At Carve, we’re committed to protecting the privacy of our clients, partners, Carvers, suppliers, website visitors and candidates. As data controllers, we’ll only process any personally identifiable data you submit to us for the legitimate HR and business management purposes set out in this policy.
When we refer to personally identifiable data, or personal information, we mean information that identifies or can be used to identify you directly or indirectly, including, but not limited to, first and last name, date of birth, email address, gender, occupation or other demographic information.
What Personal Data will we collect, store or process?
Google Analytics – when you visit www.carveconsulting.com, or any of the microsites under our control, we use a third party service, Google Analytics, to collect standard internet log informations and details of visitor behaviour patterns. We do this to find out things such as click through rates, number of visitors, behaviour patterns, etc. This information is not processed in a way that can personally identify you. Neither we, nor Google, make any attempt to find out the identities of those visiting Carve’s website.
WiFi – when you use Carve’s guest WiFi, at our offices, we have a legitimate interest in collecting data about your device, the volume of data which you use, the websites and applications that you access and your usage by time, frequency and location.
Carve Pulse, other mail outs and direct marketing information – when you register to receive the Carve Pulse, or other of our regular communications, we need to collect personal information. We’ll process this information by adding your contact details to a list that we hold on Mailchimp and our CRM system, Prosperworks, and use Mailchimp to deliver our newsletters. We may also contact you to obtain or provide additional information; to check our records are correct and that you’re happy with our services. We never sell your personal information to other organisations or businesses. You can unsubscribe at any time by clicking the unsubscribe link at the bottom of our emails.
Candidates – when you apply for a position at Carve, you’ll either do so through the job board, Indeed, via our website, or by email. We store this information on Prosperworks, Google Apps for Work (in a place with restricted access), and Indeed. In order to process your application, we’ll need to collect, store and process the following information:
- Data you submit in your CV and cover letter
- Data generated by interviews, tests and correspondence with you
- Recommendations and references provided on your behalf by others
- Data generated by our referencing partner, XREF, including, but not limited to, prior employment, criminal history checks and education
- To contact you about other prospective positions if we feel it may be of interest to you
- To answer your enquiries
- To perform any legal function we are obliged to perform
We’ll use this data to:
- assess your suitability for employment for the role for which you are applying, for future roles that may become available, for administrative purposes, to refer back to previous applications if you re-submit an application in the future
- Analyse our applicant pool so we may understand our applicant base and continue to attract top talent
- Record keeping to the extent permitted by applicable law
Who will process candidates’ data?
- Any employee within Carve who is involved in the recruitment process of a particular position
How long will we keep candidates’ personal data?
- If we employ you, the data used to recruit you will form part of your personnel records (see ‘Carvers’) which is governed by internal policy.
Clients – we collect such data as is necessary to fulfil our contractual obligations with clients in the provision of services.
Partners – we collect such data as is necessary for us to work together as partners on projects and events.
Suppliers – we collect such data as is necessary for you to perform your contractual obligations with us, including, but not limited to: contact details, financial information, results of audits we are required to conduct as part of our compliance with ISO27001:2013.
Carvers – along with the information detailed in, ‘Candidates’, above, we hold such records as is necessary to be able to fulfil our obligations under your employment contract with us. This is subject to internal policy.
Information provided on the understanding that it will be shared with a third party – the blog section of our website allows you to post information with a view to that information being read, copied, downloaded, or used by other people. In posting comments it is up to you to satisfy yourself about the privacy level of every person who might use it. We do not specifically use this information except to allow it to be displayed or shared. Once your information enters the public domain, we have no control over what any individual third party may do with it. We accept no responsibility for their actions at any times. You may make a request for a comment to be deleted by contacting us at InfoSec@carveconsulting.com.
Access to your personal information – you are entitled to view, amend, or delete the personal information that we hold. Email your request to our Head of Talent & Operations, Kate Halls at InfoSec@carveconsulting.com. Should we receive any request to access, edit or delete personally identifiable information, in order to safeguard your information, we shall first take reasonable steps to verify your identity before taking steps to grant you such access.
Commitment to protection – Carve is certified as compliant under ISO27001:2013, the International Standard for Information Security, and the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), whereby we take organisational, technical and physical security measures to protect your personal data from loss, misuse, alteration or destruction. Where we contract with trusted third-party suppliers to provide services that may enable them to access your personal data, we require them, by contract, to have the same standards of security and privacy controls in place. An example of such a third-party would be an accountant, bookkeeper, lawyer, referencing service, IT Consultant or certification body.
Data may be processed outside the European Union – our website is hosted within the United Kingdom. We may also use outsourced services in countries outside the European Union from time to time in other aspects of our business. Accordingly data obtained within the UK or any other country could be processed outside the European Union. We use the following safeguards with respect to data transferred outside the European Union:
- The processor is within the same corporate group as our business or organisation and abides by the same binding corporate rules regarding data processing.
- The processes and tools as set out in our Information Security Management System in accordance with certification under ISO27001:2013.
Data retention – for however long we have a clear business need for it to the duration and extent permitted by applicable law.
Legal obligation – we may also release personal information to regulatory or law enforcement agencies, if they require us to do so, or where we are legally obliged.
Destroying your personal data – we use secure methods for deleting personal data records: electronic deletion from Google Apps for Work, removal from third party databases (such as Mailchimp), shredding of physical documents.