We fully comply with GDPR.
The EU privacy directive known as the General Data Protection Regulation (GDPR) came into effect on 25 May 2018. At Staffvetting.com, we believe the GDPR presents an opportunity to transform the way we organise and process the personal data we hold, increasing the value our customers get from it and reinforcing the data-security-led business practices that are essential to our commitment to high standards of information security, privacy and transparency.
By using our services, you agree to these changes and our Terms and policies:
- All Online Systems
All of our systems have been updated as part of GDPR compliance. We have added new security features, updated processes and provided more support for candidates and customers etc.
- Business Terms and Conditions
Updates have been made to further clarify our processing and non-processing of data in accordance with the GDPR.
- Data Processing Agreement
What is the GDPR?
The General Data Protection Regulation is a new, European-wide law that replaces the Data Protection Act 1998 in the UK. It places greater obligations on how organisations handle personal data. It came into effect on 25 May 2018.
Staffvetting and GDPR?
Staffvetting has always taken data privacy and security practices very seriously. With the introduction of the GDPR we have reviewed our systems, processes and procedures, and continue to do so, to ensure we’re fully compliant. For example:
- we have updated all of our electronic systems, increasing data integrity, confidentiality and availability.
- we have introduced a new Data Processing Agreement, which we and you agree to undertake from May 25, 2018 onwards.
- we are reviewing Staffvetting’s functionality to make Staffvetting more effective and efficient for users who are subject to the GDPR.
- we are making all our consents clearer and more understandable.
What information does the GDPR apply to?
The GDPR applies to ‘personal data’, which means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
Who does GDPR affect?
It affects every business within all EU member states.
GDPR also affects businesses outside the EU who process the personal data of EU residents and offer them goods and services, irrespective of whether payment is required; or where the processing by a business relates to the monitoring of the behaviour of EU residents in so far as their behaviour takes place within the EU.
How does the GDPR relate to the Data Protection Act?
The Data Protection Act is a UK law, whereas the GDPR is a European Union law. We manage data processing with regard to both of these laws because we are a UK company that processes data for UK and non-UK subjects.
How long do you keep data?
Only as long as necessary. The GDPR doesn’t prescribe a set period of time for which we should or shouldn’t keep data. The retention period is determined by necessity. In our case, for example, we judge how long to keep data based on the nature of the work that needs to be carried out, the contracts with our clients and our legal, compliance and audit requirements. Once we no longer need it, data will be deleted and/or anonymised, which typically means we will remove all but the core data, e.g. name, consent, customer name and submittal date.
What data will you keep relating to me?
We only ask for data that relates to your screening, and we only keep the data you provide to us with your consent as part of your screening application, e.g. your name, address and date of birth. The amount and type of data we request and keep varies per applicant depending on the type of screening we are doing and the nature of the contract we have in place with the Sponsor (the organisation paying for the screening).
What is a Subject Access Request (SAR)?
Individuals (e.g. employees) have a right to request and be informed by an organisation (e.g. their employer) whether or not it is processing personal data that relates to them and, if so, to be told:
- What personal data is being processed.
- The purposes for which the personal data is being processed.
- Who, if anyone, the personal data is disclosed to.
- The extent to which it is using the personal data for the purpose of making automated decisions relating to the data subject and, if so, what logic is being used for that purpose.
Employers are also required to provide, in an intelligible form, copies of the personal data if the Subject requests this. There is currently a 30 calendar day time limit to respond to the request (unless exceptional circumstances apply which can reasonably justify an extension to 3 months).
Applicants can make a Subject Access Request by phoning or emailing us directly. We will verify all SARs to confirm they are legitimate. This means we will contact the applicant using the contact details we hold on record for them and not by any other means. If the request originates from different contact details compared to the details we hold on record, we may seek an extension to the response time while the applicant’s identity can be verified. See our list of Subprocessors.
Do you have a nominated Data Protection Officer?
Yes, our Data Protection Officer is contactable at firstname.lastname@example.org.
Are you a Data Controller or Data Processor?
It depends on the nature of the contract we have with a client, but usually we are the Data Processor because we usually only request and process applicant data on behalf of a client. We never collect data for our own purposes. The client in this scenario is the Data Controller, because they are the ones contracting us to request and process the data on their behalf.
What about data breaches?
If an applicant or their sponsor (the organisation paying for the screening) thinks their data may have been breached, please contact our Data Protection Officer at email@example.com, or call us on 0191 5887980. We will investigate and report back to you as soon as possible. It may also be worth using the Protective Registration service available from CIFAS. This won’t affect your credit score. It’s an identity fraud prevention measure and not a form of insurance against losses caused by fraud.