Applicant, Employee and Contractor Privacy Notice
Status | Draft | Approved | Deprecated | Version | 2 |
Approved | 07 May, 2024 | Approved by | Chris Shillum |
Authors | Ellen Paterson, based on v1, authored by Beckage | Next Review | 07 May, 2025 |
1. Introduction
As an employer, ORCID (‘we’, ‘us’, ‘our’) is responsible for deciding how to collect and use personal data, which we need in order to meet our contractual, statutory and business requirements. We take this responsibility seriously and are committed to protecting the privacy and security of the personal data we hold about all applicants, employees and contractors.
Our processing of your personal data is subject to certain legal safeguards specified in the applicable national and international data protection laws, including but not limited to the European Union (EU) and UK General Data Protection Regulation (GDPR). Even though we are a US-based organization, the GDPR applies to some of our uses of personal data.
In the terminology of the GDPR, we are a ‘data controller’. This means we have certain legal responsibilities, one of which is to provide information about how we use personal data. The specific information that the GDPR requires can be found throughout this Privacy Notice.
The responsibility to explain how we use personal data also exists in other data protection laws. This Privacy Notice aims to include all relevant transparency requirements, regardless of where our applicants and staff are located.
2. About this Privacy Notice
This Privacy Notice describes how we collect, use, store, share and ultimately dispose of your personal data throughout the recruitment and selection process, during and after your working relationship with us. We refer to all these activities as ‘processing’ your data.
This Notice applies to all applicants, current and former employees, workers and contractors, and covers all types of personal data, regardless of format.
The information we process about you will vary depending on your application status, role, circumstances and location. We have specified in this Notice where data processing relates only to a specific country.
This Notice covers the ways we will use your personal data in our normal course of business. When appropriate, we will provide separate privacy information to cover any additional processing activities not mentioned here.
This Notice does not form part of any contract of employment or other contract to provide services. Nothing in this Notice either stated or implied is intended to create or shall be construed as creating a contract of employment for a specific or definite duration. Where an individual employee’s or contractor’s contract includes data protection terms, this Notice should be considered supplemental to these terms. In the event of a conflict between the contract and this Notice, the contract will take precedence.
It is important that you read this Notice, together with (if you are a member of staff) ORCID’s staff policies and any other information we may provide on specific occasions when we are processing your personal data, so that you are aware of how and why we are using your data and what your rights are under the relevant data protection legislation.
We may update this Notice at any time and will make the most current version available to you. If we make significant changes (that is, describing new or changed uses of your data), we will provide all staff with an updated copy of this Notice as soon as reasonably practicable.
In each of subsections 4.1 – 4.6 of this Notice we refer to the ‘lawful basis’ for processing your data. By this, we mean the legal grounds we rely on and are required to have under the GDPR. Terms in bold text in these sections refer to the lawful bases listed in Article 6 of the GDPR.
3. How we obtain your personal data
We collect your data directly from you through the application and recruitment process, and from the following sources:
From employment or recruitment agencies
From job forums and recruitment events
From referees, external and/or internal
From pension administrators and government departments, where applicable
Via background checks (for specific roles only; we will let you know if this applies to you)
We also collect additional personal data directly from you in the course of job-related activities throughout the period of you working for us, and from the following sources:
From any PEO (Professional Employer Organization), EOR (Employer of Record) or payroll service provider we use in conjunction with your employment
From external training or certification providers (e.g. Udemy)
Usage information from our and our vendors’ IT systems
From your manager (e.g., performance reviews) and other colleagues (e.g., through chat or email messages)
4. The personal data we process and why we need it
We use the following information to assess your skills, qualifications, and suitability for the role; to decide on shortlisting for interview; to decide whether to offer you the role; to carry out background and reference checks (where applicable); to communicate with you about the recruitment process; to keep records related to our hiring processes, and to comply with legal or regulatory requirements.
The information you have provided to us in your CV / résumé and covering letter
The information you have provided on our application form
Any information you provide to us during an interview
Results and/or output of any application related test or exercise
Where relevant, information obtained as a result of a background check. This may include sensitive data, such as information on any criminal convictions and offenses.
4.1.1 Lawful basis
We process personal information related to recruitment and selection where it is necessary for the performance of a contract (or to take steps prior to entering into a contract), for compliance with our legal obligations, or – less commonly – where it is in our legitimate interests to do so.
We use the following information to manage the employment or contractor relationship we have with you; to provide you with access to services required for or beneficial to your role; to provide references on request, and to manage our human resources processes.
Personal contact details: your full name, address (permanent, temporary and mailing), contact telephone numbers, work and personal email addresses
Professional and education history including your qualifications, job application, CV / résumé, and employment references
Interview notes and records submitted by you during the application process
Background check details, such as credit rating or criminal record, where relevant to your role
Government issued ID or similar identification documents. Your identification details may include your social security or National Insurance number, passport number, driver’s license number or similar national identification numbers.
Citizenship / nationality status, residency, and work authorization (visa or permit) status
Your date and place of birth and gender
Your ethnicity and military veteran status, only if we are required and permitted to obtain this by relevant government regulations
Your marital status
Your emergency contact(s), their relation to you and their contact information
Your employee number
Your photograph
Your electronic signature
Your ORCID iD
Your work location (including any temporary or permanent changes)
Business travel information
Languages spoken
Details of any secondary employment you declare to us (in relation to our Outside Work policy)
Work content that you produce for use on our website, internal platforms (e.g., Slite, Slack), social media, or Trello boards
Dietary restrictions, if provided by you (for use at our annual retreats and other in-person events)
Links to social media profiles, if provided by you
Spouse and children’s names, dates of birth and social security numbers (US employees only, if opting in to ORCID benefits)
4.2.1 Lawful basis
We process personal information related to your employment or contractor relationship with us where it is necessary for the performance of a contract to which you are a party, for compliance with our legal obligations, or – less commonly – where it is in our legitimate interests to do so. We will use emergency contact information in order to protect your vital interests or those of another person.
For employees and contractors, we process the following information for the payment and administration of your salary or fees, retirement benefits and other employment-related benefits, and for business management and planning purposes, including accounting and auditing. We also process it for the administration of statutory and ORCID-provided time-off allowances, such as vacation, sick or family and compassionate leave, and to assess staff relocation requests.
Information about your job role and your employment relationship, including your start and leave dates, any promotions or changes to your employment contract (if any), job description, working pattern (including any requests for flexible working), role and department
Details of your salary, fees, rewards, and all other incentives and benefits
Your bank account details, payroll records, and tax status information
Details of your time and specific hours spent working
Details of expenses or other payments claimed
Details of any leave including sick leave, vacation, etc.
Retirement benefit details including membership of both national and ORCID-provided retirement benefit schemes and your contributions
Insurance and indemnity information
Details relating to family and compassionate leave, sick leave, incidental leave, government-provided maternity, paternity, shared parental and adoption leave and pay, where these have been shared by you. This includes forms applying for the relevant leave and any other relevant documentation relating to the nature of the leave you will be taking.
4.3.1 Lawful basis
We process personal information related to your salary and pension where it is necessary for the performance of a contract to which you are a party, or for compliance with our legal obligations.
For employees and contractors, we use the following information to manage your work; to assess your performance, including consideration of discretionary awards; to support individual training requirements; to conduct pay and other reviews; to deal with any employment-related disputes; and for the development and management of our organizational structure.
Information relating to your performance at work e.g., probation and performance reviews and promotions
Information relating to grievance and dignity at work matters and investigations to which you may be a party or witness
Disciplinary records and documentation related to any investigations and disciplinary action, including warnings issued, in line with our Progressive Discipline Policy
Whistleblowing concerns raised by you, or to which you may be a party or witness
Information related to your training history, certification, and development needs
Audio and video from any training or staff development and engagement sessions you attend that are being recorded
Information on workload and work plans
4.4.1 Lawful basis
We process personal information related to performance, training, and grievance procedures where it is necessary for the performance of a contract to which you are a party, or for compliance with our legal obligations.
We use the following information to ensure the security of our IT systems and network, the security, wellbeing and job satisfaction of our employees, to assess your compliance with our policies and procedures and — in the case of external audits — to ensure ORCID meets its financial, legal and operational obligations. This processing includes detection or prevention of any inappropriate behavior or violation of ORCID policies, including the protection of our intellectual property, confidential information and other tangible and intangible property.
Information on your access to and use of ORCID assets and systems, including your network IP address when working from home, for the purpose of detecting and preventing unauthorized activities in such systems
Your responses to staff surveys, if these are not anonymised
Salary, fee, taxation and contact information (for auditing purposes)
4.5.1 Lawful basis
We process personal information related to monitoring and auditing where it is necessary for compliance with our legal obligations, for the performance of a contract to which you are a party, or for our legitimate interests in protecting company assets and ensuring the retention and job satisfaction of our employees.
4.6 Information relating to your health, wellbeing and equal opportunities
We use the following information to comply with our legal obligations. We also use it to ensure the health, safety and wellbeing of our employees, subject to confidentiality safeguards.
Health and wellbeing information, either declared by you or mentioned in sick leave forms, health management questionnaires or information received from your doctor or hospital
Your medical certificate (certain countries)
Accident records if you have an accident while working, including insurance claim records
Details of any workspace audits or reasonable adjustments
4.6.1 Lawful basis
We need all the categories of information in the above list to enable us to comply with our legal obligations as your employer.
4.7 Failure to provide information
Applicants:
If you fail to provide information when requested, which is necessary for us to consider your application (such as evidence of qualifications or work history), we will not be able to process your application successfully. For example, if we require references for this role and you fail to provide us with relevant details, we will not be able to take your application further.
Employees and contractors:
If you fail to provide certain information when requested, we may not be able to perform the obligations of our employment or contractual relationship with you (such as paying you), or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers).
5. Sensitive personal data
Some of the information described in section 4 is more sensitive in nature. We recognise that certain types of sensitive personal data require higher levels of protection.
These ‘special categories’ of personal data are listed in Article 9 of the GDPR. The GDPR also provides additional safeguards for the processing of personal data relating to criminal convictions and offenses (see above link, Article 10).
We only process these types of information when necessary. In addition to the lawful bases listed in section 4, the GDPR requires us to have further justification for collecting, storing and using this type of personal data. We will process special categories of personal data in the following circumstances:
In exceptional circumstances, with your explicit consent (see section 6)
Where we need to carry out our legal obligations or exercise rights in connection with employment
Where it is needed in the public interest, such as for equal opportunities monitoring
Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your or someone else’s vital interests and you/they are not capable of giving your consent, or where you have already made the information public.
We have in place the policies and safeguards which we are required to maintain when processing such data.
We will only collect information about criminal convictions and offenses (which covers information about offenders or suspected offenders in the context of criminal activity, allegations, investigations and proceedings) if it is appropriate and necessary given the nature of your role, and where we are legally able to do so. Where appropriate, and with your prior knowledge, we may collect such information as part of the recruitment and selection process or we may receive information directly from you in the course of you working for us.
6. About consent
The GDPR lawful bases, or justifications, we rely on for processing your personal data are set out in sections 4 and 5 of this Privacy Notice. Consent is one of the lawful bases under the GDPR; however, we will not normally ask for consent as our lawful basis for processing. Instead, we rely on the other lawful bases provided throughout this Privacy Notice.
7. Automated decision making
You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.
We do not envisage that any decisions will be taken about you using automated means. However, we will notify you in writing if this position changes.
8. How long we keep your personal data
ORCID will retain your personal data in accordance with our Document Retention Policy. We will not keep information longer than is necessary for the purpose for which it was collected, including for the purposes of satisfying any legal, accounting or reporting requirements.
We retain records of unsuccessful applications for a period of one (1) year following completion of the recruitment process.
Depending on the purpose for processing your data and the type of information affected, we will process your data for the duration of your employment relationship with us, and furthermore for a minimum period of six (6) years from the date of termination of the employment relationship, unless we are required to keep your data for a longer period under any legal obligation or business requirement as listed in the Document Retention Policy.
9. Sharing your personal data
9.1 Data Processors
Your personal data will be shared with third party organizations who are engaged by ORCID to provide certain services involving the processing of applicant and staff data. We have contracts in place with these organizations and they cannot do anything with your personal data unless we have instructed them to do so, or unless required by law. A list of our data processors who process applicant and staff data is available on request.
9.2 Sharing data with other organizations
ORCID occasionally uses recruitment agents to help us source applicants for roles. In these cases, some data relating to your application and status of progression through the recruitment process will be shared with the agency.
Depending on the country in which you are based, ORCID may engage an Employer of Record (EoR), a Professional Employer Organization (PEO) or payroll services provider to help manage a range of employment matters, such as tax and employee benefits, and ensure that we comply with country-specific laws and regulations.
You will be made aware at the point of joining ORCID if one of these types of organizations will be handling these matters in relation to your employment. You, and ORCID, will be required to share some of your data with these organizations in order for them to fulfill their obligations.
ORCID has agreements in place with each company that includes the sharing of personal data. They will also publish privacy information on their websites and provide you with their own privacy information as required. We advise you to review the information for the EoR/PEO or payroll services provider relevant to you.
From time to time, ORCID may engage auditors who will examine aspects of our operations, usually finance-related. The audit process may require sharing of limited employee data, and occasionally the auditors will contact employees for spot checks. If this is the case, we will notify you of any such contact as early as possible.
On request, we may provide employment references or other employment confirmations (e.g., from banks or other verifiable authorities), in line with our Employment Applications & Reference Checks policy.
Where allowed or required by law, we may share your data with benefits providers and government agencies, for example for taxation purposes.
While you or your colleagues may share some personal data with other organizations in the course of your work – for example, in work-related conversation with Members – ORCID does not otherwise share employee data with other organizations unless required by law.
10. International transfers of personal data
ORCID is a US-headquartered organization with current and former employees and contractors who are based in a number of countries. We utilize data processors (see 9.1) whose business may also be international, whose data storage facilities may be in different countries, and/or whose own use of service providers (sub-processors) may also require the international transfer of data. As such, as a member of staff, even if you are based in the US, your personal data will be transferred to countries other than your home country in the course of our normal business activities.
We recognise that different countries have varying data protection laws and standards, some of which apply directly to some of ORCID’s business activities. We will only transfer data to different countries where we are satisfied that adequate levels of protection are in place to protect that information.
The EU and UK GDPR place restrictions on how EU and UK citizen data can be transferred to other countries. Although the GDPR does not apply to all ORCID’s uses of personal data, we aim to meet the high standards of the EU and UK GDPR in all our data processing activities. This includes ensuring that we take appropriate steps to protect your personal data when it is transferred to another country.
Where the EU or UK GDPR directly applies to personal data to be transferred to an organization in another country, we will adequately address any potential risks and ensure that:
The destination country has been deemed to provide an adequate level of protection for personal data; or,
The transfer is subject to appropriate safeguards, specifically that standard data protection clauses have been incorporated into an agreement between ORCID and the other organization; or,
In exceptional circumstances only, one or more of the derogations set out in the GDPR can be applied.
If you would like to know more about international data transfers affecting your personal data, please contact our Data Protection Officer (see section 12).
11. Your rights in relation to our processing of your data
11.1 Rights under the EU and UK GDPR
Under certain circumstances you have the right to:
Request access to your personal data (commonly known as a data subject access request, DSAR or SAR). This enables you to receive a copy of the personal data we hold about you and to check that we are processing it lawfully.
Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
Request erasure of your personal data (also known as the ‘right to be forgotten’). This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object if we are processing your personal data for direct marketing purposes.
Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
Receive personal data you have provided to us in a structured, commonly used and machine readable format. The ‘data portability’ right also gives you the right to request that ORCID transmits this data directly to another controller.
If you want to review, verify, correct or request erasure of your personal data, object to the processing of your personal data, or request that we transfer a copy of your personal data to another party, please contact the Data Protection Officer (see section 12).
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in these circumstances.
We may need to request information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is an appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
11.2 Rights of individuals in the US and other nations
As noted elsewhere in this Notice, the EU and UK data protection laws do not always apply to our use of personal data. We do however respect the high standard of rights that these laws afford individuals, and recognise that they are similar to rights under some other national data protection laws. As such, we follow the GDPR rights as described in the preceding section for all ORCID applicants and employees. When a request is received we will also review and take into account any other national or state laws that may be applicable to an individual’s personal circumstances.
11.3 Your duty to inform us of changes
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your working relationship with us.
12. Who to contact about our use of your personal data
We have appointed a Data Protection Officer (DPO) to oversee compliance with this Privacy Notice. If you have any questions about this Privacy Notice or how we handle your personal data, please contact the DPO at [email protected].
Under the EU and UK GDPR, you also have the right to make a data protection complaint at any time to the relevant Supervisory Authority.
Each EU Member State has a designated data protection Supervisory Authority. You have the right to raise a complaint with the Supervisory Authority in the Member State where you live, where you work, or where the infringement took place.
You can find links to the EU national data protection authorities here: https://edpb.europa.eu/about-edpb/about-edpb/members_en#member-ie
The UK equivalent to the Supervisory Authority is the Information Commissioner’s Office, whose website is here: https://ico.org.uk/
If the EU and UK GDPR do not apply to our processing of your personal data there may be other government agencies to which you can submit a complaint. Please contact the Data Protection Officer for advice in the first instance.
13. Changes to this Privacy Notice
This Privacy Notice was last updated in May 2024. The previous version is available in the Slite archive (for current employees and contractors) or from the Data Protection Officer on request (see section 12).
We reserve the right to update this Privacy Notice at any time and we will provide employees with a new copy of this Notice annually, or more frequently if we make any substantial updates. Future minor updates made within the year will be listed below.