Privacy Policy

Our policy will give you information about how, why and when we collect and use personal information and what we might do with it.

Whenever you are asked to provide personal information to us, we will always give you a specific privacy notice telling you exactly how that information will be used and who, if anyone, we’ll share it with. However, you should refer to this Privacy Policy for more detailed information.

This Privacy Policy is our overarching Privacy Notice.

Contents

This policy covers the following topics:

What is personal information?

Personal information (sometimes called ‘personal data’) is any information that identifies and relates to a living person. This can include information that, when put together with other information, can then identify a person.

Because personal information allows people to know things about you, we need to protect this information and only use it for certain purposes.

Some information needs more protection. It might be information that you wouldn’t want widely known or that is very personal to you. This is sometimes also referred to as ‘sensitive personal data’ or ‘special categories of data’. This would include anything that relates to your:

  • Physical and sexual health
  • Religious or philosophical beliefs
  • Ethnicity
  • Physical or mental health
  • Trade union membership
  • Political opinion
  • Genetic/biometric data
  • Criminal history

Back to top of page


What personal information do we collect about you and what do we do with it

Visitors to our websites

We collect standard internet log information and basic details of visitor behaviour so that we can work out the cause of any problems with our websites. We collect this information in a way that does not personally identify you, so it isn’t personal information.

If we do want to collect personal information through our website we will always tell you and will explain what we will do with the information you provide.

Use of cookies on our websites

Cookies are small text files that are placed on your computer by websites that you visit. They are used in order to make websites work (or work better) as well as to provide information to the owners of the site. We use cookies on our websites.

Read about the cookies we use

Market research

We conduct market research regarding the private security industry, and when we do we may exchange your personal data with carefully selected third parties. This is permitted by Section 1 of the Private Security Industry Act 2001, which allows us to undertake, to arrange for or support the carrying out of research (which includes the exchange of personal data) relating to the provision of security industry services and of other services involving the activities of security operatives.

Any personal data that is shared is securely destroyed immediately after any research has been completed.

Links to other websites

www.sia.homeoffice.gov.uk contains links to other websites, both those of government departments and of other organisations. This privacy policy only applies to our website.

When you are moving to another website you should read the privacy statement of any site which collects personal information. We do not pass on any of your personal information you have given us when you link to another site.

E-mail newsletter

To help us monitor and improve our SIA Update and ACS Update e-newsletters we gather statistics around e-mail opening and clicks using industry standard technologies. Any collected data and e-mail addresses will not be used, shared, sold or rented in any shape or form.

Information we collect for marketing purposes

We collect personal data, including contact details and email information preferences, in order to provide relevant information to people interested in the private security industry. In order to receive this information from us people are required to give their consent when they sign. This consent can be withdrawn at any time. We will only contact you with information you have told us you want to receive.

See our sign up for information page

Security and performance

We use a third-party service to help maintain the security and performance of our website. To deliver this service it processes the IP addresses of visitors to our website.

If you contact us via social media

We use a third-party provider, Sprout Social to help us process our social media interactions.

If you send us a private or direct message via social media the message will be stored by Sprout Social for three months. It will not be shared with any other organisations.

Please note that all comments and messages, including direct messages, posted to our social media sites Facebook, Twitter or LinkedIn belong to the person posting.

We do not own or hold any of the data that individual's post. As a result, we are unable to delete this information. However, we do take steps to remove personal information so that it is not visible to the public.

If you email us

We use Government Secure Intranet (GSI) anti-virus service to encrypt and protect email traffic in line with government. If your email service does not support GSI, you should be aware that any emails we send or receive may not be protected in transit.

We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.

If you phone us

When we receive phone calls we record it for the purposes of quality monitoring and to assist us when we make individual licensing and approved contractor decisions. We may also keep a written record of personal information you provide us over the phone and store it against your SIA account or on our intelligence database.

When you phone us you will be required to answer security questions so we can be sure you are who say you are.

If you make a complaint to us

When we receive a complaint about the SIA we make a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.

We will use the personal information we collect to process the complaint and to check on the level of service we provide. We do compile and publish statistics showing the number of complaints we receive, but not in a form which identifies anyone.

We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute. If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.

We will keep personal information contained in complaint files in line with our retention schedules. It will be retained in a secure environment and access to it will be restricted to those staff that require access for their role.

See our complaints policy

If you provide us with intelligence

We do not run a formal complaints scheme in relation to the conduct of businesses or individuals operating in the private security industry.

When we receive information from a member of the public regarding the conduct of a private security business or its operatives it is treated as intelligence. This is because any information received can only be used by us in so far as it informs any investigation into breaches of the Private Security Industry Act 2001 and/or the individual licence or Approved Contractor Scheme conditions.

We do not typically release intelligence or provide an update regarding any action taken in relation to intelligence if it relates to investigations or proceedings we are conducting or the disclosure would prejudice our / our partner’s ability to exercise our / their statutory functions. Unless required by law, we would never release the name or contact details of an individual who has provided us with intelligence.

When we take enforcement action against someone as a result of intelligence we have received we may publish the identity of the defendant in our Annual Report or elsewhere. Usually we do not identify any complainants unless the details have already been made public.

If you create an online account

When you set up an online account we ask you to give us some personal information, including your name, address, unique personal identification information, and contact details. We use this information to maintain an SIA account in your name, assess applications you submit, share information with other government agencies and to contact you.

See our online account privacy notice

If you sign up to receive text messages from us

When you make a licence application we will always keep you up-to-date with the status of your application via your online account. However, we can also send you text messages if you provide your consent.

We will continue to send you text messages until you withdraw your consent or a decision is reached regarding your application.

See our text messaging service consent

If you apply for an SIA licence

We use the information you provide on your application form to decide whether you are a fit and proper person to hold an SIA licence. In doing so, we make a variety of checks against the SIA licence criteria.

Identity checks

To verify they are correct, we provide:

  • your name and address history to Experian.
  • your passport number to HMPO.

Criminality checks

We are allowed to ask for your criminal history as our statutory licensing criteria require us to check applicant’s criminality and there is a substantial public interest in us doing so.

We will obtain a copy of your criminal record certificate from the Disclosure and Barring Service, Disclosure Scotland or Access Northern Ireland. To do so, we provide them with your name, address and date of birth so they can identify records held about you and verify your identity.

If you believe that your criminal record certificate contains inaccurate information, you should notify the disclosure body and us without delay. If you tell us that your certificate may contain inaccurate information we will discuss the matter with the disclosure body and not take a final licensing decision until the disclosure body has confirmed the accuracy of relevant information. We will not take into account any inaccurate information.

When we receive a copy of your criminal record certificate we save it against your SIA account. This information is stored on our STeP licensing system and can only be accessed by those staff requiring access to undertake their roles. Your criminal record certificate is retained for a period of 10 years.

See our criminality privacy notice

See our policy on processing special categories of health information and criminal convictions data

Qualifications checks

We will check applicants have a valid qualification by checking our Qualifications Database. When you obtain a qualification from a training provider it is their responsibility to let us know you hold this qualification by uploading your name, address, date of birth, photograph and qualification onto our Qualifications Database.

Mental health checks

We will check any mental health information you declare to us with your treating medical professional. So that your treating practitioner knows they can legally share this information with us, we will ask you to give your signed consent for this to happen.

See our mental health consent

See our policy on processing special categories of health information and criminal convictions data

Right to work checks

We will check whether applicants have the right to work in the UK. To do this we will check the right to work of non-EU applicants with the Home Office. To do this we will send your name, date of birth, gender and nationality details to the Home Office.

Non-conviction information

While we don’t actively seek out non-conviction information, if it is provided to us by a partner agency or a member of the public, we will consider whether this information may be relevant to whether you are a fit and proper person to hold a licence. If the information may be relevant, we will conduct checks to verify or obtain further information. For example, we may obtain copies of CCTV footage.

If non-conviction information is provided in the form of CCTV footage, we ensure the footage is securely stored on DVD in a locked safe and is only accessible by SIA Decisions staff.

If we decide to rely on CCTV footage to make a licensing decision we will always provide you with a copy of that footage. Before doing so, we will provide the CCTV footage to a specialist redaction company to edit the footage so only the relevant data subjects are visible. We have contractual arrangements with a specialist redaction company that we use and this ensures that any footage sent is encrypted and securely stored.

See our individual licensing privacy notice

If you use our Pay Only, Licence Assist or Licence Management products

We offer a range of services to help make it easier for people to submit licence applications and manage their relationship with us. Pay Only, Licence Assist and Licence Management allow you to have a business collect and provide information to us on your behalf. When you choose to do this, we

Pay Only

You can link your online account to a business’ online account to allow the business to pay your licence application fee. When this happens the business will see your name, application reference number, licence sector and the status of your licence application.

The link between the accounts will break when the application fee is paid. However, you can break the link at any time by clicking ‘unlink’ in your online account.

See our Pay Only privacy notice

Licence Assist

You can link your online account to a business’ online account to allow a business to make an application on your behalf. When this happens the business will see the most up to date personal information that we hold about the applicant. However, the business will never see your mental health or criminality information unless you provide it to the business.

The link between the accounts will break when a licence decision is made. However, you can break the link at any time by clicking ‘unlink’ in your online account.

See our Licence Assist privacy notice

Licence Management

You can link your online account to a business’ online account to allow a business to make an application on your behalf and manage your relationship with the us on an ongoing basis. When this happens the business will see the most up to date personal information that we hold about you. However, the business will never see your mental health or criminality information unless you provide it to the business.

The link between the accounts will break when either the business or the applicant unlink the accounts. An applicant can break the link at any time by clicking ‘unlink’ in their online account.

Businesses that are approved to use the licence management service conduct checks against our identity licensing criteria on our behalf. We have a contractual relationship with these businesses and ensure they meet our security standards.

See our Licence Management privacy notice

If you apply to join the Approved Contractor Scheme (ACS)

We use the information you provide on your application form to decide whether a business is fit and proper to become and approved contractor. In doing so, we undertake a variety of checks against the ACS eligibility criteria and the ACS Standard.

While much of the information you will be asked to provide is about the business, and is therefore not personal information, we do ask for some personal information regarding the individuals in control of, employed by or associated with that business. In most cases this will only include their name, address, contact details and licence number (if applicable). Although, in some circumstances you will also be asked to provide full staff lists and the details of staff that have worked on specific contracts or at specific sites.

Where we have has asked for personal information, it will typically be used to conduct identity checks, to verify the controlling minds of the business, to verify that all staff are SIA licensed, and to verify the business model that has been adopted.

At times we may also share your personal information with assessing bodies, for example we may instruct them to undertake specific checks against the ACS Standard that involve particular individuals. Assessing bodies operate under contract with us and all information shared and stored is done so securely in accordance with the terms of that agreement.

See our ACS privacy notice

If we have a contractual relationship with you

We collect personal information about the staff of organisations we enter into agreements with, for example ACS Assessing Bodies, Awarding Bodies and companies approved to use our Licence Management services. Typically we collect the name and contact details of staff so we can undertake due diligence and effectively manage the contractual relationship. Details about how we manage the data collected under each specific contract are included in the clauses of each agreement.

If we take enforcement action against you

When we investigate breaches of the law or the conditions of our individual licensing regime or approved contractor scheme we collect personal data.

If we decide to take criminal enforcement action we try to publicise as much information about our cases as we can without compromising law-enforcement work, prejudicing the right of defendants to a fair trial, or causing avoidable reputational damage or harm to individuals or businesses under investigation. Typically we will publish details of an investigation once it results in a decision to prosecute and a company or individual has been charged with an offence. However, in certain limited circumstances, we may choose to publish information about an investigation before charges are laid.

Following the closure of a case or judgment from the court we may continue to make summary information available on our website for a period of up to one year in relation to individuals and up to five years in relation to businesses.

Job applicants

We collect personal information about applicants through the application and recruitment process, either directly from candidates or sometimes from an employment agency, previous employers or from organisations that assist us with our background checks.

Our staff

We collect a range of personal data about employee, agency and contract staff in order to manage their employment relationship with us during the recruitment process, while they are working for us, at the time their employment ends and after they have left. Staff should see our Internal Data Protection Policy for more information regarding how we handle their data. Former staff should contact recruitment@sia.gsi.gov.uk to obtain a copy of our current Data Protection Policy.

Back to top of page


Why we ask for your personal information

We will only ask you to provide personal information if we need it. Typically, when we collect the information we will tell you why we need it, what we will do with it and whether we will share it with anyone else.

In general, we collect and use personal information where:

  • It is necessary to perform our statutory functions under the Private Security Industry Act 2001 e.g. to operate our individual licensing or our approved contractor regimes, conduct market research regarding the private security industry or manage the business of our organisation.
  • It is required by law e.g. to comply with employment law or health and safety legislation.
  • We have a contract with you e.g. you work for us, you provide a service to us or we have approved you to do something i.e. offer licence linked qualifications or conduct approved contractor assessments.
  • You (or your legal representative) have given us your consent e.g. you signed up to receive marketing information from us, receive text messages from us or agreed to the use of cookies on our website.
  • We will never sell your personal information to anyone else.

    Back to top of page


    Who we share your personal information with

    We can only share information when the law tells us we can do so.

    We share information with core service providers and third party platforms as required for our business to function e.g. IT providers, payroll providers, pension scheme providers, auditors, legal advisors etc.

    We also share and receive information we collect for our statutory purposes with other government agencies in order to:

    • Conduct checks against our licensing or approved contractor criteria or conditions
    • To check the accuracy of information we hold
    • To prevent or detect crime
    • To protect public funds
    • As otherwise permitted by law.

    The agencies we typically share and receive personal information with relating to whether you are fit and proper to hold our SIA licence are:

    • The Home Office
    • The Police
    • The Department for Work and Pensions (DWP)
    • Her Majesty’s Passport Office (HMPO)
    • Her Majesty’s Revenue and Customs (HMRC)
    • The National Crime Agency (NCA)
    • Experian
    • Vetting agencies (the Disclosure and Barring Service (DBS), AccessNI and Disclosure Scotland).

    We will also share your personal information with any business you link your online account with.

    The agencies we typically share and receive information with in relation to whether you are fit and proper to join the approved contractor scheme include:

    • The Home Office
    • The Police
    • The Department for Work and Pensions (DWP)
    • Her Majesty’s Revenue and Customs (HMRC)
    • Local authorities
    • Experian
    • The Insolvency Service
    • Equifax
    • Assessing Bodies
    • Customers of applicant businesses
    • Payroll or finance companies associated with applicant businesses
    • Consultants acting on behalf of applicant businesses

    The agencies we typically share and receive information with in order to manage our relationship with staff and prospective staff include:

    • Home Office Departmental Security Unit
    • Vetting agencies (the Disclosure and Barring Service (DBS), AccessNI and Disclosure Scotland)
    • UK Border Agency
    • Foreign and Commonwealth Office
    • Occupational health providers
    • Pay and Pension Providers (RSM, National Audit Office, HMRC, MyCSP, Opus Trust Marketing and, if appropriate, a Partnership Pension Scheme provider)

    Back to top of page


    How we store your personal information

    Most of the information we hold on you will be stored electronically. Even if you send us documents, we will usually scan these and then either return the originals to you or destroy them. Please see ‘How do we protect your information?’ for details of how we keep this safe.

    Back to top of page


    How we protect your personal information

    The security of your personal information is very important to us. There are a number of ways we make sure that the information we hold about you (on paper and electronically) is secure. We make sure that we only make this information available to those who have a legal right to see it.

    Examples of our security include:

    • Securely storing electronic information with appropriate encryption or security controls where required, both at rest and in transit in accordance with industry best practice and available technologies.
    • Processing information in accordance with HMG IA policies and industry standard risk assessments.
    • Independently accrediting ICT systems to Government standards by an independent accreditor.
    • Controlling access to systems and networks so that only those people who need to and are allowed to see your personal information and able to access it.
    • Training for our staff to make sure that they know how to handle personal information and how and when to report when something goes wrong.
    • Making sure we only discuss personal information with a data subject once we’ve confirmed their identity.
    • Regular independent testing of our technology is carried out through IT Health Checks and Penetration Tests to mitigate vulnerabilities which could lead to breaches and ensure we are keeping up to date with the latest security and software updates (sometimes called ‘patches’).
    • Ensuring all information you give us relating to payment details is handled in a PCI DSS compliant way.

    Back to top of page


    How long we store your personal information

    How long we keep information you give to us depends on exactly what information it is, why we need it, and what we use it for. There will usually be a legal reason for keeping your personal information for a particular period of time. We try to include all of these in our retention schedule.

    For example, we will usually keep information you provide or that we collect in relation to an application for a licence or any further decision we might make about your licence (such as suspension or revocation) for ten years. We will usually keep messages you send to us or that we might send to you for seven years. We keep criminality information for ten years.

    If you would like to know exactly how long we will keep a particular piece of personal information, please contact us using the ‘Contact Us’ form on our website. Please select 'General Enquiry' as the category and 'Freedom of Information/DPA subject access request' as the topic. In your request, please make clear which types of information you are asking about.

    Go to the contact us form

    Back to top of page


    Transfers of your data outside the EU

    We do not routinely transfer data outside of the EU. However, we do use Mail Chimp; an e-mail marketing provider that stores data in USA. If you sign up to receive information from us, your email address and contact preferences will be stored and managed by Mail Chimp. We have a contractual relationship with Mail Chimp and are satisfied that data held in the US is appropriately secure because of the following assurances:

    • MailChimp Complies with the US Privacy Shield framework and has self-certified to both the EU-US Privacy Shield and Swiss-Us Privacy Shield regimes.
    • MailChimp lawfully transfers EU/EEA personal data to the U.S pursuant to their Privacy Shield Certification.
    • MailChimp completes a SOC II Type 2 examination on an annual basis for the Trust Principle Criteria of Security, Processing Integrity, Confidentiality and Availability.
    • The MailChimp website contains a significant amount of information on their GDPR readiness and acknowledges the importance of protecting personal data and privacy.
    • MailChimp’s US datacentres manage 24/7 physical security controls.
    • MailChimp publishes details on application level, internal IT, and internal protocol security controls utilised; exhibiting cyber security awareness and appropriate resilience.

    If we decide to store any other data outside of the EU, we will tell you before we do so.

    Back to top of page


    Automatic processing / Profiling

    We use an online licensing system to automatically assess and profile information held about licence applicants in order to make a decision whether they are fit and proper to hold an SIA licence. However, we will not take any licensing decision that negatively affects an applicant without a member of our staff reviewing the application. Additionally, applicants will always be given the opportunity to provide further information for us to consider before we make a final licensing decision.

    Back to top of page


    Your rights

    Data Protection law gives you rights about the personal information we hold and how we use it.

    The right to ask for the information we hold on you

    You have the right to ask for all the information we have about you. This is called a ‘Subject Access Request’.

    There is some information we may not be able to share with you. Some examples of this are:

    • Information that is also about other identifiable people
    • Information that might stop us preventing or detecting a crime if we were to share it

    If you would like to submit a request for information we hold about you, please click here for further information: Request Personal Information

    The right to ask us to change information you think is inaccurate

    You should let us know if you think information we hold on you is out-of-date or inaccurate. We may not always be able to change or remove that information but we’ll correct any factual inaccuracies and will include your comments in the record to show that you disagree with it.

    There is some information you can update or correct without needing to contact us:

    • If you need to change the address details we hold for you, you can update these in the ‘My Account’ section of your SIA online account.
    • You can use the ‘Notify the SIA’ tab on your SIA online account to inform us of any changes to your name, criminal record, right to work in the UK, mental health or gender.

    If you would like to ask us to change information we hold on you that isn’t included above, use the ‘Contact Us’ form on our website. Please select the category ‘The personal information we hold on you’ and then the topic ‘Ask us to change inaccurate information’.

    Go to the contact us form

    The right to ask us to delete information (sometimes called ‘the right to be forgotten’)

    In some circumstances you can ask for your personal information to be deleted, for example:

    • Where your personal information is no longer needed for the reason why it was collected in the first place
    • Where you have removed your consent for us to use your information and there is no other legal reason we need to use it for
    • Where deleting the information is a legal requirement

    Where your personal information has been shared with others, we’ll do what we can to make sure those using your personal information comply with your request for erasure.

    There are some circumstances in which we will not be able to delete information. For example:

    • We’re required to keep the information by law
    • Holding the information is required for us to carry out our statutory duties
    • Holding the information is required for the detection or prevention of crime

    If you would like to ask us to delete information we hold on you, use the ‘Contact Us’ form on our website. Please select the category ‘The personal information we hold on you’ and then the topic ‘Ask us to delete information’.

    Go to the contact us form

    The right to ask us to limit what we use your personal data for

    You have the right to ask us to restrict what we use your personal information for if:

    • You have identified inaccurate information, and have told us about it
    • We have no legal reason to use that information but you want us to restrict what we use it for rather than erase the information altogether

    When information is restricted it can be stored but it can’t be used without your consent, other than to handle legal claims and protect others, or where it’s in the public interest.

    There are some circumstances in which we will not be able to limit how we use your information. For example:

    • We’re required to use the information by law
    • Using the information is required for us to carry out our statutory duties
    • Using the information is required for the detection or prevention of crime

    If you would like to ask us to limit how we use information we hold on you, use the ‘Contact Us’ form on our website. Please select the category ‘The personal information we hold on you’ and then the topic ‘Ask us to limit how we use your information’.

    Go to the contact us form

    The right to ask for your personal information to be moved to another agency (knows as ‘Data Portability’).

    You can ask for your personal information to be given back to you or another service provider of your choice in a commonly used format.

    This only applies if we’re using your personal information with consent (not if we’re required to by law) and if decisions were made by a computer and not a human being.

    It’s likely that data portability won’t apply to information we hold on you, but If you would like to ask us to move your information to another agency, use the ‘Contact Us’ form on our website. Please select the category ‘The personal information we hold on you’ and then the topic ‘Ask us to move your information to another provider’.

    Go to the contact us form

    Back to top of page


    What to do if you have questions or concerns

    If you have questions about how we collect, use or store your personal information, or your rights, please contact our Data Protection Officer, Lisa Targowska, at dpo@sia.gsi.gov.uk.

    For independent advice about data protection, privacy and data sharing issues, you can contact the Information Commissioner's Office (ICO).

    You can visit the ICO website at www.ico.org.uk- this link opens in a new windowor email them at casework@ico.org.uk

    Telephone numbers for the ICO are 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number.

    The address to write to is:

    Information Commissioner's Office
    Wycliffe House
    Water Lane
    Wilmslow
    Cheshire
    SK9 5AF

    Back to top of page


    Changes to this Privacy Policy

    We keep our Privacy Policy under regular review. This privacy notice was last updated on 25 May 2018.

    Back to top of page


    Who is the data controller

    The SIA is the data controller. You can contact us by writing to:

    Security Industry Authority
    PO Box 74957
    London
    E14 1UG

    Back to top of page