DBT's national security vetting privacy notice
Updated 11 April 2024
This notice sets out how we will use your personal data, and your rights.
Articles 13 and/or 14 of the UK General Data Protection Regulation (UK GDPR) specify what individuals have the right to be informed about. This privacy notice applies to all previous and current National Security Vetting (NSV) applications processed and held by the Department for Business and Trade (DBT) and should be read in conjunction with the United Kingdom Security Vetting (UKSV) privacy notice and personnel security controls.
DBT treats all personal information in accordance with data protection legislation, including the UK GDPR and the Data Protection Act 2018.
Personal data
Personal data we process includes:
- personal contact details such as name, title, addresses, telephone numbers, and personal email addresses
- dates of birth, marriage, and divorce
- gender
- marital status
- caring responsibilities
- next of kin, emergency contact and death benefit nominee(s) information
- national insurance number
- bank account details, payroll records and tax status information
- start date and leaving date including service with other government departments (OGDs)
- location of employment or workplace (and home to office travel details)
- copy of driving paperwork, passport, birth and marriage certificates, decree absolute
- recruitment information (including copies of right to work documentation, references and other information included in a CV or cover letter or gathered as part of the application process)
- full employment records for Civil Service employment including contract, contractual status, terms and conditions, job titles, work history, probation, working hours (including overtime), promotion, absences and reasons, attendances, workplace allowances, skills and training records and professional memberships. Retirement status (including partial retirement)
- ‘special categories’ of personal data such as information about your race or ethnicity, political opinions, health, religious beliefs, or sexual orientation
- disciplinary and grievance information
- secondary employment, conflict of interest, volunteering, and reservist information
- evidence of how you meet the Civil Service nationality rules and confirmation of your security clearance. This can include passport details, nationality details and information about convictions/allegations of criminal behaviour
- evidence of your right to work in the UK and immigration status
We process criminal offence data under Article 10 of the UK GDPR. We will only use information relating to criminal convictions or alleged criminal behaviour as part of the vetting process and where the law allows us to do so. This can arise when it is necessary for us to comply with the law or for another reason where there is a substantial public interest in us doing so.
UKSV and DBT are joint data controllers of NSV data processed by UKSV for the purpose of providing NSV services. This is because we are both processing personal data for the purposes of conducting and managing NSV. UKSV will start to be a joint data controller of personal data when it receives an application from DBT for the provision of NSV services in respect of the Sponsored Individual[footnote 1] and starts processing NSV data in respect of that Sponsored Individual.
How your personal information is collected
DBT initially collect personal information about employees, workers and contractors through the application and recruitment process. We may collect information from Cabinet Office, OGDs, as well as directly from the individual as part of NSV.
We will sometimes collect additional information from third parties including:
- Disclosure Barring Services
- Government Recruitment Service
- OGDs or previous employers
Purpose
We will process your personal data and that of third parties for the purpose of carrying out NSV, including aftercare. NSV is necessary and proportionate to safeguard the UK’s national security. We may also process your data for ancillary purposes, for example, to facilitate an appeal to the Security and Vetting Appeals Panel, to fulfil legal and regulatory requirements or, in an anonymised way for business monitoring and planning purposes.
Legal basis of processing
The legal basis for processing your personal data is:
Personal data
UK GDPR Article 6(1)(e) Public task: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. The public task is the preservation of national security standards and the protection of government assets.
Personal data may also be processed in accordance with Article 6(1)(a) or (c) of the UK GDPR, where consent is obtained, or it is necessary for compliance with a legal obligation to which the data controller is subject.
Special category data and criminal offence data
We process criminal offence data under Article 10 of the UK GDPR. We will only use information relating to criminal convictions or alleged criminal behaviour as part of the vetting process and where the law allows us to do so. This can arise when it is necessary for us to comply with the law or for another reason where there is a substantial public interest in us doing so.
Special category data may also be processed in accordance with Article 9(2)(g) where processing is necessary for reasons of substantial public interest, on the basis of Domestic Law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
Special category data and/or criminal offence data will also be processed in accordance with one or more of the following conditions:
-
paragraph 6 of Schedule 1 of the DPA 2018 (processing necessary for reasons of substantial public interest, in the exercise of a function of a government department); and/or
-
paragraph 11 of Schedule 1 of the DPA 2018 (processing is necessary for the exercise of a protective function and is necessary for reasons of substantial public interest)
Data sharing
Your personal data will be shared by us with:
- UKSV
- OGDs only if a clearance is being transferred or shared with them
- your sponsor government department (to request access to relevant personnel records or notify them on your security clearance decision)
- public authorities which maintain national security and criminal record databases
- credit reference agencies
- referees (for example, supervisors, character and academic)
We will in some circumstances have to share your data with third parties, including other Civil Service bodies and in particular the UKSV and this notice should be read in conjunction with the UKSV Privacy notice for processing personal data during NSV. We may also notify your sponsor or employer whether your clearance has been granted, refused, or withdrawn.
Very exceptionally, data supplied by you or by a third party may be sufficiently serious that the DBT as the data controller may consider it necessary and in the public interest to share information with an appropriate authority, such as the police. This might occur when information suggests that:
- you may have committed a previously undetected criminal offence, or that an offence may be about to be committed
- you or others may be at risk to harm
- action is required to safeguard national security
Retention
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for (safeguarding national security), including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, DBT considers the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the business need for retention and purposes for which we process your personal data. The other considerations are whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we will anonymise your personal information so that it can no longer be associated with you, in which case we will use such information without further notice to you.
In general, for information collected for vetting purposes, DBT will adhere to the accepted government standard for data retention for NSV, which is 5 years after retirement of the applicant or one year after death.
The joint data controller relationship of NSV data processed ends when that data is deleted or destroyed from UKSV systems.
Your rights
Your rights and how you may exercise them are fully detailed on the Information Commissioner Office (ICO) website. In short, you have the right to:
- request information about how your personal data are processed, and to request a copy of that personal data
- request that any inaccuracies in your personal data are rectified without delay
- request that any incomplete personal data are completed, including by means of a supplementary statement
- in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted
- object to the processing of your personal data where it is processed for direct marketing purposes
- object to the processing of your personal data
Contact details
The data controller for your personal data is the Department for Business and Trade. You can contact the DBT Data Protection Officer at:
Data Protection Officer
Department for Business and Trade
Old Admiralty Building
Admiralty Place
London
SW1A 2DY
You can contact the UKSV Data Protection Officer at dpo@cabinetoffice.gov.uk.
Complaints
If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an UK independent regulator. The Information Commissioner can be contacted at:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Monday to Friday 9am to 4:30pm
Make a complaint on the ICO website
Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.
-
Sponsored individual: applicant (you) for whom DBT (sponsoring organisation) requires National Security Vetting. ↩