Website Privacy Notice: 1st January 2022

Introduction

This Privacy Notice (“Notice”) – together with any other privacy information we may provide on specific occasions – applies to the processing of personal data by us in the course of providing our assurance and advisory services, and carrying out our business operations. The Notice sets out the types of personal data we collect, explains how we collect and process that data, who it shares it with and certain rights and options that you have in this respect.

We recognise that information privacy is an ongoing responsibility, and so we will from time to time update this Privacy Notice as we undertake new personal data practices or adopt new privacy policies.

When we refer to “RightCue” or “we” in this Notice we mean Right Cue Consulting Services Ltd, a company incorporated in England & Wales with registered number 06866953 and registered address at The Square, Basingview, Basingstoke, United Kingdom RG21 4EB. We are registered with the Information Commissioner’s Office under registration number ZA206168.

How we collect and use (process) personal information

We collect and process personal data for the following categories of data subjects:

• Job applicants
• Clients
• Business contacts which include suppliers, consultants, advisors
• Visitors to our website
• Recipients of our marketing activities

Job applicants

All of the information you provide during the application process will only be used for the purpose of progressing your application or to fulfil legal or regulatory requirements if necessary.

We will use the contact details you provide to us to contact you to progress your application. We will use the other information you provide to assess your suitability for the role you have applied for.

We do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary.

1. Application stage

At the application stage, we ask you for

• Contact details – name, address, phone number and email address
• Your previous experience – details of your education, work history, referees and answers to questions relevant to the role you have applied for
• Financial – Previous salary/salary expectation, conflict of interest
• Health and safety-Disability/Special needs. This information will only be used to ensure a comfortable experience during interview process. This is not mandatory information – if you don’t provide it, it will not affect your application. This information will not be made available to any staff outside of our recruitment and HR team in a way which can identify you.
• Other – ability to drive in the UK

2. Selection stage

Our hiring managers shortlist applications for interviews.

We might also ask you to take a written test, online assessment and complete a psychometric questionnaire. Information will be generated by you and by us. For example, you might complete a written test or we might take interview notes. This information is held by us.

We will also ask you to provide contact details of two references, their details and their answers and/ or opinions will be retained by us. We will also conduct an ID verification and check your right to work in the UK before any offer letters are issued.

3. How long is the information retained?

If you are unsuccessful at any stage of the process, the information you have provided until that point will be retained for 6 months from the closure of the campaign. The information generated throughout the assessment process, for example, interview notes, is retained by us for 6 months following the closure of the campaign.

If you are successful in your application, we will retain your information in accordance with our Privacy Notice for Employees, Workers and Contractors. A copy of this Notice will be provided to you with your offer letter.

Clients

We collect personal information about our clients to provide them with our services. We hold the following information about customers:

• Contact details – name, business address, business email address, business phone numbers including mobile numbers
• Identity data – username and password to our online client portals including the IASME certification portal
• Transactional data including details about services you have purchased from us. We do not process credit card information, the payment transactions are handled securely by a PCI-DSS accredited vendor
• Video, call and chat recordings may be taken in order to provide you with our service. Your consent will be taken before any recordings are made and these recordings are deleted within 14 days.

We may receive personal information from our clients about other individuals, e.g. their employees, while providing our services. Any such information provided to us is used solely for providing our services and is handled strictly as per client instructions.

We may also receive personal information from third parties including other customers, partners, or 3rd parties that we run partnerships, competitions and events with. Any such information provided to us is used solely for providing our services and is handled strictly as per our data protection procedures.

Business contacts

If you are a supplier, service provider, advisor, or consultant, we may process the following personal data about you:

• Contact details – name, work email address, contact numbers
• Professional details – the name of employer, job role, educational or professional background, any professional disqualifications
• Verification of identity details – Passport or any other government-issued document, proof of address, professional indemnity insurance,
• Financial and Transactional details – invoices, bank account numbers for payment
• If you have access to any of our internal platforms – username and password

We use this information to enter into and fulfil a contract with you, to administer and manage our relationship with you including accounting, payment processing activities.

Visitors to our website

When you visit our website, we use third-party services (‘cookies’) to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to various parts of the website. The information is only processed in a way that does not identify any individual.

When you complete a contact form on our website, email cyber@rightcue.com, or contact@rightcue.com, we will use the information provided by you only for the purpose of providing you with an appropriate response.

Marketing data

We hold name and contact details of individuals who have expressed interest in hearing from us about our services or have engaged with us for supply of our services in the past. All direct marketing activities to such individuals shall comply with relevant privacy and regulatory requirements.

How is your personal data collected?

You may give us your personal data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:

• Engage us to provide services
• Subscribe to our publications
• Request marketing material to be sent to you
• Complete one of our enquiry forms
• Provide us with feedback

Apart from receiving personal data directly from you when you engage us to provide services, we may receive personal data from our partners and associates, for example our accreditation bodies.

When and how do we share your personal data?

We may share your personal data in the following circumstances:

• Internally with staff members who require your information to provide our services and who have received training in data protection
• Our accreditation bodies where this is a requirement for delivering our services
• With our professional advisors, including our legal advisors, financial advisors, insurers, accountants, auditors or other consultants to the extent they require this information to provide their services to us
• With sub-contracts, consultants or associates who are asked by RightCue to deliver all or some of the services
• With courts, law enforcement authorities, regulators or government officials where it is legally required
• With third parties providing IT support and maintenance services, marketing and client support services, data storage services, and checks for credit risk reduction and other fraud and crime prevention purposes; and other financial institutions and credit reference agencies providing services to us
• Any third parties with whom you require or permit us to correspond

We do not sell personal information to anyone and only share it with third parties who are facilitating the delivery of our services and communications.

Transfer of personal data outside of the UK

There may be occasions where we will need to share your data with entities in third countries, such as when we are using cloud software providers or outsourced contractors which enable us to provide you with the services. We verify that any data transfer outside of EEA is subject to EU adequacy requirements, Standard Contractual Clauses or other transfer tools which comply with data protection legislation.

Automated decision making

We do not use automated decision-making in relation to your personal data.

Security of your personal information

To help protect the privacy of data and personally identifiable information you provide to us, we maintain physical, technical and organisational controls. We update and test our security technology and controls on an ongoing basis. We restrict access to your personal data to those employees who need to know that information to provide benefits or services to you.

In addition, we train our employees about the importance of confidentiality and maintaining the privacy and security of your information. We commit to taking appropriate disciplinary measures to enforce our employees’ privacy responsibilities.

We are certified to the ISO 27001, IASME Gold, IASME Quality Principles and CE plus standards which demonstrates our commitment to the security and privacy of your personal information.

Data storage and retention

Your personal data is stored by RightCue on the servers of the cloud-based services and IT service providers we engage, as well as in physical forms in our office and at backup and archive facilities.

We retain data as per our data retention policy and regulatory data retention requirements.

For more information on where and how long your personal data is stored, and for more information on your rights of erasure and portability, please contact us at privacy@rightcue.com.

Data subject rights

We have appointed a Data Protection Officer for you to contact if you have any questions or concerns about our personal data policies or practices. If you are concerned about an alleged breach of privacy law or any other regulation by us, please contact our Data Protection Officer at privacy@rightcue.com who will ensure that your complaint is investigated.

You have the right to ask if RightCue is processing your personal data, and to have access to the personal data we may have about you.

Where we have asked for your consent, you may withdraw consent at any time. If you ask to withdraw your consent, this will not affect any processing which has already taken place.

You also have a right to request correction of inaccurate information, deletion of information in certain circumstances, and to instruct us to stop processing your information. We are obliged to honour such requests as per the regulatory requirements unless we are unable to do so for legal reasons. If you’d like more information or would like to make such a request, please contact our Data Protection Officer stated above.

If you are not satisfied with our handling of your queries or complaints on data protection, you can contact the Information Commissioner’s Office (UK data protection authority) on 0303 123 1113 or at https://ico.org.uk/make-a-complaint/.