As a leading boutique talent management firm, we understand the importance of safeguarding candidate information and keeping it up-to-date, and we are committed to protecting the privacy of any/all candidates’ personal data.
The following describes our firm’s policy regarding the collection, use and transfer of personal data to our clients.
Objective and Scope. The purpose of the Candidate Data Protection Standards (the “standards”) is to provide consistent safeguards for the processing of the personal data of candidates by Kensington International.
- “Processing” refers to any human manual or automated action performed on personal data by Kensington International. This includes, but is not limited to, recording, organizing, storing, modifying, disseminating, transferring, disclosing, deleting and sharing such data among Kensington International in accordance with Kensington International’s policies.
- “Candidate” is any individual whom Kensington International presents to a client. This includes, but is not limited to, executive, director, and management search, development and assessment services.
- “Personal data” is any information about a candidate originally collected or otherwise used by a Kensington International employee in the context of a search. Personal data includes, but is not limited to, candidate name, contact information, date of birth, social security number, professional experience, academic qualifications, skills, etc.
Please note these standards do not apply to any personal data that has been “anonymized” and used in the aggregate, such as compiling industry and employment statistics, where such data does not involve personally identifying information and individuals are not identifiable from it.
Processing Personal Data. Kensington International’s standards for processing personal data require the following:
- Personal data is processed fairly and lawfully.
- Personal data is processed for legitimate purposes associated with Kensington International’s business model and the services the firm provides (“purposes”).
- Personal data is not processed in any manner incompatible with these purposes.
- Personal data is always relevant to the purposes for which the personal data is obtained.
- Personal data is only used by Kensington International and is not sold or shared for related or unrelated purposes to non-affiliated third parties unless otherwise stated at the time of collection or as required by law.
- Personal data is processed and maintained in a manner that assures reasonable accuracy.
- Personal data that is inaccurate is corrected, updated or deleted within a reasonable time of the discovery of the inaccuracy.
- Personal data is stored only for the duration necessary to fulfill these purposes.
- Personal data is protected by all necessary and appropriate protective measures – both technological and legal.
- Personal data will not be automatically processed in any manner which will have a significant effect on the data subject except where authorized by a law which also safeguards the data subject’s legitimate interests.
- Personal data will not be transferred to third parties without adequate protections in place.
Purposes for Personal Data Processing. Kensington International processes personal data only for its own use, only for legitimate purposes, and in accordance with applicable law. Such purposes include:
- Executive, Leadership and Middle Management Search: Kensington International processes and disseminates personal data in order to match candidates who are qualified for a particular position with client organizations who have an opening for such a position. Examples of processing for this purpose include but are not limited to collecting data from the candidate directly, performing background searches with the candidate’s consent, relaying personal data to a client with the candidate’s consent and receiving referrals from individuals associated with the candidate.
Security, Confidentiality and Enforcement. Kensington International will take all necessary and appropriate protective measures to prevent unauthorized access, loss or damage to personal data and to ensure any processing of personal data is done in accordance with these standards. Those measures include:
- Training: All employees of Kensington International who have permanent or regular access to personal data, who are involved in the collection of personal data, or in the development of tools used to process personal data are trained in these standards and the best practices of handling such data.
- Access Security: Personal data is securely stored and can only be accessed via Kensington International’s internal software/systems. Personal data is only accessible by Kensington International employees from Kensington International computers and only through Kensington International’s private network. Access is continually monitored and restricted to employees of Kensington International. It is secured by appropriate physical, electronic and managerial security procedures to prevent unauthorized access, loss or damage to the personal data.
- Contractor Obligations: All contractors performing services for Kensington International must execute a written service contract. Beyond business terms, these service contracts include confidentiality & security obligations and data protection provisions, and provide enforcement mechanisms through all available legal remedies.
- Kensington International Website and Not Actively Looking Safeguards: To safeguard all personal data that is submitted by candidates online, appropriate physical, electronic and managerial security procedures have been put in place to prevent unauthorized access, maintain the accuracy of data, and ensure proper use of information obtained through our website.
- Candidate Consent Forms: All candidates are presented with consent forms which must be signed before any personal data will be disclosed to a client organization or other third party.
Required Processing. In situations where personal data must be disclosed as a matter of law, Kensington International will use its best efforts to lawfully resist, limit or delay disclosure, and will ensure that only the personal data that is necessary and relevant to the request is provided.
In the event that Kensington International becomes aware of any applicable legislation that is likely to have a substantial adverse effect on the ability of Kensington International to comply with these standards, Kensington International will determine a suitable course of action aimed at ensuring compliance with these standards in consultation with the relevant data protection authority.
Candidate Rights of Access, Rectification and/or Deletion. Given the nature of Kensington International’s services, the candidate is involved in the processing of his or her personal data in furtherance of the purposes. Additionally, the candidate may, at any time and in accordance with local law, contact Kensington International and inquire about his or her personal data. Requests by the candidate for access to his or her personal data for revisions or for Kensington International to cease processing of personal data can be made to any Kensington International employee or via email to email@example.com
The Data Protection Officer for Kensington International (Managing Partner, Executive Search Operations) will coordinate all revisions or deletions of personal data. Upon request, Kensington International will compile the information and provide it to the candidate. The candidate may request a revision of his or her personal data if it is incomplete or contains inaccuracies. Kensington International updates or revises the personal data as the situation or law requires. A candidate may also request that his or her personal data no longer be processed.
All requests to stop processing of a candidate’s personal data will promptly be honored by Kensington International and, unless otherwise noted in the request, will apply to all forms of processing by Kensington International (including search and assessment services and any marketing communications).
Candidate Enforcement Rights and Mechanisms. Any person may inquire as to the nature of the data stored or processed about him or her by Kensington International. Any Kensington International employee contacted regarding such a request will forward the information to the Data Protection Officer.
The Data Protection Officer will contact the individual directly and will remain Kensington International’s liaison with the individual while the handling of the request is ongoing.
If the candidate believes his or her personal data is being processed in contravention of these standards, the candidate may report the concern to their contact at Kensington International, to any Kensington International employee, or via email to firstname.lastname@example.org. The matter will then be reported to the Data Protection Officer.
Internal Oversight Procedures. Kensington International ensures enforcement of these standards through its Data Protection Officer who will monitor processing of personal data and conduct periodic data protection compliance audits. The Data Protection Officer is further responsible for investigating any claims related to data processing and may coordinate with outside legal counsel to analyze the scope of the alleged violation.
In addition, employees will self-police their actions and the actions of their peers regarding the processing of personal data. Employees are required to immediately report any violation to a Managing Partner who will notify and work with the Data Protection Officer to investigate the claim.
To the extent that such matters cannot be adequately handled within Kensington International’s own resources, Kensington International may appoint an independent third party to conduct an investigation/audit of any of the procedures or issues involving its Candidate Data Protection Standards.
Communication of Standards. These standards will be published at www.kionline.com and will be available to Kensington International employees on its internal network. Employees are trained to adhere to these standards and to follow the appropriate protocol. Additionally, a copy of these standards will be distributed to any candidate who requests one.
Modification of Standards. Kensington International reserves the right to modify these standards as needed. Should Kensington International make any substantive modifications to these Candidate Data Protection Standards, the changes will be promulgated throughout the firm via an email announcement, a posting of the revised Candidate Data Protection Standards to the internal network, and training in accordance with any legal requirements. Going forward, candidates will be informed that the updated Candidate Data Protection Standards are available at www.kionline.com and in the company network. Kensington International will also take appropriate steps to notify the relevant Data Protection Authorities.
Obligations to Data Protection Authorities. Kensington International will respond diligently and appropriately to all requests from all authorized and official US and EU data protection authorities regarding these standards, including consenting to requests by a data protection authority to audit Kensington International’s compliance with these standards.
Kensington International will abide by the advice of these data protection authorities on any issues related to the interpretation and application of Kensington International’s Candidate Data Protection Standards. Upon request, these data protection authorities shall receive a copy of any compliance audits conducted by Kensington International regarding these standards, and Kensington International will further comply with requests by these data protection authorities for additional review of compliance efforts.