This website and our services are not intended for children and we do not knowingly collect data relating to children.
This privacy notice includes the following sections:
We are fully committed to privacy issues and process all personal data in accordance with this policy which details our approach on such issues, and commitment to meeting our obligations under the General Data Protection Regulations (GDPR).
You have rights under the General Data Protection Regulations. This Policy describes how Cataphract will comply with the regulations when processing your personal data.
This Policy applies to users of the Cataphract Disclosure and Pre-employment Screening and Vetting services (“Clients”), those apply for DBS checks or other form of screening (“Applicants”) and website users.
Legal grounds for processing personal information
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We will only hold your personal data if you are a Client (where we need personal data for account administration) or Applicant (where we need personal data for processing the relevant disclosure (“Disclosure”)) or background check or security vetting.
If you have a police record, we will not hold any data relating to this, only the Disclosure number and date of issue of the Disclosure Certificate will be retained.
Cataphract does not capture or store data about visitors to its website. However, if you choose to give us personal data such as your name, address, or e-mail for the purpose of making an enquiry, the personal data will be kept for the time taken to process that enquiry. Client names, postal addresses, e-mail addresses and telephone numbers of the lead contact for each client are retained for contact and administration purposes only.
Cataphract is the data controller of all personal data it holds. This means that we are responsible under the General Data Protection Regulations for the safety of the data. Where Cataphract must disclose any personal data to any third party organisation for pre-employment screening and vetting working on Cataphract’s behalf, we require the third party to respect the security of your personal data and to treat it in accordance with the law. We do not allow third-party service organisations to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
Your personal data will only be used as necessary to provide our services that you have requested and for contact and administration purposes. Cataphract staff will use your personal data to conduct the checks that are necessary for the issue of Disclosures. As part of this, your personal data may be passed to other organisations involved in the obtaining of Disclosures and Pre Employment Screening services. These may include:
All our staff are data protection trained and are aware of their responsibilities under the GDPR and this policy.
We conduct regular compliance checks on all our systems. An external independent inspection is carried out annually by Quality Management Systems as part of their audit for BS EN ISO 9001 & 27001.
The online application form asks only for personal data that is necessary to carry out a Disclosure.
Other forms of screening may require additional personal data as described in the Disclosure application form.
For all enquiries relating to Pre-Employment screening and vetting we work to the requirements of BS 7858:2019. Information on identity, previous employments and referees are retained only as long as is needed for enquiries to be made as to the suitability of the candidate and we have a legitimate interest and authorization to undertake the searches and checks.
Cataphract will ensure that personal data is not held for longer than is necessary for the purpose and that Disclosures will not be held for longer than the period recommended by the Criminal Records Bureau (currently 6 months) except if:
In establishing retention and archiving periods, Cataphract will make provision for repeat applications, complaints and legal requirements.
Data relating to pre–employment screening will be held for 6 months from the date of the application.
Where we are holding your data for security clearance management purposes, we will hold this for one year after you leave the employment to ensure we have a footprint incase you wish to return to the employer. After this time, the data will be deleted.
Your personal data will be held in secure computer files, which have restricted access. We have put measures in place to ensure an appropriate level of security (given the harm that unauthorised or unlawful processing might cause and the nature of the personal data) to stop unlawful access and disclosure. Our online form is protected by a 128-bit SSL Certificate issued by Thawte. All personal data entered is encrypted to this standard. Our secure pages are marked with the Thawte Trusted Site Seal.
You have the right to request erasure of personal data related to you on any one of a number of grounds including non-compliance with article 6.1 (lawfulness) that includes a case where the legitimate interests of the controller is overridden by your interests or fundamental rights and freedoms which require protection of personal data.
You have the right to erasure if
· the personal data is no longer necessary for the purpose which you originally collected or processed it for;
· you are relying on consent as your lawful basis for holding the data, and the individual withdraws their consent;
· you feel there is no more legitimate interests for processing, the you object to the processing of your data, and there is no overriding legitimate interest to continue this processing;
· cataphract have processed the personal data unlawfully (ie in breach of the lawfulness requirement of the 1st principle);
· you have to do it to comply with a legal obligation; or
· you have processed the personal data to offer information society services to a child.
Personal data should only be processed in accordance with the rights of an individual. These rights include:
Subject Access Requests should be sent to firstname.lastname@example.org and will be actioned within a month of request.
You can request
Our website may invite you to sign up for certain features, such as newsletters, email updates and other general interactive features. Where you provide information for these purposes, we will use your information to provide the relevant service that you have requested and to manage your preferences. We may also gather statistics around email opening and clicks using technologies to help us monitor and improve our newsletters and email subscriptions. You will have the ability to unsubscribe from any repeat communications at any time. You are also welcome to contact us at email@example.com to unsubscribe.
Cookies are text files placed on your computer to collect standard internet log information and visitor behaviour information. This information is used to track visitor use of the website and to compile statistical reports on website activity. After termination of the visit to our site, you can always delete the cookie from your system if you wish.
Third Party Links
This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.
Transfer outside the European Economic Area
If you have recently lived in the Channel Islands or the Isle of Man, it is likely that we will pass your personal data to police forces in the that area as necessary for obtaining the Disclosure. As part of applying to us for a Disclosure, you consent to this transfer.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
We will be happy to answer any questions on this policy. Please notify any dispute to Barry Clark (Cataphract’s Data Protection Compliance Manager).
Data Protection Officer
PO Box 70507, London, N20 2DB
Tel: 020 8446 4695