Opto Health Job Applicant Privacy Notice

What is the purpose of this document?

Opto Health UK Limited (Opto Health) is a "controller" in relation to personal data under the UK GDPR. This means that we are responsible for deciding how we hold and use personal data about you.

This privacy notice applies to you who are applying for work with us (whether as an employee, worker, or individual contractor). It shares information with you about what personal data we collect about you, why it will be used, and for how long it will keep your data. If you have any questions after reading this notice, you can contact our Data Protection Officer at dpo@opto.co.uk.

What kind of information do we hold about you?

In connection with your application with us, we will collect, store, and use the following categories of personal data about you:

  1. The information you have provided to us on your CV and other application materials, including name, title, address, telephone number, personal email address, phone number, date of birth, employment history, education history, qualifications, skills, and interests, photo (only if provided by you, but we do not need this or encourage you sending it to us);
  2. The information you provide to us during an interview;
  3. Government-issued identifiers and related documents, including your national identification or other social insurance number, as may be legally required; and
  4. Citizenship, nationality, country of residence, and immigration status, as may be legally required

We may also collect, store and use the following types of more sensitive personal data:


Only if you decide to provide it, information related to your disability, which is health data


Information about criminal convictions and offences, only for those limited categories of roles identified in Section 5 of this Privacy Notice.

How is your personal data collected?

We collect personal data about job applicants from the following sources:


You, the applicant.


Recruitment agencies we may engage from time to time;


Disclosure and Barring Service in respect of criminal convictions and offence data, only for those limited categories of roles specified in Section 5 of this Privacy Notice;


Your named referees; and


Third party publicly accessible sources, such as your LinkedIn profile, the General Medical Council (GMC) or the Nursing and Midwifery Council (NMC).

How will we use the personal data we collect about you?

We will use the personal data we collect about you to:


Assess your skills, qualifications, and suitability for the role.


Communicate with you about the recruitment process.


Keep records related to our hiring processes.


Comply with legal or regulatory requirements.


It is in our legitimate interests (Article 6(1)(f)) to decide whether to appoint you to a role because it would be beneficial to our business to appoint someone to that role.


We also need to process your personal data to decide whether to enter into a contract (Article 6(1)(b)) with you and in certain cases because of a legal obligation (Article 6(1)(c)).

If you fail to provide personal data

If you fail to provide information when requested, which is necessary for us to consider your application (such as evidence of qualifications or work history), we will not be able to process your application successfully. For example, if we require a references for this role and you fail to provide us with relevant details, we will not be able to take your application further.

How do we use sensitive personal data?

We will use your sensitive personal data in the following ways:


Only if you decide to provide information related to your disability, we will use this information about your disability status to consider whether we need to provide reasonable and appropriate adjustments during the recruitment process, for example whether adjustments need to be made.


This processing is under Article 6(1)(c), to comply with our legal obligations, as well as under Article 9(2)(b), to carry out the exercising of certain obligations and exercising specific rights related to employment as supported by the Data Protection Act (2018), Schedule 1, part 1(1) related to processing for employment.

Information about criminal convictions

We will process information about criminal convictions for job applicants in two categories of roles. Depending on the category of the role, a different check is required. These include:


Facility On Site Roles. These are roles which require on site presence at a healthcare facility that could include incidental exposure to patients as a part of the role. These require a Basic DBS check.


Opto Clinician Roles. These are roles which involve the provision of health care services through direct contact with patients. These require an Enhanced with Barred Lists DBS check.

At which stage of recruitment is this data collected?

We will only collect information about your criminal convictions history if we would like to offer you the role (conditional on checks and any other conditions, such as references, being satisfactory) and your role falls into one of these two categories.

What is the legal basis for processing this data?


For Facility On Site Roles, this processing is made under our legitimate interest to ensure trust and integrity in Opto Health staff to secure the confidentiality of information about and the safety of the individuals who may be seeking services at a healthcare facility, and is supported by Schedule 1, Part 2 (12) of the Data Protection Act (2018), supporting the NHS in their regulatory requirement related to unlawful acts and dishonesty.


For Opto Clinician Roles, this processing is made under the legal requirement under the Safeguarding Vulnerable Groups Act 2006 (amended by Protection of Freedoms Act in 2012) and is supported by Schedule 1, Part 2 (2) of the Data Protection Act (2018), related to health or social care purposes, where the individual is further subject to a responsibility of professional secrecy as a part of their profession.

We have in place an appropriate policy document and safeguards which we are required by law to maintain when processing such data. A copy of this document will be made available to you to review.

Why might we share your personal data with third parties?

We will only share your personal data with the following third parties:


Recruitment advisers and service providers, for the purpose of providing their services and advise to us


Referees, for the purpose of seeking references according to your instructions


Government authorities, for the purpose of exercising or defending Opto Health’s rights or as may be necessary to comply with a legal obligation

All our third-party service providers are required to take appropriate security measures to protect your personal data in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

How long will we keep your personal data?

Duration of the recruitment. We will retain your personal data for a period of six months after we have communicated to you our decision about whether to appoint you to role.

We retain your personal data for that period so that we can show, in the event of a legal claim, that we have not discriminated against applicants on prohibited grounds and that we have conducted the recruitment exercise in a fair and transparent way. After this period, we will securely destroy your personal data in accordance with our data retention policy.

For future recruitment opportunities. If you wish that we retain your personal data in case a further opportunity may arise in future for which you may be a suitable candidate, we will only do this with your consent. In this case, we will retain your personal data for an additional one year following the end of the recruitment.

What rights do you have in connection with your personal data?

Under certain circumstances, by law you have the right to:


Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.


Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.


Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is not a reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).


Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes.


Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.


Request the transfer of your personal data to another party.


Right to withdraw consent where you have provided the consent for the processing.

If you want to exercise these rights or have a question about your personal data or any of the terms of this privacy notice, please contact our Data Protection Officer by email at dpo@opto.co.uk.

How can you make a complaint with the supervisory authority?

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO) who is responsible for data protection issues in the UK. You can reach their office at https://ico.org.uk/make-a-complaint/

If you have any questions about this privacy notice, please contact our DPO at dpo@optohealth.co.uk.

This privacy notice was last updated on 23rd August 2023.