General Privacy Statement – How we handle your personal data
Ofcom ('the Office of Communications') is the communications regulator for the United Kingdom. It collects and processes personal data that it needs to carry out its statutory functions and to operate as a public body, including employing and contracting staff. This general statement covers all of these various purposes. In most cases we will collect that data from you directly (for example, if you are applying for a licence from us), however from time to time we might need to collect personal data about you from a third party, such as your communications provider.
In accordance with our legal obligations this General Privacy Statement sets out the information you need to know about the way in which Ofcom will collect, process and store your personal data, how long we will keep it for, your rights in connection with that data, and the people with whom we may need to share it.
Whenever we request personal data for a specific purpose that is not covered in this General Privacy Statement we will explain why we need that information and our lawful basis for collecting it. Similarly, if in the future we intend to process your data for a purpose other than that for which it was collected, we will provide you with information on that purpose and any other relevant information.
Ofcom is committed to protecting your privacy in accordance with data protection legislation.
In order to ensure that you are fully aware of how your data will be processed, stored and shared as part of your application to Ofcom please read the below statement carefully.
Omni Resource Management Solutions Limited (herin called ‘Omni’) is the dedicated recruitment partner of Ofcom, and will be, alongside Ofcom, managing the recruitment process for permanent, fixed term and contingent hires.
Omni’s registered office is: Charter House, Woodlands Road, Altrincham, Cheshire, WA14 1HF, registered company number 03278470. Omni are registered on the Information Commissioner's Office Register of Data Controllers under registration number Z7378991 and act as a data controller and a data processor. Omni’s designated Data Protection Lead can be contacted at email@example.com.
Ofcom’s registered office is: Riverside House, 2a Southwark Bridge Road, London, SE1 9HA.
Omni and Ofcom will be joint data controllers of your data.
What personal information will be collected?
Omni and Ofcom take great care to ensure that the information we hold about you meets legal, statutory and contractual obligations and is held securely. This includes having appropriate procedures and practices in place to ensure your personal information is protected.
We will collect and process personal information that you provide as part of the application, recruitment and onboarding process.
This may include your:
- name, address and contact information, including email address and telephone number;
- details of your qualifications, skills, experience and employment history;
- information about your current level of remuneration, including benefit entitlements;
- Whether or not you have a disability, where Omni or Ofcom are required to make reasonable adjustments during the recruitment process; and
- Information about your entitlement to work in the UK.
- Declaration of interest; Ofcom are required to assess any potential conflict of interest in relation to your engagement with Ofcom.
We collect information in the following ways:
- Online application form or CV Via the Applicant Tracking System Workday. Workday’s privacy notice can be found here Privacy Statement | Workday
- Over the phone or in person
- From Recruitment Agencies
- Forms requiring completion as part of the onboarding process
- Obtained through your passport or other identity documents
- Other forms of assessment, including online tests
Equal opportunities monitoring
Ofcom, in accordance with the Equality Act 2010, is committed to equality of opportunity regardless of age, disability, ethnicity, sex, gender reassignment, gender identity and expression, sexual orientation, religion or belief, marriage and civil partnership, caring status or socio-economic background. A better understanding of our colleagues means we can understand the diversity of our organisation, assess the impact of our day-to-day working practices on colleagues, and monitor equality and fairness. We also want to build a diverse workforce that reflects people with different experiences, perspectives, skills and backgrounds that helps us to make communications work for everyone. As part of Ofcom’s commitment to employing a diverse workforce, you will be asked to complete a series of equal opportunity monitoring questions as part of your application submission. All information is reported anonymously and is not linked in any way to your application. This information is classed as special category data.
Special Category Data
Where we collect sensitive personal data, we will only request the information required for the specified purpose.
How we use your personal data
We take your privacy very seriously and will never disclose or share your data without your consent, unless required to do so by law. We will never sell your data. We only retain your data for as long as is necessary and for the purposes specified in this notice. As set out in more detail later, personal data which you provide throughout the recruitment process will be retained for 12 months from the point of application in line with Chartered Institute of Personnel and Development (CIPD) guidelines; after 12 months your data will be anonymised and retained for a further 3 years for reporting purposes. Reporting includes analysis around roles recruited and volumes of applicants received and is shared at management level without your personally identifiable data.
If during this 12-month period, you would like us to provide you with information about future roles and about Ofcom as an employer please tick the consent box in the “Application questions” section of the application form and we will keep you posted. You can however withdraw your consent at any time. The purposes and reasons for processing your personal data are detailed below:
During the registration process on our Applicant Tracking System, Workday, you will be asked to consent to our data processing terms and conditions.
You also have the option to decide if you would like to receive information regarding future roles and make your selection accordingly.
If at any point you change your mind, you can let us know by contacting firstname.lastname@example.org
What if I decide I do not wish for my personal information to be used?
If at any point you change your mind, you can ask for your application to be withdrawn or for your details to be deleted by contacting email@example.com
You also have the right to know
- What personal data we hold about you
- The purposes of the processing
- The categories of personal data concerned
- The recipients to whom the personal data has/will be disclosed
- How long we intend to store your personal data for
- If we did not collect the data directly from you, information about the source
If you believe that we hold any incomplete or inaccurate data about you, you have the right to ask us to correct and/or complete the information and we will strive to update or correct it as quickly as possible; unless there is a valid reason for not doing so, at which point you will be notified.
You have the right to request erasure of your personal data or to restrict processing in accordance with data protection laws, as well as to object to any direct marketing from us and to be informed about any automated decision-making that we use.
If we receive a request from you to exercise any of the above rights, we may ask you to verify your identity before acting on the relevant request; this is to ensure that your data is protected and kept secure.
You can exercise your rights at any time by contacting firstname.lastname@example.org
Sharing and Disclosing Your Personal Information
We do not share or disclose any of your personal information without your consent, other than for the purposes specified in this notice or where there is another lawful basis for doing so.
Omni and Ofcom use third parties to provide the below services and business functions. However, all processors acting on our behalf only process your data in accordance with instructions from us and in doing so will comply fully with this privacy notice.
Our Service Providers
This includes external third-party service providers such as accountants, auditors, legal advisors and other outside professional advisors; IT systems support and hosting service providers; technical engineers; data storage and cloud providers; internal reporting software providers, recruitment agencies; outsourced payroll companies; onboarding providers and other similar third-party vendors and outsourced service providers that assist us in carrying out our business activities.
Third party suppliers include Starred who provide an online feedback service and with whom we will share your name and email address so that they can contact you to capture your views on the experience of the recruitment process. The opportunity to provide feedback is entirely optional and will not have any bearing on your application. The data is used to measure candidate experience and improve our recruitment practises. Should you wish to opt out of providing feedback please contact email@example.com.
International Transfers of Personal Information
Technical and Organisational Measures
Omni and Ofcom take your privacy seriously and we take every reasonable measure and precaution to protect and secure your personal data. We work hard to protect you and your information from unauthorised access, alteration, disclosure or destruction and have several layers of security measures in place.
Consequences of Not Providing Your Data
You are under no statutory or contractual obligation to provide your personal information to Omni or Ofcom; however, as this information is required for us to consider an application, we will not be able to consider you for vacancies without it.
How long will you keep hold of my information?
If your application is successful, the applicant portal (Workday) will store your information for a period of 12 months. Your record will then be anonymised and retained for a further 3 years for reporting purposes. As an employee, Ofcom will continue to process your information for the duration of your engagement and/ or employment and retain your information in line with their record retention policies.
If your application is unsuccessful and no further application or contact is made for 12 months, your application will be anonymised and retained for a further 3 years for reporting purposes.
Where you have consented to us using your details to send information about future roles and information about Ofcom as an employer, we will keep your contact details for the 12 month period highlighted above unless you notify us otherwise and/or withdraw your consent. Please note at the end of the 12 month retention period, your personally identifiable data will be anonymised and retained for 3 years for reporting purposes.
Lodging a Complaint
Omni and Ofcom only process your personal information in compliance with this privacy notice and in accordance with the relevant data protection laws. If, however you wish to raise a complaint regarding the processing of your personal data or are unsatisfied with how we have handled your information, you have the right to lodge a complaint with Omni and or Ofcom and the supervisory authority, the ICO: https://ico.org.uk/concerns/ Please see Omni and Ofcom’s privacy notices for contact details.
Ofcom collects personal data that it needs to perform its statutory functions, to operate as an organisation and to comply with its legal obligations.
Ofcom’s statutory functions include (but are not limited to) its duties and powers under the Office of Communications Act 2002, the Communications Act 2003, the Broadcasting Acts 1990 and 1996, the Wireless Telegraphy Act 2006, the Competition Act 1998, the Enterprise Act 2002, and the Postal Services Act 2011.
As an organisation Ofcom needs to employ staff and to contract with third-party service providers. Ofcom’s legal obligations include its obligations under the Equalities Act 2010, for example, and its duties as an employer under applicable employment and tax legislation.
Depending on the purpose and context, the personal data Ofcom collects may include:
- Your name and job title
- Your contact information (which may include your IP address)
- Your occupation and employer’s details
- Your bank details and national insurance number
- Information relating to your age, disability status, racial or ethnic origin, political opinion and political affiliations, religious or philosophical belief, trade union membership, genetic data, health, sex, sexual orientation, gender and nationality, criminal convictions and offences
- Other information relevant to:
- Improving our services (including, but not limited to, recording or monitoring communications between you and Ofcom for the purposes of quality control and staff training)
- Carrying out our statutory functions as a communications regulator (which include protecting and furthering the interests of consumers and promoting competition)
- Other information relevant to our duties as an employer.
In carrying out our functions, Ofcom may from time to time collect personal data which users of online media platforms (for example, Twitter, Facebook, Instagram, YouTube, news websites and other public blogs/forums) have chosen to make publicly available.
Ofcom may also from time to time collect personal data through the use of “fictional personas” when carrying out research into online media platforms’ processes and functions. This may involve interaction (like following/friending) with other accounts on the platform, including private accounts (in limited circumstances and in accordance with research protocols designed to minimise the impact on other users), where this is necessary for the purposes of the research. We will publish transparency notices notifying people about such research projects on our website. For more information, please read our transparency notice.
Ofcom may use your personal data for the purposes of carrying out its statutory functions, including Ofcom’s law enforcement functions, and complying with its legal obligations. Ofcom may also use your personal data where there are reasons of substantial public interest to do so, or where it has otherwise obtained your consent.
In particular, Ofcom may use your personal data for one or more of the following reasons:
- To carry out our statutory functions, for example:
- Licensing, including granting and administering broadcast licences and licences for radio equipment and other wireless communications apparatus
- Logging and handling complaints, including consumer complaints and fairness and privacy complaints
- Undertaking regulatory investigations or investigations under the Competition Act 1998
- Carrying out law enforcement activities, including investigating and prosecuting criminal offences relating to illegal broadcasting and unlawful use of wireless communications apparatus
- Gathering and publishing evidence and opinions, including through consultations and carrying out research
- Ensuring transparency and accountability in the way in which Ofcom carries out its regulatory activities.
- To improve our services;
- To send information to you which we think may be of interest to you;
- To undertake our duties as an employer;
- To pass your details to accountants, consultants and other professionals for the purpose of obtaining professional advice and complying with Ofcom's contractual obligations;
- To comply with our legal and regulatory obligations;
- To establish, exercise or defend legal claims;
Ofcom may also, from time to time, need to share your personal data with other third parties, including:
- Where appropriate, broadcasters and communications providers, for the purposes of resolving complaints about broadcasting (including on-demand content) or services;
- Organisations falling within the scope of Ofcom’s powers, third party complainants, and any representatives and expert witnesses engaged by those parties or Ofcom for the purposes of exercising our regulatory functions, including undertaking investigations and subsequent appeals. This includes, for example, allowing the subjects of an investigation (and where relevant, the complainant) access to the file, which allows those parties to understand the evidence that Ofcom is relying on in its provisional and final decisions;
- The police, or other law-enforcement bodies, for the purposes of undertaking investigations or where we are legally obliged to do so;
- Government departments and other regulatory bodies for the purposes of enabling us and them to carry out our respective legal and statutory functions. These may include, for example, the Information Commissioner, the Advertising Standards Authority, the Charity Commission, the Civil Aviation Authority, the Competition and Markets Authority and the European Commission (amongst other regulatory or co-regulatory bodies or investigatory bodies of a similar nature);
- Third parties who we may employ to in order to process personal data on our behalf (in compliance with the requirements of data protection legislation). Such third parties may include those providing e-discovery services.
We may use machine learning programmes to help us as we analyse large datasets, but we will not use automated means to take decisions about individuals.
Ofcom will determine the period for which it needs to keep your personal data having regard to the reasons and purposes for which it was collected, our statutory duties and other legal obligations, the exercise and defence of any legal claims, including the period within which any current or potential future legal claims may be brought.
Ofcom has put in place appropriate technical and organisational measures to protect your personal data and to prevent any unauthorised or unlawful processing and any accidental loss, destruction or damage to it.
From time to time, Ofcom may need to transfer personal data to other countries, for example, where personal data is being stored securely in the cloud and the relevant servers are located overseas. We will, in these circumstances, first ensure that the relevant country has the appropriate safeguards in place to protect your personal data.
As your employer (including where you are on secondment to Ofcom, or may be working for us as a freelance contractor), or prospective employer or where you perform a role for Ofcom as a non-executive member of a Committee, Board or Panel (whether or not you are directly employed by Ofcom), Ofcom is required to keep and process information about you for normal employment purposes. The information we hold and process will be used only for our management and administrative use, to carry out our employment or related tasks, or to comply with our legal obligations. We will hold and use it to enable us to run the business and manage our relationship with you effectively, lawfully and appropriately, in connection with the recruitment process, whilst you are an Ofcom employee (or whilst you are appointed as a non-executive member of a Committee, Board or Panel), at the time when your employment or appointment ends and, usually, for a period of 6 years after you have left or cease to be a non-executive member of a Committee, Board or Panel. This includes using information to enable us to:
- comply with the terms of the employment contract we have with you
- perform our statutory functions
- comply with our legal obligations (for example, with respect to tax legislation) and to protect our legal position in the event of legal proceedings
- monitor and improve our performance as an employer (including with respect to diversity).
Much of the information we hold will have been provided by you but some may come from other sources such as your line manager, referees, or current employer where this is not Ofcom.
The sort of information we may collect and hold includes:
- Your application form which includes your name, address, telephone number
- Your curriculum vitae with details of your work experience to date
- Your references
- Copies of your passport and qualification certificates
- Your contract of employment and any amendments to it
- Correspondence with, or about, you, for example letters to you about a pay rise
- Information needed for payroll, benefits and expenses purposes such as bank details
- Contact and emergency contact details (including next of kin)
- Records of holiday
- Details of your age and gender
- Records relating to your career history such as training records, appraisals and other performance measures
- Any disciplinary and grievance records
In some circumstances, we may also collect information that, under the GDPR, is deemed to be sensitive personal data. This includes:
- Records and any details of sickness as well as information relating to your health including Occupational Health reports which could include reasons for absence and GP reports and notes. This information will be used in order to comply with our health and safety occupational health obligations including assessing how your health affects your ability to do your job and whether any adjustments to your job might be appropriate. We will also require this information to administer and manage sick pay.
- Nationality – this will be used for monitoring equality and diversity within our organisation
- Race/Ethnic origin – this will be used for monitoring equality and diversity within our organisation
- Religious belief – this will be used for monitoring equality and diversity within our organisation
- Sex/sexual orientation – this will be used for monitoring equality and diversity within our organisation
- Details of any criminal convictions – this will be used for monitoring equality and diversity within our organisation
We may also monitor computer use, as detailed in our Acceptable Use Policy. We also maintain records of the hours that colleagues work by way of the timesheets which include sickness absence recording.
We may also need to share your data with the third-parties who provide our pension, health insurance schemes and/or other ‘Choices’ benefits to our employees.
Where we have collected your personal data for the purposes of our employment functions, we will retain it for a period of 6 years after you have left Ofcom. Online job applications will be held for up to 3 years for unsuccessful candidates for trend activity reporting purposes and to contact applicants in the future about jobs that they may be interested in. We will retain interview notes and/or any supporting recruitment information for all applicants for a period of 6 months.
As set out in our General Privacy Notice, if, in the future, we intend to process your personal data for a purpose other than that for which it was collected, we will provide you with information on that purpose and any other relevant information.
Under data protection legislation, you have rights to access your personal data and, in certain circumstances to: object to the processing of the data, or to request that it be rectified or erased; request that the processing of the data is restricted; and to data portability of that data. Where Ofcom is relying on your consent in order to use your personal data you may withdraw that consent at any time (however this will not affect the lawfulness of the data processing before your consent was withdrawn).
Should you wish to confirm whether or not Ofcom holds personal data about you, request copies of that data, or make any other request in relation to your personal data, you should send this to Ofcom’s Information Requests team at: firstname.lastname@example.org
If it would be helpful, you can use the form below to make your request:
Should you wish to make a request for personal data that we may hold about someone other than yourself, for example because you are carrying out an investigation under statutory powers, you may wish to use one of the following forms:
Ofcom’s handing of personal data is overseen by our Corporation Secretary, who is Ofcom’s Data Protection Officer. Should you wish to query the way Ofcom is handling your personal data or submit a complaint about this you should address this to our Data Protection Officer at:
2a Southwark Bridge Road
Tel: 020 7981 3000
If you are unhappy with the way that Ofcom is dealing with your personal data, and have already raised your complaint with Ofcom, you can make a complaint to the Information Commissioner’s Office at:
Information Commissioner's Office
Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number