Privacy policy for the Personal Group employer branding and recruitment
Date of publication: 19-01-2026
Introduction
We respect your privacy and understand that privacy is important to you and that you care about how information about you is used, so this privacy notice sets out details about what data we collect and how we use it.
This policy (together with any employment contract we may enter with you) applies to:
- The creation of candidate accounts when using our online recruitment tools.
- Any applications made for job roles with us.
- Employees in their job roles with us.
- Contractors in respect of their engagement with us.
- Any voluntary workers in their engagement with us (including work experience and intern relationships).
This policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the policy carefully to understand our practices regarding your personal data and how we will treat it.
Data to which this policy applies
This policy applies to the data which is collected on our recruitment tools, provided by you as part of an application or engagement with us, from face to face meetings, references and data we may collect about you as part of any role you may be engaged in.
The companies which collect data are those who may engage you or consider your applications. These are:
• Personal Group Benefits Limited.
• Personal Group Holdings plc.
• Personal Assurance Services Limited.
• Innecto People Consulting Limited.
• Personal Management Solutions Limited.
• Personal Assurance plc.
All of the companies have the same registered office which is John Ormond House, 899 Silbury Boulevard, Central Milton Keynes, MK9 3XL.
Personal Assurance Services Ltd oversees all of the data management within Personal Group to ensure that we comply with this policy and the data protection rules. Personal Group refers to the companies generally.
Use of data
This policy relates to our use of data for employment and related matters. The data controller for any data use will be the company employing, engaging or considering the engagement of you. This will be confirmed as part of any process or on request. This policy deals with the data we use as a controller.
Important information and who we are
Our data protection registration number is Z5238745.
We are a group of companies including the following:
• Personal Group Benefits Limited;
• Personal Group Holdings plc;
• Personal Assurance Limited;
• Innecto People Consulting Limited.
We have appointed a data protection officer (DPO). If you have any questions about this privacy policy, please contact them using the details set out below.
Contact details
Our full details are:
- Full name of legal entity: Personal Assurance Services Limited
- Email address: info@personal-group.com
- Postal address: John Ormond House, 899 Silbury Boulevard, Central Milton Keynes MK9 3XL
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK regulator for data protection issues. You should contact your line manager (or the HR team in relation to recruitment) as your first point of contact if you have any questions or concerns about data protection.
Changes to the privacy policy and your duty to inform us of changes
We keep our privacy policy under regular review.
This version was last updated on 17th January 2025. It may change and if it does, these changes will be posted on this page.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during our relationship with you.
The data we collect about you
We may collect, use, store and transfer different kinds of Personal Data about you which we have grouped together as follows:
- Identity Data includes first name, last name, username or similar identifier and title.
- Contact Data includes home address email address and telephone numbers. It may also include next of kin data.
- Financial Data includes direct debit account details.
- Transaction Data includes details about payments to and from you.
- Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website and our services.
- Profile Data includes your username and password, provided in our systems and may include your interests, preferences, feedback and survey responses.
- Engagment Data includes information about any application or engagement you may have with us.
- Sensitive Data includes information about health, ethnicity, sexual orientation or other items of data that are special category data (see below).
- Marketing and Communications Data includes your preferences in receiving marketing from us and your communication preferences.
We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your Personal Data but is not considered Personal Data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your Personal Data so that it can directly or indirectly identify you, we treat the combined data as Personal Data which will be used in accordance with this Privacy Notice.
We will collect Special Categories of Personal Data about you (this includes details about your medical information). We only collect this type of information where you consent to this. We may not be able to provide assistance to you or manage your needs if you do not provide this information. We may collect any information about criminal convictions and offences as this may be necessary for regulatory purposes.
How is your personal data collected?
We will collect and process the following data about you:
- Information you give us. This is information (including Identity and Contact Data) you consent to giving us about you by filling in forms on our recruitment tools, submitting applications, as part of any engagement with us, or by corresponding with us (for example, by email or chat). It includes information you provide when you register to use our recruitments tools/apply for a role and when you are engaged by us. If you contact us, we will keep a record of that correspondence.
- Background checks. We may carry out background checks as part of our onboarding/recruitment processes. These are required for roles within Personal Group. We will confirm when background checks are taking place.
- Information collected during your employment/engagement. We will collect information about you during the course of your employment or engagement. This information may relate to your performance, the activities in your role or about absences or disciplinary issues.
- Information you provide in relation to your health and support needs. We will collect information about your health and support needs to allow us to perform as a disability confident employer so that you can attend any interviews and in order that we can make any reasonable adjustments that you may require.
How we use your personal data
We will only use your personal data when the law allows us to do so. Most commonly we will use your personal data in the following circumstances:
- Where you have consented before the processing.
- Where we need to perform a contract, we are about to enter or have entered with you. This includes any employment contract or consultancy agreement.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- Where we need to comply with a legal or regulatory obligation.
Since special category data is usually more sensitive than ordinary personal data, we need to have an additional legal ground to use and hold it. Most commonly, as well as one of the legal grounds listed above, we rely on one or more of the following additional legal grounds when we process your special category data:
- Where we need to exercise our legal rights or carry out our legal obligations in relation to employment or social security and the processing is in line with our Data Protection Policy (Employment, social security and social protection law)
- Where it is needed in the public interest, such as for equal opportunities monitoring and in line with our Data Protection Policy (public interest)
- Where it is needed to assess your working capacity on health grounds, subject to appropriate confidentiality safeguards (Health or social care)
Occasionally, we may also hold and use ordinary personal data: in the public interest for the detection or prevention of crime; or where needed to protect your vital interests or those of another person. We may also occasionally hold anduse special category data: to establish, exercise or defend a legal claim; where needed to protect your interests (or someone else’s interests) where you are not capable of giving your consent; or where you have already made the information public.
We may, during our recruitment process, use automated screening tools as part of the application processes. The answers provided to one or more questions (excluding any special category or equal opportunities questions) may result in your application being denied. This technology is used to help us manage the high volume of applications we can receive for some roles and can confirm that the same decision would be made if there was a manual review. For some roles, we may use these automatic screening tools to help us partly profile candidates to assess their suitability for specific roles. Those tools are used to score candidates based on a specific criteria for the applicable roles. Although automated screening tools are used to create a partial profile in the relevant candidate assessment process, final decisions regarding progression of those candidates through the recruitment process and selection into role are subject to human review and oversight. The results of automated profiling are assessed as part of a wider suitability assessment[GW1] .
Sometimes we may use your personal data for purposes that are different from or incompatible with those for which we collected it. If we do this, we will notify you and explain our legal ground for using your data in this way, as required under data protection law.
See below to find out more about the types of lawful basis that we will rely on to process your personal data.
We will only send you marketing communications by email or text if we have your consent. You have the right to withdraw that consent at any time by contacting us.
Purposes for which we will use your personal data
Purpose/activity
Type of data
Lawful basis for processing
As part of an application or recruitment process
Identity
Contact
Technical
Profile
Sensitive
Your consent
Steps towards the performance of a contract with you
Legal or regulatory obligation
Your employment or engagement with us
All specified data types
Your consent
Performance of a contract with you
Legal or regulatory obligation
Necessary for our legitimate interests (to recover debts due to us)
We may also anonymise your personal data to allow us to monitor our performance in relation to equality, diversity and inclusion. When we anonymise your personal data it ceases to be personal data and you cannot be identified from it.
Disclosures of your personal data
We share your personal data with the third parties who provide services to us. This includes recruitment advisers, our outsourced IT support services and others who provide assistance to us. All these third parties will have data processor agreements in place.
We may share your data with our clients or partners as part of our operations. Where we do this it will be part of your job role or engagement with us.
We may also provide your data to third parties who will be data controllers themselves. This will include the providers of any pension benefits, health insurance benefits (provided outside Personal Group) and other providers of benefits who provide services directly to you. We will provide information to our regulators and this may include your personal data. All of these third parties will hold data in accordance with the data protection legislation and rules.
International transfers
We do not generally transfer your personal data outside the UK or the EEA. In the limited circumstances where your data may be accessed or transferred outside the UK or EEA this is subject to the UK data protection requirements and will still be protected.
Data security
All information you provide to us is stored on secure servers located in the EEA.
Once we have received your information, we will use strict procedures and security features to try to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator when we are legally required to do so.
Data retention
Details of retention periods for different aspects of your personal data are available in our retention policy which you can request by contacting us.
In some circumstances you can ask us to delete your data: see below for further information.
In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
In the event that you are no longer engaged by us your personal data may be deleted, however this will only be after a period where it is no longer needed for legal or regulatory purposes, or for a period you have agreed to.
Your legal rights
Under certain circumstances you have the following rights under data protection laws in relation to your personal data.
You have the right to:
- Request access
to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
- Request erasure
of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
- Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
- Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
- (a) if you want us to establish the data's accuracy;
- (b) where our use of the data is unlawful but you do not want us to erase it;
- (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
- (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
You also have the right to ask us not to continue to process your personal data for marketing purposes.
You can exercise any of these rights at any time by contacting us at peopleteam@personalgroup.com
Glossary
Lawful basis
Consent means processing your personal data where you have signified your agreement by a statement or clear opt-in to processing for a specific purpose. Consent will only be valid if it is a freely given, specific, informed and unambiguous indication of what you want. You can withdraw your consent at any time by contacting us.
Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.
Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
Comply with a legal obligation means processing your personal data where it is necessary for compliance with a legal obligation that we are subject to.
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Third party processors
We will use some external third parties to process data for us. Where we do this contracts are in place to ensure that the third parties act appropriately with your data. There are third parties who act for us and not those who process your data. The processors are:
Service providers acting as processors based in the UK and EEA who provide IT and system administration services.
Professional advisers based in the UK.
[GW1]I have revised as the para before this is dealing with auto screening so we need to ensure they work together. Discussed with James to confirm.
Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
