This is a living document and is being updated on a regular basis.
We have been working to ensure we comply fully with the GDPR regulations, May 2018. We have always and going forward, intend to, operate our services in a transparent and open manner with regards to how data is collected, stored, transported and processed within the organisation.
NEREO operate many services which collect and process data covered by the new regulations including –
- North East Jobs
- Northern Digital Jobs
- Online DBS service
- Winter Maintenance
- NEREO Campus
- ILM Accreditation
We also carry out many processing services in relation to employees of the organisations we partner with and offer access to work being carried out by a range of Associates.
We have carried out a full audit and re-write of our internal policies and procedures relating to the data we capture, process and retain. Below gives specific details as to what work has been carried out in regard to specific service offerings.
Please consult the items below if needing to ascertain how NEREO is remaining compliant in regards to the services you currently interface with.
Full suite of policies and procedures have been put in place covering data and it’s journey through the organisation.
Full acceptance of policies and procedures has been achieved from NEREO Exec board down.
Registers for Data Maps, Lawful Basis of Processing, DPIA’s, Information Assets, Risks, Privacy Notices, Subject Access Requests, Data Breaches and Partner Compliance have been either created, maintained or updated s necessary.
External DPO has been provisioned and has worked with NEREO across all changes.
Main cookies notice has been added to the NEREO website, accessible here.
Internal training is being delivered and GDPR is now a standing item on ALL meetings we hold, both internally and externally.
Subject Access Request online form has been put in place – https://www.nereo.gov.uk/subject-access-request-form/
North East Jobs and Northern Digital Jobs
Several new pieces of work are being carried out to the database and structure of the program.
Privacy Notices and Cookies Policies have been updated to give full overview of how the site adheres.
Several of the advertising organisations who use the online application features have updated and added privacy notices, consent wordings, etc. on their forms and on their information pages.
New routines have been put in place which clear out abandoned application forms and accounts older than 12 months. Again, detailed in the privacy notice on the site.
Lawful Basis for Processing Description
- Basis for Processing: Consent / Legitimate Interests
- Type of Personal Data: Criminal Records / Equal Opportunities /Location Data / Personally Identifiable
- Synopsis: Our operation of the North East Jobs and Northern Digital Jobs sites centres around providing a service and gateway to allow our advertising organisations to interact with jobseekers. We also use anonymous data to deliver service improvements.
- Categories of Data Subject: Employees / Public / Service Users / System Users
- Duration of Processing:Processing for as long as is legally required for the recruitment processes. (This varies per each organisation using the system)
- Plan for Return or Destruction of Data once processing completed (unless requirement under law to preserve): Candidates Talent Profile retained for as long as a candidate has an active account. Application data held for 12 months after archive of job. Non active profiles removed after 12 months from notice of non activity
New consent wording has been put in place for the applicants.
NEREO records of users on the site has been through a cleansing process and reduced in timescale of what we retain.
Lawful Basis for Processing Description
- Basis for Processing: Consent / Public Task
- Type of Personal Data: Criminal Records / Location Data / Personally Identifiable
- Synopsis: We analyse the data provided by an individual when one of the organisations who use our services ask them to complete an online DBS form.
- Categories of Data Subject: Customers / Employees / Public
- Duration of Processing: From point of application being made up to 12 months after the application has been responded to by the Disclosure and Barring Service
- Plan for Return or Destruction of Data once processing completed (unless requirement under law to preserve): Data is archived after six months from the DBS completing their checks. It is then made anonymous after a further 3 years (purged to a skeleton record for reporting purposes only. The record is then completely erased from the system after 7 years.
All forms and procedures have been through a thorough re-write.
Application form has had address removed as it was unnecessary information for us to capture. New consent capture mechanism also put in place.
Renewal of lost / damaged card forms have been re-written with separate versions for training centres and applicants.
NEREO Campus is being brought in line with our other services but is in the process of having a redesign of the service. This will include ensuring that full GDPR compliance is adhered to.
We are working with ILM to ensure all our programmes and courses adhere strictly to GDPR guidelines.
See also, training courses below
We are in the process of constructing more robust contracts with our associates that specify our requirements for data storage of any work they carry out as a result of contracts gained through NEREO.
Contracts are in draft at present awaiting sign off.
New IT arrangements are being tested for the secure storage of all work they carry out.
Training Courses and Events
We have implemented new consent collection procedures around attendees on courses and events.
We have stopped producing delegate lists unless they are specifically requested as part of the course and consent has been provided by all parties. As a rule, however, they will not be a part of course joining packs moving forward.
Databases and record systems to manage courses have been updated and cleansed as necessary.