Data Policy


This policy ensures that our data handling policies and procedures are consistent with the DPA98.


Jo Holdsworth Recruitment Ltd processes personal data in relation to its own staff, work-seekers and individual client contacts. We must comply with the Data Protection Act 1998 set out below.

JHR holds data on individuals for the following general purposes:

  • Staff Administration
  • Advertising, marketing and public relations
  • Accounts and records
  • Administration and processing of work-seekers personal data for the purposes of work-finding services

The Data Protection Act 1998 requires JHR as data controller to process data in accordance with the principles of data protection. These require that data shall be: –

  1. Fairly and lawfully processed
  2. Processed for limited purposes
  3. Adequate, relevant and not excessive
  4. Accurate
  5. Not kept longer than necessary
  6. Processed in accordance with the data subjects rights
  7. Kept securely
  8. Not transferred to countries outside the European Economic Area without adequate protection.


This policy has been written with due regard to relevant legislation including:

  • Data Protection Act 1998

JHR respects the rights of staff under any relevant legislation, but reserves the right, via this policy, to set standards appropriate to the needs of the business.


Compliance with the DPA98 is the responsibility of all employees of JHR. Any deliberate breach of the Data Protection Policy may lead to disciplinary action being undertaken, or access to JHR facilities being withdrawn, or even a criminal prosecution. Any questions or concerns about this policy should be taken up with the Managing Director.

Any employee who considers that the policy has not been followed in respect of their personal data should raise the matter with the DPO.


Personal data means data, which relates to a living individual who can be identified from the data or from the data together with other information, which is in the possession of, or is likely to come into possession of, JHR.

Processing means obtaining, recording or holding the data or carrying out any operation or set of operations on the data. It includes organising, adapting and amending the data, retrieval, consultation and use of the data, disclosing and erasure or destruction of the data. It is difficult to envisage any activity involving data, which does not amount to processing. It applies to any processing that is carried out on computer including any type of computer however described, main frame, desktop, laptop, palm top etc.

Data should be reviewed on a regular basis to ensure that it is accurate, relevant and up to date.

Data may only be processed with the consent of the person whose data is held. Therefore if they have not consented to their personal details being passed to a third party this may constitute a breach of the Data Protection Act 1998. By instructing JHR to look for work and providing us with personal data contained in a CV work-seekers will be giving their consent to processing their details for work-finding purposes. If you intend to use their data for any other purpose you must obtain their specific consent.

However caution should be exercised before forwarding personal details of any of the individuals on which data is held to any third party such as past, current or prospective employers; suppliers; customers and clients; persons making an enquiry or complaint and any other third party.

Data in respect of the following is “sensitive personal data” and any information held on any of these matters MUST not be passed on to any third party without the express consent of the individual:

  • Any offence committed or alleged to be committed by them
  • Proceedings in relation to any offence and any sentence passed
  • Physical or mental health or condition
  • Racial or ethnic origins
  • Sexual life
  • Political opinions
  • Religious beliefs or beliefs of a similar nature
  • Whether someone is a member of a trade union

From a security point of view, only key individuals should be permitted to add, amend or delete data from the database. However all staff are responsible for notifying those listed where information is known to be old, inaccurate or out of date. In addition all employees should ensure that adequate security measures are in place. For example:

  • Computer screens should not be left open by individuals who have access to personal data
  • Passwords should not be disclosed
  • Email should be used with care
  • Personnel files and other personal data should be stored in a place in which any unauthorised attempts to access them will be noticed. They should not be removed from their usual place of storage without good reason.
  • Personnel files should always be locked away when not in use and when in use should not be left unattended
  • Any breaches of security should be treated as a disciplinary issue.
  • Care should be taken when sending personal data in internal or external mail
  • Destroying or disposing of personal data counts as processing. Therefore care should be taken in the disposal of any personal data to ensure that it is appropriate. For example, it would have been more appropriate to shred sensitive data than merely to dispose of it in the dustbin.

It should be remembered that the incorrect processing of personal data e.g. sending an individual’s details to the wrong person; allowing unauthorised persons access to personal data; or sending information out for purposes for which the individual did not give their consent, may give rise to a breach of contract and/or negligence leading to a claim against JHR for damages from an employee, work-seeker or client contact. A failure to observe the contents of this policy will be treated as a disciplinary offence.

Data subjects, i.e. those on whom personal data is held, are entitled to obtain access to their data on request and after payment of a fee. (See Data Subject Access Policy)

Any requests for access to a reference given by a third party must be referred to the Managing Director and should be treated with caution even if the reference was given in relation to the individual making the request. This is because the person writing the reference also has a right to have their personal details handled in accordance with the Data Protection Act 1998, and not disclosed without their consent. Therefore when taking up references an individual should always be asked to give their consent to the disclosure of the reference to a third party and/or the individual who is the subject of the reference if they make a subject access request. However if they do not consent then consideration should be given as to whether the details of the individual giving the reference can be deleted so that they cannot be identified from the content of the letter.

Your Responsibilities

Even if you do not handle personal data as part of your normal work you have a responsibility to ensure that any personal data you see or hear goes no further.  This might, for example include, information you overhear in a telephone conversation.

You must keep personal data secure.  You must comply with security arrangements in place including information technology such as password-protected files and screen savers, other organisational arrangements including locks for drawers and filing cabinets and restricted access arrangements.  When personal data is destroyed this must be in accordance with secure destruction arrangements.  Data must not be thrown into general rubbish bins.  Particular care must be taken where it is necessary to take information away from the company premises.  You should protect against accidental disclosure such as, for example, someone near to you being able to read information over your shoulder.

Never disclose personal information to other employees or a third party either orally or in writing without the prior consent of your manager and until all appropriate checks have been made.  All unusual or potentially sensitive disclosures must be authorised by Gianna Greene.  Sensitive personal data must never be disclosed to third parties without the consent of the Data Protection Manager.


JHR reserves the right to alter the terms and content of the Policy as required at any time in the future.