Vacancies
Talent Acquisition Candidate Privacy Notice

Talent Acquisition Candidate Privacy Notice

Introduction

The MHA group (MHA) comprises MHA plc incorporated in England and Wales, registered number 16268837, registered office at The Pinnacle, 150 Midsummer Boulevard, Milton Keynes, Buckinghamshire, MK9 1LZ and its subsidiaries (as defined in the UK’s Companies Act 2006).

MHA is committed to protecting the privacy and security of your personal information. This privacy notice describes how we collect and use personal information about you when you apply for a job or submit an application to us for recruitment or onboarding or leave your information on our records in case a future position arises. 

MHA is a "data controller". This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of this information in this privacy notice and tell you how you can exercise your rights (including the right to object to some of the data handling we carry out)

 

Purpose

The purpose of this policy is to give you a clear explanation about how we collect and use the personal information you provide to us, whether online, via phone, email, in letters or in any other correspondence, or where we receive data from third parties such as recruitment companies. We ensure that we use your information in accordance with all applicable laws concerning the protection of personal information.

It is important that you read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information.

Processing your information in accordance with the law means:   

  • Being fair and transparent with you. 
  • Clearly identifying our purpose for processing your information and checking any additional purpose is compatible with data protection legislation. We document these purposes and periodically review these purposes. 
  • Making sure that the information we process is adequate, relevant and limited to what is necessary for the purpose of processing your information.
  • We take all reasonable steps to make sure the information we hold, and process is accurate and where information is incorrect take remedial action to correct this. 
  • We do not keep information for longer than is required, we identify personal information we no longer need and erase or anonymise information where appropriate.
  • Ensuring that we have appropriate technical security measures in place to maintain the integrity and confidentiality of your information. 

 

How do we use your information?

We use information you supply in support of your application, appointment and onboarding processes (where successful) so that we can consider your application, assess your suitability, conduct eligibility checks (with your consent) and for equal opportunities purposes.

In some of our application processes we may use automated decision making to support our recruitment process. If you would like to know more about this or would like to ask for a review of our automated decision making, please contact our Recruitment team.

As part of our interview process, where this is conducted via Teams or Zoom, we may use automatic note-taking software that transcribes the interviews we conduct. Any information you choose to provide us during the course of our interview will be used to assess your suitability for the role.

We use your data for the purpose of our legitimate interests in managing our recruitment and onboarding processes so that we can take steps at your request prior to entering into a contract with us and/or joining us. Any information we ask you to supply in relation to past civil or criminal offences will be held by us only because any contract we are negotiating with you requires us to assess your fit and proper status. If a position that is, or may be, of interest to you requires background checks, we will tell you about this. This may include DBS checks in the UK.

Where necessary, we will also use this data for the purpose of our legitimate interests in accessing appropriate professional advice and to ensure we comply with legal obligations to which our business is subject.

When you apply for a position with us or submit information in support of your application or offer of employment, we will tell you whether the information we are requesting is essential so that we can progress your application or offer of employment or whether the supply of this information is optional.

With the exception of personal data which we collect and use for the purpose of entering into a contract of employment or for payroll processes should you become an employee, partner or consultant, you can object to our use of the data you have provided at any time. 
To be able to provide you with recruitment, employment and support, we must process your personal data. The type of personal data we collect depends on the way you interact with us, for example engaging with us as an employee or company director will be a different experience than interacting with us as a consultant or client.

 

What data types do we currently collect and for what purposes?

  • Identity data: your first and last names. 
  • Contact data: your address, telephone number, address and email address. 
  • Candidate data: information that you provide when registering your interest in an employment or contracting opportunity with us. This includes the contents of your CV and cover letter, such as your employment history, qualifications, experience and personal interests.  
  • Where your application is progressed then it may also include information obtained during interviews or assessments, information provided by referees and other opinions documented about your candidacy, as well as information about your right to work in the UK, such as your nationality and other details contained in identification documents.
  • In some circumstances we may also process information about your disability status, to ensure that we can consider appropriate adjustments.
  • Data relating to your employment such as financial information (e.g. remuneration and pension), training, performance and attendance  
  • Information relating to your identity where we are required by law to collect this to comply with regulations such as the Companies Act, financial and health and safety regulations.  
  • Your communications with us, including a record of the email correspondence created when you contact us.
  • Data about your health, ethnic origin, religious beliefs, sexual orientation, family life, education and background to enable us to meet our legitimate interests to monitor adherence to our equal opportunities policies.
  • If you attend our offices then your visit may be recorded on CCTV which we employ in our legitimate interest in order to prevent, detect or investigate crimes, including the apprehension and prosecution of offenders
  • For directors and partner appointments, we may require additional information to meet our legal requirements such as information relating to any conflicts of interest you may have. 

 

Special Categories of Personal Data

Sensitive personal data, also known as special category data, means personal data about the following:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data (where used for identification purposes)
  • Health data (physical or mental health information)
  • Sex life
  • Sexual orientation

Where sensitive personal data is collected, we will ensure that any additional legal requirements are complied with. We typically ask for some special category data as set out in section 4 above during our recruitment process. You are not obliged to answer these questions but if you do answer the data enables us to meet our legitimate interests of monitoring adherence to our equal opportunities policies. Other special category data may be processed for monitoring equal opportunities, managing health and safety obligations and requirements to make reasonable adjustments for disabilities, and should you start work for MHA, managing absences or complying with deductions from payroll, among other reasons.

 

Our lawful bases for processing your data

Under the UK General Data Protection Regulation (UK GDPR) and GDPR, the lawful bases we rely on for our processing this information are:   

  • Your consent. Where consent has been given, you are able to remove your consent at any time. You can do this by contacting us.
  • Where we have a contractual obligation. For example, where the processing is necessary for the performance of a contract to which you are a party, or to take steps prior to entering into a contract with you. 
  • Where we have a legal obligation. For example, where processing is necessary in order for us to meet our requirements under the company and finance legislation, or to provide information to law enforcement organisations or the Courts.  
  • Where we have a legitimate interest. For example, where it is necessary for the purposes of our legitimate interests, except where our interests are overridden by the interests, rights or freedoms of affected individuals (such as you).   

To determine this, we shall consider several factors such as, what you were told at the time you provided your data, what your expectations are about the processing of your personal data, the nature of the personal data, and the impact of the processing on you.   

On rarer occasions our reasons for holding your personal data may include:  

  • Where we need to protect your vital interests (or someone else's interests).
  • Where it is needed in the public interest or for official purposes.

 

Information sharing

We may have to share your data with third parties, including third-party service providers and other entities in the group. We require third parties to respect the security of your data and to treat it in accordance with the law. If we do, you can expect a similar degree of protection in respect of your personal information.

We will share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so. We may also need to share your personal information with a regulator or to otherwise comply with the law.

"Third parties" includes third-party service providers (such as contractors and designated agents) and other entities within our group.

All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

We will share your personal information with other entities in our group as part of our regular reporting activities on company performance, in the context of a business reorganisation or group restructuring exercise, and for system maintenance support.

We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business.

We may also need to share your personal information with a regulator or to otherwise comply with the law.

 

International transfers

Where we have partners and service providers based outside of the UK and EEA, your personal data may be accessed or otherwise processed in other countries. We have implemented measures and safeguards to ensure that any transfer of data is compliant with the UK and EU data protection laws. For example, we ensure that Standard Contractual Clauses or International Data Transfer Agreements that are approved by the Information Commissioners Office (ICO), the UK Government and/or European Commission are in place. We carry out a detailed assessment to ensure the companies receiving your data can comply with these clauses.

 

Keeping your information safe and secure

We are committed to keeping personal information secure to protect it from being inappropriately or accidentally accessed, used, shared or destroyed, and against it being lost. 

We have put in place measures to protect the security of your information, to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality. Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

 

Data retention

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.

If your application is unsuccessful, we may decide to retain your details for longer if we think you may be suitable for another position that may arise within MHA in the future. If your application is successful, relevant information will be used for the purpose of administrating your subsequent employment and will be retained and used in accordance with our employee privacy policy which will be made available to you when you take up your employment or position with us.

 

Keeping your data accurate

We are committed to keeping your personal data accurate. If you believe that we have made an error, then please contact us as we have outlined below, and we will use reasonable endeavours to correct.

 

Your data protection rights

Under data protection law, you have rights including:  

  • Your right of access - you have the right to ask us for copies of your personal information.  
  • Your right to rectification - you have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.  
  • Your right to erasure - you have the right to ask us to erase your personal information in certain circumstances.  
  • Your right to restriction of processing - you have the right to ask us to restrict the processing of your personal information in certain circumstances.  
  • Your right to object to processing - you have the the right to object to the processing of your personal information in certain circumstances. 
  • Your right to data portability - you have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances. 
  • Your rights in relation to automated decision making and profiling - as a matter of principle, you have the right not to be subject to a decision based solely on automated processing, including profiling.  However, we may automate such a decision if it is necessary for the entering into or performance of a contract between us, authorised by law or regulation or if you have given your explicit consent.

There are some exceptions to these rights, however. For example, it will not be possible for us to delete your data if we are required by law to keep it or if we hold it in connection with a contract with you or to process our payroll. Similarly, access to your data may be refused if making the information available would reveal personal information about another person or if we are legally prevented from disclosing such information.

If you want to review, verify, correct or request erasure of your personal information, please try to do this via the portal we make available to candidates in the first instance. If this does not meet your needs, please contact the DPO as explained in section 13.

If you wish to object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, this should be done by contacting the DPO.

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive, particularly if it is repetitive. The fee will be based on the administrative cost of providing the information. Alternatively, we may refuse to comply with the request in such circumstances. 

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

 

Data Protection Officer

We have appointed a data protection officer (DPO) to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your personal information, please contact the DPO on [email protected]

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues however we encourage you to contact us first via the email address above so we can attempt to resolve any concerns. We will acknowledge concerns in writing within 30 days.

Information Commissioner's Office details:

Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: www.ico.org.uk
Email: [email protected] 

Changes to this privacy notice

We reserve the right to update this privacy notice at any time. We may also notify you in other ways from time to time about the processing of your personal information.

If you have any questions about this privacy notice, please contact a member of the recruitment team or the DPO.

Last updated: January 2026

Appolinary kalashnikova WY Gh T Lym344 unsplash
Back

Get in touch

Please complete this form and we'll get back to you as soon as we can.

Click here to review our privacy policy
You can email us at [email protected]
City scape
Close

Sign up for news, insights and events

Please provide your details below and select the topics you're interested in. You can manage your preferences or unsubscribe from our communications at any time via the links in the emails we will send you.

Industries
Services

Your details