.

 

Recordings of ACD users’ calls will be kept for a period of 30 days for the purpose of staff training and development and will be deleted after this time.

 

From the employment end date, your employee file will be kept for 6 years.

 

From the employment end date, information contained in your employee file that relates to employer’s liability (i.e. training records, absence records, medical records relating to work related illness/accident) will be kept for 40 years.

 

From the employment end date, information related to driver’s licenses, expense claims and benefits will be retained for 6 years following the purpose it was used for.

Agency workers

Why are we collecting your information?

 The information provided to us by your agency during your assignment (including that obtained during the recruitment process) is necessary for us to facilitate your assignment as a worker. This information is required for us to manage and perform the services you provide. Without this information, we will not be able to facilitate your assignment with us.

 

We collect personal data about agency workers during recruitment and assignment to manage our business operations effectively, comply with legal and regulatory obligations, and maintain a safe work environment. Specifically, we need this information to:

·         Verify identity and right to work

·         Facilitate recruitment and payroll processes

·         Meet legal and regulatory compliance requirements

·         Ensure workplace health and safety, and security

We may also collect information that is relevant to your application via a third party you have provided information to, such as:

·         Recruitment agencies

What information are we collecting?

The information that we are collecting about you is information which is provided to us during the course of your assignment, including that obtained as part of the recruitment process and information provided by you whilst you are engaged by us as an agency worker. The list below sets out what data we require:

·         Name

·         Contact details

·         Gender

·         Job title

·         Date of birth

·         Right to work information including status, share code, visa type, expiry date and a copy of the right to work document

·         Training history

·         Qualification certificates

·         References

·         Photograph for identification purposes

·         Criminal conviction details including date of last DBS/PVG check and DBS/PVG number

·         Health conditions screening question in relation to fitness for work

·         Car insurance (if applicable)

·         Driving license (if applicable)

·         Student term time dates (if applicable)

What is our lawful basis for using your information?

 Under Article 6 of the UK GDPR, the lawful bases we rely on for processing this information are:

(c)    Compliance with a legal obligation – using your information is necessary for us to comply with a legal obligation to which we are subject, in accordance with UK employment laws as an employer and as a provider of care and support services.

(f)     Legitimate interests – using your information (including that obtained during the recruitment process and during your assignment) is necessary for the purposes of our legitimate interests in facilitating your assignment as a worker. This processing is essential for managing and performing the services you provide. Without this information, we would be unable to facilitate your assignment with us.

In accordance with Article 9 (UK GDPR) the condition we rely on for processing special categories of personal data is:

(b)  Employment, social security and social protection

Our basis in Law is Section 1(a) of Schedule 1, of the Data Protection Act 2018 as the processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection.

Sharing your information

Members of Sanctuary Group

Sanctuary Group is made up of several related companies. We will share your information with other members of Sanctuary Group where necessary to best provide the services to you.

For more information on which companies make up Sanctuary Group, please go to About Sanctuary.

Regulators and other legal obligations

We may also be required to share your information with our regulators who are permitted access to this information by law and with other organisations where we have a legal obligation to share the information with them.

Data processors and Transfers

To facilitate your assignment, information may be shared with our HR platform provider for the purpose of technical system support.

We also use a third-party processor, for technical IT support with our internal systems, who may transfer your data outside the UK to India.

These transfers are made in accordance with Article 46 of the UK GDPR as we have ensured a similar degree of protection is afforded to it through our processor implementing an International Data Transfer Agreement.

For further information on the safeguards implemented, or to access a copy, please email dataprotection@sanctuary.co.uk.

Storing your information and deleting it

We will not keep your personal data for longer than we need it or are required to by law.

Any personal data held in connection with your agency work will be retained for up to 6 years after the end of the assignment.

Apprenticeships

Why are we collecting your information?

 Sanctuary’s award-winning apprenticeship programme offers apprentices and staff the chance to study for a practical qualification while contributing to the success of a fast-paced, constantly evolving organisation.

An apprenticeship is a programme of learning that takes place in the work environment and depending on the programme, at college, where a learner will gain experience and skills in their chosen sector.

The information that is provided to us during the course of the apprenticeship recruitment process is required by Sanctuary in order for us to determine if you are eligible to undertake an apprenticeship programme. Without this information, we will not be able to offer and enter into an apprenticeship contract with you.

We may also receive personal information indirectly, from the following sources in certain circumstances:

·         Learning providers – to provide updates on progress of qualifications and to support the sign-up process

What information are we collecting?

During the apprenticeship recruitment process we will collect and process the following information:

·         Name and contact details

·         Date of birth

·         Nationality

·         Gender

·         Unique learner number

·         Qualifications

Some of the information which we collect will be special categories of personal data (also called sensitive personal data), which includes the following information:

·         Ethnicity

What is our lawful basis for using your information?

Under Article 6 of the UK GDPR, the lawful bases we rely on for processing this information are:

(b)  Performance of a contract.

In accordance with Article 9 (UK GDPR) the condition we rely on for processing special categories of personal data is:

(b)  Employment, social security and social protection

Our basis in law is Section 1(a) of Schedule 1 of the Data Protection Act 2018, as the processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection.

Sharing your information

Members of Sanctuary Group

Sanctuary Group is made up of several related companies. We will share your information with other members of Sanctuary Group where necessary to best provide the services to you.

For more information on which companies make up Sanctuary Group, please go to About Sanctuary.

Regulators and other legal obligations

We may also be required to share your information with our regulators who are permitted access to this information by law and with other organisations where we have a legal obligation to share the information with them.

Other organisations

We may from time to time share your information with other organisations, such as:

·         Learning provider to identify learner and support the sign-up process

·         Digital Apprenticeship Service to receive learner details of new apprentices

We use a third-party processor, for technical IT support with our internal systems, who may transfer your data outside the UK to India.

This transfer is made in accordance with Article 46 of the UK GDPR as we have ensured a similar degree of protection is afforded to it through our processor implementing an International Data Transfer Agreement.

For further information on the safeguards implemented, or to access a copy, please email dataprotection@sanctuary.co.uk.

Storing your information and deleting it

We will not keep your personal data for longer than we need it or are required to by law.

We keep the information outlined in section five of this notice for six years following the end of your apprenticeship.

Can we use your information for any other purpose? 

In limited circumstances, we may use your information for a purpose other than those set out in this policy. If we intend to do so, we will provide you with information relating to that other purpose before using it for the new purpose. 


Security and your rights

Security of your information

The information that you provide will be stored securely. Our technological and organisational security measures and procedures reflect the seriousness we attach to the confidentiality, integrity and availability of your information.

Only relevant members of staff will access the information you provide to us. 

Your rights

In relation to the information which we hold about you, you are entitled to:

  • Ask us for access to the information;

  • Ask us to rectify the information where it is inaccurate or is incomplete;

  • Ask us to erase the information and take steps to ask others who we have shared your information with to also erase it;

  • Ask us to limit and restrict what we do with your information;

  • Object to our use of your information and ask us to stop that use;

  • Ask us to provide the data you have provided us in a structured, commonly used, and machine-readable format (for example, a CSV file) in order to transmit the data to another data controller.

Our obligations to comply with the above rights are subject to certain exemptions.

To exercise any of the rights referred to above, you should contact our Data Protection Officer by writing to The Data Protection Officer, Sanctuary House, Chamber Court, Castle Street, Worcester, Worcestershire, WR1 3ZQ or emailing dataprotection@sanctuary.co.uk.

How to complain

If you have any concerns about our use of your personal information, you can contact our Data Protection Team on dataprotection@sanctuary.co.uk.

You also have the right to complain to the Information Commissioner's Office (the ‘ICO’) if you are not satisfied with the way we use your information. You can contact the ICO by writing to Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
