Privacy Policy
|
Company |
Vantage Staffing Solutions Ltd (trading as Nexus24 Healthcare) |
|
Contact email |
info@nexus24healthcare.co.uk |
|
Policy purpose |
To explain how personal data is collected, used, shared, stored and protected |
|
Primary laws |
UK GDPR, Data Protection Act 2018 and PECR where applicable |
This policy should be read together with the website Cookies Policy and any candidate, worker or client-facing data collection notices used during recruitment, onboarding and placement administration.
1. Purpose and scope
This Privacy Policy explains how Vantage Staffing Solutions Ltd, trading as Nexus24 Healthcare, collects, uses, stores, shares and protects personal data when operating as a healthcare staffing and recruitment business in the United Kingdom. It is written for website publication and is intended to cover personal data relating to job applicants, temporary workers, contractors, referees, client contacts, supplier contacts, website users and other individuals whose information we process in the course of providing staffing services.
We recognise that, as a healthcare staffing business, some of the information we handle can be sensitive. Our aim is to process personal data lawfully, fairly and transparently, to collect only what is genuinely needed for legitimate recruitment and staffing purposes, and to protect that information through appropriate technical and organisational measures.
2. Data controller
Vantage Staffing Solutions Ltd is the data controller for the personal data covered by this policy. In practical terms, this means the company decides why and how the personal data described in this policy is processed.
Trading name: Nexus24 Healthcare
Contact email: info@nexus24healthcare.co.uk
If you contact us about a data protection matter, please provide enough information for us to identify you and understand the request. We may need to ask for proof of identity before disclosing personal data or actioning certain rights requests.
3. The types of personal data we may collect
We may collect and process identification and contact data such as your name, title, postal address, email address, telephone number, date of birth and emergency contact details.
We may collect recruitment and employment-related data such as CVs, work history, training records, qualifications, professional registrations, appraisal information, interview notes, right to work documentation, references, shift availability, placement history, timesheets, payroll details and records needed to assess suitability for particular roles.
We may collect compliance and screening information such as proof of identity, DBS or other vetting information where lawful, occupational health information where relevant to placement decisions, immunisation information where required by a client or assignment, and records demonstrating compliance with client, legal or framework requirements.
We may collect financial data such as bank account details, payment information, invoice-related data and records needed for payroll, pensions, statutory payments, audit and tax purposes.
We may collect website and communications data such as IP address, browser information, device information, pages visited, cookie preferences, messages sent through forms, email correspondence, call notes and records of enquiries, complaints or incidents.
We may also receive information from third parties including referees, former employers, professional regulators, identity verification providers, disclosure services, umbrella companies, payroll partners, clients, public registers and sanctions or right to work checking services where this is lawful and relevant.
4. Special category data and criminal offence data
Some data we process may fall within the UK GDPR’s special category data rules, for example health information, occupational health information, disability information, equal opportunities monitoring data, religion where relevant to accommodation or workplace needs, or trade union information where relevant to payroll deductions or employment rights. In a healthcare staffing context, this can also include immunisation information, fit notes, restrictions, reasonable adjustment information and other role-related health data.
We may also process criminal offence data, including DBS certificate information or status information, where the role, client requirement, law or safeguarding context makes such checks necessary. We do not process this type of information casually. It is handled only where there is a valid legal basis, an additional lawful condition where required, and an operational need connected to safe recruitment, safeguarding, placement or compliance.
5. How we collect personal data
We collect personal data directly from you when you complete forms, send us your CV, apply for work, speak to us by telephone, email us, use our website, attend interview, complete onboarding documents, submit compliance evidence, work assignments, timesheets or payroll documents, or otherwise interact with us.
We may collect personal data indirectly from clients, managed service providers, job boards, referees, background screening providers, right to work verification systems, professional registration bodies, training providers, public sources and compliance systems that support lawful recruitment and staffing activities.
In some cases, we may generate personal data ourselves, for example interview notes, compliance review notes, audit logs, assignment records, incident logs, payroll calculations, communications histories and records of decisions taken about role suitability or restrictions.
6. Why we use personal data
We use personal data to operate our recruitment and staffing services, including identifying suitable candidates, communicating about opportunities, assessing compliance, onboarding workers, arranging placements, matching workers to suitable assignments, managing shifts, operating payroll and invoicing, maintaining client relationships, responding to enquiries and administering our business.
We also use personal data to meet legal, regulatory and contractual obligations, including right to work checks, safeguarding-related requirements, anti-fraud measures, tax and accounting requirements, professional registration verification, complaint handling, incident management, insurance reporting, audit, record retention and the defence or exercise of legal claims.
Where appropriate, we may use limited data for service improvement, business administration, systems security, website analytics, planning, internal reporting and to send business communications that are relevant to our services, subject always to applicable privacy and electronic marketing rules.
7. Lawful bases for processing
We do not rely on a single lawful basis for all processing. The lawful basis depends on the activity and the relationship involved. Typical lawful bases are set out below.
|
Activity |
Typical lawful basis under Article 6 UK GDPR |
Additional condition where sensitive data is involved |
|
Candidate registration, suitability assessment and work matching |
Legitimate interests; steps at the request of the data subject prior to entering a contract; contract where engagement proceeds |
Employment, social security and social protection condition and/or health or social care management condition may apply where relevant health/compliance data is required |
|
Right to work, identity, registration and compliance checks |
Legal obligation; legitimate interests |
Substantial public interest, employment law, safeguarding or health/social care-related conditions may apply depending on the check |
|
Placements, timesheets, payroll and payment administration |
Contract; legal obligation |
Employment and social security condition where relevant |
|
Safeguarding, risk management, incidents and complaints |
Legal obligation; legitimate interests; vital interests in urgent cases |
Substantial public interest and/or vital interests where applicable |
|
Client relationship management and service delivery |
Contract; legitimate interests |
Usually not applicable, unless limited sensitive data is needed for safe staffing decisions |
|
Website security, core functionality and essential analytics |
Legitimate interests; consent where required for non-essential cookies or tracking |
Not usually applicable |
8. Who we may share personal data with
We may share personal data with clients, framework operators, managed service providers and end hirers where this is necessary to introduce, assess, place, manage or pay workers, or to comply with client due diligence requirements. The information shared will depend on the stage and purpose involved. For example, before a placement we may share CV details, work history, availability, qualifications, training and compliance status; after placement we may share assignment-related records such as timesheets, incident information and billing data.
We may share data with payroll providers, pension providers, accountants, banks, insurers, IT providers, compliance platform providers, document storage providers, identity verification providers, background screening providers, right to work checking providers, legal advisers and other carefully selected processors who support our business operations under contractual confidentiality and data protection controls.
We may disclose information where required or justified by law, court order, regulator request, safeguarding concern, police request, fraud prevention need, insurance matter, legal claim or where disclosure is otherwise necessary to protect individuals, the public, our staff or the business.
9. International transfers
We aim to store and process personal data within the UK or countries that provide an adequate level of protection. Where a supplier or system involves a transfer of personal data outside the UK, we will seek to ensure that appropriate safeguards are in place, such as adequacy regulations, standard contractual clauses, provider commitments and security controls proportionate to the risk.
Not every service we use will involve an international transfer, and the transfer position may vary depending on the software or processor in use at the time. We will review this as part of our supplier due diligence and contractual controls.
10. Data retention
We do not keep personal data for longer than is reasonably necessary. Retention periods depend on the nature of the record, the relationship involved, legal requirements, limitation periods, safeguarding expectations, tax and payroll rules, evidential needs and client or framework audit requirements.
As a general approach, candidate and worker records may be retained for a reasonable period after the end of the relationship so that we can deal with repeat work enquiries, disputes, audits, legal claims and regulatory matters. Payroll, tax and accounting records may be retained for longer where law requires it. Right to work evidence must be retained for the duration of employment or engagement and for a further period afterwards where the applicable rules require this.
When retention periods expire, information should be securely deleted, anonymised or destroyed unless there is a lawful reason to retain it longer, such as an ongoing complaint, claim, litigation hold, safeguarding matter, audit or investigation.
11. Illustrative retention schedule
The table below is an indicative operational guide. Actual retention may vary where law, client contracts, safeguarding requirements, insurance obligations, ongoing disputes or regulatory expectations justify a different period.
|
Record type |
Typical retention approach |
Notes |
|
Candidate registration, CV and screening records |
Usually kept while the relationship remains active and for a reasonable period afterwards |
Needed for repeat work enquiries, audit trail and dispute handling |
|
Compliance documents such as ID, right to work and qualification evidence |
Kept in line with legal, client and audit requirements |
Some records may need longer retention where placement or regulatory evidence is required |
|
Timesheets, payroll, pension and tax records |
Retained in line with payroll, tax and accounting obligations |
May be required for HMRC, pension, audit and financial recordkeeping purposes |
|
Complaint, safeguarding or incident records |
Retained for as long as reasonably necessary given risk and legal context |
Longer retention may be justified due to seriousness or claim risk |
|
Website enquiries and routine correspondence |
Retained only as long as necessary for the enquiry and normal business administration |
Can be deleted sooner where no ongoing relationship develops |
12. Data security
We take information security seriously and aim to use measures that are appropriate to the nature of the data and the risks involved. Depending on the system and process, this may include role-based access controls, password controls, multi-factor authentication, secure cloud systems, encryption in transit or at rest where available, restricted document access, backup arrangements, device security, staff awareness measures and secure disposal procedures.
No system can ever be guaranteed to be completely secure. However, we seek to reduce risk through sensible governance, careful supplier selection, access limitation, confidentiality expectations, regular oversight and incident response procedures.
13. Data accuracy
We take reasonable steps to keep personal data accurate and up to date. Because recruitment and compliance records can change frequently, it is important that candidates, workers and clients tell us promptly about changes such as address changes, renewed passports, visa status, professional registration renewals, training updates, restrictions, unspent sanctions or other information relevant to safe and lawful placement.
If we become aware that information is inaccurate, incomplete or out of date, we will seek to correct, update, restrict or remove it as appropriate.
14. Your rights
Subject to the UK GDPR and Data Protection Act 2018, you may have the right to request access to your personal data, ask for inaccurate data to be corrected, ask for deletion in certain circumstances, ask for processing to be restricted, object to certain processing, request portability of certain data, and withdraw consent where consent is the basis relied upon.
These rights are not absolute and may be limited by legal obligations, the rights of others, safeguarding concerns, confidentiality duties, employment-related exemptions, legal privilege or other recognised grounds. If we cannot fully comply with a request, we will explain why unless we are legally prevented from doing so.
Rights requests should be sent to info@nexus24healthcare.co.uk. We may need to verify identity and request enough information to locate the relevant records.
15. Marketing and business communications
We may send service-related communications where these are necessary for recruitment, onboarding, assignment management, compliance, account administration or operational updates. These are not the same as optional promotional marketing.
If we send direct marketing by electronic means, we will do so in accordance with applicable privacy and electronic communications rules. You can opt out of non-essential marketing communications at any time.
16. Website use, cookies and tracking
Our website may use cookies and similar technologies for essential functionality, security, performance analysis and user preference management. Non-essential cookies or tracking technologies should only be used where the required consent standard has been met.
Further detail should be read alongside our Cookies Policy or cookie banner settings presented on the website.
17. Automated decision-making
We do not intend to make decisions about you solely by automated means where the law gives a right not to be subject to such a decision, unless this is lawful and appropriate safeguards are in place. In practice, staffing decisions normally involve human review, including compliance, suitability, availability and client-specific requirements.
18. Children’s data
Our services are generally aimed at adult workers, clients and business contacts. We do not knowingly design our recruitment service for children. If we become aware that personal data has been collected from a child inappropriately, we will review and deal with the matter in line with our legal obligations.
19. Complaints
If you have concerns about how we use your personal data, please contact us first so that we can try to resolve the issue. You also have the right to complain to the Information Commissioner’s Office, which is the UK supervisory authority for data protection matters.
20. Changes to this policy
We may update this Privacy Policy from time to time to reflect operational changes, legal developments, regulatory guidance, technology changes or changes to our services. The version published on our website should be treated as the current version.
Schedule A: category-specific notes
Candidates and workers
If you register with us as a candidate or worker, we may use your information to assess suitability, verify compliance, offer work, submit you for roles, manage onboarding, maintain workforce records, operate payroll and deal with assignment-related issues including sickness, incidents, client feedback, training and revalidation.
Client contacts
If you work for a client or potential client, we may use your information to manage account relationships, supply services, negotiate terms, respond to staffing requests, issue invoices, maintain service records and meet audit, governance and legal requirements.
Referees and emergency contacts
If someone gives us your details as a referee or emergency contact, we will generally only use your information for that limited purpose and will not use it for unrelated marketing.
Website users
If you browse the website or submit an enquiry, we may process technical and communications data to operate the site, maintain security, respond to your message and understand how the website is used.