When you provide this information to us, Credence recognises the importance of looking after your data: keeping it secure and only using it for the purpose for which we have been engaged, namely to carry out your background screening checks. This document explains in more detail what information we require, what we will do with your data and what you can expect from us. It will also explain your rights under the Data Protection Act 2018, the GDPR and related legislation.
Lawful Basis of Processing
In the screening process, Credence is the Data Processor and your employer or future employer is the Data Controller (unless they process your personal data on behalf of someone else, e.g. if you are working through an employment agency). Please contact your employer to find out more about the specific Lawful Basis on which they have based your data processing.
Credence will request your Consent, either directly or through your employer, prior to commencing the background screening checks. The Consent is requested mainly for practical screening reasons (e.g. to be able to obtain your employment/educational reference from former employers/educational institutions); for data transfers outside the EU (see below for the reasons and conditions of these transfers); and for criminal records checks.
You can, at any time, withdraw your consent and we will immediately restrict the processing of your data. We will notify your current or future employer that you have withdrawn your consent. To withdraw your consent you should notify Credence or the Data Controller. Credence’s contact details are included in the invitation email that you received with the link to the screening process.
Collection of data
Our online screening form is designed only to collect the information necessary in order to carry out the background checks that your current or future employer has asked us to undertake. In doing so it is important that you complete the form, providing as much information as possible to help us complete the screening process as quickly as possible.
In the course of our work we also collect information from other private and government organisations.
Depending on the Service Level Agreement set up between Credence and each of its Clients, we may be required to undertake a Credit Check on your financial activity (generally for the past 5 years). To obtain that information, we use TransUnion, a Credit Reference Agency compliant with the CRAIN Privacy Policies drawn up by the ICO and major financial services trade associations. The CRAIN privacy notice can be found at the following address: https://www.callcredit.co.uk/legal-information/bureau-privacy-notice
Who will see your data?
Credence will only disclose your personal information to individuals and private and government organisations where it is necessary for the purpose of undertaking background screening checks in accordance with the agreement with our client.
We will only use this information for the sole purpose for which it is collected, i.e. your background screening: specifically, we will not sell this information, transfer it to third parties unconnected with your screening or use it for marketing purposes.
Transfer of Data
As part of the background screening, we may use other organisations to process data (sub-processors); for example, where we need assistance to obtain the results of your background screening checks. We only use sub-processors where it is either necessary to obtain the information required, or where due to language needs or time differences it makes sense to use a sub-processor. We use a very limited number of companies who are subject to a supplier evaluation review and with whom we have contracts in place to ensure your data protection rights.
In the course of processing your data it may be necessary for us to transfer some of it to other countries, including those outside the EEA. This will be because you have worked or lived outside the EEA during the period covered by your screening. We may also transfer your data to Egypt (to our selected subcontractor) if any of your checks require an Arabic or French speaker to handle your case. Before doing so we will ask your permission, which is included in the consent you are asked to sign prior to us commencing your background screening. If we need to send your personal data outside the EEA, we will only send the information required to complete that element of your background screening.
Protection of data
We have taken measures to ensure your data is protected from unauthorised access. Your data is stored in a secure ISO 27001 data centre located in the UK. Access to our online system is through unique user IDs and passwords. Access to the internal processing application is linked to authorised IP addresses only. Our data host provider encrypts the data and we also have a second level of encryption of all personal data using AES 256 and our own private encryption key.
You can exercise different data protection rights (rights of access, rectification, erasure, restriction of processing, data portability, and right to object), and the Controller has the responsibility to respond to these in a timely manner.
Therefore, to exercise any of your data protection rights, contact your Controller directly. However, should you contact Credence to assist you in getting these rights upheld, Credence will pass these on to the Controller and assist in what is necessary.
In most cases, you should expect a response from your data Controller, unless Credence is instructed otherwise.
Access to data
You have the right to request access to the personal data that Credence holds on behalf of the Controller. The Controller has the responsibility to respond to such requests in a timely fashion.
Data subjects are advised to contact their data Controller directly for a more prompt and efficient response. However, if you send your request to Credence, Credence will acknowledge it and inform the Controller without undue delay so that they can deal with it accordingly.
Regardless of how this right is exercised, whether through Credence or directly with the Controller, Credence is committed to assisting the Controller in meeting their obligations under the Data Protection regulations by providing the Controller with access to all data collected in the process of your background screening.
This request can be made verbally or in writing; however, in order to ensure the process begins as soon as possible, please send it to firstname.lastname@example.org.
In line with Data Protection regulations, we will keep your personal data for no longer than is necessary. This period is defined by the agreement between your employer/future employer and us. In their capacity as data Controller, your employer will instruct Credence on the specific retention period for your case. Credence’s standard retention period is 6 months following the completion of your background screening, and that is the period that is recommended to all clients. However, it is the Controller’s ultimate responsibility to determine the retention period after which all your personal data is automatically removed from our systems.
For more information about your specific retention period please contact your employer. Alternatively, you can email us at email@example.com and we can assist you in finding out your retention period.
Correction of data
Where we are made aware of personal or sensitive personal data that has been processed by Credence that is incorrect, we will take reasonable steps to investigate whether the information is incorrect and, if so, update our records to reflect the correct position. We will also notify any parties with whom we have shared the data of the details of the changes.
If you have any questions in connection with this Privacy Statement or concerns regarding privacy issues or other requests, email us at firstname.lastname@example.org or write to:
Data Protection Officer,
Credence Background Screening,
160 London Road, Suite 4A, 2nd Floor,
Kent, TN13 1BT
Should you wish to report a complaint or if you feel that Credence has not addressed your concern in a satisfactory manner, you may contact the Information Commissioner’s Office.