Recruitment Privacy Notice
1. Introduction
Owlstone Medical Limited (referred to as “OML”, “We, “Our” or “Us”), is committed to protecting the privacy and security of your personal information.
You have been directed to or otherwise sent a copy of this privacy notice because you are applying for work with us (whether as an employee, worker or contractor). It makes you aware of how and why your personal data will be used, namely for the purposes of the recruitment exercise, and how long it will usually be retained for. It provides you with certain information that must be provided under Data Protection Legislation.
Data Protection Legislation means the Data Protection Act 2018 (DPA 2018), United Kingdom General Data Protection Regulation (UK GDPR), the Privacy and Electronic Communications (EC Directive) Regulations 2003, the EU General Data Protection Regulation (EU GDPR – where relevant) and any legislation implemented in connection with the aforementioned legislation. This further includes any replacement legislation coming into effect from time to time.
If you are successful in your application, you will be provided with a separate privacy notice relating to your employment with us.
2. Data Controller
Owlstone is the controller for the personal information we process for recruitment purposes, as identified in this Privacy Notice.
We are registered with the Information Commissioner’s Office (the ICO) with registration number ZB023504.
We have appointed a Data Protection Officer (DPO) to help us monitor internal compliance, inform and advise on data protection obligations, and act as a point of contact for data subjects and the ICO.
Our Data Protection Officer is:
The DPO Centre Ltd.
50 Liverpool Street
London
EC2M 7PY
www.dpocentre.com
We have also appointed an EU Representative to act on our behalf for EU GDPR matters:
Our EU Representative is The DPO Centre Europe Ltd.
For further details on how you can contact us, our DPO, or our EU Representative, please see the contact us section below.
3. The information we collect and when
We only collect personal information that we know we require as part of our recruitment process and will use genuinely in accordance with Data Protection Legislation. In connection with your application for work with us, we will collect, store, and use the following categories of personal information about you:
- Contact Data: This may include personal data such as your name, title, address, telephone number, personal email address, which may be submitted to us by you via our online application form or by other means.
- Application Data: This may include your resume/CV, current salary (optional), expected salary, notice period, immigration and visa status (where applicable), how you heard about the role or the company and any additional information you voluntarily provide through our application form or via a cover letter.
- Interview Data: Information that you provide to us during the interview process, which we consider pertinent to your application.
- Legal Data: Information needed to comply with applicable laws, such as residence and work permits to ensure that you are entitled to work in the UK.
- Assessment Data: The results of any tests or assessments should they be part of the application process for the role to which you have applied.
- Generated Data: Any data that we generate based on the information we collate throughout the recruitment process to determine whether you are suitable for the role. This could include recommendations via AI tools.
- Cookies and IP Data: This information will be collected if you have applied via our website. For more information please see our Cookie Policy. https://www.owlstonemedical.com/cookie-policy/
- CCTV Data: You may be captured by CCTV should you visit one of our sites for an interview. CCTV cameras are placed around the Science Park in which our office is based and not on OML premises. This is operated by an external provider and OML does not have access to it. Please see signage onsite for details on how this is managed.
We may also collect, store and use the following types of more sensitive personal information:
- Special Category Data: Information about any disability status, health or medical condition that you provide us.
- Background Check Data: Information generated from background and/or security checks, where necessary, which could include information about criminal convictions and offences.
4. How we collect and use your information
4.1 Collection
In most instances we collect personal information directly from you, the candidate, for example through our online application form. In other instances, we may collect personal information from:
- Recruitment agencies
- Background and pre-employment check providers
- Credit reference agencies (in limited circumstances)
- Your named referees
- The Home Office, for employees requiring visas
- Our immigration lawyers, with your consent, as part of the Visa application process
4.2 Lawful bases
We only process your data when we have one of the following lawful bases to do so:
- It is in our legitimate interests to review the information you have provided to identify whether you are a suitable candidate for the role you have applied for.
- We also need to process your personal information to decide whether to enter into a contract of employment with you.
- We may ask for your consent to retain your personal information on file, on the basis that a further opportunity may arise in future and we may wish to consider you for that, or explicit consent should any Special Category Data need to be processed.
If you fail to provide information when requested, which is necessary for us to consider your application (such as evidence of qualifications or work history), we will not be able to process your application successfully. For example, if we require a credit check or references for this role and you fail to provide us with relevant details, we will not be able to take your application further.
4.3 Purposes
We will use the personal information we collect about you to:
| Processing Activity | Categories of Data | Lawful Basis |
| Assess your skills, qualifications, and suitability for the role. Elements of this may include use of AI tools. Please see 4.4 below. | Application Data; Interview Data; Assessment Data | Legitimate Interest; Contractual Obligation |
| Carry out background and reference checks, where applicable (see also 4.3 below). | Background Check Data | Legitimate Interest |
| Communicate with you about the recruitment process. AI tools may be used as part of this process. Please see 4.4 below. | Contact Data; Application Data; Interview Data; Assessment Data | Legitimate Interest; Contractual Obligation |
| Keep records related to our hiring processes. | Contact Data; Application Data; Interview Data; Legal Data; Assessment Data; Background Check Data | Legitimate Interest; Legal Obligation |
| Comply with legal or regulatory requirements. | Legal Data | Legal Obligation |
| If you disclose Special Category Data during the shortlisting or interview process, we will only use such information to consider whether we need to provide appropriate adjustments during the recruitment process, for example whether adjustments need to be made during an interview or as part of the role you are applying for. | Special Category Data | Legitimate interest and compliance with labour law obligations or explicit consent |
| To reach out to you about a role that we believe you may be interested in and are a good fit for. AI tools may be used as part of this process. Please see 4.4 below.8 | Contact Data; Application Data; Interview Data; Legal Data; Assessment Data; Generated Data. | Consent |
4.4 Information about criminal convictions
We will collect information about your criminal convictions history if we offer you a position with us and you accept (conditional on checks and any other conditions, such as references, being satisfactory). Specifically, we process information required for Baseline Personnel Security Standard (BPSS), which will include a report from the DBS on criminal convictions history. We do this to satisfy ourselves that there is nothing in your criminal convictions history which makes you unsuitable for the role and as part of our security policy. Our roles require a high degree of trust and integrity and it is therefore best practice to undertake such checks and a pre-requisite in some instances.
We have in place an Appropriate Policy Document and safeguards which we are required by law to maintain when processing such data.
4.5 Artificial Intelligence (AI) and automated decision making
We may use AI tools (built into our recruitment system) during the recruitment process to:
- Review our existing candidate database to identify whether you are suitable for an open position. The AI tool will assess the skills required for the open position against the information we store on candidates. Based on this analysis, the AI tool suggests suitable candidates from those we have on file, who have agreed to be contacted for future relevant job opportunities. We will then review these suggestions and decide whether to contact the suggested individuals or not. If you do not want your data to be used in this way, you can opt out.
- Draft emails. Any drafts or suggestions will not be making any decisions or determinations regarding the outcome of the recruitment process, and will instead be used to enhance communications with applicants to ensure they are clear, concise and refer to relevant information. Any drafts will be reviewed by the relevant Hiring Manager/Talent Team member.
- Summarise CVs into a 5-point bullet list. This is done by matching the CV against the job description, highlighting skills and any missing competencies. The summary itself will not include any personal information, can be edited by our team and will only be used as a reference point – candidates will not be rejected based on a summary alone.
When we use AI tools, we will not activate any features that permit personal information to be used by the provider for training, testing or otherwise developing AI.
You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making.
While we are using AI features that produce automated functions, we always ensure that a member of our hiring or talent team provide a meaningful human review of any outputs and only rely on the AI tools to support the recruitment process, rather than drive it. As such, we do not consider our use of AI to constitute automated decision making with legal or similarly significant effects. See also 7.7 below.
5. Who we might share your information with
We will only share your personal information with the following third parties for the purposes of processing your application: recruitment agencies, Teamtailor (our recruitment system), IT (including DocuSign) and communication tools (such as email) and parties involved with pre-employment checks, VISA applications and so on. All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
6. International transfers of information
Our data processing for recruitment purposes largely takes place in the UK. Our recruitment system, Teamtailor, is based in Sweden, which is deemed to provide an adequate/equivalent level of protection to personal information as is provided in the UK.
If we were required to transfer your personal information out of the UK or EU to countries not deemed by the ICO (and or European Commission as relevant) to provide an adequate level of personal information protection, the transfer will be based on safeguards that allow us to conduct the transfer in accordance with the data protection legislation, such as the specific contracts approved by the ICO (or European Commission as relevant) providing adequate protection of personal information. The only current example where this is relevant for our recruitment process is for our recruitment system, Workable, which is hosted in the US.
7. Your rights over your information
You have a number of rights regarding our processing of your data. To exercise these rights, please contact our Data Privacy Team or DPO using the contact details below. We may ask for proof of identity and sufficient information about your interactions with us so that we can locate your personal information and to ensure that your request is legitimate.
7.1 The right to be informed about our collection and use of personal data
You have the right to be informed about the collection and use of your personal data. We ensure we do this through this privacy notice. This is regularly reviewed and updated to ensure it is accurate and reflects our data processing activities.
7.2 Right to access your personal information
You have the right to access the personal information that we hold about you in many circumstances, by making a request. This is sometimes termed a ‘Data Subject Access Request’. If we agree that we are obliged to provide personal information to you (or someone else on your behalf), we will provide it to you or them free of charge and aim to do so within one month from when your identity has been confirmed.
7.3 Right to rectify your personal information
If any of the personal information we hold about you is inaccurate, incomplete or out of date, you may ask us to correct it.
7.4 Right to object or restrict our processing of your data
You have the right to object to us processing your personal information for particular purposes or have its processing restricted in certain circumstances.
7.5 Right to erasure
You have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.
7.6 Right to portability
The right to portability gives you the right to receive personal data you have provided to a controller in a structured, commonly used and machine-readable format. It also gives you the right to request that a controller transmits this data directly to another controller.
7.7 Rights in relation to automated processing
An automated decision is one that is made by systems rather than a person. Under Data Protection Legislation, you have the right to express your concerns and object to a decision taken by purely automated means. You also have a right to request that a person review that decision. This right is unlikely to apply to OML’s use of your data, as any automated processing we carry out is subject to meaningful human intervention. If you would like to discuss this in further detail, please contact us as set out above.
7.8 For more information about your privacy rights
The ICO regulates data protection and privacy matters in the UK. They make a lot of information accessible to consumers on their website and they ensure that the registered details of all data controllers such as ourselves are available publicly. You can access them here https://ico.org.uk/for-the-public.
You can make a complaint to the ICO at any time about the way we use your information. However, we hope that you would consider raising any issue or complaint you have with us first. Your satisfaction is extremely important to us, and we will always do our very best to solve any problems you may have.
8. How long we keep your information for
Should you be successful in your application, your data will form part of your personnel file and will be managed in accordance with our employee privacy notice and internal retention procedures.
Should you be unsuccessful in your application, we will retain your personal information as follows:
- Where you have not provided your consent to be contacted about future job opportunities, your data will be retained for 6 months after we have communicated to you our decision about whether to appoint you. We retain your personal information for that period so that we can show, in the event of a legal claim, that we have not discriminated against candidates on prohibited grounds and that we have conducted the recruitment exercise in a fair and transparent way.
- Where you have provided your consent to be contacted about future job opportunities, your data will be retained for no longer than 24 months after we have communicated to you our decision about whether to appoint you, or from our last point of communication regarding other roles. If we do not contact you in 24 months or you withdraw your consent for us to contact you, we will securely delete your data.
9. Security
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need-to-know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. If you would like additional assurances regarding how we process data securely, please contact us as set out below.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
10. Changes to Our Privacy Policy
We may change this privacy notice from time to time (for example, if the law changes). We recommend that you check this notice regularly to keep up to date.
11. How to contact us
If you would like to exercise one of your rights as set out above, have a question/complaint about this notice or the way your personal information is processed, please our Data Privacy Team and DPO via:
By email: Privacy@Owlstone.co.uk
By post: Owlstone Medical Limited, 183, Cambridge Science Park, Milton Road, Milton, Cambridge, CB4 0GJ
By phone: 01223 428200
If you are based in Europe, you can contact our EU Representative, The DPO Centre Europe Ltd:
By email: EuRep@Owlstone.co.uk
By post: The DPO Centre Ltd, Rue des Poissonniers 13, 1000 Brussels, Belgium
By phone: +32 2 786 19 61
Thank you for taking the time to read our privacy notice.
This notice was last updated in December 2024.