Privacy Policy

In this Privacy Policy, 'We', 'Vetting.com' and 'us' means Sphinx Technology Limited, a company incorporated in England and Wales (Company Registration Number 13204878) with registered office at:
7 Bell Yard, London
WC2A 2JR, UK

This Privacy Policy explains how VETTING.com handles personal data, including how we collect, use and disclose personal data. We are committed to being open and transparent about our personal data handling practices and to comply with the General Data Protection Regulation (GDPR), for as long as the GDPR is effective in the UK, and the Data Protection Act 2018 (DPA 2018) and any national implementing laws, regulations and secondary legislation. We respect the confidentiality of the personal data that we handle and take steps to ensure that information is safeguarded. We endeavour to take a 'privacy by design' approach in incorporating data protection into the development and implementation of our systems and services.

1. The personal data we collect (and why)

We collect personal data to provide our services to our clients. Our services include (but are not limited to) conducting background screening, verifying identity information and providing probity information related to individuals who are seeking:

In this policy 'you' and 'your' refers to the individual to whom the personal data we process relates, and 'client' refers to our client who has requested that we process your personal data as part of our services.

We may collect and hold the following personal data:

Type of personal data collected Where (or who) we collect this personal data from Reasons for collection
Full Name (including former names)
  • You or our client;
  • Publicly available sources;
  • Credit reference agencies;
  • Government agencies.
To identify you. We may need your current and former names to access all relevant records for background checking.
Date and place of birth
  • You or our client.
To identify you.
Sex or gender
  • You or our client.
To complete some background checking services that require information about gender in order to identify you.
Address history
  • You or our client;
  • Publicly available sources;
  • Credit reference agencies;
  • Government agencies.
To complete some background checking services (e.g. criminal history checks and credit checks) that require this information.
Contact information
  • You or our client.
We may collect your postal address, email address and telephone number in order to contact you in relation to performing the services requested by our client.
Nationality
  • You or our client.
Some of the services we use and provide require us to provide information about your nationality.
Biometric information (i.e. fingerprints; facial recognition data)
  • You or our client.
Some services, such as criminal history checks from some jurisdictions, use fingerprint or other biometric data to locate and identify relevant records.
Copies of photograph ID (often the original copies may need to be signed or the copies certified)
  • You or our client.
Some services, particularly those provided by government agencies, require a photograph ID, including as part of confirming our authorisation to request information from them about you.
Copies of Identity documents (often the original copies may need to be signed or the copies certified)
  • You or our client;
  • A third party that we are requesting information from.
To verify your identity or address where requested to do so by our client or a third party who we are requesting your information from.
Government issued identifiers (e.g. social security number; national insurance number; driving licence number; Passport identifier etc.)
  • You or our client;
  • Publicly available sources;
  • Credit reference agencies;
  • Government agencies.
To conduct searches, or request searches, from third parties where the records being searched are associated with a government identifier (e.g. driving records).
Immigration status
  • You or our client;
  • Government agencies.
To confirm eligibility to work in the relevant jurisdiction (e.g. where a role being applied for is located).
Criminal history information and police records
  • You or our client;
  • Publicly available sources;
  • Credit reference agencies;
  • Government agencies.
This information is often provided as part of the background screening process, in particular for certain positions or roles.
Credit or bankruptcy history
  • Credit reference agencies;
  • Government agencies;
  • Publicly available sources.
Some clients request financial or identity information from credit files held by credit reference agencies or in public record information. This type of information is particularly relevant for some positions of trust.
Civil court records
  • Government agencies;
  • Courts;
  • Publicly available sources;
  • Credit reference agencies.
Some clients request information about your litigation history in the civil courts.
Salary/Income details
  • You or our client;
  • Third parties that provide information in relation to credit and/or employment history.
Some clients disclose this information to us and/or request that we verify this information.
Property ownership information
  • Credit reference agencies;
  • Government agencies.
In providing our services, some clients request that we verify the ownership of your residence and provide information about any mortgages on it.
Government watch or sanctions lists
  • Government agencies (including law enforcement and fraud prevention agencies).
To check whether or not you appear on any government watch or sanctions lists. This may be particularly relevant for specific roles or positions of trust.
Directorship; shareholding and corporate governance history
  • You or our client;
  • Publicly available sources;
  • Credit reference agencies;
  • Government agencies;
  • Corporations and/or charities that you have previously been involved with.
To provide to our client the opportunity to review your history or current status as a director, officer, trustee or shareholder with corporations and charities and to confirm that you are not barred from holding such positions.
Employment and volunteering history
  • You or our client;
  • Your current or past employers;
  • Organisations you currently, or have previously, volunteered with;
  • Third parties that hold employment records on behalf of your current or past employers or bodies you have volunteered with;
  • Employment/recruitment agencies that placed you with current or former employers;
  • Referees that you have provided;
  • Credit reference agencies;
  • Government agencies.
To verify your employment history, as requested by our clients.
Education information and history
  • You or our client;
  • Educational institutions that you have attended, or currently attend;
  • Third parties that hold records on behalf of educational institutions that you have attended or currently attend;
  • Government education authorities in jurisdictions where you have attended an educational institution;
  • Referees that you have provided.
To verify your education or education activity history.
Professional memberships; licences; designations; awards; credentials; sanctions or disciplinary decisions
  • You or our client;
  • Professional organisations that you have been association with or are a current member of;
  • Third parties that hold records on behalf of professional associations you are or have been a member of or associated with;
  • Publicly available sources;
  • Referees that you have provided;
  • Employment history sources.
To verify your membership of a professional association; your standing as a member of a profession; your completion of professional development, sanctions or disciplinary actions against you.
Information about your activity during periods of absence form work or study
  • You or our client;
  • Referees that you have provided.
To verify your activity history, for example to confirm reasons you have provided for a gap in employment or study history (i.e. travel).
Referee reports; opinions about you
  • You or our client;
  • Professional organisations that you have been association with or are a current member of;
  • Third parties that hold records on behalf of professional associations you are or have been a member of or associated with;
  • Educational institutions that you have attended, or currently attend;
  • Third parties that hold records on behalf of educational institutions that you have attended or currently attend;
  • Publicly available sources;
  • Referees that you have provided;
  • Employment history sources.
To obtain references about you, as requested by our client, including about your character. Opinions about you may also be given by other third parties including when we are verifying your employment, study or volunteering history.
Health information, including results from pre-employment medical tests
  • You or our client;
  • Drug testing services;
  • Medical practitioners (i.e. your GP) that conduct a consultation with you as part of our services.
To test for drug use or health conditions, as requested by our client.
A copy of your driving licence (often the original copies may need to be signed or the copies certified) and your driving record.
  • You or our client;
  • Government agencies.
To confirm you hold a valid licence, including for a specific category of vehicle, and review your driving history.
Information relating to firearm and vehicle registration.
  • Government motor registration agencies;
  • Firearm registration sources.
To confirm your current vehicle and firearm registrations, where this is requested by our client.
Media, including social media posts
  • Publicly available sources;
  • Social media sites.
As part of our services provided to our client, we may search for media content about you, assess your publicly available social media activity, or search for references to you that appear online.
Telephone call recordings
  • Callers to our telephone numbers.
We monitor some telephone calls for quality-assurance and training purposes.
Your opinions about us
  • Feedback providers (e.g. you or our client).
We may seek, or be provided with, feedback about our conduct, services or operations.

2. How we collect personal data

Where it is practicable to do so, we collect personal data directly from the individual to whom it relates. However, given the nature of our services, particularly where we act on our clients' instructions as a background screening provider, there may be circumstances where we need to collect personal data from a third party including those listed in the table above.

Where required, we take steps to ensure that you provide the appropriate authorisation for the collection and handling of your personal data by us and/or that our clients provide you with the required notifications for the handling of your personal data by us.

3. How we use personal data and for what purposes

We use the personal data we collect in order to provide our services to our clients, such as conducting pre-employment screening (including volunteers) and checking the identity information on identity documents with the government agencies that issued them. For a list of the specific uses for each type of personal data we use please see the table above.

Where necessary, we may need to use personal data to comply with applicable laws (e.g. to meet obligations we may have under legislation).

We use the personal data that we hold for internal audit and quality assurance purposes to ensure that access to the personal data that we hold is monitored, recorded and auditable. We also use the personal data that we hold to develop and train staff on system improvements and enhancements to our services.

Our lawful basis for processing

Under the GDPR, we can only process your personal data where we have a valid lawful basis to do so.

When we process your personal data for the purposes of providing our services, we work with and rely on our client for deciding the lawful basis for processing where our client has contact with you.

Depending on the circumstances, our clients may rely on the following lawful bases for processing your personal data:

Generally, depending on the circumstances, we rely on the lawful bases of legitimate interest, contract, consent, or compliance with a legal obligation to process your personal data. We rely on the basis of consent to process any special category personal data and your consent is usually collected from you by our client or suppliers. On rare occasions, we will request your consent prior to collecting and / or processing special category personal data.

We have no control over decisions made by our clients or any action they may take, as a result of the outcome of a background screening service provided by us or in response to you withholding your consent to the processing of your personal data by us.

If you have any questions about the consequences of not providing your personal data or refusing consent to your personal data being processed by us, these questions should be directed to our client (e.g. your potential employer).

4. Disclosure of personal data

As part of providing our services we may disclose the personal data that we collect to third parties.

Disclosure to verification sources

In particular, the services we provide often involve verifying or checking the validity of personal data with third party sources. To do this, we usually need to disclose to the verifying third party:

In some cases, we may provide this personal data to the third party via an online portal, over the telephone, via email, by letter or in person.

As part of providing our services, we also provide our client with the results of our background screening, and other personal data they may have requested, in the form that the client has requested it.

Third party verification source Personal data disclosed Purpose of disclosure
Employers, employment agencies, referees, educational institutions and authorities; professional associations; licensing and registration authorities and organisations that hold records on behalf of the above. Personal data required to verify employment; educational and professional qualifications and history; licenses and registration; and to obtain references. To obtain:
  • verification of employment; verification of qualifications and licences; and
  • references.
Agencies including credit, criminal records, social media, identity verification, watchlists, sanctions and PEPS, international criminal and credit Personal data necessary to conduct credit, bankruptcy, court, identity searches, criminal record searches, social media searches, watchlist, sanctions and PEPS searches, international criminal records and/or international credit checks. To provide credit, bankruptcy, court and identity searches.
Your clients, accountant, lawyer, management company or agencies you registered with Personal data needed to verify your self-employment and obtain references for you. To verify your self-employment; to obtain references.

Disclosure to third party service providers

We use third parties to process personal data on our behalf in some circumstances, and to perform some limited tasks, including hosting and background screening. The table below sets out the type of third-party providers we use; the type of personal data we disclose to them and why.

Third party verification source Personal data disclosed Purpose of disclosure
Hosting providers All of the personal data we hold. To ensure secure availability of VETTING.com's services.
Data services Data listed in section 1 To support the third parties to identify individuals that data has been requested for.
Auditing services Personal data the enables monitoring of the security, integrity and quality of our services. For quality assurance and security auditing.

Transfer of personal data to other countries

If you have lived, worked or studied overseas we may need to transfer your personal data to countries that are outside of the UK, particularly in order to verify that information. If so, we will ensure the appropriate safeguards are in place with the recipient to ensure the continued protection of your personal data. Generally, we transfer personal data to other countries in situations where:

Disclosures required or authorised by or under law

In some circumstances, we may be required or authorised to provide personal data to government authorities including law enforcement and national security agencies, courts, or other public authorities in jurisdictions where we are subject to the law. Where that information was collected from, or on behalf of, a client we will consult that client before releasing the information unless such consultation is prohibited by law. Any such disclosures will be made in compliance with the law, including any applicable data protection laws.

5. Storage and security of personal data

We take the security of the personal data that we hold seriously and implement measures to ensure its protection. All VETTING.com staff handle personal data sensitively and in accordance with the applicable privacy and data protection laws.

We take all reasonable steps to protect the personal data we hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. These steps include using electronic and physical security measures, including VETTING.com word protected software and hardware, firewalls, monitoring and alert systems to detect and prevent intrusion attempts, and industry standard encryption. VETTING.com performs regular penetration testing to maintain the security of the systems under our control. In addition, we are certified to the Cyber Essentials Plus standard.

Retention

We hold personal data for no longer than required and take reasonable steps to destroy or de-identify that information. We keep personal data that was collected from or on behalf of a client for the time period requested by the client- please direct questions about this retention period to our client. It may be necessary for us to retain personal data to comply with our legal obligations, or for insurance or audit purposes.

6. Data quality and accuracy

To perform our services, we rely on the accuracy of the personal data that is provided to us by you, our client or any of the sources listed at the table at section 1. If you have any concerns about the accuracy of the personal data processed about you, on behalf of our client, you should first contact our client. We implement rigorous quality controls of our processes to assist in ensuring accuracy as far as possible. We will update or correct your personal data if we confirm it is inaccurate.

7. Automated decision-making and profiling

We do not make decisions about you and do not use automated decision-making or undertake profiling using your personal data. If our client instructs us to do so, we may conduct automated processing of personal data on our client's behalf.

8. Data Subject Access Request (DSAR), correction, deletion, portability, privacy complaints and enquiries

We usually act as processor as we process personal data for and on behalf of our clients. Therefore, where we are acting as a data processor in relation to your personal data on behalf of a client, you should direct any requests to our client in the first instance.

However, where we act as data controller, you can request access to the personal data that we hold about you (e.g. in relation to the personal data collected via our website). You can also ask us to correct inaccurate personal data about you and/or to add comments or explanations to records we hold about you. In addition, you can request the erasure/deletion of your personal data or ask that we not use your personal data for certain purposes, or request that we transfer to a third party.

In order to respond to your request, we may need to consider a number of factors, including the lawful basis for the processing of the personal data your request relates to. We will provide you with clear reasons for our response.

You may request to update, delete or access personal data, or make a privacy complaint or enquiry, by contacting us at support@vetting.com

Sphinx Technology Limited
7 Bell Yard, London
WC2A 2JR, UK

If we are unable to resolve your privacy complaint to your satisfaction, you may contact the Information Commissioner's Office.

Our Information Commissioner's Office Registration Number: ZA561360

9. Incident Reporting and Potential Data Breaches

If you suspect that your data has been breached as a result of our processing, or that of one of our subprocessors, then please send an email to security@vetting.com with details of the incident, including:

We will then complete an investigation within 48 hours and provide an appropriate response, with any discoveries or mitigations put in place.

10. Marketing

For the delivery of direct marketing to you via e-mail, we need your consent, which can be via an express opt-in or soft-opt-in:

if you are not satisfied about our approach to marketing, you have the right to withdraw consent at any time.

11. Changes of business ownership and control

We may, from time to time, expand or reduce our business and this may involve the sale and/or the transfer of control of all or part of the company or business. Data provided by you may be transferred. The new owner or newly controlling party will, under the terms of this privacy policy, be permitted to use the personal data for the purposes for which it was originally supplied to us.

We may also disclose your personal data to a prospective purchaser of our business/ company or any part of it.

In the above instances, we will take steps with the aim of ensuring your privacy is protected.

12. Data Processing Agreement

Our Data Processing Agreement


Date of Last Review: 16 October 2023