Worker Consent for personal data to be available outside of King’s Talent Bank


1. Who is this for?


Any workers who have registered with King’s Talent Bank and are seeking for work assignments from King’s College London and/or work assignments for businesses and organisations other than King’s College London. Workers can register to be added to a ‘public pool’ and thus be available for work from other organisations.


2. Why do I need to give consent?


By agreeing for your work profile to be available within the public pool some of your information will be viewable by people outside of Kings’ Talent Bank Ltd and it is important you understand this before giving consent.


3. Who looks after my personal data?


King’s Talent Bank Limited is the Data Controller and Keystone Employment Group LLP (who provide the web service) is the Data Processor. The King’s Talent Bank Service is covered by a Data Processing Agreement which can be found in Appendix 1.


4. Who can see my personal data?


If you only do work for King’s College London then hiring managers within King’s College London can see:

 Your profile information (skills, work experience, abilities, CV, references, compliance eligibility and availability).

A Manager who has hired you and is approving your timesheets will also see (in addition to the above):

 Current work assignment and timesheet information 


In addition, Senior Administrators or Consultants for King’s Talent Bank have access to:

 Your profile information (skills, work experience, abilities, CV, references, compliance eligibility and availability)

 Current work assignment and timesheet information

 Your supporting documents (passport, visa information)

 Your prior timesheets, pay rates, payslips, prior work assignment details

 Personal details, next of kin, nationality, Date of Birth, National Insurance details


If you choose to also be available for roles outside of King’s College London - for other businesses and organisations, then hiring managers in those businesses or organisations will have access to:

 Your profile information (skills, work experience, abilities, CV, references, compliance eligibility and availability).


A Manager who has hired you and is approving your timesheets will also see (in addition to the above):

 Current work assignment and timesheet information 


By accepting the terms of this consent, you are giving permission for the above information to be accessed by King’s Talent Bank and external organisations.




































Appendix 1: Data Processing Agreement











(1) KING’S TALENT BANK LIMITED, at James Clerk Maxwell Building, 57 Waterloo Road, London SE1 8WA (the "Data Controller"); and


(2) KEYSTONE EMPLOYMENT GROUP LLP, of Keystone House 272-276 Pentonville Road, London N1 9JY (the “Data Processor").





This Agreement sets out the terms and conditions under which Personal Data, and Sensitive Personal Data held by the named “Data Controller” will be processed by the named “Data Processor”. The Parties enter into this Agreement to ensure compliance with the Data Protection Act 1998 (the “Act”). The parties agree that all processing of Data must comply with the provisions of the Act.


Paragraphs 11 and 12 Part II of Schedule 1 of the Act place obligations on a Data Controller to ensure that any Data Processor it engages provides sufficient guarantees to ensure that the Processing of the Data carried out on its behalf will be secure. The Parties enter into this Agreement to ensure the protection and security of Data passed from the Data Controller to the Data Processor for Processing, or accessed by the Data Processor on the authority of the Data Controller for Processing, or otherwise received by the Data Processor for Processing on the Data Controller’s behalf.


This Agreement further defines certain service levels to be applied to all Data related Services provided by the Data Processor.





INTERPRETATIONS In this Agreement:


“King’s Talent Bank” means King’s Talent Bank Limited of James Clerk Maxwell Building, 57 Waterloo Road, London SE1 8WA


"Act" means the Data Protection Act 1998 unless otherwise indicated;


"Data" means any information of whatever nature that, by whatever means, is provided to the Data Processor by the Data Controller, is accessed by the Data Processor on the authority of the Data Controller or is otherwise received by the Data Processor on the Data Controller's behalf, for the purposes of the Processing specified in this Agreement, and shall include, without limitation, any Personal Data and/or Sensitive Personal Data;

"Data Subject", "Personal Data", "Sensitive Personal Data" and "Processing" shall have the same meanings as are assigned to those terms in the Act;


"Services" means processing of the Data by the Data Processor in connection with and for the purposes of the provision of the services to be provided by the Data Processor to the Data Controller under the Services Agreement;


“Services Agreement” means the agreement for the provision of services between the Data Controller and the Data Processor identified in the Client Terms of Business for Supplying the Service.


“Parties” refers collectively to the parties to this Agreement, being King’s Talent Bank and Keystone;


“The Purpose” Keystone, the Data Processor, provides a software service to operate the “King’s Talent Bank ”. This allows candidates to register to undertake work for King’s Talent Bank Limited and, where agreed by the candidate, other external business and organisations to access those candidates to make them offers of work. The service allows hiring managers and administrators access to data related to the candidates, their personal and work related details and financial and compliance information pertinent to managing and interacting with those candidates.


The Personal Data will be stored by the Data Processor within the European Economic Area (the “EEA”).





1.1 The Data Controller agrees to provide the Data Processor with the relevant Data

required for the Purpose.


1.2 The information to be provided is as follows:


1.2.1 Candidate/Worker details to enable the placement of Candidates/Workers into assignments 


1.2.2 Candidates/Workers assignment details and hours worked and relevant pay rate details to enable King’s Talent Bank Staff or external organisations to pay Candidates/Workers for work completed 


1.2.3 Candidates/Workers details to enable reporting and Management Information provision (e.g. name and address, previous work history and experience, skills and history)


1.2.4 Candidates/Workers details to enable the monitoring and management of the service (e.g. assignment history and equalities monitoring information)


1.2.5 Any other information necessary for the fulfilment of the purpose.


1.3 For the avoidance of doubt the Data transferred to the Data Processor under the

Agreement at no time becomes the property of the Data Processor.


1.4 In consideration of the obligations undertaken by the Data Processor in clauses 2-5 of

this Agreement, below, the Data Controller agrees that it shall ensure that it complies

at all times with the Act and in particular, the Data Controller agrees that it shall ensure

that any disclosure of Personal Data made by it to the Data Processor is made with the

Data Subject’s consent or is otherwise lawful.




2.1 The Data Processor is to act only on instructions from the Data Controller.


2.2 Data will be delivered to the Data Processor using the following procedures: Data will

be collected by a secure user interface to be accessed through the World Wide Web

by the Data Subject and Data Controller.


2.3 The Data Processor undertakes to:-


2.3.1 Process the Data at all times in accordance with the Act and solely for the

purposes connected with provision by the Data Processor of the Services and in

the manner specified from time to time by the Data Controller in writing and for

no other purpose or in any manner except with the express prior written consent

of the Data Controller;


2.3.2 Ensure that Personal Data will not be processed to support measures or

decisions with respect to particular individuals;


2.3.3 Ensure that Personal Data will not be processed in such a way that substantial damage or substantial distress is, or is likely to be, caused to any Data Subject;


2.3.4 Ensure that the Data will not be disclosed to any third party without the prior written authority of the Data Controller.


2.4 No steps will be taken by the Data Processor to contact any party identified in the Data

unless it is for the purposes of delivering the service set out in this contract or the Data

Controller has given prior written consent.


2.5 All Personal Data held by the Data Processor including any archive or back-up copies,

will be returned to the Data Controller and securely destroyed from any system that it is

held on at a date to be agreed by the relevant parties. After this date, the Data Processor must promptly provide to the Data Controller a written declaration confirming that the Data has been returned and securely destroyed from its systems.


2.6 The Data Processor will not transfer, or permit the transfer of the Data, to any territory

outside the EEA without the prior written consent of the Data Controller.


2.7 On reasonable notice, the Data Processor will allow its Data Processing facilities,

procedures and documentation to be submitted for scrutiny by the Data Controller or

its auditors in order to ascertain compliance with the relevant laws of the United

Kingdom and the terms and conditions of this Agreement.


2.8 The Data Processor will ensure that each of its employees, agents and subcontractors

are made aware of and comply with the obligations under this Agreement with regard

to the security and protection of the Data.


2.9 In the event of the exercise by Data Subjects of any of their rights under the Act in

relation to the Data, the Data Processor will inform the Data Controller as soon as

possible. The Data Processor agrees to assist the Data Controller with all Data Subject

information requests which may be received from any Data Subject in relation to any Data.


2.10 In the event that the Data Processor receives a request for any information

contained in the Data under the Freedom of Information Act 2000 the Data Processor

will not respond to the person making such request but will inform the Data Controller

within two (2) working days of its receipt. The Data Processor further agrees to assist

the Data Controller with all such requests for information which may be received from

any person within such timescales as may be prescribed by the Data Controller.






3.1 For the avoidance of doubt, the obligations of confidentiality imposed on the Parties by

this Agreement shall continue in full force and effect after the expiry or termination of

this Agreement.


3.2 The Data Processor will respect the privacy of individuals in any part of the purpose

requiring the use of Personal Data.


3.3 Under no circumstances will the Data Processor attempt to identify any person from the Data or aggregate data by any data matching or other exercise except where required

for the Purpose.




4.1 The Data Processor agrees to apply appropriate security measures commensurate with the requirements of principle 7 of the Act to the Data. In particular, the Data

Processor shall ensure at all times that adequate measures are in place to do everything possible to:-


a. make accidental compromise or damage to the Data unlikely during storage, handling,

use, Processing, transmission, transport or otherwise; and


b. deter deliberate compromise or opportunist attack.


4.2 The Data Processor shall ensure that security measures, commensurate with those

operated by the Data Controller, shall be in force and applied at all times.


4.3 The Data Processor shall implement technological and all other reasonable

measures to protect against accidental loss, destruction, damage, alteration or

disclosure. These measures shall be appropriate to the harm which might result

from any unauthorised or unlawful processing, accidental loss, destruction or

damage to the Personal Data and having regard to the nature of the Personal Data

which is to be protected.


4.4 Any security incidents, breaches and newly-identified vulnerabilities must be reported

to the Data Controller by the Data Processor immediately. In the case of any incident

that gives rise to a Data loss then the Data Processor shall inform the Data Controller

promptly and in any case no later than within 24 hours of the Data breach occurring.




5.1 The Data Processor shall not sub-contract any of its rights or obligations under this

Agreement without the prior written consent of the Data Controller.


5.2 Where the Data Processor, with the consent of the Data Controller, sub-contracts its

obligations under this Agreement it shall do so only by way of a written agreement

with the subcontractor which imposes the same obligations in relation to the security

of the processing on the sub-contractor as are imposed on the Data Processor under

this Agreement.


5.3 For the avoidance of doubt, where the subcontractor fails to fulfil its obligations under

any sub-processing agreement, the Data Processor shall remain fully liable to the

Data Controller for the fulfilment of its obligations under this Agreement.


5.4 Neither party shall assign or transfer any rights or obligations under this Agreement to

another party without the prior written consent of the other.




6.1 Any rights, of any person, to enforce the terms of this Agreement pursuant to the

Contracts (Rights of Third Parties) Act 1999 is hereby excluded.




7.1 This Agreement shall terminate automatically upon termination or expiry of the Data

Processor's obligations in relation to the Services. On termination of this agreement

the Data Processor shall deliver to the Data Controller and/or securely destroy, at the

Data Controller's sole option, all the Data Controller's Data in its possession or under

its control.




8.1 The Data Processor is liable for and shall indemnify and keep the Data Controller fully

indemnified on demand from and against each and every action, proceeding, liability,

loss, damage, cost, claim, fine, expense and/or demand suffered or incurred by the

Data Controller which arise from or in connection with or pursuant to any act or

omission of or the performance of the Data Processor’s obligations under this

Agreement, including without limitation those arising out of third party demand, claim

or action, or any breach of contract, negligence, fraud, wilful misconduct, breach of

statutory duty or non-compliance with this Agreement or any part of the Act by the

Data Processor or any of the Data Processor personnel.




9.1 This Agreement will be governed by the laws of England and Wales, and the parties

submit to the exclusive jurisdiction of the English courts for all purposes connected

with this Agreement including the enforcement of any award or judgement made

under or in connection with it.