International Recruitment Privacy Notice & International Data Transfer Authorisation

Safe Places for Children UK (International Recruitment Project)

Last Updated: 24 February 2026

Purpose and Scope

This Privacy Notice explains how Safe Places for Children UK (“the Organisation”, “we”, “us”) processes and transfers personal data as part of the International Recruitment Programme for employment opportunities with Safe Places for Children Australia.

Safe Places for Children UK operates the recruitment process and may share relevant personal data with:

• Safe Places for Children Australia; and

• SIRVA (immigration services provider),

where necessary for employment assessment, safeguarding, compliance, onboarding, visa eligibility verification and operational purposes. Applicants for employment with Safe Places for Children Australia are required to complete and submit an Authority to Transfer Sensitive Personal Information Offshore – Consent Form, acknowledging international transfer of personal data in connection with recruitment and employment decisions.

Roles and Responsibilities

Safe Places for Children UK acts as a Data Controller in respect of personal data collected during the international recruitment process.

Safe Places for Children Australia may act as:

  • an independent Data Controller in relation to employment decisions and regulatory obligations within Australia; or

  • a recipient organisation operating under formal data-sharing arrangements.

SIRVA operates as an independent Data Controller in relation to immigration eligibility assessments, unless acting under documented processor instructions issued by Safe Places for Children Australia or UK. Appropriate governance, contractual safeguards and oversight arrangements are maintained between affiliated entities and third-party providers.

Each organisation remains independently responsible for its own compliance with applicable data protection laws and regulatory obligations within its jurisdiction.

Joint Controller Arrangement (Article 26 UK GDPR)

Where Safe Places for Children UK and Safe Places for Children Australia jointly determine the purposes and means of processing personal data in connection with international recruitment activities, the organisations may act as Joint Controllers in accordance with Article 26 of the UK General Data Protection Regulation.

In such circumstances:

A formal Joint Controller Arrangement is established between the organisations.

  • The arrangement defines respective responsibilities for compliance with UK GDPR obligations, including transparency requirements, data subject rights, security measures and breach reporting.

  • Safe Places for Children UK remains responsible for providing this Privacy Notice and ensuring individuals are informed about how their data is processed.

  • Safe Places for Children Australia assumes responsibility for processing activities relating to employment decisions, onboarding and regulatory compliance within Australia.

The essence of the joint controller arrangement will be made available to data subjects upon request.

Nothing in this arrangement limits the rights of data subjects under UK GDPR.

Criminal Record and Safeguarding Data Processing

Safe Places for Children UK may process personal data relating to criminal convictions, offences or safeguarding-related information where required as part of safer recruitment practices and safeguarding obligations.

Such processing is undertaken in accordance with:

  • Article 10 UK GDPR (processing of criminal offence data); and

  • Schedule 1, Part 2 of the Data Protection Act 2018.

The lawful basis for this processing includes:

  • Compliance with legal obligations relating to safeguarding and safer recruitment;

  • Substantial public interest conditions, including the safeguarding of children and individuals at risk; and

  • Employment-related requirements.

Criminal record data is processed only where necessary and proportionate, and access is restricted to authorised personnel involved in recruitment, safeguarding or regulatory compliance. Appropriate policy documentation is maintained to ensure compliance with the requirements of Schedule 1 Data Protection Act 2018.

Categories of Personal Data

The following categories of personal data may be processed and transferred:

Recruitment and Employment Records

  • Interview notes (formal and screening) and assessments

  • Reference details and reference checks

  • Recruitment evaluation records

  • Curriculum Vitae and cover letters

  • Employment history checks and gap analysis

  • Name, address, email and telephone details

  • Conditional offers and employment agreements

Identification and Onboarding Documentation

  • Passport copies

  • Driver’s licence

  • Proof of residency

  • Visa documentation (including VEVO checks)

  • Birth certificate (where required)

  • Identification documents required for employment verification and visa requirements

Special Category and Sensitive Personal Data

  • Health information and occupational health forms

  • Safeguarding-related information

  • Criminal record information (where required by safeguarding or regulatory obligations)

Lawful Basis for Processing

Personal data is processed under the following lawful bases:

Article 6 UK GDPR

  • Article 6(1)(b) – Processing necessary to take steps prior to entering into an employment contract

  • Article 6(1)(c) – Compliance with legal obligations

  • Article 6(1)(f) – Legitimate interests in managing international recruitment and safeguarding responsibilities

Article 9 UK GDPR (Special Category Data)

  • Article 9(2)(b) – Employment and social protection obligations

  • Article 9(2)(g) – Substantial public interest, including safeguarding of children and individuals at risk

Where explicit consent is obtained, this relates to acknowledgement of international data transfer and does not replace the primary lawful bases outlined above.

International Transfers (UK GDPR Chapter V Compliance)

Personal data may be transferred outside the United Kingdom to Safe Places for Children Australia and/or SIRVA. Where transfers occur to countries without a UK adequacy decision, Safe Places for Children UK implements appropriate safeguards, including:

  • UK International Data Transfer Agreements (IDTA) or equivalent contractual mechanisms

  • Formal data-sharing agreements

  • Technical and organisational security measures

  • Documented International Transfer Risk Assessments (ITRA)

Transfers are conducted in compliance with UK GDPR Articles 44–49 and are subject to due diligence to ensure an essentially equivalent level of protection. Personal data transferred internationally will be limited to the minimum necessary to achieve the stated recruitment and safeguarding purposes.

Safeguarding Data Sharing

Safe Places for Children UK recognises that safeguarding responsibilities may require the sharing of personal information, including special category data, to protect children, young people, or vulnerable individuals from harm.

Personal data may be shared without consent where:

  • there is a safeguarding concern.

  • disclosure is necessary to prevent harm or risk; or

  • sharing is required by law or regulatory obligation.

Such sharing will be conducted under:

  • Article 6(1)(c) or 6(1)(e) UK GDPR.

  • Article 9(2)(g) UK GDPR; and

  • relevant safeguarding legislation and statutory guidance.

Where safeguarding requires international sharing, only relevant and proportionate information will be disclosed, and appropriate safeguards will be maintained. The welfare of children and vulnerable individuals takes priority over confidentiality where legally justified. Decisions to share safeguarding information are made on a case-by-case basis, balancing the duty of confidentiality against the necessity to protect individuals from harm.

Withdrawal of Authority

Applicants may withdraw transfer authorisation in writing by contacting:

  • spcsr@safeplacesforchildren.co.uk

However:

  • Personal data already transferred may continue to be processed by Safe Places for Children Australia or SIRVA in accordance with applicable legal and regulatory requirements; and

  • Withdrawal may impact eligibility to proceed with recruitment or employment.

Data Retention

Personal data will be retained in accordance with:

  • Organisational retention policies

  • Employment and safeguarding regulatory requirements

  • Applicable UK and Australian legal obligations

Security and Governance

Safe Places for Children UK maintains appropriate technical and organisational measures to ensure personal data is:

• Protected against unauthorised access or disclosure

• Securely transmitted during international transfers

• Accessed only by authorised personnel

Oversight of international data governance is maintained by the Data Protection Officer, with strategic accountability held at board level.

Data Subject Rights

Individuals have rights under UK GDPR including:

  • Access

  • Rectification

  • Restriction of processing (where applicable)

  • Objection (in certain circumstances)

Complaints may be made to the Information Commissioner’s Office (ICO).

International Data Governance Framework

Safe Places for Children UK adopts a risk-based approach to managing international personal data processing. This includes:

Governance & Accountability

  • Board oversight of international data risk

  • Named Data Protection Officer responsible for compliance

  • Clear definition of controller and processor roles

Legal Compliance

  • Compliance with UK GDPR Articles 44–49

  • Use of approved international transfer mechanisms

  • Documented lawful basis for special category data

Risk Management

  • International Transfer Risk Assessments (ITRA)

  • Vendor and partner due diligence

  • Ongoing regulatory monitoring

Safeguarding Integration

  • Alignment between data protection and safeguarding policies

  • Clear escalation routes for safeguarding disclosures

  • Proportionate information sharing

Technical & Organisational Measures

  • Secure transmission protocols

  • Role-based access controls

  • Data minimisation and retention controls

Monitoring & Review

  • Periodic review of transfer arrangements

  • Audit of international transfers

  • Incident response and breach management procedures

Contact Details

Registered Office: Safe Places for Children UK, First Floor, Triad House, Mountbatten Court, Worrall Street, Congleton, Cheshire, United Kingdom, CW12 1DT

Tel: 01260 228 388

Email: enquiries@safeplacesforchildren.co.uk

Data Protection Officer

Cieran McAuley

Safe Places for Children UK, First Floor, Triad House, Mountbatten Court, Worrall Street, Congleton, Cheshire, United Kingdom, CW12 1DT

Tel: 01260 228 388

Mobile: 07592 127037

Email: DPO@safeplacesforchildren.co.uk