Infraspec Privacy Policy (Updated 2026)

1. Introduction

Infraspec Ltd (“we”, “us”, “our”) is committed to protecting the privacy and security of the personal data we process. We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).

This Privacy Policy explains how we collect, use, store and protect personal data relating to candidates, clients and other individuals we work with.


2. Who We Are

Infraspec Ltd
A recruitment consultancy specialising in Schedule, Cost, Risk and Change roles.
We operate as an Employment Agency and Employment Business under the Conduct of Employment Agencies and Employment Businesses Regulations 2003.

Contact details:
Email: info@infraspec.co.uk
Phone: 01491 845 500
Address: Chiltern House, 45 Station Road, Henley on Thames, RG9 1AT


3. What Personal Data We Collect

We collect and process the following categories of data:

Candidates

  • Name, address and contact details
  • Employment history, qualifications and skills
  • CV and supporting documents
  • Notes from conversations and interviews
  • Right‑to‑work information (where required)
  • Financial information (contractor payments, where applicable)

Clients

  • Contact names and job titles
  • Contact details (phone, email, address)
  • Role requirements
  • Communications and briefing notes

We do not intentionally collect special category data (e.g., health, ethnicity, political views) unless necessary and legally justified. If such information is provided to us, we will process it securely and only where necessary for recruitment purposes.


4. How We Collect Data

We collect data from:

  • CVs submitted directly to us
  • Applications via job boards
  • LinkedIn or other professional networking sites
  • Conversations by phone or email
  • Website forms
  • Referrals
  • Client interactions

We also conduct a Data Protection Impact Assessment (DPIA) annually to ensure we process data appropriately.


5. Legal Basis for Processing

We process personal data under the following lawful bases:

Legitimate Interests

For the core recruitment activities of:

  • identifying suitable candidates
  • assessing suitability
  • submitting candidates to clients
  • maintaining business relationships

This is the standard and recommended basis for recruitment companies.

Contract

Where processing is necessary to take steps at your request prior to entering a contract (e.g., arranging interviews, negotiating terms).

Legal Obligation

Where required by law (e.g., right‑to‑work checks, tax and finance regulations for contractors).

Consent

Only used where appropriate — for example, email marketing.
Consent can be withdrawn at any time.


6. How We Use Personal Data

We use personal data to:

  • Source and match candidates to suitable roles
  • Communicate with candidates and clients
  • Submit CVs and candidate profiles to clients (with candidate agreement)
  • Manage placements, onboarding and contracting
  • Maintain internal records
  • Comply with legal obligations
  • Improve our services

We will always speak to a candidate before sending their CV to any client.


7. Sharing Personal Data

We only share personal data when necessary for recruitment purposes:

With Clients

  • Candidate CVs and summaries
  • Interview notes (where relevant)
  • Only after the candidate agrees to be represented

With Third‑Party Service Providers

Such as:

  • CRM/ATS providers (e.g., Bullhorn)
  • Accountancy/payroll partners (for contractors)
  • Email and cloud storage providers

All third parties process data under contract and must follow UK GDPR.

Legal Requirements

We may disclose information to comply with legal obligations, courts or regulatory authorities (e.g., HMRC, ICO).

International Transfers

If data is transferred outside the UK (e.g., via Bullhorn’s servers), we ensure that approved safeguards such as Standard Contractual Clauses (SCCs) are in place.


8. Data Security

We take appropriate technical and organisational measures to secure personal data, including:

  • Encrypted cloud‑based storage
  • Multi‑factor authentication
  • Access controls limited to staff who need the data
  • Cyber Essentials assessments
  • Staff GDPR training


9. Data Retention

We keep personal data only as long as necessary for recruitment purposes.

Retention Schedule

  • Unsuccessful/archived candidates: 12 months from last meaningful contact
  • Talent‑pool candidates: up to 24 months
  • Placed candidates: up to 6 years (for legal/audit reasons)
  • Right‑to‑work / compliance records: 2 years after employment ends
  • Financial/contracting data: 6 years (statutory requirement)

We conduct annual data reviews to remove or anonymise data no longer required.

Candidates may request deletion at any time.


10. Your Rights

Under the UK GDPR, you have the right to:

  • Access your personal data
  • Rectify inaccurate information
  • Request deletion (“right to be forgotten”)
  • Restrict processing
  • Object to processing based on legitimate interests
  • Request data portability
  • Withdraw consent (where consent is used)
  • Complain to the Information Commissioner’s Office (ICO)

Requests can be made via:
info@infraspec.co.uk


11. Data Breach Procedure

Infraspec staff are trained to report data breaches immediately.
If a breach risks individuals’ rights or freedoms, we will notify:

  • The ICO within 72 hours
  • Affected individuals without undue delay


12. Updates to This Policy

We may update this Privacy Policy periodically.
The most current version will always be available on our website.


13. Contact Us

For questions about this policy or to exercise your rights:

Email: info@infraspec.co.uk
Phone: 01491 845 500
Director: Richard Hodgkins