Recruitment Privacy Notice
Last updated: 10 July 2025
What is a Privacy Notice?
A privacy notice is a document that explains how and why we collect, use, store, and share your personal data. It is designed to help you understand what information we hold about you, how we protect it, and what your rights are under data protection laws such as the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This notice provides transparency about our data practices and ensures that you are informed about how your personal information is handled when you interact with us — whether as a learner, employee, job applicant, centre representative, or in any other capacity.
Who are we?
We are Ascentis, an award-winning, charitable awarding organisation and Access Validating Agency (AVA) based in the UK. Our mission is to provide high-quality qualifications and educational services that enable individuals to achieve their full potential and progress in life, learning, and work.
Ascentis is regulated by Ofqual, Qualifications Wales, and the Council for the Curriculum, Examinations and Assessment (CCEA) in Northern Ireland. We are also licensed by the Quality Assurance Agency (QAA) to validate Access to Higher Education Diplomas.
The Ascentis Group also includes International Dyslexia Learning Solutions (IDLS), which provides specialist multi-sensory software to primary and secondary schools in the UK and around the world with the goal to provide learning support to people with dyslexia, dyscalculia, and other similar conditions that can present obstacles for learning.
Our registered office is:
Ascentis House, Lancaster Business Park, 3 Mannin Way, Lancaster, LA1 3SW.
Why should you read this notice?
This notice is important because it explains how we handle your personal data and outlines your rights under data protection law.
At Ascentis, we are committed to being open and transparent about how we collect, use, and protect your information. To ensure clarity and avoid confusion, we provide separate privacy notices tailored to the specific relationship we have with you — whether you're a learner, employee, centre representative, or otherwise.
This particular notice applies to you in your capacity as a job applicant. It sets out what personal data we collect, why we collect it, how we use it, and how you can exercise your rights.
What personal data do we collect?
During the recruitment process, we collect a range of personal data to assess your application and manage our recruitment procedures effectively. This includes information you provide directly to us, data generated through your interactions with our recruitment systems, and, where applicable, data received from third parties such as recruitment agencies or online platforms (e.g., LinkedIn/Facebook). The types of personal data we collect may vary depending on the role you apply for and the method of application, but typically include the following:
Element of Information
Description
Personal Identification and Contact Details
First name, Surname
Your full legal name
Email address
Contact email used during the application process
Home telephone number, Mobile number
Contact numbers for communication
Date of birth
Used to verify identity and eligibility
Legal gender
Gender as recorded on official documents
Recognised gender (optional)
Gender identity, if different from legal gender
Full current address, Postcode
Residential address for contact and verification
Signature
Used for employment contract should candidate be successful
Photograph
Profile photo
Imported from LinkedIn/Facebook if you choose to share your profile
Education and Training
Educational background
Institutions attended, dates, subjects, and degree classifications
Training courses
Courses completed, dates, and qualifications/grades received
Employment History
Current employment
Employer name, address, job title, start date, and work email
Previous employment
Past employers, roles, dates, and job responsibilities
Qualifications, skills, experience
Summary of your professional background
Driving and Mobility
Ability to use a car
Driving license number and license check code
References
References
Referee contact details, relationship, and employment-related factual information
Right to Work and Identity Verification
National Insurance number
Used for employment (payroll processing) and right-to-work checks where required
Passport/ID documents
Identity verification and right-to-work documentation
Visa or immigration status
Proof of right to work in the UK
Proof of address
Supporting documentation for identity verification
Health and Criminal Record Information
Disability status
Information to support reasonable adjustments during recruitment
Unspent convictions
Disclosure of criminal history under the Rehabilitation of Offenders Act 1974
DBS check results
Criminal background checks where required by regulation
Equal Opportunities and Diversity Monitoring (optional)
Equal opportunities data (optional)
Ethnicity, religion, sexual orientation, etc., for ONS (Office for National Statistics) reporting
Recruitment Process Data
CVs and cover letters
Documents submitted as part of your application
Application form responses
Information entered into the application system
Interview notes and assessments
Notes and scores from interviews or assessments
Pre-employment test results
Results from any tests or evaluations undertaken
Communication records
Emails or messages exchanged during the recruitment process
Emergency Contact Details
ATS usage data
Anonymised statistics and tracking data from the application platform
How do we collect your data?
We collect personal data about you through a variety of sources and methods during the recruitment process. These include:
Directly from you
- Most of the personal data we collect is provided directly by you when you:
- Submit an application through our website or recruitment platform
- Upload your CV, cover letter, or supporting documents
- Complete application forms or assessments
- Communicate with us via email, phone, or other channels
- Attend interviews or recruitment events
Through third-party platforms
If you apply for a role via a third-party platform (such as LinkedIn, Facebook, or a recruitment agency), we may receive personal data as part of your application. For example, if you choose to apply using your LinkedIn or Facebook profile, your photo and other profile information may be shared with us automatically through an integrated feed.
From recruitment agencies
If you are referred to us by a recruitment agency, they may provide us with your CV, contact details, and other relevant information as part of the application process.
From referees
We may collect personal data from the referees you provide, including information on your previous employment.
From publicly available sources
Where relevant to the role, we may review publicly available professional profiles (e.g. LinkedIn) to support the recruitment process.
Through our recruitment systems
Our Applicant Tracking System (ATS) may collect technical and usage data, such as anonymised statistics and interaction tracking, to help us improve the recruitment experience.
Why do we collect your data? (Purposes of processing)
We collect your personal data to support and manage all aspects of the recruitment process. This includes:
Assessing your suitability for a role
To evaluate your qualifications, experience, and skills in relation to the job you have applied for.
Managing the recruitment process
To communicate with you, arrange interviews, conduct assessments, and keep records of your application.
Making informed hiring decisions
To ensure fair and consistent decision-making based on relevant criteria.
Carrying out pre-employment checks
To verify your identity, employment history, qualifications, and right to work in the UK, and to conduct background checks where required.
Meeting legal and regulatory obligations
To comply with employment law, safeguarding requirements, and the expectations of regulatory bodies such as Ofqual, CCEA, Qualifications Wales, QAA, and SQA.
Ensuring equality, diversity, and inclusion
To monitor and promote equal opportunities in our recruitment practices (where such data is provided voluntarily).
Improving our recruitment processes
To analyse anonymised data and system usage to enhance the candidate experience and the effectiveness of our recruitment tools.
What is our lawful basis for processing your data?
Under the UK General Data Protection Regulation (UK GDPR), we must have a valid lawful basis for each type of personal data we process. During the recruitment process, we rely on a combination of lawful bases depending on the nature of the data and the purpose of processing.
Below is a breakdown of the lawful bases we rely on and the types of processing activities they apply to:
Lawful Basis
Relevant Article
When We Use It
Legitimate Interests
Article 6(1)(f) GDPR
Most of the personal data we collect and process during recruitment is necessary for our legitimate interest in managing a fair and effective recruitment process. This includes:
Reviewing CVs and applications
Shortlisting and interviewing candidates
Communicating with you about your application
Assessing your suitability for a role
Maintaining records of the recruitment process
Improving our recruitment systems and processes
We ensure that our interests do not override your rights and freedoms.
Contractual Necessity
Article 6(1)(b) GDPR
Where processing is necessary to take steps at your request before entering into a contract of employment. This includes:
Processing your application
Arranging interviews
Making an offer of employment
Legal Obligation
Article 6(1)(c) GDPR
Where we are required to process your data to comply with legal obligations. This includes:
Verifying your right to work in the UK
Conducting Disclosure and Barring Service (DBS) checks where required by law or regulation
Consent
Article 6(1)(a) GDPR
We may ask for your explicit consent to process certain types of data, particularly where it is optional or sensitive. This includes:
Retaining your information within our candidates bank for future job opportunities
Equal opportunities and diversity monitoring (e.g. ethnicity, religion, sexual orientation)
Use of your profile photo when applying via LinkedIn or Facebook
You can withdraw your consent at any time by contacting us.
Special Category Data
Article 9(2)(b), (h), or (a) GDPR
For processing sensitive data such as health or diversity information, we rely on additional conditions under Article 9. These include:
Employment and social protection law (e.g. reasonable adjustments for a disability)
Explicit consent (e.g. for diversity monitoring)
Occupational health and safety requirements
Criminal Convictions Data
Article 10 GDPR & Schedule 1 DPA 2018
Where required, we process information about unspent criminal convictions and DBS checks under our regulatory obligations (e.g. Ofqual, CCEA, QAA). This is done in accordance with Schedule 1 of the Data Protection Act 2018.
Who do we share your data with?
We do not share your recruitment data with third parties for marketing or unrelated purposes. However, to support the recruitment process and meet our legal obligations, we share your data with the following trusted service providers:
Teamtailor (Applicant Tracking System)
We use Teamtailor to manage and administer our recruitment process. Teamtailor acts as a data processor on our behalf, providing a secure platform for storing and processing your application data. They are contractually bound to process your data only under our instructions and in compliance with UK GDPR.
🔗 Teamtailor Data and Privacy
Veremark (Right-to-Work Checks)
For candidates who are unable to attend an in-person right-to-work check (e.g. remote workers), we use Veremark to conduct online verification. In these cases, we share your full name and email address with Veremark to initiate the check. You will be asked to upload a copy of your passport, and an outcome report will be generated. Both documents will be securely stored in your recruitment file in line with legal right-to-work requirements.
🔗 Veremark Privacy Policy
🔗 Veremark Data Protection Policy
These providers are carefully selected and are required to meet strict data protection and security standards. We do not share your recruitment data with any other third parties unless required to do so by law.
If your application is successful
If you are offered and accept a role with Ascentis, your personal data will be transferred to our internal systems, including SharePoint and Cezanne, for the purposes of onboarding and employment management. Full details of how we process employee data are provided in our Employee Privacy Notice, which will be made available to you upon joining.
Do we transfer your data internationally?
We do not routinely transfer your recruitment data internationally, but in limited and specific circumstances, your data may be processed or stored outside the United Kingdom (UK). These transfers are strictly controlled and only occur when necessary to support the recruitment process.
Teamtailor (Applicant Tracking System)
We use Teamtailor, a cloud-based recruitment platform, to manage and administer our recruitment process. According to our agreement and their Data Processing Agreement:
Personal data may be stored or processed within the EU/EEA, or in countries that have been deemed to provide an adequate level of protection by the UK Government or European Commission.
Where data is transferred to other countries, Teamtailor ensures appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs).
Teamtailor is contractually bound to process your data only under our instructions and in full compliance with UK GDPR.
Veremark (Right-to-Work Checks)
We use Veremark to facilitate online right-to-work checks for candidates who are unable to attend in-person verification (e.g. remote workers). In these cases:
With your consent, we will share your name and email address with Veremark so they can contact you directly to complete the check.
Veremark will then request the necessary documentation from you, such as a scan of your passport, which is submitted directly to them. Ascentis does not receive or retain a copy of your passport at any stage of this process.
The final report provided to Ascentis by Veremark confirms only whether you have the right to work in the UK; it does not include copies of your documentation.
Veremark may process your data internationally, but only in accordance with UK Data Protection Law, including the UK GDPR. They confirm that any international transfers are carried out using appropriate safeguards, such as Standard Contractual Clauses (SCCs) or transfers to countries with an adequacy decision.
All providers are contractually required to implement strong technical and organisational measures to protect your data and are not permitted to use it for any purpose other than delivering services to Ascentis.
If you would like more information about international data transfers or the safeguards we use, please contact our Legal, Risk and Data Protection Team using the details provided in this notice.
How do we keep your data safe?
We take the security of your personal data seriously. We have internal policies, procedures, and technical controls in place to ensure that your data is not lost, accidentally destroyed, misused, or disclosed, and is not accessed except by authorised personnel in the proper performance of their duties.
Our security measures include:
Secure systems and platforms
Your recruitment data is stored within secure systems, including our Applicant Tracking System (Teamtailor) and, where applicable, our right-to-work verification provider (Veremark). Both providers are contractually required to comply with UK GDPR and implement robust security controls.
Access controls
Access to your personal data is strictly limited to authorised personnel, including members of our People and Culture Team and relevant Hiring Managers. All staff are trained in data protection and confidentiality.
Encryption and secure transmission
We use encryption and secure communication protocols to protect your data during transmission and storage, where appropriate.
Identity verification
When you exercise your data protection rights, we carry out identity verification checks to ensure that personal data is only disclosed to the correct individual.
Retention and disposal
We retain your data only for as long as necessary for the recruitment process and in line with our data retention policy. Once no longer needed, your data is securely deleted or anonymised.
Monitoring and review
We regularly review our data protection practices and systems to ensure they remain effective and compliant with legal and regulatory requirements.
Internal policies and safeguards
We operate under a suite of internal policies and procedures designed to protect your data, including:
- Data Protection Policy
- Cyber Security Measures
- Password-protected systems
- Restricted system access
- Locked cabinets for paper-based records
- Disciplinary Policy for breaches of data protection
How long do we keep your data?
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including to comply with legal, regulatory, and contractual obligations.
For unsuccessful candidates, we do not store personal information internally unless it relates to interview notes, which are recorded later in the recruitment process. All other recruitment data is securely stored within our Applicant Tracking System (Teamtailor).
Unless you request otherwise, your data will be automatically deleted 6 months after a recruitment decision has been made.
You can also manage your data directly through Teamtailor’s candidate portal, where you can:
- Access or update your personal information
- Request deletion of your data
- Control your privacy preferences
For more information or to manage your data, visit:
🔗 Teamtailor Data & Privacy Settings
If you are successful in your application, your data will be transferred to our internal systems (such as SharePoint and Cezanne) and retained in accordance with our Employee Privacy Notice, which will be provided to you upon onboarding.
Once your data is no longer required, it will be securely deleted or anonymised in line with our data retention and disposal policies.
What are your rights?
Under the UK General Data Protection Regulation (UK GDPR), you have a number of rights in relation to your personal data. These rights are designed to give you greater control over how your information is used. Depending on the lawful basis for processing, you may have the following rights:
Data Subject Right
Article (GDPR)
Description
Right to be informed
Article 13 & 14
You have the right to be informed about the collection and use of your personal data, including the purposes, retention periods, and who it will be shared with. This is provided through privacy notices.
Right of access
Article 15
You can request access to the personal data we hold about you, along with information about how and why it is being processed. This is commonly known as a "subject access request."
Right to rectification
Article 16
You can ask us to correct or complete any inaccurate or incomplete personal data we hold about you.
Right to erasure (Right to be forgotten)
Article 17
In certain circumstances, you can request that we delete your personal data, for example, if it is no longer necessary for the purpose it was collected or if you withdraw consent.
Right to restrict processing
Article 18
You can ask us to limit the way we use your data in specific situations, such as when you contest its accuracy or object to its use.
Right to data portability
Article 20
Where processing is based on consent or contract and carried out by automated means, you can request your data in a structured, commonly used, machine-readable format and have it transferred elsewhere.
Right to object
Article 21
You can object to the processing of your personal data where we rely on legitimate interests or use your data for direct marketing.
Rights related to automated decision-making
Article 22
You have the right not to be subject to decisions made solely by automated means, including profiling, that have legal or similarly significant effects. You can request human intervention and contest decisions.
How can you exercise your rights?
If you wish to exercise any of your rights under data protection law—such as accessing your personal data, requesting corrections, objecting to processing, or withdrawing consent—you can do so by submitting a Data Subject Access Request (DSAR).
To begin the process, please contact us to request a copy of our DSAR form, which must be completed and returned to us via email. This form helps us process your request efficiently and ensures we have all the necessary information to locate your data.
Who to contact
Teamtailor
For control over your data that is processed via Teamtailor, please visit:
Data & Privacy - Teamtailor
People and Culture Team
For recruitment-related queries please contact:
[email protected]
Legal, Risk and Data Protection Team
For general data protection queries, to request the DSAR form in relation to your application, or to submit your completed DSAR form:
[email protected]
Outsourced Data Protection Officer (DPO)
If you prefer to raise your request externally or are not satisfied with our internal response:
[email protected]
What information will we need?
To protect your personal data and ensure we only release information to the correct individual, we require:
Your full name, date of birth, and current address
A clear description of the data you are requesting
Two forms of identification, such as:
- Passport
- Driving licence
- Birth certificate
- Utility bill (dated within the last 3 months)
- Bank statement (dated within the last 3 months)
- Rent book or vehicle registration document
If someone is acting on your behalf, they must also provide:
- Proof of their identity
- Proof of legal authority to act on your behalf (e.g. power of attorney or signed letter of authority)
We will carry out verification checks before processing your request to ensure your identity and protect your data from unauthorised access.
We aim to respond to all valid requests within one calendar month. In some cases—such as complex or multiple requests—this may be extended, but we will inform you if this is the case.
How can you make a complaint?
We are committed to protecting your personal data and handling it in a fair, lawful, and transparent manner. If you have concerns about how your personal information is being used, we encourage you to raise them so we can address the issue promptly and appropriately.
You can raise a complaint through the following channels:
Legal, Risk and Data Protection Team (Ascentis)
Who they are:
This is our internal team responsible for overseeing data protection compliance, managing risks, and ensuring that your personal data is handled in line with UK GDPR and other relevant legislation.
When to contact them:
You should contact this team as your first point of contact if you have any concerns, questions, or complaints about how your personal data is being collected, used, or stored by Ascentis.
How to contact them:
Contact Information:
Organisation Name:
Ascentis
Mailing Address:
Ascentis House, Lancaster Business Park, 3 Mannin Way, Lancaster, LA1 3SW
Data Email Address:
[email protected]
Legal Email Address:
[email protected]
Phone Number:
01524 845046
Website:
Cutting Edge Qualifications Agency | Awarding Organisation Body | Ascentis
ICO Registration Number:
S1927556
Outsourced Data Protection Officer (DPO)
Who they are:
Our independent, outsourced Data Protection Officer service provides expert oversight of our data protection practices and ensures we meet our legal obligations under data protection law.
When to contact them:
If you are not satisfied with the response from our internal team, or if you would prefer to raise your concern with someone external to Ascentis, you can contact our DPO directly.
How to contact them:
Data Protection Officer Information:
Organisation Name:
The DPO Centre Ltd
Mailing Address:
50 Liverpool St, London EC2M 7PY
Contract Email Address:
[email protected]
Phone Number:
020 3797 1289
Website:
Data Protection Services - Speak to an Expert | DPO Centre
Information Commissioner’s Office (ICO)
Who they are:
The Information Commissioner’s Office (ICO) is the UK’s independent authority responsible for upholding information rights and enforcing data protection legislation, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
When to contact them:
If you believe that we have not handled your personal data in accordance with the law, and you are not satisfied with the outcome of your complaint after contacting our internal team or our Data Protection Officer, you have the right to escalate your concerns to the ICO. They can investigate your complaint and take action where necessary.
How to contact them:
Contact Method
Details
Phone
0303 123 1113
Online Complaint Form
www.ico.org.uk/make-a-complaint
Website
www.ico.org.uk
Postal Address
Information Commissioner's Office
Wycliffe House, Water Lane,
Wilmslow, Cheshire, SK9 5AF
The ICO provides guidance on your rights and how to raise a concern, even if you choose not to make a formal complaint.
Changes to this notice
We may update this privacy notice from time to time to reflect changes in our practices, legal requirements, or the way we operate. When we make significant changes, we will take appropriate steps to inform you — such as posting the updated notice on our website or contacting you directly where necessary.
We encourage you to review this notice periodically to stay informed about how we protect your personal data.
The date of the most recent update will always be shown at the top of the notice.
Contact us
If you have any questions, concerns, or requests regarding how your personal data is handled during the recruitment process, please don’t hesitate to get in touch with us.
People and Culture Team
For queries specifically related to your application or recruitment data:
[email protected]
Legal, Risk and Data Protection Team
For general data protection enquiries or to submit a Data Subject Access Request (DSAR):
[email protected]
Outsourced Data Protection Officer (DPO)
If you prefer to raise your concern externally or are not satisfied with our internal response:
[email protected]
We are committed to protecting your privacy and will respond to your enquiry as promptly as possible.
