This privacy notice explains your rights under the Data Protection Act 2018 (DPA) and General Data Protection Regulation (GDPR). It describes how we use, store and share the personal information we collect about you.
Personal data (which we will refer to as ‘data’ throughout this notice) means any information about an individual from which that person can be identified.
Why we are collecting data
Your personal data will be processed as part of the requirement to undertake pre-employment checks under HMG’s Baseline Personnel Security Standard (BPSS) for our non-permanent staff. BPSS is the minimum level of security control applied to anyone who requires access to our premises, assets or information for work purposes. These checks are conducted in order to:
- ensure that sensitive assets are protected
- reduce the risks to people and information
- create and maintain an effective security culture
- provide a basis for subsequent National Security Vetting
Legal basis for processing data
We will only process your data when required to by the HMG Baseline Personnel Security Standard policy which states that BPSS “must be applied to any individual who, in the course of their work, has access to government assets”. Scottish Government Personnel Security apply these checks to all non-permanent staff who have access to premises, assets or information for work purposes.
Your personal data is collected in line with UKGDPR Article 6(1)(e) – performance of a task in the public interest.
Some of the data that we process is classed as ‘special category’ data. We process this data in line with UKGDPR Article 9.2 (b) that “processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment”.
We collect data relating to criminal convictions and offences in line with UKGDPR Article 10. The processing of this information is necessary for us to undertake employment checks and we have appropriate safeguards in place to protect this information.
Who we will share your data with
Our Security and Business Continuity BPSS Team records this data on a central security-vetting database and in Amiqus where you upload the data. Amiqus acts as the data processor and has data sub-processors (Onfido, TransUnion, Disclosure Scotland and Stripe) who process data on behalf of Amiqus to complete the necessary checks. Full details of how this information is processed and stored can be found in the Amiqus privacy notice. There may be circumstances in which we lawfully share your data with third parties where, for example, we are required to do so by law, by court order, or to prevent fraud or other crimes. Where we share data, we shall do so in accordance with data protection laws. We will not share your information with any other bodies without notifying you.
Details of the safeguard applied to restricted transfers, the EU-UK adequacy decision, which allows data to be transferred freely, can be found on the Information Commissioner's Office website.
How long we will keep your data
Your personal data and that of third parties (for example, past employment references) will be retained for as long as it is necessary for the purpose it was collected. The data in Amiqus will be retained for three years and three months: three years for the period that BPSS is granted and three months to allow time for BPSS clearance to be renewed.
Your data rights
In relation to your personal data held by our Security and Business Continuity BPSS Team, you have the right to:
- object – request that your data is not processed for certain purposes
- restrict processing – request that the processing of your personal data is restricted in certain circumstances, for example, where accuracy is contested
- rectification – request that any inaccuracies in your personal data are rectified immediately and request that any incomplete personal data is completed, including by means of a supplementary statement
- access – request information about how your personal data is processed and to request a copy of that personal data
- deletion – request that your data be removed from our systems. Due to the legal requirements we are under to carry out security checks, we may not be able to carry out this right
These rights are not absolute, and may be subject to exemptions in the Data Protection Act 2018.
If you have any questions about anything in this privacy notice or if you consider that your personal data has been misused, or you would like to exercise any of your rights, contact:
Data Protection Officer
If you are not satisfied with the response, you have the right to make a complaint to:
The Information Commissioner
Telephone: 0303 123 1113