Recruitment processing notice

Introduction

The Forces Employment Charity (“FEC”) is committed to protecting and respecting your privacy and to recruiting fairly, lawfully and inclusively.

This notice sets out the basis on which we process your personal data (defined below) during recruitment and pre‑employment checks and explains your rights. Some of the data we collect is special category or criminal offence data; these attract additional safeguards.

The Forces Employment Charity is made up of one legal entity. When we refer to ‘FEC’, ‘we’, ‘us’, or ‘our’, we are referring to the relevant entity in Forces Employment Charity for processing your personal data. A reference to ‘you’ or ‘your’ is to you as an individual, any applicant or candidate.

Who we are

The Forces Employment Charity’s registered office is on the First Floor, Mountbarrow House, 12 Elizabeth Street, London SW1W 9RB. We are a Registered Charity in England and Wales (1061212) and Scotland (SC039262). We are a company registered in England and Wales (03270369). We are registered with the ICO (Z7498943) and act as the data controller and processor for recruitment data.

Our Data Protection Controller can be contacted at the Forces Employment Charity Head Office, First Floor, Mountbarrow House, 12 Elizabeth Street, London SW1W 9RB, or by email at [email protected].

Data protection principles

We will comply with the data protection principles. Personal data must be:

  • Used lawfully, fairly and in a transparent way
  • Collected only for specified, explicit and legitimate purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes and not further processed in a manner incompatible with those purposes
  • Adequate, relevant and limited to what is necessary
  • Accurate and, where necessary, kept up to date
  • Kept only as long as necessary
  • Kept securely

We will conduct data protection impact assessments (DPIAs) for high‑risk processing such as biometric systems or extensive vetting.

What information do we collect from you

The Forces Employment Charity processes personal data to meet legal and statutory obligations and to provide our services. We do not collect unnecessary data.

Information you give us

Information you provide in applications or CVs and through communications (phone, email or otherwise). Information you send to us will be stored and processed by us. This includes documents/files processed through our systems. 

Information we collect as part of the recruitment process

Identity, right‑to‑work evidence, interview notes, assessments, and, where proportionate, pre‑employment vetting results (see sections on Criminal offence data, Security clearance and police vetting, and Biometric data)

Information we collect throughout our relationship

We may collect information during onboarding and employment (if appointed), but this notice focuses on recruitment.

Information we receive from other sources

  • Tax and regulatory authorities (e.g., HMRC)
  • Previous employers/referees
  • Recruitment or vetting agencies
  • Government security authorities or police vetting units (where relevant—see below)
  • Publicly available sources

Categories of data we may process (may include special category or criminal offence data)

  • Identification (name, title, date/place of birth, gender, nationality, ID documents, photographs)
  • Contact (address, phone, email)
  • Employment information (job history, qualifications, references, eligibility to work, driving licence)
  • Emergency contacts
  • Medical information (reasonable adjustments, accessibility needs)
  • Digital location (IP address—limited to security/analytics)
  • Preferences (service interests)
  • Requirements (health)
  • EDI data (ethnicity, disability, parental status, sexual orientation, beliefs) is voluntary and treated as highly confidential
  • Criminal history where lawful and necessary for the role (see Criminal offence data)
  • Biometric data only where a vetted system is used for identity verification or access control, and where lawful, see Biometric data: how we handle it.

Why do we collect this information? Legal bases

We rely on one or more of the following:

  • Contract (steps at your request prior to entering into a contract, or to perform a contract with you)
  • Legal obligation (e.g., right‑to‑work checks; roles requiring DBS or other mandated checks)
  • Legitimate interests (e.g., to assess suitability and manage recruitment), balanced against your rights
  • Consent where required (e.g., certain biometric processing or equality monitoring) you may withdraw consent at any time

Key purposes and data types

  • Supply, improve and support recruitment services: ID, contact, application data, browsing, location, preferences
  • Understand and improve candidate experience/marketing effectiveness: ID, contact, browsing
  • Fair and inclusive recruitment/diversity monitoring: ID, contact, employment info, EDI, health (adjustments), criminal history (where lawful)
  • Pre‑contractual steps/contract performance: ID, contact, employment info, vetting outcomes (where lawful), digital logs
  • Vacancies applied for on our site: ID, contact, employment info
  • Right‑to‑work checks (mandatory): We must verify every employee’s right to work in the UK before employment begins; we will copy and retain documents and conduct any required follow‑up checks.

Special category data and criminal offence data

Special category data

We will only process special category data (e.g., health, EDI, biometrics used for unique identification) where an additional condition applies, such as explicit consent, employment law obligations/rights, substantial public interest (equality monitoring), vital interests, legal claims, or where you have manifestly made it public.

Purposes

  • Equality monitoring and reporting (race/ethnicity, religion/belief, sexual orientation)
  • Health data (reasonable adjustments, fitness for role, return‑to‑work accommodations)
  • Biometric data is used for identity verification or secure access (see below).

Criminal offence data

We collect criminal record information only when it is appropriate and lawful for the role (e.g., DBS eligibility, BPSS requirements, police vetting). We will:

  • Conduct a role‑specific risk assessment to ensure checks are necessary and proportionate
  • Inform you in advance of the level of check and the legal basis
  • Discuss any disclosed information with you before any adverse decision
  • Limit retention of disclosure information (see How long we keep your data)
  • Treat criminal‑record data as strictly confidential, with access restricted to trained staff

Fair Chance Recruitment (ex‑offenders)

Fair Chance Recruitment

FEC follows Fair Chance principles. We will not ask about criminal records at the initial application stage unless the role is legally eligible for such questions or checks. A criminal record is not an automatic bar; we make case‑by‑case, role‑relevant decisions in line with the Rehabilitation of Offenders Act and DBS Code of Practice.

Security clearance and police vetting (BPSS and MPPV/NPPV Level 2)

Security clearance and police vetting

Some roles require additional screening due to contractual or safeguarding requirements.

BPSS (Baseline Personnel Security Standard): identity, right‑to‑work, employment history and checks of unspent convictions. BPSS is not national security vetting. It is the baseline prerequisite for working with the UK government and certain suppliers.

Police vetting – MPPV Level 2 (also referred to as NPPV Level 2): required for non‑police personnel who need unsupervised access to police premises, systems or information (typically up to OFFICIAL, occasionally SECRET). Checks may include PNC/PND intelligence searches and financial checks and are decided by a police vetting unit under the Vetting Code of Practice.

How BPSS differs from MPPV/NPPV Level 2

Purpose: BPSS = baseline integrity/right‑to‑work for government‑related roles; MPPV/NPPV L2 = suitability to access police assets/information.

Scope: BPSS focuses on identity, right‑to‑work, employment history and unspent conviction checks; MPPV/NPPV L2 can involve wider police intelligence and financial vetting and is administered by a police force vetting unit.

Outcome: BPSS permits baseline access to government work; MPPV/NPPV L2 provides specific vetting clearance to access police premises/systems and is subject to police re‑verification schedules.

We will tell you in advance if a role requires BPSS, police vetting, or national‑security vetting (e.g., CTC/SC/DV), and explain what data will be processed, by whom, and for what purpose. Vetting will not be carried out where it is unnecessary and will always be proportionate to the role risk.

Biometric data: how we handle it securely

Biometric data: secure handling

If we use biometric recognition (e.g., facial) for identity verification or secure access:

  • Lawful basis and condition: We identify a lawful basis under UK GDPR and a valid special category condition (often explicit consent unless another condition applies).
  • Data minimisation: We prefer templates over raw images; if raw data is captured, we immediately transform and delete it where feasible.
  • Security controls: Strong encryption at rest and in transit; role‑based access; segregation of biometric stores; hardened authentication; tamper‑evident logs and regular access reviews; no sharing with third parties except vetted processors under contract.
  • DPIA and alternatives: We complete a DPIA before deployment and assess less intrusive alternatives (e.g., ID cards) where appropriate.
  • Accuracy and fairness: We test for accuracy/bias; provide a non‑biometric fallback; and ensure meaningful human review where needed.
  • Retention and deletion: We keep biometric templates only as long as necessary for the stated purpose, then securely erase them and associated raw captures.
  • Transparency and rights: We provide clear notices; respond to access/erasure requests; and support portability where technically feasible.

How long do we keep your information

Recruitment data: six months

Recruitment data (applications, interview notes): six months after the recruitment decision, unless longer is required to resolve a dispute or comply with the law.

HMRC data: seven years (six years plus current year)

HMRC/pay data (if hired): 6 years + current year.

DBS/criminal‑record certificate information: keep no longer than necessary and typically no more than 6 months after the decision, unless a longer period is legally required (e.g., safeguarding audit), stored securely with strictly limited access.

BPSS verification records: retained as required under government security policy (typically for the duration of engagement plus a defined period).

Police vetting (MPPV/NPPV) records: retained in line with the issuing police force’s Vetting Code/APP schedules; subject to re‑verification and annual integrity reviews as mandated by policing guidance.

Information stored on IT systems (e.g., email history) will be deleted regularly in accordance with our retention policies.

Automated decision‑making

We do not process personal data using automated decision-making.

We do not make solely automated decisions that produce legal or similarly significant effects on you. Where automated tools assist shortlisting, meaningful human review is applied.

Who we share your information with

We share only what is necessary, with:

  • Background screening providers (e.g., DBS/Umbrella bodies), government security authorities, or police vetting units, where required for the role
  • Referees, previous employers
  • Regulators and public authorities (e.g., HMRC)
  • Technology and security providers acting as processors under contract

Your rights

You can contact the Data Protection Controller to exercise your rights:

  • Object to processing for marketing or where based on legitimate interests (unless compelling grounds exist)
  • Withdraw consent (where relied upon)
  • Access your data
  • Rectification
  • Erasure (subject to legal/contractual limits)
  • Restriction
  • Data portability (where automated and based on consent/contract)

You may lodge a complaint with the ICO (see https://ico.org.uk/concerns/).

What we ask of you

Please keep your information accurate and up to date (e.g., name, address). For emergency contacts, ensure those individuals know we hold their details for that purpose.

Definitions

Personal data: information relating to an identified or identifiable person.

Special category data: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed for unique identification, health, sex life or sexual orientation.

Criminal offence data: data relating to criminal convictions and offences, or related security measures.

UK GDPR: the retained EU law version of the GDPR, as amended in the UK.

BPSS: Baseline Personnel Security Standard checks for government‑related roles. MPPV/NPPV Level 2: non‑police personnel vetting level administered by police vetting units for access to police assets/systems.

 

March 2026

Want to hear about our programmes, partnerships, events and ways that we could support you?
JOIN OUR MAILING LIST