Privacy Policy
In this Privacy Policy, 'We', 'VETTING.com' and 'us' means Sphinx Technology Limited,
a company incorporated in England and Wales (Company Registration Number 13204878)
with registered office at:
7 Bell Yard, London
WC2A 2JR, UK
This Privacy Policy explains how VETTING.com handles personal data, including how we collect,
use and disclose personal data. We are committed to being open and transparent about our personal data
handling practices and to complying with the General Data Protection Regulation (GDPR),
for as long as the GDPR is effective in the UK, and the Data Protection Act 2018
(DPA 2018) and any national implementing laws, regulations and secondary legislation.
We respect the confidentiality of the personal data that we handle and take steps to ensure that
information is safeguarded. We endeavour to take a 'privacy by design' approach in incorporating data
protection into the development and implementation of our systems and services.
1. The personal data we collect (and why)
We collect personal data to provide our services to our clients. Our services include (but are not
limited to) conducting background screening, verifying identity information and providing probity
information related to individuals who are seeking:
- employment;
- enrolment in an educational institution or course;
- provision or maintenance of a professional licence or credential; and/or
- appointments to positions of trust.
In this policy 'you' and 'your' refer to the individual to whom the personal data we process
relates, and 'client' refers to our client who has requested that we process your personal data as
part of our services.
We may collect and hold the following personal data:
| Type of personal data collected | Where (or who) we collect this personal data from | Reasons for collection |
|---|---|---|
| Full Name (including former names) | You or our client; Publicly available sources; Credit reference agencies; Government agencies. | To identify you. We may need your current and former names to access all relevant records for background checking. |
| Date and place of birth | | To identify you. |
| Sex or gender | | To complete some background checking services that require information about gender in order to identify you. |
| Address history | You or our client; Publicly available sources; Credit reference agencies; Government agencies. | To complete some background checking services (e.g. criminal history checks and credit checks) that require this information. |
| Contact information | | We may collect your postal address, email address and telephone number in order to contact you in relation to performing the services requested by our client. |
| Nationality | | Some of the services we use and provide require us to provide information about your nationality. |
| Biometric information (i.e. fingerprints; facial recognition data) | | Some services, such as criminal history checks from some jurisdictions, use fingerprint or other biometric data to locate and identify relevant records. |
| Copies of photograph ID (often the original copies may need to be signed or the copies certified) | | Some services, particularly those provided by government agencies, require a photograph ID, including as part of confirming our authorisation to request information from them about you. |
| Copies of Identity documents (often the original copies may need to be signed or the copies certified) | You or our client; A third party that we are requesting information from. | To verify your identity or address where requested to do so by our client or a third party who we are requesting your information from. |
| Government issued identifiers (e.g. social security number; national insurance number; driving licence number; Passport identifier etc.) | You or our client; Publicly available sources; Credit reference agencies; Government agencies. | To conduct searches, or request searches, from third parties where the records being searched are associated with a government identifier (e.g. driving records). |
| Immigration status | You or our client; Government agencies. | To confirm eligibility to work in the relevant jurisdiction (e.g. where a role being applied for is located). |
| Criminal history information and police records | You or our client; Publicly available sources; Credit reference agencies; Government agencies. | This information is often provided as part of the background screening process, in particular for certain positions or roles. |
| Credit or bankruptcy history | Credit reference agencies; Government agencies; Publicly available sources. | Some clients request financial or identity information from credit files held by credit reference agencies or in public record information. This type of information is particularly relevant for some positions of trust. |
| Civil court records | Government agencies; Courts; Publicly available sources; Credit reference agencies. | Some clients request information about your litigation history in the civil courts. |
| Salary/Income details | You or our client; Third parties that provide information in relation to credit and/or employment history. | Some clients disclose this information to us and/or request that we verify this information. |
| Property ownership information | Credit reference agencies; Government agencies. | In providing our services, some clients request that we verify the ownership of your residence and provide information about any mortgages on it. |
| Government watch or sanctions lists | Government agencies (including law enforcement and fraud prevention agencies). | To check whether or not you appear on any government watch or sanctions lists. This may be particularly relevant for specific roles or positions of trust. |
| Directorship; shareholding and corporate governance history | You or our client; Publicly available sources; Credit reference agencies; Government agencies; Corporations and/or charities that you have previously been involved with. | To provide to our client the opportunity to review your history or current status as a director, officer, trustee or shareholder with corporations and charities and to confirm that you are not barred from holding such positions. |
| Employment and volunteering history | You or our client; Your current or past employers; Organisations you currently, or have previously, volunteered with; Third parties that hold employment records on behalf of your current or past employers or bodies you have volunteered with; Employment/recruitment agencies that placed you with current or former employers; Referees that you have provided; Credit reference agencies; Government agencies. | To verify your employment history, as requested by our clients. |
| Education information and history | You or our client; Educational institutions that you have attended, or currently attend; Third parties that hold records on behalf of educational institutions that you have attended or currently attend; Government education authorities in jurisdictions where you have attended an educational institution; Referees that you have provided. | To verify your education or education activity history. |
| Professional memberships; licences; designations; awards; credentials; sanctions or disciplinary decisions | You or our client; Professional organisations that you have been associated with or are a current member of; Third parties that hold records on behalf of professional associations you are or have been a member of or associated with; Publicly available sources; Referees that you have provided; Employment history sources. | To verify your membership of a professional association; your standing as a member of a profession; your completion of professional development, sanctions or disciplinary actions against you. |
| Information about your activity during periods of absence from work or study | You or our client; Referees that you have provided. | To verify your activity history, for example to confirm reasons you have provided for a gap in employment or study history (i.e. travel). |
| Referee reports; opinions about you | You or our client; Professional organisations that you have been associated with or are a current member of; Third parties that hold records on behalf of professional associations you are or have been a member of or associated with; Educational institutions that you have attended, or currently attend; Third parties that hold records on behalf of educational institutions that you have attended or currently attend; Publicly available sources; Referees that you have provided; Employment history sources. | To obtain references about you, as requested by our client, including about your character. Opinions about you may also be given by other third parties including when we are verifying your employment, study or volunteering history. |
| Health information, including results from pre-employment medical tests | You or our client; Drug testing services; Medical practitioners (i.e. your GP) that conduct a consultation with you as part of our services. | To test for drug use or health conditions, as requested by our client. |
| A copy of your driving licence (often the original copies may need to be signed or the copies certified) and your driving record. | You or our client; Government agencies. | To confirm you hold a valid licence, including for a specific category of vehicle, and review your driving history. |
| Information relating to firearm and vehicle registration. | Government motor registration agencies; Firearm registration sources. | To confirm your current vehicle and firearm registrations, where this is requested by our client. |
| Media, including social media posts | Publicly available sources; Social media sites. | As part of our services provided to our client, we may search for media content about you, assess your publicly available social media activity, or search for references to you that appear online. |
| Telephone call recordings | Callers to our telephone numbers. | We monitor some telephone calls for quality-assurance and training purposes. |
| Your opinions about us | Feedback providers (e.g. you or our client). | We may seek, or be provided with, feedback about our conduct, services or operations. |
2. How we collect personal data
Where it is practicable to do so, we collect personal data directly from the individual to whom it
relates. However, given the nature of our services, particularly where we act on our clients'
instructions as a background screening provider, there may be circumstances where we need to collect
personal data from a third party including those listed in the table above.
Where required, we take steps to ensure that you provide the appropriate authorisation for the
collection and handling of your personal data by us and/or that our clients provide you with the
required notifications for the handling of your personal data by us.
3. How we use personal data and for what purposes
We use the personal data we collect in order to provide our services to our clients, such as
conducting pre-employment screening (including volunteers) and checking the identity information on identity documents with
the government agencies that issued them. For a list of the specific uses for each type of personal
data we use please see the table above.
Where necessary, we may need to use personal data to comply with applicable laws (e.g. to meet
obligations we may have under legislation).
We use the personal data that we hold for internal audit and quality assurance purposes to ensure
that access to the personal data that we hold is monitored, recorded and auditable. We also use the
personal data that we hold to develop and train staff on system improvements and enhancements to our
services.
Our lawful basis for processing
Under the GDPR, we can only process your personal data where we have a valid lawful basis to do so.
When we process your personal data for the purposes of providing our services, we work with and rely
on our client for deciding the lawful basis for processing where our client has contact with you.
Depending on the circumstances, our clients may rely on the following lawful bases for processing
your personal data:
- compliance with a legal obligation: where the processing is necessary for our
client to comply with the law.
- performance of a contract: where the processing is necessary for the
performance of a contract our client has with you, or because you have asked the client to take
steps before entering into a contract with you.
- legitimate interest: where the processing is necessary for your legitimate
interests, or those of a third party (subject to any reasons for the protection of your personal
data that may override those interests).
- public interest: where the processing is necessary for the client to perform
a task in the public interest or for their official functions, and the task or function has a
clear basis in law; or
- where you have provided your consent.
Generally, depending on the circumstances, we rely on the lawful bases of legitimate interest,
contract, consent, or compliance with a legal obligation to process your personal data. We
rely on the basis of consent to process any special category personal data and your consent is usually
collected from you by our client or suppliers. On rare occasions, we will request your consent prior
to collecting and / or processing special category personal data.
We have no control over decisions made by our clients or any action they may take, as a result of the
outcome of a background screening service provided by us or in response to you withholding your
consent to the processing of your personal data by us.
If you have any questions about the consequences of not providing your personal data or refusing
consent to your personal data being processed by us, these questions should be directed to our client
(e.g. your potential employer).
4. Disclosure of personal data
As part of providing our services we may disclose the personal data that we collect to third parties.
Disclosure to verification sources
In particular, the services we provide often involve verifying or checking the validity of personal
data with third party sources. To do this, we usually need to disclose to the verifying third party:
- the personal data that the third party requires in order to locate your records and also to verify
your identity; and/or
- your authority to provide us with the information.
In some cases, we may provide this personal data to the third party via an online portal, over the
telephone, via email, by letter or in person.
As part of providing our services, we also provide our client with the results of our background
screening, and other personal data they may have requested, in the form that the client has requested it.
| Third party verification source | Personal data disclosed | Purpose of disclosure |
|---|---|---|
| Employers, employment agencies, referees, educational institutions and authorities; professional associations; licensing and registration authorities and organisations that hold records on behalf of the above. | Personal data required to verify employment; educational and professional qualifications and history; licences and registration; and to obtain references. | To obtain: verification of employment; verification of qualifications and licences; and references. |
| Agencies including credit, criminal records, social media, identity verification, watchlists, sanctions and PEPS, international criminal and credit | Personal data necessary to conduct credit, bankruptcy, court, identity searches, criminal record searches, social media searches, watchlist, sanctions and PEPS searches, international criminal records and/or international credit checks. | To provide credit, bankruptcy, court and identity searches. |
| Your clients, accountant, lawyer, management company or agencies you registered with | Personal data needed to verify your self-employment and obtain references for you. | To verify your self-employment; to obtain references. |
Disclosure to third party service providers
We use third parties to process personal data on our behalf in some circumstances, and to perform
some limited tasks, including hosting and background screening. The table below sets out the type of
third-party providers we use; the type of personal data we disclose to them and why.
| Third party verification source | Personal data disclosed | Purpose of disclosure |
|---|---|---|
| Hosting providers | All of the personal data we hold. | To ensure secure availability of VETTING.com's services. |
| Data services | Data listed in section 1 | To support the third parties to identify individuals that data has been requested for. |
| Auditing services | Personal data that enables monitoring of the security, integrity and quality of our services. | For quality assurance and security auditing. |
Transfer of personal data to other countries
If you have lived, worked or studied overseas we may need to transfer your personal data to countries
that are outside of the UK, particularly in order to verify that information. If so, we will ensure
the appropriate safeguards are in place with the recipient to ensure the continued protection of your
personal data. Generally, we transfer personal data to other countries in situations where:
- You have provided your consent;
- We have a contract in place with the receiving entity to ensure adequate protection of your personal
data, in line with requirements from the relevant data protection supervisory authority;
- We are transferring to a country that the relevant data protection supervisory authority
considers gives adequate protection of personal data;
- the transfer is necessary for the performance of a contract in your interest between us
and another party; and/or
- the transfer is necessary for the performance of a contract with you or because you have
asked us to take specific steps before entering into a contract with us.
Disclosures required or authorised by or under law
In some circumstances, we may be required or authorised to provide personal data to government
authorities including law enforcement and national security agencies, courts, or other public
authorities in jurisdictions where we are subject to the law. Where that information was collected
from, or on behalf of, a client we will consult that client before releasing the information unless
such consultation is prohibited by law. Any such disclosures will be made in compliance with the
law, including any applicable data protection laws.
5. Storage and security of personal data
We take the security of the personal data that we hold seriously and implement measures to ensure
its protection. All VETTING.com staff handle personal data sensitively and in accordance with
the applicable privacy and data protection laws.
We take all reasonable steps to protect the personal data we hold from misuse, interference and loss,
and from unauthorised access, modification or disclosure. These steps include using electronic and
physical security measures, including password protected software and hardware,
firewalls, monitoring and alert systems to detect and prevent intrusion attempts, and industry
standard encryption. VETTING.com performs regular penetration testing to maintain the security
of the systems under our control. In addition, we are certified to the Cyber Essentials Plus standard.
Retention
We hold personal data for no longer than required and take reasonable steps to destroy or de-identify
that information. We keep personal data that was collected from or on behalf of a client for the time
period requested by the client. Please direct questions about this retention period to our client.
It may be necessary for us to retain personal data to comply with our legal obligations, or for
insurance or audit purposes.
6. Data quality and accuracy
To perform our services, we rely on the accuracy of the personal data that is provided to us by you,
our client or any of the sources listed at the table at section 1. If you have any concerns about the
accuracy of the personal data processed about you, on behalf of our client, you should first contact
our client. We implement rigorous quality controls of our processes to assist in ensuring accuracy as
far as possible. We will update or correct your personal data if we confirm it is inaccurate.
7. Automated decision-making and profiling
We do not make decisions about you and do not use automated decision-making or undertake profiling
using your personal data. If our client instructs us to do so, we may conduct automated processing of
personal data on our client's behalf.
8. Data Subject Access Request (DSAR), correction, deletion, portability, privacy complaints and enquiries
We usually act as processor as we process personal data for and on behalf of our clients. Therefore,
where we are acting as a data processor in relation to your personal data on behalf of a client, you
should direct any requests to our client in the first instance.
However, where we act as data controller, you can request access to the personal data that we hold
about you (e.g. in relation to the personal data collected via our website). You can also ask us to
correct inaccurate personal data about you and/or to add comments or explanations to records we hold
about you. In addition, you can request the erasure/deletion of your personal data or ask that we not
use your personal data for certain purposes, or request that we transfer it to a third party.
In order to respond to your request, we may need to consider a number of factors, including the
lawful basis for the processing of the personal data your request relates to. We will provide you
with clear reasons for our response.
You may request to update, delete or access personal data, or make a privacy complaint or enquiry,
by contacting us at support@vetting.com
Sphinx Technology Limited
7 Bell Yard, London
WC2A 2JR, UK
If we are unable to resolve your privacy complaint to your satisfaction, you may contact the
Information Commissioner's Office.
Our Information Commissioner's Office Registration Number: ZA561360
9. Incident Reporting and Potential Data Breaches
If you suspect that your data has been breached as a result of our processing, or that of one of
our subprocessors, then please send an email to security@vetting.com
with details of the incident, including:
- The date and time it occurred
- What you were doing when it happened
- Details of any suspicious content (e.g. hyperlinks)
- Details of suspicious contacts (i.e. names, email addresses)
- Anything else you think is relevant to help investigate
We will then complete an investigation within 48 hours and provide an appropriate response, with
any discoveries or mitigations put in place.
10. Marketing
For the delivery of direct marketing to you via e-mail, we need your consent, which can be via an
express opt-in or soft opt-in:
- soft opt-in consent is a specific type of consent which applies when you have previously engaged
with us (for example, you contact us to ask us for more details about a particular product/service,
and we are marketing similar products/services). Under "soft opt-in" consent, we will take your
consent as given unless you opt-out.
- for other types of e-marketing, we are required to obtain your explicit consent; that
is, you need to take positive and affirmative action when consenting by, for example,
checking a tick box that we provide.
If you are not satisfied about our approach to marketing, you have the right to withdraw consent at
any time.
11. Changes of business ownership and control
We may, from time to time, expand or reduce our business and this may involve the sale and/or the
transfer of control of all or part of the company or business. Data provided by you may be
transferred. The new owner or newly controlling party will, under the terms of this privacy policy,
be permitted to use the personal data for the purposes for which it was originally supplied to us.
We may also disclose your personal data to a prospective purchaser of our business/ company or any
part of it.
In the above instances, we will take steps with the aim of ensuring your privacy is protected.
12. Data Processing Agreement
Our Data Processing Agreement
Date of Last Review: 16 October 2023