Guidance

Security Vetting Appeals Panel (SVAP) privacy notice

Updated 10 January 2025

© Crown copyright 2025

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/security-vetting-appeals-panels-svap-privacy-notice/security-vetting-appeals-panel-svap-privacy-notice

1. Definitions

1.1. DPA 2018: Data Protection Act 2018 (as amended). 

1.2. UK GDPR: The UK General Data Protection Regulation (as amended). 

1.3. Sponsor Organisations: government departments and agencies, the Armed Forces, Police forces and any other organisation that sponsors an individual’s National Security Vetting (NSV). 

1.4. Sponsored Individual(s): individual(s) for whom the Sponsor Organisation requires NSV. 

1.5. Third Party: individual(s) connected to the Sponsored Individual such as: current or former spouse or partner, parent, parent-in-law, family member, cohabitant, character referee, supervisor or ex-supervisor. 

1.6. NSV Service Provider: An organisation instructed by the Sponsor Organsation to provide NSV services: including but not limited to: the initial application process, annual security appraisals; enquiries scheduled during security clearance to monitor identified risk factors; unscheduled enquiries necessitated during the life of a clearance by an unforeseen event such as a change of circumstances or a report of security concerns regarding a clearance holder (an “Aftercare Incident Report”); and other clearances or related authorisations. 

2. Why we will process your data

2.1. We will process your data and that of third parties for the purpose of considering your appeal regarding the refusal or withdrawal of your national security vetting (NSV)

2.2. We will assess the merits and reasonableness of adverse NSV decisions and to inform its report and recommendation(s) in each case.

2.3. We may process your data for the purpose of video-conferencing to allow provision for remote hearings. 

2.4. We may also process your data for ancillary purposes, for example, in an anonymised way for business monitoring and planning purposes. 

2.5. We may also process your data to meet legal obligations.

2.6. We may also process your data to safeguard national security. 

2.7. We will also process your data to inform SVAP policy and precedent.

3. The categories of personal data we will process

3.1. Depending on the level of security clearance in question, we may process all categories of personal data which were collected in the course of the National Security Vetting (NSV) process. 

3.2. These may include, the following categories of personal data:

  • full current and former names
  • identity documentation
  • level of security clearance held or required
  • date and place of birth
  • grade or rank
  • job title and staff or service number
  • National Insurance number
  • current and former nationality
  • current and former addresses
  • work addresses
  • work and personal email addresses
  • work and personal landline and mobile numbers
  • marriage and partnerships
  • details about natural and other parents
  • details about siblings
  • details about a partner’s natural or other parents
  • details about co-residents
  • education and employment history
  • details of current and former supervisors
  • character referees
  • criminal convictions and related matters
  • financial information and history
  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Health (including disability and dietary requirements)
  • Data concerning sex life or sexual orientation

3.3. We may also process data on a Third Party such as relatives and associates of a Sponsored Individual, including but not limited to their parents, their partners and their children. This information may be provided to the SVAP by the Sponsored Individual directly in support of their appeal and/or by the Sponsor Organisation or NSV Service provider. In most cases, this information would be captured in the vetting questionnaire which all Sponsored Individuals complete.

4. Third Party data

4.1. Third Party data is processed for the same purpose and on the same legal basis as the Sponsored Individual’s personal data. 

4.2. Third Party personal data is collected via the Sponsored Individual, the Sponsor Organisation and/or the NSV Service Provider. Depending on the level of security clearance in question, your connection to the Sponsored Individual, the Sponsor Organisation and/or the NSV Service Provider, we may process all categories of personal data which were collected in the course of the NSV process. 

4.3. If you are a Third Party that might be affected, you should review this privacy notice in its entirety to understand how and why your data is processed. You have the same rights as Sponsored Individuals. See section 12 for more detail on what these are and how to act on them. 

5.1. The legal basis for processing personal data and that of any Third Party is that it is necessary for the performance of a task carried out in the public interest and in the exercise of official authority vested in the data controller. 

5.2. Special category data and/or criminal offence data will also be processed in accordance with one or more of the following conditions: processing is necessary for reasons of substantial public interest, in the exercise of a function of a government department (conducting NSV appeals is a function of the SVAP,) and/or processing is necessary for the preventing or detecting of unlawful acts and is necessary for reasons of substantial public interest. 

6. How your personal data will be processed

6.1. Your personal data and that of any Third Party will be processed to follow the stages as described in the Security Vetting Appeals Panel’s Procedural Guidance Document. This document is provided to Sponsored Individuals when you have submitted a notice of your intention to appeal to the Panel. This document explains the process and what the Security Vetting Appeals Panel will do. This document can also be downloaded from the SVAP’s gov.uk webpage.

7. Who we share your data with

7.1. The personal data we collect and process for NSV appeals is very strictly controlled and protected by a high level of physical, cyber and personnel security measures. Access to your personal data is only provided for the purpose of determining your NSV appeal and to those with a strict ‘need to know’, such as the members of the SVAP hearing your appeal and the SVAP Secretariat, who are subject to an ongoing duty of confidentiality.

7.2. To conduct your appeal it will be necessary to share your personal data with the Sponsor Organisation that took the decision and any other authority (such as the NSV Service Provider) that provided information relevant to that decision. 

7.3. Depending on the sensitivities involved in your case, it may be necessary to share your personal data with a person or persons chosen or appointed to act on your behalf, for example, a legal adviser or Special Advocate. 

7.4. In exceptional circumstances, information containing personal data may be sufficiently serious that SVAP may consider it necessary to share relevant information without consent and for purposes which are not related to NSV with competent authorities that discharge statutory law enforcement functions, such as the police. This might occur, for example, when information suggests that an individual may have committed a previously undetected criminal offence of a sufficiently serious nature, that an offence may be about to be committed, that individuals may be at risk of harm, and/or that action is required to safeguard national security. 

7.5. We will also share your data with our IT providers who provide platforms that hold vetting data. This includes our secure document workspace that provides a platform to share official information and our casework management system supplier.

8. How long will we keep your personal data?

8.1. Your personal data will normally be retained for 6 years from the date of the conclusion of the SVAP process for the purpose for which it is processed. 

8.2. It may be necessary to retain some personal data beyond this period for the same purposes for which it is processed. 

8.3. Individual SVAP reports, that detail the Panel’s conclusions and recommendations, are required to inform SVAP policy and precedent and are stored indefinitely.

9. Failure to provide data

9.1. To enable SVAP to provide its full service, Sponsored Individuals are required to provide the personal data requested by the SVAP as part of the independent appeals process. If you do not provide the requested data, it will impact our ability to consider your appeal and may mean we are unable to consider your appeal.

10. Where you have not provided your personal data

10.1. Where you have not provided your personal data, it was provided to us by a Sponsored Individual who has raised an appeal with SVAP, or by another authority relevant to the NSV decision. For example, the SVAP will not obtain the personal data of a Sponsored individual’s character referee directly from the individual but it may be provided to the SVAP by the NSV service provider.

11. Decisions are not based on automated processing

11.1. The SVAP is an advisory body and can only recommend, rather than decide, that an appeal be upheld or dismissed. Recommendations are made by the Panel on an individual basis after consideration of all relevant information before them. NSV decisions are ultimately the responsibility of the personnel security risk owner, normally the Sponsor Organisation.

12. Your data rights

12.1. You have a considerable say over what happens to your personal data. Your rights and how you may exercise them are fully detailed on the ICO website.

12.2. These rights include: 

12.2.1. to request information about how your personal data are processed, and to request a copy of that personal data;

12.2.2. to request that any inaccuracies in your personal data be rectified without delay;

12.2.3. to request that any incomplete personal data be completed, including by means of a supplementary statement;

12.2.4. to request that your personal data be erased if there is no longer a justification for them to be processed;

12.2.5. in certain circumstances, for example, where accuracy is contested, to request that the processing of your personal data is restricted;

12.2.6. to object to the processing of your personal data.

12.2.7. To lodge a complaint with the independent Information Commissioner’s Office (ICO) if you think we are not handling your data fairly or in accordance with the law. You can contact the ICO website or telephone 0303 123 1113. Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.

12.3. The exercise of these rights may be subject to certain limitations or exemptions, including (but not limited to) where an exemption is required for national security or where processing is necessary for the prevention and/or detection of crime. 

12.4. If you have any concerns about how the SVAP is handling your personal data, you may contact our Data Protection Officer (DPO). The DPO provides independent advice and monitoring of SVAP’s use of personal information. As the SVAP is an independent arms-length body supported by the Cabinet Office, the Data Protection Officer for the SVAP can be contacted via the Cabinet Office at the following email address: dpo@cabinetoffice.gov.uk

Back to top