Worker Consent for personal data to be available outside of King’s Talent Bank
1. Who is this for?
Any workers who have registered with King’s Talent Bank and are seeking for work assignments from King’s College London and/or work assignments for businesses and organisations other than King’s College London. Workers can register to be added to a ‘public pool’ and thus be available for work from other organisations.
2. Why do I need to give consent?
By agreeing for your work profile to be available within the public pool some of your information will be viewable by people outside of Kings’ Talent Bank Ltd and it is important you understand this before giving consent.
3. Who looks after my personal data?
King’s Talent Bank Limited is the Data Controller and Keystone Employment Group LLP (who provide the web service) is the Data Processor. The King’s Talent Bank Service is covered by a Data Processing Agreement which can be found in Appendix 1.
4. Who can see my personal data?
If you only do work for King’s College London then hiring managers within King’s College London can see:
● Your profile information (skills, work experience, abilities, CV, references, compliance eligibility and availability).
A Manager who has hired you and is approving your timesheets will also see (in addition to the above):
● Current work assignment and timesheet information
In addition, Senior Administrators or Consultants for King’s Talent Bank have access to:
● Your profile information (skills, work experience, abilities, CV, references, compliance eligibility and availability)
● Current work assignment and timesheet information
● Your supporting documents (passport, visa information)
● Your prior timesheets, pay rates, payslips, prior work assignment details
● Personal details, next of kin, nationality, Date of Birth, National Insurance details
If you choose to also be available for roles outside of King’s College London - for other businesses and organisations, then hiring managers in those businesses or organisations will have access to:
● Your profile information (skills, work experience, abilities, CV, references, compliance eligibility and availability).
A Manager who has hired you and is approving your timesheets will also see (in addition to the above):
● Current work assignment and timesheet information
By accepting the terms of this consent, you are giving permission for the above information to be accessed by King’s Talent Bank and external organisations.
Appendix 1: Data Processing Agreement
IN THE CASE OF ANY CONTRACT WHERE THE PROVISIONS OF THE DATA
PROTECTION ACT 1998 APPLY TO DATA PROCESSED IN RELATION TO THE
PERFORMANCE OF THE CONTRACT, THIS DATA PROCESSING AGREEMENT (THE
“AGREEMENT”) WILL SUPPLEMENT THE CONDITIONS OF CONTRACT.
AGREEMENT
BETWEEN:-
(1) KING’S TALENT BANK LIMITED, at James Clerk Maxwell Building, 57 Waterloo Road, London SE1 8WA (the "Data Controller"); and
(2) KEYSTONE EMPLOYMENT GROUP LLP, of Keystone House 272-276 Pentonville Road, London N1 9JY (the “Data Processor").
BACKGROUND
This Agreement sets out the terms and conditions under which Personal Data, and Sensitive Personal Data held by the named “Data Controller” will be processed by the named “Data Processor”. The Parties enter into this Agreement to ensure compliance with the Data Protection Act 1998 (the “Act”). The parties agree that all processing of Data must comply with the provisions of the Act.
Paragraphs 11 and 12 Part II of Schedule 1 of the Act place obligations on a Data Controller to ensure that any Data Processor it engages provides sufficient guarantees to ensure that the Processing of the Data carried out on its behalf will be secure. The Parties enter into this Agreement to ensure the protection and security of Data passed from the Data Controller to the Data Processor for Processing, or accessed by the Data Processor on the authority of the Data Controller for Processing, or otherwise received by the Data Processor for Processing on the Data Controller’s behalf.
This Agreement further defines certain service levels to be applied to all Data related Services provided by the Data Processor.
IT IS AGREED
DEFINITIONS AND
INTERPRETATIONS In this Agreement:
“King’s Talent Bank” means King’s Talent Bank Limited of James Clerk Maxwell Building, 57 Waterloo Road, London SE1 8WA
"Act" means the Data Protection Act 1998 unless otherwise indicated;
"Data" means any information of whatever nature that, by whatever means, is provided to the Data Processor by the Data Controller, is accessed by the Data Processor on the authority of the Data Controller or is otherwise received by the Data Processor on the Data Controller's behalf, for the purposes of the Processing specified in this Agreement, and shall include, without limitation, any Personal Data and/or Sensitive Personal Data;
"Data Subject", "Personal Data", "Sensitive Personal Data" and "Processing" shall have the same meanings as are assigned to those terms in the Act;
"Services" means processing of the Data by the Data Processor in connection with and for the purposes of the provision of the services to be provided by the Data Processor to the Data Controller under the Services Agreement;
“Services Agreement” means the agreement for the provision of services between the Data Controller and the Data Processor identified in the Client Terms of Business for Supplying the Service.
“Parties” refers collectively to the parties to this Agreement, being King’s Talent Bank and Keystone;
“The Purpose” Keystone, the Data Processor, provides a software service to operate the “King’s Talent Bank ”. This allows candidates to register to undertake work for King’s Talent Bank Limited and, where agreed by the candidate, other external business and organisations to access those candidates to make them offers of work. The service allows hiring managers and administrators access to data related to the candidates, their personal and work related details and financial and compliance information pertinent to managing and interacting with those candidates.
The Personal Data will be stored by the Data Processor within the European Economic Area (the “EEA”).
1. APPLICATION OF THIS AGREEMENT
1.1 The Data Controller agrees to provide the Data Processor with the relevant Data
required for the Purpose.
1.2 The information to be provided is as follows:
1.2.1 Candidate/Worker details to enable the placement of Candidates/Workers into assignments
1.2.2 Candidates/Workers assignment details and hours worked and relevant pay rate details to enable King’s Talent Bank Staff or external organisations to pay Candidates/Workers for work completed
1.2.3 Candidates/Workers details to enable reporting and Management Information provision (e.g. name and address, previous work history and experience, skills and history)
1.2.4 Candidates/Workers details to enable the monitoring and management of the service (e.g. assignment history and equalities monitoring information)
1.2.5 Any other information necessary for the fulfilment of the purpose.
1.3 For the avoidance of doubt the Data transferred to the Data Processor under the
Agreement at no time becomes the property of the Data Processor.
1.4 In consideration of the obligations undertaken by the Data Processor in clauses 2-5 of
this Agreement, below, the Data Controller agrees that it shall ensure that it complies
at all times with the Act and in particular, the Data Controller agrees that it shall ensure
that any disclosure of Personal Data made by it to the Data Processor is made with the
Data Subject’s consent or is otherwise lawful.
2. DATA PROCESSING
2.1 The Data Processor is to act only on instructions from the Data Controller.
2.2 Data will be delivered to the Data Processor using the following procedures: Data will
be collected by a secure user interface to be accessed through the World Wide Web
by the Data Subject and Data Controller.
2.3 The Data Processor undertakes to:-
2.3.1 Process the Data at all times in accordance with the Act and solely for the
purposes connected with provision by the Data Processor of the Services and in
the manner specified from time to time by the Data Controller in writing and for
no other purpose or in any manner except with the express prior written consent
of the Data Controller;
2.3.2 Ensure that Personal Data will not be processed to support measures or
decisions with respect to particular individuals;
2.3.3 Ensure that Personal Data will not be processed in such a way that substantial damage or substantial distress is, or is likely to be, caused to any Data Subject;
2.3.4 Ensure that the Data will not be disclosed to any third party without the prior written authority of the Data Controller.
2.4 No steps will be taken by the Data Processor to contact any party identified in the Data
unless it is for the purposes of delivering the service set out in this contract or the Data
Controller has given prior written consent.
2.5 All Personal Data held by the Data Processor including any archive or back-up copies,
will be returned to the Data Controller and securely destroyed from any system that it is
held on at a date to be agreed by the relevant parties. After this date, the Data Processor must promptly provide to the Data Controller a written declaration confirming that the Data has been returned and securely destroyed from its systems.
2.6 The Data Processor will not transfer, or permit the transfer of the Data, to any territory
outside the EEA without the prior written consent of the Data Controller.
2.7 On reasonable notice, the Data Processor will allow its Data Processing facilities,
procedures and documentation to be submitted for scrutiny by the Data Controller or
its auditors in order to ascertain compliance with the relevant laws of the United
Kingdom and the terms and conditions of this Agreement.
2.8 The Data Processor will ensure that each of its employees, agents and subcontractors
are made aware of and comply with the obligations under this Agreement with regard
to the security and protection of the Data.
2.9 In the event of the exercise by Data Subjects of any of their rights under the Act in
relation to the Data, the Data Processor will inform the Data Controller as soon as
possible. The Data Processor agrees to assist the Data Controller with all Data Subject
information requests which may be received from any Data Subject in relation to any Data.
2.10 In the event that the Data Processor receives a request for any information
contained in the Data under the Freedom of Information Act 2000 the Data Processor
will not respond to the person making such request but will inform the Data Controller
within two (2) working days of its receipt. The Data Processor further agrees to assist
the Data Controller with all such requests for information which may be received from
any person within such timescales as may be prescribed by the Data Controller.
3. CONFIDENTIALITY
3.1 For the avoidance of doubt, the obligations of confidentiality imposed on the Parties by
this Agreement shall continue in full force and effect after the expiry or termination of
this Agreement.
3.2 The Data Processor will respect the privacy of individuals in any part of the purpose
requiring the use of Personal Data.
3.3 Under no circumstances will the Data Processor attempt to identify any person from the Data or aggregate data by any data matching or other exercise except where required
for the Purpose.
4. SECURITY
4.1 The Data Processor agrees to apply appropriate security measures commensurate with the requirements of principle 7 of the Act to the Data. In particular, the Data
Processor shall ensure at all times that adequate measures are in place to do everything possible to:-
a. make accidental compromise or damage to the Data unlikely during storage, handling,
use, Processing, transmission, transport or otherwise; and
b. deter deliberate compromise or opportunist attack.
4.2 The Data Processor shall ensure that security measures, commensurate with those
operated by the Data Controller, shall be in force and applied at all times.
4.3 The Data Processor shall implement technological and all other reasonable
measures to protect against accidental loss, destruction, damage, alteration or
disclosure. These measures shall be appropriate to the harm which might result
from any unauthorised or unlawful processing, accidental loss, destruction or
damage to the Personal Data and having regard to the nature of the Personal Data
which is to be protected.
4.4 Any security incidents, breaches and newly-identified vulnerabilities must be reported
to the Data Controller by the Data Processor immediately. In the case of any incident
that gives rise to a Data loss then the Data Processor shall inform the Data Controller
promptly and in any case no later than within 24 hours of the Data breach occurring.
5. SUB- CONTRACTING
5.1 The Data Processor shall not sub-contract any of its rights or obligations under this
Agreement without the prior written consent of the Data Controller.
5.2 Where the Data Processor, with the consent of the Data Controller, sub-contracts its
obligations under this Agreement it shall do so only by way of a written agreement
with the subcontractor which imposes the same obligations in relation to the security
of the processing on the sub-contractor as are imposed on the Data Processor under
this Agreement.
5.3 For the avoidance of doubt, where the subcontractor fails to fulfil its obligations under
any sub-processing agreement, the Data Processor shall remain fully liable to the
Data Controller for the fulfilment of its obligations under this Agreement.
5.4 Neither party shall assign or transfer any rights or obligations under this Agreement to
another party without the prior written consent of the other.
6. RIGHTS OF THIRD PARTIES
6.1 Any rights, of any person, to enforce the terms of this Agreement pursuant to the
Contracts (Rights of Third Parties) Act 1999 is hereby excluded.
7. TERMINATION
7.1 This Agreement shall terminate automatically upon termination or expiry of the Data
Processor's obligations in relation to the Services. On termination of this agreement
the Data Processor shall deliver to the Data Controller and/or securely destroy, at the
Data Controller's sole option, all the Data Controller's Data in its possession or under
its control.
8. INDEMNITY
8.1 The Data Processor is liable for and shall indemnify and keep the Data Controller fully
indemnified on demand from and against each and every action, proceeding, liability,
loss, damage, cost, claim, fine, expense and/or demand suffered or incurred by the
Data Controller which arise from or in connection with or pursuant to any act or
omission of or the performance of the Data Processor’s obligations under this
Agreement, including without limitation those arising out of third party demand, claim
or action, or any breach of contract, negligence, fraud, wilful misconduct, breach of
statutory duty or non-compliance with this Agreement or any part of the Act by the
Data Processor or any of the Data Processor personnel.
9. GOVERNING LAW & JURISDICTION
9.1 This Agreement will be governed by the laws of England and Wales, and the parties
submit to the exclusive jurisdiction of the English courts for all purposes connected
with this Agreement including the enforcement of any award or judgement made
under or in connection with it.