Wednesday , November , 29 2023
| Language and Accessibility

Job Applicant Privacy Statement


Carlisle City Council (‘the Council’) are a "data controller".

As part of any recruitment process, the Council collects and processes personal data relating to all job applicants within the Council to manage the recruitment process. The Council is committed to being transparent about how it collects and uses that data and to meeting its data protection obligations.

The General Data Protection Regulation (GDPR) and Data Protection Act 2018, sets out the data protection legislation that all data controllers must adhere to. Under the GDPR, there are six data protection principles that the Council must comply with as a data controller. These principles provide that the personal data we hold must be:

  • Processed in a lawful, fair and transparent manner.
  • Collected only for specified, explicit and legitimate purposes and not processed further in a way that is incompatible with those purposes.
  • Adequate, relevant and limited to what is necessary in relation to those purposes.
  • Accurate and kept up to date where necessary.
  • Kept in a form makes it possible to identify individuals for no longer than is necessary.
  • Processed in a way that ensures appropriate security of the data.

The council is responsible for complying with these principles and must be able to demonstrate compliance.

Part 1 – Policy

1 – Purpose

The purpose of this privacy notice is to make you aware of how we comply with the data protection principles both during and after your engagement with the Council. We are required under data protection legislation to provide the information to individuals at the point that data is collected from them and to notify you of the information contained in this privacy notice. To support the Council to ensure this is achieved all applicants are to declare within their application that they have read and understood of this privacy notice.

If you have any questions about this privacy notice or how we handle your personal data, please contact Personnel & Payroll.

2 – Aim

The aim of this policy is to ensure the Council is compliant with the GDPR regulations and that all applicants are fully aware of the Councils obligations and their rights.

3 – Scope and Application

This policy applies to all applicants within the Council to manage the recruitment process. Applicants within this document includes employees, casual workers, agency workers, contractors, volunteers and work experience students.

Hiring managers must ensure that anyone for whom they are responsible is aware of this policy and relevant documents and have read and understood the policy and privacy notice.

4 – Risks

If the Council were to fail to comply with their obligations under the GDPR, including with respect to data subject information rights, the Council could be subject to significant administrative fines of up to €20 million or 4% of the Council’s annual global turnover, whichever is higher.

The Data Protection Act 2018, which supplements the GDPR, also sets out additional conditions relating to criminal offences, which could lead to criminal convictions if breached.

5 – Confidentiality

All documents created as part of the recruitment process will be stored confidentially in line with normal Personnel procedures and stored on file.

6 – Individual Responsibilities


  • Read and ensure that the privacy notice contained within this policy is understood.
  • Read and sign the declaration on your application and provide a copy to Personnel & Payroll.
  • Complete the reference consent form or directly provide consent to your referees for the sharing of personal data they hold.


  • Partake in mandatory in-house recruitment training
  • Ensure all personal information provided is processed and stored in accordance with data protection legislation.
  • Ensure personal information is not disclosed to any unauthorised person.
  • Ensure extra care is taken to protect sensitive information and ensure that sensitive information does not prejudice the recruitment process.
  • Seek advice and work with HR Advisory Services in ensuring that the legal requirement of the Council’s policy, privacy notice and relevant procedures are adhered too.

Personnel & Payroll

  • Ensure all personal information provided is processed and stored in accordance with data protection legislation.
  • Ensure personal information is not disclosed to any unauthorised person.
  • Ensure extra care is taken to protect sensitive information and ensure that sensitive information does not prejudice the recruitment process.
  • To monitor and update the policy and procedure.

HR Advisory Service

  • Provide appropriate advice and guidance to Personnel & Payroll, managers and employees ensuring a consistent application of the Job Application Privacy Notice (compliant with the GDPR) and linked policies and procedures.
  • Attend meetings and interviews to support managers and employees, when deemed necessary.
  • Ensure that legal requirements and Council policy and the privacy notice are adhered to.
  • Support Personnel & Payroll, employees and managers through the process.

7 – Links to other Policies and Procedures

  • National Fraud Initiative
  • Corporate Complaints and Feedback Policy
  • Health and Safety Policy
  • Departmental Health and Safety arrangements, risk assessments and safe working practices (copy in paper files in each department)
  • Encouraging Mutual Dignity and Respect policy
  • Confidential Reporting Policy
  • Carlisle City Council especially for details of Financial Regulations, Contract Procedures, Assets disposal and role of Standards Health and Safety Policy
  • Safeguarding Policy
  • Data Protection Policy
  • Corporate Complaints
  • Keeping Children and Young People Safe Policy and Arrangements
  • Anti-bribery Policy
  • Protocol on Member – Officer Relationships
  • Fraud and Corruption Strategy
  • Volunteer Policy
  • Request to be a Volunteer Form
  • Equality Policy
  • Recruitment – Appointment Procedure

8 - Law relating to this document

General Data Protection Regulation (2016/679 EU)
Data Protection Act 2018

9 – Data Controller

Carlisle City Council
Civic Centre
Telephone no. 01228 817000

10 – Data Protection Officer

Aaron Linden
Information Governance Manager
Telephone no. 01228 817355
Email: [email protected]

Part 2 – Privacy Notice

1.0       What information does the Council collect?

    • The Council will collect personal data about all applicants. Personal data is any information about an individual can be used to directly or indirectly identify the individual. This excludes anonymised data. Some forms of personal data require a higher level of protection because of its sensitive nature. This includes personal data of criminal convictions and offences, and ‘special categories’ of personal data, such as an individual’s racial or ethnic origin, political opinions, religious or philosophical information beliefs, trade union membership, health, sex life or sexual orientation and genetic and biometric data.
    • The Council collects and processes a range of information about you. This may include:
  • your name, address and contact details, including email address and telephone number, date of birth and gender;
  • details of your qualifications, skills, experience and employment history with previous employers, including start and end dates, and your current level of remuneration;
  • copies of qualification certificates gained, attendance of courses and evaluation records;
  • information about your nationality and entitlement to work in the UK;
  • information about your criminal record, where appropriate;
  • information pertaining to personal circumstances, including disabilities;
  • equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health and religion or belief;
  • whether or not you have a disability for which the organisation needs to make reasonable adjustments during the recruitment process;

1.2  The Council collects this information in a variety of ways, including data collected through application forms, CVs or resumes; obtained from your passport or other identity documents such as your driving licence; or through interviews, if applicable.

    • In some cases, the Council collects personal data about you from third parties, such as references supplied by former employers, information from employment background check providers, information from credit reference agencies and information from criminal records checks permitted by law.
    • Data is stored in a range of different places, including in your personnel file, in the Council's HR management systems and in other IT systems (including the Council's email system).
    • If this Council receives an unsolicited CV submitted on a speculative basis associated with any specific recruitment process, the Council will delete the CV and will not process any information within the CV except for the purpose of informing the candidate of this.

2.0       Why does the Council process personal data?

2.1  The Council has a legitimate interest in processing your personal data during the recruitment process and for keeping records of the process. Processing data from job applicants allows the organisation to manage the recruitment process, assess and confirm a candidate's suitability for employment and decide to whom to offer a job. The organisation may also need to process data from job applicants to respond to and defend against legal claims.

2.2  As the Council relies on legitimate interests as a reason for processing data, it has considered whether or not our interests are overridden by the rights and freedoms of employees or workers and has concluded that they are not.

2.3  The Council will process your personal data only for the purpose it was gathered for, which is the recruitment of staff, including shortlisting, conducting interviews, checking an individual’s entitlement to work in the UK and hiring individuals.

2.4  The Council processes health information if it needs to make reasonable adjustments to the recruitment process for candidates who have a disability. This is to carry out its obligations and exercise specific rights in relation to employment.

2.5  The council may process personal data gathered for the purpose of recruitment for performing its tasks as a public authority.

2.6  Where the Council processes other special categories of personal data, such as information about ethnic origin, sexual orientation, health or religion or belief, this is done for the purposes of equal opportunities monitoring. Data that the Council uses for these purposes is anonymised and is collected with the expressed consent of individuals, which can be withdrawn at any time.

3.0       Who has access to data?

3.1  Your information will be shared internally for the purposes of the recruitment exercise. This includes members of the HR and recruitment team and interviewers involved in the recruitment process. This may include third parties if the role is externally funded and the funding body is active in the recruitment process.

3.2  The Council shares your data with third parties in order to obtain references from other employers, obtain background checks from third-party providers and obtain necessary criminal records checks from the Disclosure and Barring Service. In these circumstances the data will be subject to confidentiality arrangements.

3.5  We will not share your information for marketing purposes unless you have specifically given us permission to do so.

3.6  The Council will not transfer your data to countries outside the European Economic Area.

4.0       How does the Council protect data?

4.1  The Council takes the security of your data seriously. The Council has internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, altered, misused or disclosed, and is not accessed except by its individuals in the performance of their duties. Our measures include implementing appropriate access controls, investing in the latest Information Security Capabilities to protect the IT environments we leverage, and ensuring we encrypt, pseudonymise and anonymise personal data wherever possible.

4.2  The Council has procedures in place to deal with any actual or suspected data security breach and will notify you and the Information Commissioner’s Officer of the breach where we are legally required to do so.

4.2  Where the Council engages third parties to process personal data on its behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

5.0       For how long does the Council keep data?

5.1  The Council will hold your personal data compliant with legal retention periods following the end of the relevant recruitment process and will delete and/or destroy your data at the end of that period.

5.2  A copy of the retention schedule can be supplied upon request.

6.0       Your rights

6.1  As a data subject, you have a number of rights. You can:

  • access and obtain a copy of your data and relevant privacy information on request;
  • require the Council to change incorrect or incomplete data;
  • require the Council to delete or stop processing your data;
  • object to the processing of your data where the Council is relying on its legitimate interests as the legal ground for processing; and
  • ask the Council to stop processing data for a period if data is inaccurate

6.2  Where you have given consent for the processing of your personal data for a specific purpose, you have the right to withdraw your consent for the processing for that specific purpose at any time.

6.3  Where the Council processes other special categories of data, such as information about ethnic origin, sexual orientation, health, religion or belief, age, gender or marital status, this is done for the purposes of equal opportunities monitoring with the explicit consent of job applicants, which can be withdrawn at any time.

6.4  If you would like to exercise any of these rights, please contact the Data Protection Officer detailed above. You can make a subject access request by completing the Council's form found <click here> or can be sent out on request.

UK Information Commissioner's Office, Wycliffe House
Water Lane, Wilmslow, Cheshire, SK9 5AF
Tel: 08456 30 60 60 | Website:

7.0 What if you do not provide personal data?

7.1  You are under no statutory or contractual obligation to provide data to the organisation during the recruitment process. However, if you do not provide the information, the organisation may not be able to process your application properly or at all.

7.2  You are under no obligation to provide information for equal opportunities monitoring purposes and there are no consequences for your application if you choose not to provide such information.

7.3  If you do not want to provide some information as part of your application, and you are unsure whether you have an obligation to do so. Contact Personnel and Payroll to discuss the necessity.

8.0 Automated decision-making

8.1  Recruitment processes are not based solely on automated decision-making.

Policy Review Schedule



Policy title

Job Application Privacy Notice

Policy Location


Policy owner (Directorate)

HR/Finance & Resources

Policy lead contact


Approving body (SMT)

Information Officer

Date of approval

July 2018

Date of implementation

July 2018

Version no. (amendment date)

1.1 09/09/2019

Related Guidelines, Procedures, Codes of Practice etc.

See Part 1 – 8 above

Review interval

When required

Version Control:

Revision date

Issue No.

Summary of Changes



Updated regarding involvement of funding bodies being involved in recruitment of externally funded posts.


This A to Z of services list provides links to service pages alphabetically