1. Purpose

 

Buckingham Futures is committed to protecting the personal data of candidates, clients, employees, and contractors in accordance with UK Data Protection Law and the General Data Protection Regulation (GDPR). This policy sets out how personal data is collected, used, stored, retained and disposed of, ensuring compliance with all relevant laws.

 

It applies to all in-house staff and agency contractors whose data we process, as well as to any personal data handled in connection with our recruitment and business operations.

 

2. Data Controller & Data Processor

 

Data Controller: The CEO of Buckingham Futures

Responsible for determining the purpose and means of processing personal data

 

Data Processor: Any employee, contractor, or third-party provider who processes data on behalf of Buckingham Futures

 

3. Personal Data Collected

 

Buckingham Futures collects and processes:

Candidates: Name, contact details, identification, right-to-work documents, employment history, references, DBS checks (if applicable), qualifications

Clients: Contact details, company information, contractual data

Employees & Contractors: Name, contact details, bank details, NI number, payroll or payment records, performance records, disciplinary records

Other Data: Sensitive personal data such as health information, ethnicity or criminal convictions, only when necessary for the role or compliance requirements

 

4. GDPR Principles

 

All personal data processed by Buckingham Futures follows the GDPR principles:

Lawfulness, fairness, and transparency: Data is processed lawfully, fairly, and in a transparent manner

Purpose limitation: Data is collected for specified, explicit, and legitimate purposes

Data minimisation: Only data necessary for the purpose is collected

Accuracy: Data is accurate and kept up to date

Storage limitation: Data is kept only for as long as necessary

Integrity and confidentiality: Data is kept secure against unauthorized access, loss or damage

Accountability: Buckingham Futures is responsible for demonstrating compliance

 

5. Individual Rights

 

Under GDPR, individuals have the following rights:

Right to be informed: Individuals will be informed about how their data is used via privacy notices

Right of access: Individuals can request a copy of the data we hold on them

Right to rectification: Individuals can request corrections to inaccurate or incomplete data

Right to erasure: Individuals can request deletion of their data where legally permissible

Right to restrict processing: Individuals can request that processing be limited in certain situations

Right to data portability: Individuals can request their data in a structured, machine-readable format

Right to object: Individuals can object to processing for certain purposes, including marketing or legitimate interest

Rights related to automated decision-making and profiling

 

Requests should be directed to the Data Controller (CEO) and will be handled in accordance with GDPR timescales.

6. Lawful Basis for Processing

 

Data will be processed on one of the following bases:

Consent of the individual

Performance of a contract

Legal obligation

Legitimate interests of Buckingham Futures

Protection of vital interests

Public task

 

7. Data Retention

 

Buckingham Futures retains personal data only as long as necessary for the purposes collected or as required by law:

 

Data Category                                        Retention Period
Candidate applications & registration forms          6 years after last contact or placement
Employee records (payroll, contracts)                6 years after employment ends
Contractor records (umbrella company arrangements)   6 years after engagement ends
DBS or background checks                             As legally required (usually 6 months to 6 years depending on role)
Client contracts and records                         6 years after end of contract
Marketing or newsletter data                         Until opt-out or withdrawal of consent
GDPR requests and consent records                    6 years

 

After the retention period, data is securely deleted or anonymized.

 

8. Data Security

 

Access to personal data is restricted to those who need it for their role

Password-protected systems and secure storage are used for both physical and electronic data

Regular training is provided to staff on handling personal data safely

Breaches must be reported immediately to the Data Controller

 

9. Data Sharing

 

Personal data is not shared outside Buckingham Futures except for legitimate business purposes or legal obligations

Contractor data may be shared with clients only if required for assignment purposes

Third-party service providers (e.g., payroll, umbrella companies, IT providers) may process data as processors under contract

 

10. Data Breaches

 

Any data breach must be reported to the Data Controller immediately

The Data Controller will assess the breach and report to the Information Commissioner’s Office (ICO) if required

Affected individuals will be notified if there is a high risk to their rights and freedoms

 

11. Training & Awareness

 

All staff and relevant contractors receive training on data protection and GDPR

Privacy notices are provided to candidates, clients, and employees

Staff are required to follow this policy and report any concerns

 

Policy Owner: Buckingham Futures | Last Reviewed: January 2026 | Next Review: January 2027