In line with GDPR, we only keep applicant data for as long as necessary, and we only keep data that is strictly related to the purpose for which we need it. The specific amount, type and length of time we keep data varies per client, applicant, screening type being undertaken and the nature of the contract in place with our client. For example, in some cases we may only keep data for twelve months or less, while in other cases we may need to keep it for longer e.g. for clients with applicants who need to undergo periodic renewal screening. We may also keep certain types of data for longer if our legal, regulatory or compliance commitments require it.

We may always need to keep a basic level of data about an applicant such as their name and the date screening was undertaken so that we are able to provide evidence that a relationship existed between us and them. This can help us satisfy Subject Access Requests or formal reviews and enquiries for example.

Each type of data we hold has a retention period and once the data retention period is reached, the data will be anonymised. This typically removes everything except the basic data e.g. the client name, the applicant name, proof of consent, the type of screening undertaken and the completion dates.

Data retention falls into the category of our information security management. We always keep the specific details of our information security management policies and procedures confidential because it would expose the data we hold to an unacceptable risk. You can however read more about how we manage data on our GDPR page.