You should read this privacy notice if you are applying for a role with Rothesay Life Plc (or any other company in the Rothesay Group).
Understanding the terms of this privacy notice
The meanings of words which appear in bold underlined text are explained in the glossary. You can click on each term to see the definition. Alternatively, you can open the full glossary in another tab by clicking the link below.
Throughout this notice any reference to “we” or “us” refers to Rothesay Life Plc.
- About us and our relationship with you
Rothesay Life Plc is an insurance company established in the UK with company registration number 06127279 and ICO registration number Z1003678. We are authorised in the UK by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority.
Rothesay Pensions Management Limited (company registration number 06195160 and ICO registration number Z1003616) is a company within the Rothesay group of companies. It employs individuals who carry out the day-to-day operations of Rothesay.
The registered office address for Rothesay and Rothesay Pensions Management Limited is The Post Building, 100 Museum Street, London WC1A 1PB.
Together Rothesay Life Plc and Rothesay Pensions Management Limited make decisions about the hiring of staff and the application process. As a result, we are joint controllers under data protection laws.
This privacy notice explains how we use and look after your personal data. This privacy notice also tells you about your privacy rights and how the law protects you.
- About this privacy notice
This privacy notice contains information about:
- The personal data that we process as a controller
- Where the personal data has been obtained
- The reasons why we process your personal data and the lawful basis we use to do so
- The security measures that we have in place to keep your personal data secure
- The length of time we store your personal data for
- The organisations, or categories of organisation, with whom we might share your personal data
- International transfers of your personal data
- The rights you have under data protection laws in relation to our processing of your personal data
Please note that we may change this privacy notice from time to time.
To request a printed copy of this privacy notice please contact us using the contact details contained in the part of this privacy notice headed Contact details.
- The personal data we process
The categories of personal data we process include the following:
1. Applicant information: Personal data relating to each of our job applicants. Personal data in this category includes:
- Name
- Email address
- Telephone number
- Details of your relevant education and employment history
- Any personal data you have provided within your curriculum vitae, covering letter/emails and other correspondence with Rothesay
- Any personal data you have provided to us during an interview
- Assessment information (including online tests)
2. Induction information: personal data which we need to process to commence your employment with us following an offer of employment. Personal data includes:
- Bank details
- Right to work status
- National Insurance number
- Passport details
3. CCTV Information: Personal data relating to individuals processed by the CCTV system operated within our offices.
4. Sensitive personal data: This includes:
- Personal data concerning your race or ethnicity, religious beliefs, sexual orientation and political opinions
- Personal data concerning your health, such as any medical conditions you may have
- Information about your criminal record
- Where the personal data has been obtained
Personal data will usually be collected directly from you through the recruitment exercise.
There will be instances where we collect personal data from other sources. These sources include:
1. Recruitment Agencies: We fill some of our roles through recruitment agencies. If you apply for a role through a recruitment agency, they will pass us details of your name, contact details, CV, and notes of the interview with the agency.
2. Your named referees: We may receive further personal data about you from your referees to aid the interview process.
3. Background check providers: We employ background check providers as part of the interview screening process. They may provide us with further personal data about you.
4. Social media networks: We may collect personal data about you from social media sites, such as LinkedIn, to the extent relevant and necessary in connection with your employment.
5. Candidate assessment providers: We will receive assessment information, including the results of online tests.
- The reasons why and lawful bases relied on to process your personal data
The table below provides details of the purpose and the lawful bases upon which we process personal data.

| Type of personal data | Why we need it | Lawful bases for processing |
| --- | --- | --- |
| Assessing your suitability for a role | We process personal data to contact you about your application for a job with us, assess your relevant experience and suitability for such role and assess what your training needs would be if you started working for us. | Legitimate interests pursued by us or by a third party: We have a legitimate interest to process personal data during the recruitment process and keep records of the recruitment process. This allows us to manage the recruitment process and assess and confirm your suitability for employment. |
| Assessing your suitability for a role | We may process sensitive personal data as part of our assessment to determine your suitability for a job with us. We may also process sensitive personal data to make reasonable adjustments to our application process in order to meet your needs. | Necessary for complying with our legal obligations as an employer and to comply with employment law: We need to ensure we comply with our legal obligations under applicable law and regulation. We may also process sensitive personal data under a substantial public interest condition, such as checking whether there are any unspent criminal convictions which would prevent you from working in the role you have applied for. There may also be limited instances where we would look to process sensitive personal data with your consent. |
| Finalising an offer | If you are successful at interview and we wish to offer you a role we process personal data to finalise an offer, such as conducting background checks, right to work checks, and beginning your induction process. | Necessary for the performance of a contract: When a decision has been made to hire you, we need to process your personal data to contract with you. |
| Retaining your data | We store your data for a six-month period following an unsuccessful application. | Legitimate interests pursued by us or by a third party: We have a legitimate interest to retain personal data to respond to and defend against potential legal claims relating to the recruitment process. We also have a legitimate interest to retain your CV and contact details following an unsuccessful application so that we can contact you if an alternative role which we think you might be suitable to apply for becomes available. |
| To conduct diversity analysis | We may process personal data to monitor our performance against our diversity and inclusion initiatives. | Legitimate interests pursued by us or by a third party: We need to take steps to support our diversity and inclusion agenda and to increase accountability and transparency surrounding diversity and inclusion. We may also process sensitive personal data under a substantial public interest condition such as ensuring equality of opportunity or treatment. |
| Managing access to our premises and for security purposes | | Legitimate interests pursued by us or by a third party: We need to take steps to ensure the personal safety of our staff and visitors as well as protect our buildings and assets from intrusion, theft, vandalism, damage or disruption. |

We may also process personal data including sensitive personal data to comply with other laws, regulations or criminal reporting requirements that we are subject to. This includes compliance with law enforcement agency procedures in connection with various investigations and compliance with any requirement to prevent or detect unlawful acts.
- How we keep your personal data secure
Our commitment to corporate security is demonstrated through the implementation of policies, controls and procedures, which are externally certified and audited to the international information security standard, ISO 27001:2013.
Our security policies, controls and procedures are regularly reviewed and updated so that we maintain good practices across our business to keep your information safe.
We have contractual arrangements in place with all of our service providers who process personal data which are compliant with data protection laws. We regularly check that our service providers are complying with their contractual commitments. This includes assessing and reporting on our service providers’ information security controls to check their compliance using questionnaires and/or on-site audits.
- How long we store your personal data for
We will only keep your personal data for so long as it is reasonably required and, in any event, only for as long as our internal rules and policies allow us to fulfil our business or legal and regulatory obligations. This will usually be six months after an unsuccessful application.
If your application for a job with us is successful and you start work as our employee, please see the staff privacy notice for details of how long we will retain the data gathered during the recruitment exercise. If you apply for a new role with us when you are already our employee, this privacy notice applies in respect of any new information gathered during that application process, and the staff privacy notice continues to apply in respect of any information we already hold by virtue of you being a current employee.
- Who has access to your personal data
We share personal data with a variety of other companies to operate our business. However, we only share the personal data where necessary to help us satisfy one or more of the reasons for processing set out above.
We have detailed the types of companies with whom we currently share personal data below. The companies fall into two categories.
Processors with whom we share personal data
For these companies, we determine the purposes for which the personal data we pass to them is processed and they should not process that personal data other than in accordance with our written instructions. Processors with whom we share personal data:
1. IT service providers
Our main IT infrastructure and core software is provided by Goldman Sachs Group, Inc. This means that personal data we process is stored on Goldman Sachs’ IT systems.
2. Other service providers to our business
Other companies who process personal data on our behalf include those who provide day-to-day operational business services such as emails, archiving, document scanning and copying, document destruction and printing.
Controllers with whom we share personal data
For these companies, we do not determine the purposes for which the personal data we pass to them is processed once it is shared. To understand how the other controllers process your personal data, you should refer to their privacy notices. Controllers with whom we share personal data:
1. Background check provider
As a regulated firm, we have to share personal data with our background check providers so that they can conduct appropriate checks prior to offering you a contract with Rothesay.
2. Professional advisers
We sometimes have to share personal data with our professional advisers (including accountants and lawyers) where it is required for the purposes of their advice.
3. Regulators, law enforcement and auditors
We will share personal data when requested by regulators, law enforcement agencies or other third parties to comply with obligations imposed on us by laws and regulations.
- International transfers
Where personal data is transferred to and processed in a country outside of the UK or the EEA (as applicable), we take steps to provide appropriate safeguards to protect your personal data, including by entering into approved standard contractual clauses obliging recipients to protect your personal data and only transferring personal data to the extent that an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data is ensured in compliance with data protection laws.
If you want further information on the specific mechanisms used by us when transferring your personal data outside of the UK or EEA, please contact us using the details contained in the part of this privacy notice headed Contact details.
- Automated decision-making
As part of a recruitment process, we may utilise automated decision-making. For instance, we may use automated decision-making to screen out applicants who do not have the required qualifications, or those who don't score high enough on online assessments.
In the event that we do rely solely on automated decision-making that could have a significant legal or similarly significant effect, you have the right to request for someone to review a decision. If you would like any further information or wish to exercise your rights, please contact DPO@rothesay.com.
- Your rights
Under certain circumstances, you have the following rights under data protection law:
- The right of access to personal data relating to you (known as Subject Access Requests)
- The right to correct any mistakes in your personal data
- The right to require us to delete your personal data
- The right to restrict our processing of your personal data
- The right to object to us processing your personal data, including for marketing purposes
- The right to have your personal data provided to another controller
- The right not to be subject to a decision based solely on automated processing
How to exercise your rights
If you wish to exercise any of your rights, please contact us using the details contained in the part of this privacy notice headed Contact details.
- Contact details
How to contact us regarding this privacy notice
You may want to contact us to:
- Ask any questions you have in relation to the information contained in this privacy notice
- Exercise any of your rights under the data protection laws
- Request a printed copy of this privacy notice printed in large print or braille
- Request an audio version of this privacy notice
- Make a complaint (see below)
To contact us you can email our Data Protection Officer (DPO) at dpo@rothesay.com or write to:
Data Protection Team, Rothesay Life Plc, The Post Building, 100 Museum Street, London WC1A 1PB
If you live within the European Union, you can also contact our European representative. Their details are as follows:
Address: Bird & Bird GDPR Representative Services SRL, Avenue Louise 235, 1050 Bruxelles, Belgium.
Or email: EUrepresentative.Rothesay@twobirds.com
How to make a complaint
If you have a problem or concern relating to the ways we process your personal data or the contents of this privacy notice, please contact us in the first instance.
We hope that we will be able to address the problem or concern to your satisfaction. However, you also have the right to make a complaint to the Information Commissioner’s Office. The process for making a complaint to the Information Commissioner’s Office is available here:
www.ico.org.uk/make-a-complaint
Their contact details are as follows:
Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Or phone: 0303 123 1113