This policy statement provides information on the obligations and policies of IDScan Biometrics Limited (the “Company”).
This policy specifically addresses the Company’s obligations in respect of the data privacy law. The Company believes the principles embedded in the ICO Statement offer no less protection in personal data privacy than those in other jurisdictions. As such, the Company undertakes to apply, where practicable, those principles and the processes set out herein to its operations globally.
Where the Company’s operations are subject to privacy legislation other than that of the UK, then this policy shall be applied so far as practicable and consistent with such local legislation. For further details on the Company’s compliance with the ICO Statement and any other privacy legislation, please contact IDScan’s Compliance Officer at the address listed below.
Throughout this policy, the meaning of the term “personal data” is as defined in the ICO Statement.
COMPANY CORPORATE POLICY
The Company shall fully comply with the obligations and requirements of the ICO Statement. The Company’s officers, management, and members of staff shall, at all times, respect the confidentiality of and endeavour to keep safe any and all personal data collected and/or stored and/or transmitted and/or used for, or on behalf of, the Company.
The Company shall endeavour to ensure all collection, storage, transmission and other handling or usage of personal data by the Company shall be done in accordance with the obligations and requirements of the ICO Statement.
Where an individual legitimately requests access to and/or correction of personal data relating to the individual, held by the Company, then the Company shall provide and/or correct that data in accordance with the time and manner stipulated within the ICO Statement.
STATEMENT OF PRACTICES
TYPES OF PERSONAL DATA COLLECTED
For the purpose of carrying on the Company’s businesses, including sale, provision, registration and administration of the Company’s products and services (including relevant online services), you may be requested to provide personal data such as, but not limited to, the following, without which it may not be possible to satisfy your request:
(a) Your name;
(b) Address and/or previous address(es);
(c) Account details, including account numbers, service numbers, or user accounts;
(d) Payment details, including credit card and banking information;
(e) Contact details, including contact name and telephone number or email address; or
(f) Information for the verification of identity, including identification type and identification number and in some circumstances a biometric print.
In some instances, you may also be requested to provide certain data that may be used to further improve the Company’s products and services and/or better tailor the type of information presented to you. In most cases, this type of data is optional although, where the requested service is a personalised service, or provision of a product is dependent on your providing all requested data, failure to provide the requested data may prevent the Company from providing the service to you.
This type of data includes, but is not limited to:
(a) Your age;
(c) Employment details;
(d) Education and Profession;
(e) Hobbies and leisure activities;
(f) Other related products and services subscribed to;
(g) Household demographics; and
(h) Financial data.
In support of the products and other services offered by the Company, information may be automatically collected relating to those services so the Company may perform accurate reporting and administration of your accounts such as, but not limited to, shared restrictions, FOG data, system feedback reports and document samples.
The Company’s web servers may receive data relating to your session, the use of which is to provide aggregated, anonymous, statistical information on the types of documents and any way we can improve the operational levels of our equipment. This type of data may include, but is not limited to:
(a) Document Samples (reported by you);
(b) System logs;
(c) Usage reports;
(d) Site scan statistics for remote viewing by clients; and
(e) The IP address and/or country.
Some of the Company’s web sites may place a “cookie” on your machine; for example to provide personalised services and/or maintain your identity across multiple pages within or across one or more sessions. This information may include, but is not limited to, relevant login and authentication details as well as information relating to your activities and preferences across the Company’s web sites.
Under certain circumstances, telephone calls made to the Company’s order and/or service lines and/or inquiry telephone numbers will be recorded for the purposes of quality control, appraisal, as well as staff management and development. Unless expressly indicated otherwise at the time of calling, such recordings are NOT personal data of the caller and therefore, in respect of the caller, are not subject to the various provisions of the ICO Statement and the caller has no rights and/or claims; either statutory, contractual or tortious, over or to such data. At all times, every care is taken to protect such recordings from inadvertent and/or unauthorised access.
USE OF PERSONAL DATA
Your personal data may be used for:
- verifying your identity;
- provision of goods and services to you;
- matching (as defined in the ICO Statement) your personal data with other data collected for other purposes and from other sources including third parties in relation to the provision of goods and services to you;
- marketing and advertising of any goods and/or services to you by the Company, related companies, agents, contractors and third party suppliers;
- business planning and improving goods and/or services for supply to you, by the Company;
- analysing, verifying and/or checking of your credit, payment and/or status in relation to supply of goods and services to you;
- processing of any payment instructions, direct debit facilities and/or credit facilities in relation to supply of goods and services to you;
- enabling the daily operation of your account and/or the collection of amounts outstanding in your account with the Company including the use of debt collection agents;
- enabling the Company to comply with any obligations to interconnect, with other industry practices, or with obligations to third parties or government agencies in relation to the supply of goods and services to you;
- keeping you informed about goods and services supplied to you and other goods and services made available by the Company;
- prevention or detection of crime;
- disclosure as permitted or required by law; and
- any other purposes as may be agreed to between you and the Company, including the purposes set out in any application or terms and conditions for the supply of specific goods and services.
ACCURACY OF PERSONAL DATA
Where possible, the Company will validate data provided using its own software and guidelines. This includes the use of checksum verification on some numeric fields such as account numbers or credit card numbers. In some cases, as per the requirements of the ICO Statement, the Company is required to see original documentation before the personal data may be used, such as with Personal Identifiers and/or proof of address. Physical documents will be validated using white light, infrared and UV technology and passed through an intense test of around 3000 checks. In some instances, the data provided will be validated against pre-existing data held by the Company or third-party organisations such as the Metropolitan Police Service.
The Company fully complies with the “Rights of Access and Correction” obligations of the ICO Statement. Please refer to the section titled “Access and Correction of Personal Data” below for details on how you can obtain and correct any personal data relating to you that the Company may hold.
PROCESSING OF PERSONAL DATA
Data will be processed by the Company in line with its internal policy. Should the Company review the method of processing client data to ensure efficiency, all such clients will be notified of new procedures for review and acceptance.
RETENTION OF PERSONAL DATA
The Company will destroy any personal data it may hold in accordance with its internal policy. Generally speaking, the Company’s policies cover the following principles:
(a) Personal data will only be retained for as long as is necessary to fulfil the original or directly related purpose for which it was collected, unless the personal data is also retained to satisfy any applicable statutory or contractual obligations; and
(b) Personal data are purged from the Company’s electronic, manual, and other filing systems in accordance with specific schedules based on the above criteria and the Company’s internal procedures.
DISCLOSURE OF PERSONAL DATA
All personal data held by the Company will be kept confidential, but the Company may (where permitted), where such disclosure is necessary to satisfy the purpose, or a directly related purpose, for which the data was collected, provide such information to the following parties:
- Any subsidiaries or contractors controlled by, or under common control with the Company;
- Any other person or company who is under a duty of confidentiality to the Company and has undertaken to keep such information confidential, provided such person or company has a legitimate right to such information;
- The Company’s contractors, suppliers and other sites, accountants, auditors and lawyers;
- Government and regulatory authorities and law enforcement agencies and other organisations, as required or authorised by law; and
- Any financial institutions, charge or credit card issuing companies, credit information or reference bureaux, or collection agencies, necessary to establish and support the payment of any services being requested.
Personal data may also be disclosed to any person or persons pursuant to any statutory or contractual obligations or as required by court of law, provided such person or persons are able to prove the required right/authority to access such information. In addition, personal data may be disclosed under any of the circumstances described in the Exemptions section of the ICO website.
TRANSFER OF PERSONAL DATA OUTSIDE THE UK
At times it may be necessary and/or prudent for the Company to transfer certain personal data to places outside of the UK in order to carry out the purposes, or directly related purposes, for which the personal data were collected. Where such a transfer is performed, it will be done in compliance with the requirements of the ICO.
SECURITY OF PERSONAL DATA
Physical records containing personal data are securely stored in locked areas and/or containers when not in use.
Computer data are stored on computer systems and storage media to which access is strictly controlled and/or are located within restricted areas and controlled by an internal security policy.
Access to records and data without appropriate management authorisation is strictly prohibited. Authorisations are granted only on a “need to know” basis that is commensurate with an individual’s Company responsibilities and their training.
Where the Company holds, uses and/or transmits the Customers’ personal data it will be adequately protected from accidental and/or unauthorised disclosure, change and/or destruction.
In the unlikely event of a failure in the Company’s security policy, this will be addressed and audited by the Information Security Team, and relevant client(s) will be notified of such a breach.
ACCESS AND CORRECTION OF PERSONAL DATA
Under the terms of the ICO, individuals have the right to:
(a) Ascertain whether the Company holds any personal data relating to them and, if so, obtain copies of such data (“right of access”);
(b) Require the Company to correct personal data in its possession which is inaccurate for the purpose for which it is being used by means of a data access request (right of correction); and
(c) Ascertain the Company’s policies and practices in relation to personal data, which are those policies and practices set out in their entirety herein.
An individual may exercise his or her right of access by:
(a) Completing the “Data Access Request Form” as prescribed by the Information Commissioner for Personal data;
(b) Sending the completed form, along with appropriate proof of identity (a copy of the applicant’s Identity Card or Passport) to the Company’s Privacy Compliance Officer at the address listed below;
(c) Alternatively, if you do not wish to provide a copy of your proof of identity, you may present the completed form in person, along with appropriate identification. There, staff will verify your identity.
The Company will, upon satisfying itself of the authenticity and validity of the access request, make every endeavour to comply with and respond to the request within the period set by the ICO (i.e. within 30 days after receiving the request).
An individual may exercise their right of correction by writing to the Company’s Privacy Compliance Officer at the address listed below, specifying the data obtained through the Data Access Request mentioned above which needs to be corrected.
Satisfactory proof and/or explanation of the inaccuracy is essential before the Company would consider correcting the specified data. Upon satisfying itself of the authenticity and validity of the correction request, the Company will comply with and respond to the request as required by the ICO.
Complaints regarding the accuracy of personal data can also be made in writing to the address listed below. These will be handled personally by the Data Privacy Manager, and these complaints will be answered within 72 hours.
In accordance with the requirements of the ICO, the Company will honour a customer’s request not to use his or her personal data for the purposes of direct marketing. Should you wish not to receive direct marketing material from the Company, please write to the Company’s Privacy Compliance Officer at the address listed below.
Any such request should clearly state details of the personal data in respect of which the request is being made. Specifically, it is requested that you include the corresponding Company assigned account numbers which are printed on the Company’s statements/invoices.
RECRUITMENT AND EMPLOYMENT
During the recruitment process, job applicants may be required to provide sufficient personal data so that the Company may, as appropriate and/or applicable:
(a) Assess the applicant’s suitability for the position being applied for;
(b) Assess the applicant’s suitability for other positions the Company may have available;
(c) Verify credentials and/or experience; and
(d) Perform security vetting and/or integrity checking.
At a minimum, such personal data will include:
(a) The applicant’s name and contact details, including address (Past 5 years) and telephone number(s);
(b) Previous employment and relevant experience; and
(c) Education and relevant training.
Additional information may also be required depending on the nature of the position being applied for. The applicant is responsible for ensuring all personal data they provide is accurate and complete. The provision of inaccurate information or the withholding of requested information prior to or during employment may:
(a) Prevent the Company from making an offer of employment;
(b) Invalidate such offer if the inaccuracy or omission is discovered after an offer has been made; or
(c) Lead to termination of employment if the inaccuracy or omission is discovered after employment has commenced.
The personal data so provided may be transferred to persons within the Company, and its clients in client projects, who are involved in the assessment of the applicant’s suitability for the position applied for and/or other positions which may be, or may become, available within the Company. The data may also be transferred to third parties, such as investigation agencies, as are necessary to satisfy the purposes set out above.
The Company shall retain the personal data of unsuccessful applicants for future recruitment purposes for a period of two years from the day on which the recruitment period ends. The personal data of successful applicants shall be retained for the duration of their employment by the Company and as described below under the heading of “Employment, Including Post Employment”.
EMPLOYMENT, INCLUDING POST EMPLOYMENT
In the course of employment by the Company, personal data of employees and their families, as appropriate, will be collected and used on an ongoing basis for various Human Resource purposes including but not limited to; administering staffing, performance management, training, career development, salary and benefits administration, communication (e.g. Company news, staff benefit offerings and promotions), insurance, taxation, welfare and providing information in compliance with legal requirements.
The Company retains certain personal data of employees when they cease to be employed by the Company (and such data will be retained for no longer than seven years after their cessation of employment). Such data are required for any residual employment-related activities of the former employee including, but not limited to:
(a) The provision of job references;
(b) Processing applications for re-employment;
(c) Matters relating to disclosure; and
(d) Allowing the Company to fulfil contractual or statutory obligations.
Further details regarding the Company’s policies and practices in respect of its handling of personal data relating to its employees, including post-employment, are included in the Company’s Human Resources Policies and Staff Handbooks. They are also available to the Company’s employees from either the Company’s Privacy Compliance Officer or directly from their respective Human Resources representative.
USE OF CONTRACTORS
Sub-contracted staff used by the Company will receive equal pre-employment checks. All contractors are CRB checked and have to complete application forms and produce identity documents and proof of address. The use of sub-contracted staff prior to the return of such documents is not allowed. Where required, sub-contracted staff may be required by the Company to seek further approval from the client(s).
THE COMPANY’S PERSONAL DATA (PRIVACY) ICO STATEMENT CONTACT DETAILS
All enquiries regarding the Company’s compliance with its obligations under the ICO statement should be in writing to:
Privacy Compliance Manager
IDScan Biometrics LTD
13 Lanark Square