Privacy policy for Candidates
Date of publication: 26.09.2025
Introduction
At WorkNest, we are committed to keeping your personal and business information safe, and complying with all applicable data protection legislation. This is our privacy notice for candidates, in which we tell you how we use and look after your personal data. This privacy notice is also for referees, whose data is shared by candidates for the purpose of providing a reference. This privacy notice explains what personal information we hold about you, how we collect it, and how we use and share information about you when you visit or create a profile on our career’s website, or apply for a role at WorkNest or one of our sibling companies or client companies.
We may update our privacy notice for candidates from time to time. We will communicate updates to the email address you gave to us when you last applied for a job via our careers website. We will also publish the updated privacy notice
on our careers website. If you would like a copy of this privacy notice in another format, email dataprotection@worknest.com.
We last updated this privacy notice in September 2025.
Who we are
We are WorkNest. We deliver first-class Employment Law, HR, and Health & Safety support, backed by hands-on consultancy and advanced technology. WorkNest helps organisations of all sizes and industries confidently manage their employment, safety, and wellbeing challenges, all accessible via our user-friendly portal, myWorkNest.
WorkNest is part of a family of specialist companies backed by Inflexion, dedicated to helping businesses thrive by providing expert support across key operational areas. As part of Axiom GRC, we bring together the most gifted practitioners in people management, health, safety and wellbeing, employment law, professional training, and business technology. We are proud to offer a broader range of services to help protect and nurture organisations of every size.
WorkNest manages the recruitment for companies across the Axiom GRC Group, as well as client companies who use WorkNest’s HR consultancy services.
WorkNest Ltd is a company registered in England and Wales with company number (CRN 04382739) and whose registered office is at 2nd Floor, 20 Grosvenor Place, London, England, SW1X 7HN.
WorkNest is the data controller of personal information we collect when you apply for a role at WorkNest. WorkNest is registered with the Information Commissioner's Office as a data controller under reference: Z2442783
WorkNest is the data processor for our client companies and our sibling companies when we are conducting recruitment on their behalf. For more information about how our client companies or sibling companies process your personal information, please visit theirrespective privacy notices.
Data Protection Officer
WorkNest has a dedicated Data Protection Officer. For any queries, concerns, or complaints you may have about how WorkNest collects, uses or stores your personal information, you can contact our Data Protection Officer at dataprotection@worknest.com
Or you can write to:
Data Protection Officer
WorkNest
Woodhouse
Church Lane
Aldford, Chester
CH3 6JD
For WorkNest’s client companies or sibling companies, please contact them directly for information about their Data Protection Officer. Alternatively, you can contact clientrecruitment@worknest.com
for support.
Legal basis for using your information
Under UK data protection law we must have what is known as a legal basis for collecting and using your information. There are six legal bases, sometimes known as lawful bases:
- Consent: your permission.
- Performance of a contract: when we deliver the services you have requested.
- Vital interest: to save a life.
- Legal requirement: to comply with UK law.
- Public interest: when data processing is beneficial for public good.
- Legitimate interests: see the next section of our privacy notice.
Legitimate interests
Sometimes, we use your personal information using the legal basis of legitimate interest. This means that the reason that we are processing information is because it is beneficial to us and not harmful to you.
We can only use legitimate interest as a lawful basis if we first do a ‘legitimate interest assessment’. This assessment helps us to balance the benefits of what we want to use your personal information for with the impact it can have on you. We only approve this assessment if we are confident that what we want to do with your personal information does not cause harm to you.
What information do we collect?
Candidates
Data category
Description
Data from interviews, assessments and other information from the recruitment process
Such as notes from interviews with you, assessments and tests made, salary requirements.
Information in your application
Such as your CV, cover letter, work samples, references, letters of recommendation and education.
Information in your public profile
Meaning the information we collect about you from public sources related to your professional experience, such as LinkedIn or the website of your current employer.
Information provided by references
Meaning the information we receive from our employees or partners who refer you to us, or by the persons you have listed as your references.
All individuals
Data category
Examples
Device information
If you visit our careers website, we will collect information about your device, such as IP address, browser type and version, session behaviour, traffic source, screen resolution, preferred language, geographic location, operating system and device settings/usage.
Technical and statistical data
If you visit our careers website, we will collect technical and statistical data about your use of the site, such as information about which URLs you visit, and your activity on the site.
Communications data
We will collect and store your communication with us, including the information you provided in the communication. This may include the content of emails, video recordings, messages on social media, the information you add to your account with us, surveys, etc.
Contact details
Such as your name, email address, telephone number and physical address.
Do we process sensitive category data or criminal record information?
Yes. We collect and process sensitive category data and criminal record information for the following reasons:
Purpose
Type of data
Legal basis and condition for processing
It is a legal requirement for employers to check the immigration status and passport of anyone they hire to prevent illegal working and ensure compliance with immigration laws. This responsibility is outlined in the Asylum and Immigration Act 1996 and subsequent legislation. Employers must verify that new employees have the right to work in the UK before they start, even if the individual appears to be a British or settled worker.
Your nationality and immigration status and information from related documents, such as your passport or other identification and immigration information
Legal obligation: employment law
WorkNest collects medical details for new employees to ensure workplace safety, comply with legal obligations, and support employee wellbeing. This data helps identify potential health and safety hazards, inform decisions about reasonable adjustments, and potentially reduce absenteeism.
Information you share with WorkNest in a medical questionnaire (including sensitive personal information regarding your physical and/or mental health)
Legal obligation: employment law
WorkNest collects data on race, ethnicity, sex, sexual orientation, and religion for equality monitoring and to promote diversity and inclusion within the workplace, ensuring compliance with the Equality Act 2010. This data helps identify potential disparities in recruitment, promotion, and other employment practices, and allows for the implementation of positive action measures to address underrepresentation of specific groups. The Equality Act protects individuals from discrimination based on these characteristics.
Your racial or ethnic origin, sex and sexual orientation, religious or similar beliefs
Legal obligation: employment law
WorkNest collects data on criminal records and DBS (Disclosure and Barring Service) primarily to make informed and safer recruitment decisions. We have a duty to protect our clients, especially those who care for vulnerable groups like children and the elderly. DBS checks provide information from police records and, where relevant, barred list information, to help WorkNest assess an applicant's suitability for a role.
Criminal records information, including the results of Disclosure and Barring Service (DBS) checks (where applicable). Conducted by data sub-processors on behalf of WorkNest.
Legal obligation: employment law
Where do we receive your personal information from?
Candidates
Source of information
Explanation
From public sources
We may collect personal data about you from public sources, such as LinkedIn, Glass Door or the website of your current employer.
From our references
We may receive information about you from our employees or partners (such as recruitment service providers), when they believe your profile is of interest for our current or future vacancies.
From your references
If you provide us with references, we may collect information about you from them.
Data we create ourselves in cooperation with you
Information about your application and profile is usually created by us, or by us in cooperation with you, during the recruitment process. This may for example include notes from interviews with you, assessments and tests made.
From the careers site
If you visit our careers site, we collect technical and statistical information about how you use the Career Site, and information from your device.
Directly from you
Most of the information we process about you, we receive directly from you, for example when you apply for a position with us or connect with us. You can always choose not to provide us with certain information. However, some personal data is necessary in order for us to process your application or provide you the information you request to get from us.
References
Source of information
Explanation
From the person for whom you are a reference
If a candidate lists you as their reference, we will collect your contact details from the candidate to be able to contact you. We will ask your permission to keep your details on record. WorkNest uses data sub-processors to support this process.
All individuals
Source of information
Explanation
From the careers site
If you visit our careers site, we collect technical and statistical information about how you use the Career Site, and information from your device.
How do we use your information?
Purpose
Explanation
Review profiles and applications. This also includes communicating with you about your application and profile
Affected individuals: Candidates
Categories of personal data used: All the categories of personal data listed above may be used for this purpose.
Legal basis: legal obligation
Collect and evaluate your professional profile on our own initiative. This also includes communicating with you regarding your profile.
Affected individuals: Candidates
Categories of personal data used: All the categories of personal data listed above may be used for this purpose.
Legal basis: legitimate interest
Record the interview with you
Affected individuals: Candidates.
Categories of personal data used: Communications data.
Legal basis: consent
Use TeamTailor’s inbuilt AI tool (Connect) to match your profile to upcoming vacancies with us
Affected individuals: Candidates.
Categories of personal data used: All the categories of personal data listed above may be used for this purpose.
Legal basis: consent
Provide you with updates about vacancies with us
Affected individuals: Candidates.
Categories of personal data used: Contact details.
Legal basis: consent
Contact you to ask you to provide information about a candidate, and evaluate the information you provide
Affected individuals: Referees
Categories of personal data used: Contact details; Communications data.
Legal basis: legitimate interest
Contact you to ask you to participate in a survey about your experience as a candidate
Affected individuals: Candidates.
Categories of personal data used: Contact details.
Legal basis: legitimate interest
Share your details with others
See ‘Do we share your information?’ for further information
Legal basis: legal obligation, performance of a contract, legitimate interest, vital interest
Protect and enforce our rights, interests and the interests of others, for example in connection with legal claims
Affected individuals: The individual(s) affected by the legal issue - this may include persons from all categories of individuals listed above.
Categories of personal data used: All the categories of personal data listed above can be used for this purpose.
Legal basis: legal obligation, legitimate interest
Collect information about your use of our career site, using cookies and other tracking technologies, as described in our Cookie policy.
Affected individuals: Visitors.
Categories of personal data used: Device information.
Legal basis: consent, legitimate interest
Maintain, develop, test, and otherwise ensure the security of the career site
Affected individuals: Visitors.
Categories of personal data used: Device information; Technical and statistical data.
Legal basis: legal obligation, legitimate interest
Analyse how the career site and its content is being used and is performing, to get statistics and to improve operational performance
Affected individuals: Visitors.
Categories of personal data used: Device information; Technical and statistical data.
Legal basis: consent, legitimate interest
How long do we keep your personal data?
Candidates
We keep your personal data to decide if you are a suitable candidate for the relevant vacancy(ies) with us. We keep your personal data for ninety days after collection to enable us to manage the recruitment process, including reviewing your application(s) and contacting you with an outcome. During this time, if you have been unsuccessful for the role you applied for, and if you have given your permission to be contacted about other opportunities, we may contact you for relevant job openings. If you wish your data to be deleted at any point within the 90 days, contact dataprotection@worknest.com or visit the Data & Privacy page on our career site, and click on the ‘Request’ button next to ‘Remove my data’. If you are applying for a role at a client of WorkNest, contact the team at clientrecruitment@worknest.com
to request the deletion of your data.
During the 90 days, if you have granted permission for us to keep your data to contact you about future opportunities we will keep your data for a further 6 months. At this point, we will ask you again if you wish us to keep your data on record. We will continue to ask for your permission to keep your data on a 6 month rolling basis.
If you are hired, we will keep your personal data during your employment for other purposes than those stated above, which you will be informed of in a privacy notice for employees either from WorkNest, our sibling companies or our client companies, whichever is your employer.
References
We keep your personal data for as long as we keep the personal data of the candidate for whom you acted as a reference.
All individuals
If we process your personal data for the purpose of being able to protect and enforce our rights, we will keep your personal data until the relevant legal issue has been fully and finally resolved.
Website visitors
We keep your personal data for one year for security purposes. The retention periods for cookies are set out in our Cookie Policy. We keep your personal data to analyse the performance of the careers website for as long as we keep personal data about you for other purposes.
Do we send your information outside of the UK?
Our recruitment system, TeamTailor, mainly processes data in Ireland but uses data sub-processors based in Germany and the United States. For more information, please visit their article on subprocessors for the EU region.
We make sure that we have a lawful method of transferring your data, and that your personal information is safe and that the organisation that works for us is obeying UK data protection law, even if it processes data outside the UK.
Do we share your information?
Where WorkNest is the data controller, we may share your information in the following circumstances:
- With other organisations, such as pre-employment screening companies, previous employers you list as referees, document signing companies and our professional advisers to meet our obligations to regulations and standards.
- With our group companies, when they provide us services and functionality to our recruitment process, such as access to particular systems and software.
- If needed to protect or defend our rights, we share your personal data with public authorities or with other parties involved in a potential or existing legal proceeding. This can for example be in case of discrimination claims.
- In connection with a potential merger, sale of company assets, financing, or acquisition of all or part of our business to another company, we may share your personal data to other parties involved in the process.
When we need to share your personal information in these circumstances, if we can we will let you know who we are sharing it with and why. We will share as little information with the other organisation as possible, and using a secure method. We will also check that the recipient of the information will act responsibly.
In some exceptional circumstances, we may need to share your personal information without your knowledge or permission to protect you or someone else. We will share as little information as is needed, and we will share it in a responsible way.
Here are the reasons we may need to share your personal information:
- We are told to by law. We may need to give personal information to the police, legal advisors, professional regulators, or safeguarding agencies.
- You are at risk of serious harm, neglect, death or threat to personal safety.
- You tell us that someone else is at risk of serious harm, neglect, death or threat to personal safety.
- We believe a crime is happening or may happen if nothing is done to stop it. This includes financial fraud.
Where WorkNest is operating as a data processor on either our sibling companies’ or our clients’ behalf, we will only share data as instructed by the data controller unless required by law.
Your legal rights
As a data subject, under UK data protection law you have the right to:
- Access: ask for copies of all information we have about you.
- Rectification: ask us to correct personal information you think is wrong. You also have the right to ask us to complete information you think is incomplete.
- Erasure: ask us to delete your personal information.
- Restriction of processing: ask us to limit the processing of your personal information.
- Objection to processing: say no to the processing of your personal information.
- Data portability: ask that we transfer the personal information you gave us to another organisation, or to you.
- Withdraw consent: if WorkNest has asked your consent to use your data for a particular reason, you have the right to take back that consent so that WorkNest cannot use your data like that in the future. However if you choose to withdraw your consent this will not change anything that WorkNest has used your data for in the past with your consent.
You can choose to use any of these rights for free by contacting us at dataprotection@worknest.com, or writing to us at our address (see ‘Who we are’) with your request.
You can also exercise your rights by:
- Visiting the Data & Privacy page on our career site, and clicking on the option that reflects what you want to do; and
- Logging in to your account with us, where you can use the settings in the account to exercise your rights.
Where WorkNest is the data controller, WorkNest has one calendar month to respond to you from the time we receive your request. We can extend this for up to three months, if needed. WorkNest does not have to agree to your request, but if we do not agree we have to provide an explanation.
Where WorkNest is acting as a data processor on behalf of our sibling companies or our clients, WorkNest will refer your data subject request to the data controller and await instruction.
Complaints
For any queries, concerns, or complaints you may have about how WorkNest collects, uses or stores your personal information, you can contact our Data Protection Officer at dataprotection@worknest.com
Or you can write to:
Data Protection Officer
WorkNest
Woodhouse
Church Lane
Aldford, Chester
CH3 6JD
If WorkNest cannot resolve the issue, you can also make a complaint to the Information Commissioner’s Office (ICO: the UK supervisory authority for data protection):
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
ICO helpline number: 0303 123 1113
ICO website: ico.org.uk
Definitions
Anonymise: to change data so that it cannot be linked to an individual person.
Cookie: a small file of information – like a username or password – that are stored on your device and identify the user. Cookies are used to work out what to show you, improving your web experience.
Consent: permission, usually only valid when you have been told exactly what you are consenting to. One of the ways that processing data can be justified under data protection law.
Contractual performance: the data processing needed to carry out an agreement with an individual. One of the ways that processing data can be justified under data protection law.
Data Controller: an organisation (or person) that makes decisions about how and why data is processed.
Data minimisation: collecting the smallest amount of personal data that you need.
Data Processor(s): an organisation (or a person) that carries out the instructions of the Data Controller and processes data on behalf of the Data Controller.
Data Protection Officer: a person who is an expert in data protection and looks after the interests of the data subject.
Data subject: the individual whose personal data is being processed.
Encrypted: encryption allows information to be hidden so that it cannot be read without special knowledge (such as a password). This is done with a secret code or cypher. The hidden information is said to be encrypted.
Generative artificial intelligence (also generative AI or GenAI): is artificial intelligence capable of generating text, images, or other media, using generative models. Generative AI models learn the patterns and structure of their input training data and then generate new data that has similar characteristics.
Information Commissioner’s Office (ICO): the UK’s independent body set up to uphold information rights. The ICO has the power to investigate organisations which do not obey Data Protection laws.
Joint Controllers: two or more Data Controllers who together decide how and why data is processed.
Legal/lawful basis/bases: six reasons recognised by UK GDPR for processing personal information.
Legitimate interests: a strong reason (or reasons) for a Data Controller to process data for no other reason than that it is beneficial to the Data Controller if it does not have an adverse effect on the data subject. This is one of the ways that processing data can be justified under GDPR law, although whenever a Data Controller relies on it, they should have a written decision called a Legitimate Interest Assessment.
Personal information: any information about a real, living individual. For example, name, telephone number, address, health conditions, or qualifications. Information about organisations, such as annual turnover, is not personal information. Information about individuals working at organisations – for example, a business email address, or a job title – is personal information.
Privacy notice: a publicly displayed explanation of how organisations process data.
Purpose limitation: one of the principles of GDPR – personal data should only be used for the reasons it was collected.
Public interest: beneficial for the public. One of the ways that processing data can be justified under GDPR law.
Retention schedule: a table of how long organisations should store data.
UK GDPR: UK General Data Protection Regulation. This is a law designed to protect personal data stored on computers, or in an organised paper filing system. This law is the UK version of a law that is applied across many European countries.
