Guidance

Security Security Vetting Appeals Panel (SVAP) privacy notice

Updated 3 February 2021

The identity of the SVAP data controller and contact details

The Security Vetting Appeals Panel (SVAP), including the Secretariat, is the sole data controller for the SVAP process. The contact details for SVAP are:

Secretary SVAP
Cabinet Office
70 Whitehall
London
SW1A 2AS

Email: svap@cabinetoffice.gov.uk

If you wish to make any complaint or exercise any of your rights SVAP will acknowledge your complaint within five working days and send you a full response within 20 working days. If we are unable to respond fully in this time, we will write and let you know why and tell you when you should get a full response.

Why we will process your data

We will process your data and that of third parties for the purpose of considering your appeal. We may process your data for the purpose of video-conferencing to allow provision for remote hearings. We may also process your data for ancillary purposes, for example, in an anonymised way for business monitoring and planning purposes. We may also process your data to meet legal obligations.

The categories of personal data we will process

Depending on the level of security clearance in question, all details relating to the National Security Vetting (NSV) process and provided by way of Security Questionnaires and at interview. These may include, but are not necessarily limited to the following categories of personal data:

  • full current and former names
  • identity documentation
  • level of security clearance held or required
  • date and place of birth
  • grade or rank
  • job title and staff or service number
  • National Insurance number
  • current and former nationality
  • current and former addresses
  • work addresses
  • work and personal email addresses
  • work and personal landline and mobile numbers
  • marriage and partnerships
  • details about natural and other parents
  • details about siblings
  • details about partner’s natural or other parents
  • details about co-residents
  • education and employment history
  • details of current and former supervisors
  • character referees
  • health declaration
  • criminal convictions and related matters
  • security information
  • financial information and history

In addition, we will process reports of interviews, carried out by trained Vetting Officers, which will go into greater detail about all aspects of lifestyle, in order to build a sufficiently full and rounded picture of the subject on which to make a risk-based decision to grant or refuse or withdraw security clearance.

The SVAP will process your personal data, and that of any third parties such as relatives, which were processed in the course of your vetting application, in accordance with the General Data Protection Regulation, as applied by Chapter 3 of Part 2 of the Data Protection Act 2018 (‘the Applied GDPR’).

The processing of your personal data and that of third parties is necessary for the purpose of determining an appeal against an adverse national security vetting decision, which is carried out for reasons of public interest and in the exercise of official authority vested in the data controller. Conducting NSV appeals is a function of the SVAP, which is a body of the Cabinet Office, a government department. Sensitive personal data is personal data revealing:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • the processing of genetic data
  • biometric data for the purpose of uniquely identifying a natural person
  • data concerning health
  • data concerning a natural person’s sex life or sexual orientation.

Where we process sensitive personal data, our legal basis for doing so is that it is necessary for reasons of substantial public interest for the exercise of a function of the Crown, a Minister of the Crown, or a government department.

How your data will be processed

Your personal data and that of any third parties will be processed as described in the document ‘Security Vetting Appeals Panel: Guidance for Appellants and Organisation’, which you will receive when you have submitted notice of your intention to appeal to the Panel.

Who we share your data with

The personal data we collect and process for appeals is very strictly controlled and protected by a high level of physical, cyber and personnel security measures. Access to your personal data is only provided for the purpose of determining your NSV appeal and to those with a strict ‘need to know’, such as the members of the SVAP hearing your appeal and the SVAP Secretariat, who are subject to an ongoing duty of confidentiality.

To conduct your appeal it may be necessary to share some of your personal data with the public authority which made the adverse vetting decision and any other authority which provided information relevant to that decision. Also, depending on the sensitivities involved in your case, it may be necessary to share some of your personal data with a person or persons chosen or appointed to act on your behalf, for example, a legal adviser or Special Advocate.

How long will we keep your personal data?

Your personal data will be retained for so long as is necessary for the purpose for which it was collected, the processing of your appeal and safeguarding national security. Your personal data will normally be retained by the SVAP for 12 months from the date of the conclusion of the SVAP process. However, it may be necessary to retain some personal data beyond this period in the interests of national security or for the purposes of legal proceedings. Individual SVAP case reports, which detail the Panel’s conclusions and recommendations are required to inform SVAP policy and precedent, and are stored indefinitely.

Your data rights

You have a considerable say over what happens to your personal data. Your rights and how you may exercise them are fully detailed on the ICO website.

Unless an exemption applies in relation to your personal data held by the SVAP, you have the right:

a. to request information about how your personal data are processed, and to request a copy of that personal data

b. to request that any inaccuracies in your personal data are rectified without delay

c. to request that any incomplete personal data are completed, including by means of a supplementary statement

d. to request that your personal data are erased if there is no longer a justification for them to be processed

e. in certain circumstances, for example, where accuracy is contested, to request that the processing of your personal data is restricted

f. to object to the processing of your personal data

g. to lodge a complaint with the independent Information Commissioner’s Office (ICO) if you think we are not handling your data fairly or in accordance with the law. You can contact the ICO website or telephone 0303 123 1113. Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.

International data transfers and international organisations

In certain circumstances and for important reasons of public interest to enable the determination of your appeal, it may be necessary for the SVAP to liaise with individuals in another country or with an international organisation such as NATO. This may relate to a country or organisation for which the UK has not issued an adequacy decision to confirm that it considers the country or organisation provides an adequate level of data protection.

SVAP decisions are not based on automated processing, including profiling

The SVAP is an advisory body and can only recommend, rather than decide, that an appeal be upheld or dismissed. Recommendations are made by the Panel on an individual basis after consideration of all relevant material before them. National security vetting decisions are ultimately the responsibility of the personnel security risk owner, normally the relevant employing organisation.

Where you have not provided your personal data

Where you have not provided your personal data, it was provided to us by your employer, or by an appellant, or by an appellant’s employer, or by the public authority which made the adverse vetting decision, or by another authority which provided information relevant to that decision.

Failure to provide data

You are required to provide the personal data requested by the SVAP as part of the independent appeals process. If you do not provide the requested data, we will be unable to consider your appeal.

If you are not satisfied with the way in which your personal data is being processed:

If you have any concerns about how the SVAP is handling your personal data, you may contact our Data Protection Officer (DPO). The DPO provides independent advice and monitoring of SVAP’s use of personal information. They can be contacted at the following email address: dpo@cabinetoffice.gov.uk

As the SVAP is an independent arms-length body supported by the Cabinet Office, the Data Protection Officer for the SVAP can be contacted via the Cabinet Office.