This website and our services are not intended for children and we do not knowingly collect data relating to children.
This privacy notice includes the following sections:
- Cataphract Privacy Statement
- Overall Principles
- About this policy
- What personal data we hold
- Responsibility for your personal data
- Use of your personal data
- What personal data is necessary for a Disclosure Application?
- Special categories of personal data
- Pre-Employment Screening and Vetting
- Retention of personal data
- Storage of personal data
- Right to Erasure
- Individual rights
- Third party links
- Transfer outside the European Economic Area
- Data Security
- Notification of changes
- Contact details and disputes
1. Cataphract Privacy Statement
We are fully committed to privacy issues and process all personal data in accordance with this policy which details our approach on such issues, and commitment to meeting our obligations under the General Data Protection Regulations (GDPR).
2. Overall Principles
- Only personal data that we need to provide our services or carry out the relevant screening is processed
- Your personal data is only seen by those who need it to do their jobs
- Personal data is retained only for as long as it is required
- Decisions affecting you are made on the basis of reliable and up to date information
- Your personal data is protected from unauthorised or accidental disclosure as described in this Policy
- Inaccurate or misleading personal data will be corrected as soon as possible after it is notified to us
3. About this policy
You have rights under the General Data Protection Regulations. This Policy describes how Cataphract will comply with the regulations when processing your personal data.
This Policy applies to users of the Cataphract Disclosure and Pre-employment Screening and Vetting services (“Clients”), those apply for DBS checks or other form of screening (“Applicants”) and website users.
Legal grounds for processing personal information
- our legitimate interests in the effective delivery of information and services to you and in the effective and lawful operation of our businesses (provided these do not interfere with your rights);
- to satisfy any legal and regulatory obligations to which we are subject; or
- to perform our obligations under a contract we are about to enter into or have entered into with you ;
- where no other condition for processing is available, if you have agreed to us processing your personal information for the relevant purpose; or
- where something is done in the public interest.
4. What personal data we hold
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We will only hold your personal data if you are a Client (where we need personal data for account administration) or Applicant (where we need personal data for processing the relevant disclosure (“Disclosure”)) or background check or security vetting.
If you are processing your criminal record check through Cataphracts DBS, Access NI or Disclosure Scotland service, we will not hold any data relating to this, only the Disclosure number and date of issue if applicable.
If we are processing your criminal reference for the purposes of Security Vetting, we will hold necessary data that is required for the purpose of applying to and managing your clearance.
Cataphract does not capture or store data about visitors to its website. However, if you choose to give us personal data such as your name, address, or e-mail for the purpose of making an enquiry, the personal data will be kept for the time taken to process that enquiry. Client names, postal addresses, e-mail addresses and telephone numbers of the lead contact for each client are retained for contact and administration purposes only.
5. Responsibility for your personal data
Cataphract is the data controller of all personal data it holds. This means that we are responsible under the General Data Protection Regulations for the safety of the data. Where Cataphract must disclose any personal data to any third party organisation for pre-employment screening and vetting working on Cataphract’s behalf, we require the third party to respect the security of your personal data and to treat it in accordance with the law. We do not allow third-party service organisations to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
6. Use of your personal data
Your personal data will only be used as necessary to provide our services that you have requested and for contact and administration purposes. Cataphract staff will use your personal data to conduct the checks that are necessary for the issue of Disclosures. As part of this, your personal data may be passed to other organisations involved in the obtaining of Disclosures and Pre Employment Screening services. These may include:
- The Disclosure and Barring Service, Disclosure Scotland & AccessNI
- Police Forces in England, Wales and Northern Ireland, the Isle of Man and the Channel Islands – searches will be made on the PNC and data may be passed to local police forces in the area where you live, or have previously lived. The data will be used to update any personal data the police currently hold about you
- Department of Health/Department for Education– data may be passed to the relevant department if your job involves working with children or vulnerable adults in relation to the lists held
- Scottish Criminal Record Office (SCRO) – if you have spent any time living in Scotland
- Customer satisfaction surveys – the Cataphract may conduct customer satisfaction surveys and may employ a specialised organisation to conduct the survey on their behalf. The data used will be restricted to name and address
- United Kingdom Central Authority – for information exchange with other EU countries in accordance with the decision made by the council of The European Union
- Home Office Detention & Escorting Services Immigration Enforcement Team for staff working in Immigration Removal Centres
- Airport Authorities for staff working “airside”
- HelloSign – Request and receive authority to complete pre employment screening checks
- Call Credit – If you are subject to a credit worthiness check for a regulated or Home office position
- Licence Bureau – checks to validate driving licence points
- Cataphract DBS System – own system to process Basic, Standard and Enhanced DBS Checks
- Care Check DBS system – For Cataphract to process Basic DBS Checks.
- Cataphract Vetting System (CVS) – control and manage all applicants in regard to vetting and pre employment screening.
All our staff are data protection trained and are aware of their responsibilities under the GDPR and this policy.
We conduct regular compliance checks on all our systems. An external independent inspection is carried out annually by Quality Management Systems as part of their audit for BS EN ISO 9001 & 27001.
7. What personal data is necessary for a Disclosure application?
The online application form asks only for personal data that is necessary to carry out a Disclosure.
- Name and Contact information
- Age, gender and nationality
- Occupation and company details
- Addresses you have lived in the last 5 years
- National Insurance Number
- Details from at least 3 pieces of ID
Other forms of screening may require additional personal data as described in the Disclosure application form.
8. Special categories of personal data
Special Category Data is not collected or needed for any work Cataphract undertake and will not be stored or collected. These can be classed as
- ethnic origin;
- trade union membership;
- biometrics (where used for ID purposes);
- sex life; or
- sexual orientation.
9. Pre-Employment Screening and Vetting
For all enquiries relating to Pre-Employment screening and vetting we work to the requirements of BS 7858:2012. Information on identity, previous employments and referees are retained only as long as is needed for enquiries to be made as to the suitability of the candidate and we have a legitimate interest and authorization to undertake the searches and checks.
10. Retention of personal data
Cataphract will ensure that personal data is not held for longer than is necessary for the purpose and that Disclosures will not be held for longer than the period recommended by the Criminal Records Bureau (currently 6 months) except if:
- a Disclosure is in dispute
- an employment decision is in dispute and the Disclosure is central to the enquiry
- the Applicant has provided consent
- permission has been gained from the CRB’s Data Protection Officer.
In establishing retention and archiving periods, Cataphract will make provision for repeat applications, complaints and legal requirements.
Data relating to pre–employment screening will be held for 6 months from the date of the application or if the account your aligned to has special requirements for regulated positions or environments.
Where we are holding your data for security clearance management purposes, we will hold this for one year after you leave the employment to ensure we have a footprint incase you wish to return to the employer. After this time, the data will be deleted.
11. Storage of personal data
Your personal data will be held in secure computer files, which have restricted access. We have put measures in place to ensure an appropriate level of security (given the harm that unauthorised or unlawful processing might cause and the nature of the personal data) to stop unlawful access and disclosure. Our online form is protected by a 128-bit SSL Certificate issued by Thawte. All personal data entered is encrypted to this standard. Our secure pages are marked with the Thawte Trusted Site Seal.
12. Right to Erasure
You have the right to request erasure of personal data related to you on any one of a number of grounds including non-compliance with article 6.1 (lawfulness) that includes a case where the legitimate interests of the controller is overridden by your interests or fundamental rights and freedoms which require protection of personal data.
You have the right to erasure
- the personal data is no longer necessary for the purpose which you originally collected or processed it
- you are relying on consent as your lawful basis for holding the data, and the individual withdraws their
- you feel there is no more legitimate interests for processing, the you object to the processing of your data, and there is no overriding legitimate interest to continue this
- cataphract have processed the personal data unlawfully (ie in breach of the lawfulness requirement of the 1st principle);
- you have to do it to comply with a legal obligation;
- you have processed the personal data to offer information society services to a child.
13. Individual rights
Personal data should only be processed in accordance with the rights of an individual. These rights include:
- to know what personal data we hold about you, and
- to ask us to amend any personal data if it is incorrect
- to receive a copy of that personal data if requested
Subject Access Requests should be sent to firstname.lastname@example.org and will be actioned within a month of request.
You can request
- confirmation what data is being processed
- Access to your personal Data
- Other supplementary information – this largely corresponds to the information that should be provided in a privacy notice (see Article 15).
- Rectification of data if incorrect or out of date
Our website may invite you to sign up for certain features, such as newsletters, email updates and other general interactive features. Where you provide information for these purposes, we will use your information to provide the relevant service that you have requested and to manage your preferences. We may also gather statistics around email opening and clicks using technologies to help us monitor and improve our newsletters and email subscriptions. You will have the ability to unsubscribe from any repeat communications at any time. You are also welcome to contact us at email@example.com to unsubscribe.
Cookies are text files placed on your computer to collect standard internet log information and visitor behaviour information. This information is used to track visitor use of the website and to compile statistical reports on website activity. After termination of the visit to our site, you can always delete the cookie from your system if you
16. Third Party Links
This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.
17. Transfer outside the European Economic Area
If you have recently lived in the Channel Islands or the Isle of Man, it is likely that we will pass your personal data to police forces in the that area as necessary for obtaining the Disclosure. As part of applying to us for a Disclosure, you consent to this transfer.
18. Data security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
19. Notification of changes
20. Contact details and disputes
We will be happy to answer any questions on this policy. Please notify any dispute to Barry Clark (Cataphract’s Data Protection Compliance Manager).
Data Protection Officer
PO Box 70507, London, N20 2DB
Tel: 020 8446 4695
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.