Privacy Notice – Digital Interview and CodeVue Tool

1. Introduction

This Privacy Notice is intended to describe the practices EY follows in relation to the Digital Interview and CodeVue Tool (“Tool”) with respect to the privacy of all individuals whose personal data is processed and stored in the Tool. This Privacy Notice should be read together with the ey.com Privacy Statement, and in case of any conflict with the ey.com Privacy Statement, the terms of this Privacy Notice will prevail.  Please read this Privacy Notice carefully.

2. Who manages the Tool?

“EY” refers to one or more of the member firms of Ernst & Young Global Limited (“EYG”), each of which is a separate legal entity and can determine the purposes and means for data processing in its own right (i.e. act as a data controller or in a similar capacity). The entity that is acting as data controller (or similar capacity) by providing this Tool on which your personal data will be processed and stored is EY Global Services Limited, an EY global entity. EY Global Services Limited licenses the Tool from Hire Vue Inc. 10876 South River Front Parkway, Suite 500, South Jordan, UT 84095, US.

The personal data you provide in the Tool is shared by EY Global Services Limited with one or more member firms of EYG (see “Who can access your information” section below). Each EY member firm manages the data collected by the Tool for the intended purpose.

The Tool is hosted externally in the US at Amazon AWS US-East region, with backups being held at alternate Amazon facilities within the United States.

The Tool is provided by HireVue, Inc., with its registered address at: 10876 South River Front Parkway, Suite 500, South Jordan, UT 84095, United States. EY is still the data controller collecting and processing your personal information in the Tool. Your personal data will be processed by HireVue for the following purposes: (i) to assess your suitability for the role; and (ii) retention in accordance with data retention requirements for future hiring opportunities (as addressed in this policy). HireVue has a formal Disaster Recovery and Business Continuity plan that is ISO 27001 certified. Data and systems are set up redundantly. All video interviews are stored in Amazon S3, which is designed to offer 99.9% level of reliability. Additionally backups are taken daily and stored on separate systems within the same region. Backups are continuous with at least two copies onsite at the Amazon hosting centre. A third backup is available from a second location within an Amazon facility. Amazon does not backup to alternate media or store data outside of Amazon hosting facilities. Any backup copies that are transmitted shall be in an encrypted form in transit. Data at rest is stored in an Encrypted AES-256 state. These backup copies shall be verified quarterly. In the event of a disaster, backup images will be restored on servers at the secondary location, after which DNS will be altered to allow the secondary site to perform the full functionality of the main site.

3. Why do we need your information?

The Tool is divided into two types of functionalities; Digital Interview and CodeVue. Both types are used to help the recruiting process by using video interviewing software. It enables EY to interview and assess you by replacing lengthy application forms or pre-screening questions and reduce the need for traditional face-to-face interviews, whilst retaining person to person interaction and human decisions making. Digital Interview is used to provide online digital interviews and CodeVue is used for coding assessments, which allows recruiters to objectively screen for coding and programming talent.

Your personal data processed in the Tool is used as follows:

  • assess the candidate suitability for role; and
  • will be retained in accordance with data protection retention requirements for future hiring opportunities.

EY relies on your consent to legitimize the processing of your personal data in the Tool. In addition, Processing of your personal data is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. The specific legitimate interest(s) pursued is for Human Resource management, including performance reviews and recruitment.

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you based on the above legitimate interest(s).

We process your personal data based on your consent.

The provision of your personal data to EY is optional (including, for the avoidance of doubt, your image and video image). However, if you do not provide all or part of your personal data, we may be unable to carry out the purposes for processing.

4. What type of personal data is processed in the Tool?

The Tool processes these personal data categories:

  • Your first name;
  • your last name;
  • your email address;
  • your mobile number;
  • your individual RequestID;
  • other information that can be disclosed during the interview such as entity names where previously worked, employees’ names, location of employment, duration of employment and role, amongst others; and
  • SMS/WhatsApp data generated by you.

This data is sourced from a feed from other EY systems known as GRMS – Taleo or directly from yourselves.

5. Sensitive Personal Data

Sensitive personal data reveals your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning sex life or sexual orientation.

The following sensitive personal data is collected and processed in the Tool:

The Tool uses video images which include elements of personal data, for example, recorded video of you, your name, your surname, your previous employment history, your hobbies and interests. You may decide to talk about or address categories of sensitive personal data, however, the interviewer will not ask questions which deal with categories of sensitive personal data.

EY does not intentionally collect any sensitive personal data from you via the Tool. The Tool's intention is not to process such information. Data that you provide in the Tool is used by EY for the purpose of evaluating or assessing the candidate’s suitability for a given role. There is also a free text box where you can write out your answer to a question. Therefore, please do not enter Sensitive Personal Data or confidential corporate information into the Tool where the survey contains free-text field(s). Although the purpose of this free text box is not to have such sensitive personal data written out, you may include such type of personal data within your answer.  Please note that none of the questions directly ask you for your racial/ethnic origin, political opinions, religious beliefs and/or health related information.

For Australian Users: The Tool does not intentionally request or collect sensitive personal data about you, nor will you be asked directly to provide sensitive personal data.  However, in using this Tool to complete any video interviews or otherwise complete any forms or provide written responses through the Tool, you may choose to provide information about yourself which is sensitive personal data.  If you provide any sensitive personal data, whether over video or in writing when completing a free text box, you acknowledge that this data is recorded and collected by the Tool and consent to this collection and storage.

For UK Users: Apart from the information requested pursuant to this review assessment (for example, first name last name, email address and previous employment details), please do not input any further confidential information. Please also do not input any sensitive personal data e.g. information revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic, biometric or health data, data concerning sex life or sexual orientation and data relating to criminal convictions’.

6. Who can access your information?

Your personal data is accessed in the Tool by the following persons/teams:

Recruiters, hiring managers and system administrators – permissions will be granted to other EY members based upon their role, for example, if a role is being adverstised for the forensics team, a member of the forensics team may be asked to conduct the interview and they will be granted access.

Role Country Access purpose Access rights
Recruiter Multiple globally As a user with full access to set up requisitions and add questions both method and content Taleo/Access to requisitions that are under the user group and assigned as the recruiter and all candidates tagged under such requisitions. Recruiters can take complete action on candidates including screening, interview scheduling, offer and hire.
Hiring Manager Multiple globally Review interviews and assessments taken in relations to a role they are recruiting for (not all roles) and participate in live video interviews  Taleo/Access to requisitions only where the user is assigned as the hiring manager. Also has access to candidate profiles tagged under the requisitions but with limited action to view candidate details and take decision on interviews and screenings.
Systems Admin Multiple globally Addition and set up of users and support with set up of requisitions and questions in the tool Has full admin access to system.

The access rights detailed above involves transferring personal data in various jurisdictions (including jurisdictions outside the European Union and outside the country of origin) in which EY operates. EY will process your personal data in the Tool in accordance with applicable law and professional regulations in your jurisdiction. Transfers of personal data within the EY network are governed by EY’s Binding Corporate Rules.

We transfer or disclose the personal data we collect to third-party service providers (and their subsidiaries and affiliates) who are engaged by us to support our internal ancillary processes. For example, we engage service providers to provide, run and support our IT infrastructure (such as identity management, hosting, data analysis, back-up, security and cloud storage services) and for the storage and secure disposal of our hard copy files. It is our policy to only use third-party service providers that are bound to maintain appropriate levels of data protection, security and confidentiality, and that comply with any applicable legal requirements for transferring personal data outside the jurisdiction in which it was originally collected.

To the extent that personal data has been rendered anonymous in such a way that you or your device are no longer reasonably identifiable, such information will be treated as non-personal data and the terms of this Privacy Notice will not apply.

7. Data retention

Our policy is to retain personal data only for as long as it is needed for the purposes described in the section “Why do we need your personal data”. Retention periods vary in different jurisdictions and are set in accordance with local regulatory and professional retention requirements.

In order to meet our professional and legal requirements, to establish, exercise or defend our legal rights and for archiving and historical purposes, we need to retain information for significant periods of time.

The policies and/or procedures for the retention of personal data in the Tool are: Data retention is in accordance with EY Records Retention Global Policy and the applicable Global, Area, Region or Country Retention Schedule.

Further, from the Tool’s perspective, data is retained according to a customer definable data retention setting. Customer Data is properly wiped at the end of the retention period. When media is retired, the approved methods are NIST 800-88. Logs are retained by the Tool for a period of 3 years.  From Taleo’s perspective, there is currently an automated data purge task that removes/deletes all candidate files that meet purge criteria. This criteria is: no activity has taken place in the file for 3 years or the file does not include a HIRE.

Your personal data will be retained in compliance with privacy laws and regulations. After the end of the data retention period, your personal data will be deleted.

8. Security

EY protects the confidentiality and security of information it obtains in the course of its business. Access to such information is limited, and policies and procedures are in place that are designed to safeguard the information from loss, misuse and improper disclosure. Additional information regarding our approach to data protection and information security is available in our Protecting your data (pdf) brochure.

EY is committed to making sure your personal data is secure. To prevent unauthorized access or disclosure, EY has technical and organizational measures to safeguard and secure your personal data. All EY personnel and third parties EY engages to process your personal data are obliged to respect your data’s confidentiality.

9. Controlling your personal data

EY will not transfer your personal data to third parties (other than any external parties referred to in section 6 above) unless we have your prior permission or are required by law to do so.  

You are legally entitled to request details of EY’s personal data about you.

To confirm whether your personal data is processed in the tool or to access your personal data in the tool or (where applicable) to withdraw your consent, contact your usual EY representative or email your request to the data protection team

10. Rectification, erasure, restriction of processing or data portability

You can confirm your personal data is accurate and current. You can object to the processing of your personal data or request rectification, erasure, restriction of processing or a readily portable copy of your personal data by contacting your usual EY representative or by sending an e-mail to the data protection team

11. Complaints

If you are concerned about an alleged breach of privacy law or any other regulation, contact EY’s Global Privacy Leader, Office of the General Counsel, 6 More London Place, London, SE1 2DA, United Kingdom or via email to the data protection team or via your usual EY representative. An EY Privacy Leader will investigate your complaint and provide information about how it will be handled and resolved.

If you are not satisfied with how EY resolved your complaint, you have the right to complain to your country’s data protection authority. You can also refer the matter to a court of competent jurisdiction.

12. Contact us

If you have additional questions or concerns, contact your usual EY representative or email the data protection team.

13. Acknowledgement and Consent

By clicking the 'Yes, I agree' button below you are agreeing and consenting to your personal information being processed and used as outlined in this Privacy Notice. You have the right to withdraw your consent or to object to the further processing of your personal information at any time by contacting your usual EY representative or email data protection team.