Data Protection Policy
Effective Date: 28 January 2020
Nicholas Scott is an agency which provides top quality lawyers and other professionals on a contractor basis to its clients. We aim to be transparent about the data we collect about you, how it is used and with whom it is shared.
Professional candidates use our Services to find contracting business opportunities, and to upload time sheets, payment information, availability and other information necessary in relation to client assignments they have contracted to work on via Nicholas Scott.
Nicholas Scott is committed to protecting your personal information in accordance with current EU data protection law.
Nicholas Scott Legal Services Limited, a company registered in England and Wales under company number 08840712 and whose registered office address is at 33 Cannon Street, London, EC4M 5SB (“Nicholas Scott”) is the data controller for any personal information you supply to us in the course of using or enquiring about using our Services. As data controller, Nicholas Scott determines the purposes and means of the processing of that personal data. Our contact details are as follows:
Legal Services Limited
33 Cannon Street
Telephone Number: 0203 475 3192
Email Address: email@example.com
What we collect
Nicholas Scott may collect your personal data from information that you provide us with when using our Services or engaging with us, namely:
Our Website Contact Form
Our website provides a contact form in order for anyone to submit an enquiry to us and also the ability for candidates interested in a particular job to submit their details for consideration for that role. Those particular pages of our website are encrypted and we do not transmit the data externally - it remains at all times within our secure network. As well as the information that you submit via the form, we also collect the IP address of the person submitting it.
Our Mailing List
We maintain a candidate mailing list within our CRM database so that candidates can receive information about specific roles or updates about our Services or news relevant to our Services that may be of interest. We also maintain a client mailing list within our CRM database so that clients can receive information about specific candidates or offers that may be of interest to them. You can control whether to opt in or out of these mailings by contacting us and/or via the opt out link that is included at the bottom of our mailings.
General marketing mailings to clients or candidates are occasional and generally limited to a maximum of 4-6 per year. This does not include system notifications where we need to inform you of any changes that may affect your Service and these are sent to applicable users as required.
Candidates who wish to join our pool or be considered for a particular role typically provide us with information from their CV or resume: name, date of birth, contact details, current and previous employers, details of your work experience and skills, education and qualifications, as well as role preferences. We will keep this information on our secure CRM database so that we can use it to provide candidates with potential role opportunities.
We also collect personal information through our correspondence and meetings with you, through the data you provide to us via the App, through LinkedIn or other publicly available information.
We may log your visits and use of our Services, such as when you view or click on a job advert, install or update our mobile App, upload a time sheet, refer another professional, apply for jobs or upload your availability. We may use log-ins, cookies, device information and internet protocol (“IP”) addresses to identify you and log your use.
We may receive data from your devices and networks when using some of our Services, including location data, depending on the settings on the device from which our Services are accessed. When you visit or leave our Services (including our cookies or similar technology on the sites of others), we may receive the URL of both the site you came from and the one you go to next. We also get information about your IP address, proxy server, operating system, web browser and add-ons, device identifier and features, and/or ISP or your mobile carrier.
Candidate information submitted via our App is stored within a database server. Some of this data is encrypted where necessary and not all is stored in a personally identifiable manner, making the majority of it pseudonymous, i.e. it would require additional processing to link data within tables together.
What we may use your information for
We use the information we receive from candidates to be able to provide them with suitable business opportunities according to their background and experience, and to operate any assignment on which they are placed through us. We require information from potential clients to provide them with the most suitable candidates for their requirements. We may use your personal information to contact you, and/or for the following reasons:
(i) to maintain our database of contacts;
(ii) to contact you about vacancies that we believe you may be interested in, or which you have asked us about;
(iii) to send your information to clients about those vacancies or to assess suitability for the role. We will obtain at minimum verbal consent before sharing your personal data with a client;
(iv) to disclose to third parties we have retained to provide services to allow us to operate our business, for example professional advisors, IT hosting providers, reference checking services (as required), etc.; and
(v) to set you up on a client assignment when you agree to one.
(vi) Your data is shared by the search firm Nicholas Scott Legal Services Limited which deals with permanent roles and is a sister company of Nicholas Scott.
We carry out some profiling in order to evaluate your interests in a specific career opportunity. We will evaluate the information that you have provided us with about your previous work experience in order to assess whether you are suitable for an opportunity. Under Article 6(1)(b) of the GDPR this profiling is carried out with a lawful basis. It is necessary to our performance of a contract with you, so that we can successfully put you forward for suitable roles.
We may disclose your personal information to certain third parties to the extent that this is reasonably necessary to carry out our business, each of which we have assessed as compliant with the applicable legislation:
- our customer relationship management (CRM) software provider through which we manage our contacts and documents in a secure fashion. They never cache data on local devices and their servers are located in the U.S.A. They are accredited to the US/EU Privacy Shield;
- our affiliated search firms in other jurisdictions including USA and Australia, where this is deemed appropriate. For example we will share your details with those search firms if there is a candidate or client role which they are dealing with which is of interest to you;
- our dedicated third-party billing agent. All of their data is stored within Microsoft UK & European data centres;
- our dedicated email and website hosting providers. Microsoft is committed to being GDPR compliant across all of their cloud services when enforcement begins on May 25. Their data storage services are located in UK data centres;
- our mobile App provider, whose data storage servers are located within the Next Generation Data datacentre at Newport in the UK. This is a high security facility with 4 metre high perimeter fencing, military grade security and is accredited with ISO9001, ISO14001, ISO27001, PCI DSS Compliance, SSAE16/ISAE3402 Type I and II Certified and IIP Committed. Access to those physical servers is therefore very tightly controlled and limited to specific persons;
- our third party vetting agents, who provide us with CV Verification and Background Screening services to ensure our lawyers are fully vetted. Their data storage services are located in UK data centres; and
- our online document storage service. All files stored are encrypted and kept in secure storage servers, which are located in data centres across the United States.
We do not sell, trade, or rent Users’ personal identification information to others. We may share generic aggregated demographic information not linked to any personal identification information regarding visitors and users with our business partners, trusted affiliates and advertisers for the purposes outlined above.
Sending Information Out of the EEA
The personal and sensitive personal information you provide us with may be sent to clients and third parties located outside the European Economic Area (EEA).
When we transfer your personal information outside the EEA we will take reasonable steps with the aim of ensuring your privacy rights continue to be protected.
How long do we keep your information?
In line with GDPR paragraph (39), we retain personal data for no longer than is necessary. What is necessary will depend on the circumstances of each case. Information which relates to an actual assignment will need to be retained for at least 6 years from the end of the assignment. Other information we will hold for 3 years from the date we last engage or communicate with you unless you ask us to delete it.
How is your information kept secure?
Electronically gathered data is stored securely on encrypted computers and third-party systems such as Access CRM and Dropbox.
Paper copies of documents containing personal data are stored in a locked filing cabinet in the Nicholas Scott office which is only able to be accessed by authorised members of staff.
In line with GDPR paragraph (85), in the case of a personal data breach, Nicholas Scott will notify the supervisory authority and data subject of this without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless we are able to demonstrate that the breach is unlikely to result in a risk to your rights and freedoms.
Your rights to your information
You have the right to access your personal data and supplementary information. You should be aware of and able to verify the lawfulness of the processing activities.
To request a copy of your personal data please contact our Data Protection Officer, Nick Robbins, by sending a letter to:
33 Cannon Street
You have the right to request that we rectify or amend personal data because it is inaccurate or incomplete. We will do this within thirty days of receipt of your request.
You can request that we delete or remove your personal data as there is no compelling reason for its continued processing.
You can request to restrict, block, or otherwise suppress the processing of personal data. We are permitted to store personal data if it has been restricted, but we cannot process it further. We must retain enough data to ensure the right to restriction is respected in the future.
You can request that we provide you with your data so that you can reuse it for your own purposes. If you request, we must provide it in an easily transferable format and send it directly to another company.
To request the transfer of your personal data please contact our Data Protection Officer via the details given above.
You may object to data processing based on legitimate interest, to direct marketing, including profiling, and to processing data for statistics.
For more information on your rights please visit the ICO website http://ico.org.uk.