The purpose of this Data Privacy Notice is to outline Ascot Barclay Group's (the trading name of Ascot Barclay Group Limited also referred to as ‘Ascot Barclay’ or ‘ABG’) approach to and responsibilities regarding the legal protection of data collected, handled and stored throughout the course of the Company's business activities. It is also to ensure compliance with the European General Data Protection Regulation (GDPR) and the updated UK Data Protection Act 2018.
Ascot Barclay strive to ensure accountability and transparency with regards to the handling of personal data at all times. The company's policies and processes are designed to ensure that we provide data subjects with easily accessible and meaningful information to ensure that they know what personal data is collected about them, as well as why and how it is being processed, their rights in connection with that processing and the exercising of those rights. The Company is committed to the continuous improvement of our management of personal data.
"Personal data" means any information relating to an identified or identifiable natural person (known as a "data subject"), and can include, for example, names, ID numbers, location data, online identifiers and factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a data subject. The data protection legislation also recognises 'special categories' of personal data, the processing of which is subject to stricter regulation than other forms of personal data. This category of personal data includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data used to uniquely identify natural persons, data concerning health or data concerning an individual's sex life or sexual orientation.
All activities relating to personal data (e.g. collection, structuring, alteration, storage, retrieval, consultation, use, adaptation, disclosure, erasure or destruction), whether using automated means or not, are known as "processing" for the purposes of the data protection legislation.
The data protection legislation makes a distinction between those who process data as "controllers" and those who process it as "processors" and imposes different obligations on controllers and processors. "Controllers" are individuals or organisations that determine the purposes and means of the processing of personal data. "Processors" are individuals or organisations that process personal data on behalf of a controller.
A data controller is a person or organisation who/that determines the purposes for which and the manner in which any personal data is to be processed. In the case of Ascot Barclay, the controller is the Company. The contact details are as follows:
Ascot Barclay, 71-75 Shelton Street, London, WC2N 9JQ
Address: 71-75 Shelton Street, London, WC2H 9JQ
Ascot Barclay supply consulting services and solutions to both the private and public sectors and corporate markets for both contract and permanent job opportunities. The company collects and processes personal data in order to assist staff and associates to find suitable consulting opportunities, to continue an ongoing relationship and service provision following the securing of a role and in the delivery of the service and, where you decide to participate, to inform our CISO Fingerprint™ and CISO Footprint™ analytics and benchmarking tool set (the security tools). You may give your personal details to the Company directly, such as on an application or via our website, or we may collect them from another source such as social media sites, networking at industry events or opt-in lists.
Our process is to contact consultants to discuss potential work opportunities and establish candidate interest and availability. Candidate details (at this stage this typically amounts to CV and contact details) are retained in an electronic recruitment file on a secure and password-protected PC or, in the case of the CISO Footprint and CISO Fingerprint tools, on a secure password-controlled server. Only individuals with a clear requirement to access the system as part of their job are given passwords or access rights. Candidate details are retained on this system whilst active in their role or search and, in the case of the tools, for as long as required to provide the service. Thereafter a reasonable amount of activity and contact relating to consultant role searching is recorded on the database to ensure accuracy of matching to relevant opportunities or to provide the services relating to the Ascot Barclay Group security tools. In addition to this we would record factual comments data regarding CV submissions and interviews and the data provided by participants in the CISO Footprint and CISO Fingerprint reviews or as part of our cyber security service provisions, including contact details and information relating to penetration or security testing and advisory services.
This notice is to explain what Ascot Barclay do with personal data - how we collect, use and process the data. It also outlines what our legal obligations are and what rights data subjects have. This notice covers the personal data of Ascot Barclay's consulting candidates, associates, clients, suppliers and website visitors and anyone that the Company may contact for any legitimate reasons required to carry out our business.
Ascot Barclay's Lawful Basis for the processing of your personal data is to pursue our legitimate business interests, described in more detail below, although we will also rely on the Lawful Basis of legal obligation and the Lawful Basis of consent for specific uses of data.
We will rely on legal obligation if we are legally required to hold information on you to fulfil our legal obligations.
We will in some circumstances rely on consent for particular uses of your data and in these circumstances, you will be asked for your express consent, if legally required. Examples of when consent may be the lawful basis for processing include Special Category (sensitive information).
Our legitimate interests in collecting and retaining your personal data are described below.
The company provides consulting and advisory services and solutions to both candidates and clients and has a legitimate interest to process personal data in order to be able to provide these services and solutions - in doing so, the Company acts as a data controller.
The Company needs to check the identity of candidates, their qualifications and right to work, as well as process payments and manage entitlement to certain statutory rights. It is therefore in the legitimate interests of all parties involved (the consultancy, the work seeker, the users of our security tools and the client) that Ascot Barclay is able to process personal data.
Data is mainly collected directly from Data subjects - either by direct contact to us by phone or email/web enquiry or by our contact by phone or email. Data may also come from third parties such as online or offline media research or referees. The following list is not exhaustive but includes personal data that may, dependent on specific circumstances, be needed to allow Ascot Barclay to undertake its activities in matching its consultant or staff candidates to client requirements, managing job offers and making payments. The company will only collect and process data that is deemed necessary and only in jurisdictions where there are no restrictions imposed.
Date of birth
Referee details and notes provided by referees
Proof of insurance (Professional Indemnity, Public Liability, Employers Liability)
Ltd Company information/Certificate of Incorporation
Proof of right to work/immigration status
Proof of ID (UK/EU Passport or non-EU Visa - both with at least 6 months)
Proof of address (original utility bills dated within 3 months)
Financial information (for background checks and/or payment)
National Insurance number
Details of any criminal convictions
The dates, times and frequency with which you access our services - including notes on progress of job search including CV submissions, interviews arranged/attended, feedback, offers and roles secured, timesheets, invoices etc
Notes regarding your job requirements, interests and needs - as provided
Information regarding current and required remuneration, benefits or pensions
Any additional information you choose to provide to inform the CISO FingerPrint™ or CISO FootPrint™ or generally as part of your engagement with us.
If you do not provide certain information when requested, we may not be able to process your application for a vacancy or vacancies with our clients or to complete the data necessary to provide you with a meaningful response to the CISO Footprint™ and CISO Fingerprint™ outputs you request.
When personal data is stored on paper or has been printed out for business reasons, it is always kept in a secure place with only authorised personnel having access. Ascot Barclay apply the following business practices:
When not required, the paper or files must be kept in a locked drawer or filing cabinet.
Employees must ensure that paper and printouts are not left where visible to unauthorised people, such as on a printer.
Data printouts should be shredded/disposed of securely when no longer required.
When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:
Data is protected by strong passwords that are changed regularly and never shared.
If data is stored on removable media (like a CD or DVD), these are locked away securely when not being used.
Data is only stored on designated drives and servers, and is only uploaded to approved cloud computing services.
Servers containing personal data are sited in a secure location, away from general office space. Data is backed up frequently and, where appropriate, tested regularly, in line with the company's standard backup procedures.
All servers and computers containing data are protected by approved security software and a firewall. Ascot Barclay recognise that personal data, if accessed, could cause risk of loss, corruption or theft and apply the following:
When working with personal data, employees must ensure that their computer screens are always locked when left unattended.
Personal data should not be shared informally and never be sent by email where inappropriate to do so.
Data backups must be encrypted before being transferred electronically.
Sensitive Personal data should never be transferred outside of the European Economic Area.
Ascot Barclay automatically collect data from the company website via cookies, as deemed useful to help improve user experience and manage the services provided. This information includes but is not limited to:
Personal details of consulting and associate candidates are collected to help find suitable consulting opportunities and are generally used in the following ways:
Processing personal data to ensure the receipt of relevant and targeted marketing materials/information or matching CISO Footprint™ and CISO Fingerprint™ with individual records.
Job matching/recruitment/benchmarking/research activities:
Storing and updating details to ensure we are matching candidates to the most appropriate roles
Assessing/profiling personal data to assess eligibility for roles
Sending data (CV and any other required information such as location, fee rate requirements) to clients to demonstrate suitability
Carrying out of any obligations arising from contracts entered into by Ascot Barclay and their candidates or third parties in relation to the placement of that consultant or advisory candidate (references, credit checks, insurance certificates, criminal record checks etc.)
Collecting bank details, VAT registration, NI number, Ltd. Co. details in order to make payments against invoices submitted or online for fees associated with CISO Footprint™ and CISO Fingerprint™ payments
Ascot Barclay use the services of a number of third party providers which may involve the processing of candidate personal data in the legitimate interests of conducting a cyber security business. These include, but this is not an exhaustive list:
We will only use your personal information for the purpose for which it was collected unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will advise you of this and explain the Lawful Basis for us doing so.
You should be aware that we may process your personal information without your knowledge or consent where this is required or permitted by law.
It is important that the personal information we hold about you is accurate and current. Please be sure to keep us informed if your personal information changes during your relationship or association with us.
How we use sensitive personal information.
Some special categories of personal data, such as information about health or medical conditions, are processed to carry out employment law obligations, for example in relation to candidates with disabilities and for health and safety purposes.
We may use other special categories of personal data, such as information about ethnic origin, sexual orientation, health or religion or philosophical belief; this is done for the purposes of meaningful equal opportunities monitoring or reporting. Data used by us for these purposes is anonymised or is collected with your express consent, which can be withdrawn at any time. You are entirely free to decide whether or not to provide such data and there are no consequences of failing to do so.
The GDPR (DPA 2018 - Data Protection Act 2018) provides you with the following rights.
The right to:
Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information the company holds about you corrected
Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for the company continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below)
Object to processing of your personal information where the company is relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground
Request the restriction of processing of your personal information. This enables you to ask the company to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it
Request the transfer of your personal information to another party in certain formats, if practicable.
The GDPR/DPA2018 gives you the right to access and obtain the personal information held about you. This is known as a "data subject access request".
Ascot Barclay recognise the data subject's right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. However, this does not apply where the decision is:
CISO Fingerprint™ questionnaires or other tools or processes in the opt-in suite
Ascot Barclay's profiling of consulting candidates always involves human decision making and is never based solely on automated profiling. In order to analyse or predict suitability to meet the requirements of a particular role, candidates are matched to the specific qualifications and experience needed and sifted using either solely human decision making or a combination of automated and human processing. The CISO Footprint™ and CISO Fingerprint™ are designed as automated tools and are not used in isolation to make hiring decisions or recommendations without human intervention.
Ascot Barclay have strict processes in place to ensure that all consultant candidate search functions and any other appropriate decision-making tools and processes do not inadvertently discriminate against candidates and breach the Equality Act 2010, and the Company adopts good practice recommendations at all times.
A personal data breach is a breach that results in the destruction, alteration or unauthorised disclosure or access to personal data.
Ascot Barclay will make every effort to contain any personal data breaches identified and will also undertake an immediate assessment of any potential risks resulting from the breach in line with our data breach incident process. Should it be considered that there is a high risk to an individual/s as a result of the breach then Ascot Barclay will endeavour to inform the individual/s as soon as possible.
Ascot Barclay is registered with the Information Commissioner's Office and all records retained by the company are retained in accordance with data protection laws. It is the policy of Ascot Barclay to retain personal data where there is legitimate reason to do so; this reason being the requirement to search for and secure consulting job roles or in the provision of security research, solutions and services across industry, government and commerce.
All hard copies of personal data are securely stored and then disposed of in confidential waste bins or securely shredded.
Ascot Barclay's retention policy is to hold personal data of candidates or clients on our database system until such time that at least three years of inactivity has elapsed (inactivity to be defined as no contact between Ascot Barclay and the data subject).
It is our best practice to run a search on our database at 6-monthly intervals to identify candidates with no activity for a period of 3 years or more. Once identified, these candidates are checked against the following criteria:
Are they also a current, recent or past client Contact?
Are they currently, or have they previously been, contracted to work for an Ascot Barclay client, or has Ascot Barclay been contracted by them to deliver a service or services?
Should a candidate, prospective client or client meet any of the above criteria, then their records will be retained, but in all other circumstances a mass deletion of records on our database will be carried out.
Ascot Barclay mandate that all personal data received must be transferred to the company's database system. All original records received via Outlook or any other electronic method, or paper-based documents received, must be deleted or destroyed securely as soon as reasonably possible. Compliance with this process is checked every 6 to 12 months as part of the company's sales process audit and employees who fail to comply will be subject to disciplinary action.
The exception to this is data held by the Ascot Barclay Compliance and Finance teams under the terms of the GDPR/DPA2018. This is defined as personnel and financial records that are required in order to run the company efficiently and to comply with statutory requirements. The company is not required to keep the original of all documents - copies can be stored but they must be stored in writing, including in electronic format. The type of record will determine the length of time the record must be kept for.
Details of specific retention periods are available on request.
This notice may be updated, revised, replaced and re-issued from time to time, to ensure it continues to meet all legislative requirements and relevant developments in data management and security techniques. Any changes to Ascot Barclay's data processing processes or this privacy notice will be brought to the attention of all data subjects via a notice on our website.
You also have the right to raise concerns or make a complaint to a supervisory body which in the United Kingdom is the Information Commissioner's Office. The ICO can be contacted on 0303 123 1113 or at https://ico.org.uk/concerns/.
Mike Loginov (Director)
(Mike’s signature for GDPR.jpg – not shown for security reasons)
ICO registration/reference number: ZA378508