1. What is personal information?
Personal information (sometimes called ‘personal data’) is any information that identifies and relates to a living person. This can include information that, when put together with other information, can then identify a person.
Because personal information allows people to know things about you, we need to protect this information and only use it for certain purposes.
Some information needs more protection. It might be information that you would not want widely known or that is very personal to you. This is sometimes also referred to as ‘sensitive personal data’ or ‘special categories of data’. This would include anything that relates to your:
- physical and sexual health
- religious or philosophical beliefs
- physical or mental health
- trade union membership
- political opinion
- genetic/biometric data
- criminal history
2. What personal information do we collect about you and what do we do with it?
2.1 Visitors to our websites
We collect standard internet log information and basic details of visitor behaviour so that we can work out the cause of any problems with our websites. We collect this information in a way that does not personally identify you, so it is not personal information.
If we do want to collect personal information through our website we will always tell you and will explain what we will do with the information you provide.
2.2 Market research
We conduct market research regarding the private security industry, and when we do we may exchange your personal data with carefully selected third parties. This is permitted by Section 1 of the Private Security Industry Act 2001, which allows us to undertake, to arrange for or support the carrying out of research (which includes the exchange of personal data) relating to the provision of security industry services and of other services involving the activities of security operatives.
Any personal data that is shared is securely destroyed immediately after any research has been completed.
2.3 Our e-mail newsletters
To help us monitor and improve our SIA Update and ACS Update e-newsletters we gather statistics around e-mail opening and clicks using industry standard technologies. Any collected data and e-mail addresses will not be used, shared, sold or rented in any shape or form.
2.4 Information we collect for marketing purposes
We collect personal data, including contact details and email information preferences, in order to provide relevant information to people interested in the private security industry. In order to receive this information from us people are required to give their consent when they sign up. This consent can be withdrawn at any time. We will only contact you with information you have told us you want to receive.
2.5 Security and performance
We use a third-party service to help maintain the security and performance of our website. To deliver this service it processes the IP addresses of visitors to our website.
2.6 If you contact us via social media
We use a third-party provider, Sprout Social, to help us process our social media interactions.
If you send us a private or direct message via social media the message will be stored by Sprout Social for 3 months. It will not be shared with any other organisations.
Please note that all comments and messages, including direct messages, posted to our social media sites Facebook, Twitter or LinkedIn belong to the person posting.
We do not own or hold any of the data that you post. As a result, we are unable to delete this information. However, we do take steps to remove personal information so that it is not visible to the public.
2.7 If you email us
We use Government Secure Intranet (GSI) anti-virus service to encrypt and protect email traffic in line with government. If your email service does not support GSI, you should be aware that any emails we send or receive may not be protected in transit.
We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.
2.8 If you phone us
When we receive phone calls we record them for the purposes of quality monitoring and to assist us when we make individual licensing and approved contractor decisions. We may also keep a written record of personal information you provide us over the phone and store it against your SIA account or on our intelligence database.
When you phone us you will be required to answer security questions so that we can be sure you are who you say you are.
2.9 If you make a complaint to us
When we receive a complaint about the SIA we make a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.
We will use the personal information we collect to process the complaint and to check on the level of service we provide. We do compile and publish statistics showing the number of complaints we receive, but not in a form which identifies anyone.
We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute. If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.
We will keep personal information contained in complaint files in line with our retention schedules. It will be retained in a secure environment and access to it will be restricted to those staff that require access for their role.
2.10 If you provide us with intelligence
We do not run a formal complaints scheme in relation to the conduct of businesses or individuals operating in the private security industry.
When we receive information from a member of the public regarding the conduct of a private security business or its operatives it is treated as intelligence. This is because any information received can only be used by us in so far as it informs any investigation into breaches of the Private Security Industry Act 2001 and/or the individual licence or Approved Contractor Scheme conditions.
We do not typically release intelligence or provide an update regarding any action taken in relation to intelligence if it relates to investigations or proceedings we are conducting or the disclosure would prejudice our / our partner’s ability to exercise our / their statutory functions. Unless required by law, we would never release the name or contact details of an individual who has provided us with intelligence.
When we take enforcement action against someone as a result of intelligence we have received we may publish the identity of the defendant in our annual report or elsewhere. Usually we do not identify any complainants unless the details have already been made public.
2.11 If you create an SIA online account
When you set up an online account we ask you to give us some personal information, including your name, address, unique personal identification information, and contact details. We use this information to maintain an SIA account in your name, assess applications you submit, share information with other government agencies and to contact you.
2.12 If you sign up to receive text messages from us
When you make a licence application we will always keep you up-to-date with the status of your application via your online account. However, we can also send you text messages if you provide your consent.
If you would like us to send you text messages regarding the status of any applications made by you, or on your behalf, you should log into your SIA online account and choose “Yes” to SMS in your account settings.
We will continue to send you text messages until you withdraw your consent or a decision is reached regarding your application.
2.13 If you apply for an SIA licence
We use the information you provide on your application form to decide whether you are a fit and proper person to hold an SIA licence. In doing so, we make a variety of checks against the SIA licence criteria.
To verify they are correct, we provide:
- your name and address history to Experian
- your passport number to HMPO
We are allowed to ask for your criminal history as our statutory licensing criteria require us to check applicants’ criminality and there is a substantial public interest in us doing so.
We will obtain a copy of your criminal record certificate from the Disclosure and Barring Service, Disclosure Scotland or Access Northern Ireland. To do so, we provide them with your name, address and date of birth so they can identify records held about you and verify your identity.
If you believe that your criminal record certificate contains inaccurate information, you should notify the disclosure body and us without delay. If you tell us that your certificate may contain inaccurate information we will discuss the matter with the disclosure body and not take a final licensing decision until the disclosure body has confirmed the accuracy of relevant information. We will not take into account any inaccurate information.
When we receive a copy of your criminal record certificate we save it against your SIA account. This information is stored on our licensing system and can only be accessed by those staff requiring access to undertake their roles. Your criminal record certificate is retained for a period of 10 years.
See also our policy on processing special categories and criminal convictions data.
We will check applicants have a valid qualification by checking our Qualifications Database. When you obtain a qualification from a training provider it is their responsibility to let us know you hold this qualification by uploading your name, address, date of birth, photograph and qualification onto our qualifications database.
Mental health checks
One of the checks we undertake is to confirm with a medical professional that anyone who has been subject to compulsory detention or other compulsory measures in the last five years is fit to work in the industry.
To do this check we obtain a medical report from your psychiatrist, psychologist, therapist or GP, and we review the recommendations they make.
So that your treating practitioner knows they can legally share this information with us, we will ask you to give your signed consent for this to happen.
You can withdraw this consent at any time prior to when we request the medical report. You can do this by submitting a request through your SIA online account. However, your application cannot proceed until we receive a medical report in relation to any relevant mental health information that you have declared.
See also our policy on processing special categories and criminal convictions data.
Right to work checks
We will check whether applicants have the right to work in the UK. To do this we will check the right to work of non-EU applicants with the Home Office, and we will send your name, date of birth, gender and nationality details to the Home Office.
While we do not actively seek out non-conviction information, if it is provided to us by a partner agency or a member of the public, we will consider whether this information may be relevant to whether you are a fit and proper person to hold a licence. If the information may be relevant, we will conduct checks to verify or obtain further information. For example, we may obtain copies of CCTV footage.
If non-conviction information is provided in the form of CCTV footage, we ensure the footage is securely stored on DVD in a locked safe and is only accessible by SIA Decisions staff.
If we decide to rely on CCTV footage to make a licensing decision we will always provide you with a copy of that footage. Before doing so, we will provide the CCTV footage to a specialist redaction company to edit the footage so only the relevant data subjects are visible. We have contractual arrangements with a specialist redaction company that we use and this ensures that any footage sent is encrypted and securely stored.
Equalities monitoring questions
As part of the Public Sector Equality Duty, we are required to analyse the effect of what we do on all protected groups. When you apply for an SIA licence we will ask you equalities monitoring questions regarding age, disability, gender reassignment, sex, race, religion or belief and sexual orientation.
We may use the equalities data we collect in the following ways:
- to publish anonymised equalities data regarding the industry
- in our regulatory reform work to help us monitor the diversity impact of the changes we make
- to inform our publications or engagement with people as part of our work to promote diversity in the industry
- to help us meet our public sector equality duty, for example monitoring our decision making by protected characteristics
- to facilitate research and analysis by others
- to meet any reporting requirements to the Home Office
You do not have to answer these questions. Any information you choose to provide will be held in the strictest confidence and will only be seen by the SIA staff involved in equalities monitoring. It will not be seen by SIA staff involved in making decisions in relation to your licence application or licence. We make sure that no-one can be identified from any equalities monitoring data we publish or share with others.
2.14 If you use our Pay Only, Licence Assist or Licence Management services
We offer a range of services to help make it easier for people to submit licence applications and manage their relationship with us. Pay Only, Licence Assist and Licence Management allow you to have a business collect and provide information to us on your behalf.
You can link your online account to a business’ online account to allow the business to pay your licence application fee. When this happens the business will see your name, application reference number, licence sector and the status of your licence application.
The link between the accounts will break when the application fee is paid. However, you can break the link at any time by clicking ‘unlink’ in your SIA online account.
You can link your online account to a business’ online account to allow them to make an application on your behalf. When this happens the business will see the most up to date personal information that we hold about you. However, the business will never see your mental health or criminality information unless you give it to them.
The link between the accounts will break when a licence decision is made. However, you can break the link at any time by clicking ‘unlink’ in your SIA online account.
You can link your online account to a business’ online account to allow them to make an application on your behalf and manage your relationship with us on an ongoing basis. When this happens the business will see the most up to date personal information that we hold about you. However, the business will never see your mental health or criminality information unless you give it to them.
The link between the accounts will break when either the business or you unlink the accounts. You can break the link at any time by clicking ‘unlink’ in your SIA online account.
Businesses that are approved to use the licence management service conduct checks against our identity licensing criteria on our behalf. We have a contractual relationship with these businesses and ensure they meet our security standards.
2.15 If you apply to join our Approved Contractor Scheme (ACS)
We use the information you provide on your application form to decide whether your business is fit and proper to become an approved contractor. In doing so, we undertake a variety of checks against the ACS eligibility criteria and the ACS Standard.
While much of the information you will be asked to provide is about the business, and is therefore not personal information, we do ask for some personal information regarding the individuals in control of, employed by or associated with that business. In most cases this will only include their name, address, contact details and licence number (if applicable). However, in some circumstances you will also be asked to provide full staff lists and the details of staff that have worked on specific contracts or at specific sites.
Where we have asked for personal information, it will typically be used to conduct identity checks, to verify the controlling minds of the business, to verify that all staff are SIA licensed, and to verify the business model that has been adopted.
At times we may also share your personal information with assessing bodies – for example, we may instruct them to undertake specific checks against the ACS Standard that involve particular individuals. Assessing bodies operate under contract with us and all information shared and stored is done so securely in accordance with the terms of that agreement.
2.16 If we have a contractual relationship with you
We collect personal information about the staff of organisations we enter into agreements with, for example ACS assessing bodies, awarding organisations and companies approved to use our Licence Management service. Typically we collect the name and contact details of staff so we can undertake due diligence and effectively manage the contractual relationship. Details about how we manage the data collected under each specific contract are included in the clauses of each agreement.
2.17 If we take enforcement action against you
When we investigate breaches of the law or the conditions of our individual licensing regime or approved contractor scheme we collect personal data.
If we decide to take criminal enforcement action we try to publicise as much information about our cases as we can without compromising law-enforcement work, prejudicing the right of defendants to a fair trial, or causing avoidable reputational damage or harm to individuals or businesses under investigation. Typically we will publish details of an investigation once it results in a decision to prosecute and a company or individual has been charged with an offence. However, in certain limited circumstances, we may choose to publish information about an investigation before charges are laid.
Following the closure of a case or judgment from the court we may continue to make summary information available on our website for a period of up to 1 year in relation to individuals and up to 5 years in relation to businesses.
2.18 Job applicants
We collect personal information about applicants through the application and recruitment process, either directly from candidates or sometimes from an employment agency, previous employers or from organisations that assist us with our background checks.
2.19 Our staff
We collect a range of personal data about employee, agency and contract staff in order to manage their employment relationship with us during the recruitment process, while they are working for us, at the time their employment ends and after they have left. Staff should see our Internal Data Protection Policy for more information regarding how we handle their data. Former staff should contact email@example.com to obtain a copy of our current Data Protection Policy.
3. Why we ask for your personal information
We will only ask you to provide personal information if we need it. Typically, when we collect the information we will tell you why we need it, what we will do with it and whether we will share it with anyone else.
In general, we collect and use personal information where:
- it is necessary to perform our statutory functions under the Private Security Industry Act 2001 – for example, to operate our individual licensing regime or our Approved Contractor Scheme
- it is required by law – for example, to comply with equalities, employment, or health and safety legislation
- we have a contract with you – for example: you work for us, you provide a service to us or we have approved you to do something (such as conduct approved contractor assessments)
- you (or your legal representative) have given us your consent – for example, you signed up to receive text messages from us
We will never sell your personal information to anyone else.
4. Who we share your personal information with
We can only share information when the law tells us we can do so.
We share information with core service providers and third party platforms as required for our business to function e.g. IT providers, payroll providers, pension scheme providers, auditors, legal advisors etc.
We also share and receive information we collect for our statutory purposes with other government agencies in order to:
- conduct checks against our licensing or approved contractor criteria or conditions
- check the accuracy of information we hold
- prevent or detect crime
- protect public funds
- as otherwise permitted by law
The agencies we typically share and receive personal information with relating to whether you are fit and proper to hold our SIA licence are:
- The Home Office
- The Police
- The Department for Work and Pensions (DWP)
- Her Majesty’s Passport Office (HMPO)
- Her Majesty’s Revenue and Customs (HMRC)
- The National Crime Agency (NCA)
- Vetting agencies (the Disclosure and Barring Service (DBS), AccessNI and Disclosure Scotland)
We will also share your personal information with any business you link your online account with.
The agencies we typically share information with / receive information from in relation to whether you are fit and proper to join our Approved Contractor Scheme include:
- The Home Office
- The Police
- The Department for Work and Pensions (DWP)
- Her Majesty’s Revenue and Customs (HMRC)
- Local authorities
- The Insolvency Service
- Assessing Bodies
- Customers of applicant businesses
- Payroll or finance companies associated with applicant businesses
- Consultants acting on behalf of applicant businesses
The agencies we typically share and receive information with in order to manage our relationship with staff and prospective staff include:
- Home Office Departmental Security Unit
- Vetting agencies (the Disclosure and Barring Service (DBS), AccessNI and Disclosure Scotland)
- UK Border Agency
- Foreign and Commonwealth Office
- Occupational health providers
- Pay and Pension Providers (RSM, National Audit Office, HMRC, MyCSP, Opus Trust Marketing and, if appropriate, a Partnership Pension Scheme provider)
5. How we store your personal information
Most of the information we hold on you will be stored electronically. Even if you send us documents, we will usually scan these and then either return the originals to you or destroy them.
6. How we protect your personal information
The security of your personal information is very important to us. There are a number of ways we make sure that the information we hold about you (on paper and electronically) is secure. We make sure that we only make this information available to those who have a legal right to see it.
Examples of our security include:
- securely storing electronic information with appropriate encryption or security controls where required, both at rest and in transit in accordance with industry best practice and available technologies
- processing information in accordance with HMG IA policies and industry standard risk assessments
- independently accrediting ICT systems to Government standards by an independent accreditor
- controlling access to systems and networks so that only those people who need to and are allowed to see your personal information are able to access it
- training for our staff to make sure that they know how to handle personal information and how and when to report when something goes wrong
- making sure we only discuss personal information with a data subject once we have confirmed their identity
- regular independent testing of our technology is carried out through IT health checks and penetration tests to mitigate vulnerabilities which could lead to breaches and ensure we are keeping up to date with the latest security and software updates (sometimes called ‘patches’)
- ensuring all information you give us relating to payment details is handled in a PCI DSS compliant way
7. How long we store your personal information
How long we keep information you give to us depends on exactly what information it is, why we need it, and what we use it for. There will usually be a legal reason for keeping your personal information for a particular period of time. We try to include all of these in our retention schedule.
For example, we will usually keep information you provide or that we collect in relation to an application for a licence or any further decision we might make about your licence (such as suspension or revocation) for 10 years. We will usually keep messages you send to us or that we might send to you for 7 years. We keep criminality information for 10 years.
If you would like to know exactly how long we will keep a particular piece of personal information, you can ask us.
8. Transfer of information outside of the EU
We do not routinely transfer data outside of the EU. However, we do use MailChimp, an e-mail marketing provider that stores data in the USA. If you sign up to receive information from us, your email address and contact preferences will be stored and managed by MailChimp. We have a contractual relationship with MailChimp and are satisfied that data held in the US is appropriately secure because of the following assurances:
- MailChimp complies with the US Privacy Shield framework and has self-certified to both the EU-US Privacy Shield and Swiss-US Privacy Shield regimes
- MailChimp lawfully transfers EU/EEA personal data to the U.S. pursuant to their Privacy Shield Certification
- MailChimp completes a SOC II Type 2 examination on an annual basis for the Trust Principle Criteria of Security, Processing Integrity, Confidentiality and Availability
- the MailChimp website contains a significant amount of information on their GDPR readiness and acknowledges the importance of protecting personal data and privacy
- MailChimp’s US datacentres manage 24/7 physical security controls
- MailChimp publishes details on application level, internal IT, and internal protocol security controls utilised; exhibiting cyber security awareness and appropriate resilience
If we decide to store any other data outside of the EU, we will tell you before we do so.
9. Automatic processing / profiling
We use an online licensing system to automatically assess and profile information held about licence applicants in order to make a decision whether they are fit and proper to hold an SIA licence. However, we will not take any licensing decision that negatively affects you without a member of our staff reviewing the application. Additionally, you will always be given the opportunity to provide further information for us to consider before we make a final licensing decision.
10. Your rights
Data Protection law gives you rights about the personal information we hold and how we use it.
10.1 The right to ask for the information we hold on you
You have the right to ask for all the information we have about you. This is called a ‘Subject Access Request’.
There is some information we may not be able to share with you. Some examples of this are:
- information that is also about other identifiable people
- information that might stop us preventing or detecting a crime if we were to share it
10.2 The right to ask us to change information you think is inaccurate
You should let us know if you think information we hold on you is out-of-date or inaccurate. We may not always be able to change or remove that information but we will correct any factual inaccuracies and will include your comments in the record to show that you disagree with it.
There is some information you can update or correct without needing to contact us:
- if you need to change the address details we hold for you, you can update these in the ‘My Account’ section of your SIA online account.
- you can use the ‘Notify the SIA’ tab on your SIA online account to inform us of any changes to your name, criminal record, right to work in the UK, mental health or gender.
10.3 The right to ask us to delete information (sometimes called ‘the right to be forgotten’)
In some circumstances you can ask for your personal information to be deleted, for example:
- where your personal information is no longer needed for the reason why it was collected in the first place
- where you have removed your consent for us to use your information and there is no other legal reason we need to use it for
- where deleting the information is a legal requirement
Where your personal information has been shared with others, we will do what we can to make sure those using your personal information comply with your request for erasure.
There are some circumstances in which we will not be able to delete information. For example:
- we are required to keep the information by law
- holding the information is required for us to carry out our statutory duties
- holding the information is required for the detection or prevention of crime
10.4 The right to ask us to limit what we use your personal data for
You have the right to ask us to restrict what we use your personal information for if:
- you have identified inaccurate information, and have told us about it
- we have no legal reason to use that information but you want us to restrict what we use it for rather than erase the information altogether
When information is restricted it can be stored but it cannot be used without your consent, other than to handle legal claims and protect others, or where it is in the public interest.
There are some circumstances in which we will not be able to limit how we use your information. For example:
- we are required to use the information by law
- using the information is required for us to carry out our statutory duties
- using the information is required for the detection or prevention of crime
10.5 The right to ask for your personal information to be moved to another agency (known as ‘Data Portability’)
You can ask for your personal information to be given back to you or another service provider of your choice in a commonly used format.
This only applies if we are using your personal information with consent (not if we are required to by law) and if decisions were made by a computer and not a human being.
11. What to do if you have questions or concerns
If you have questions about how we collect, use or store your personal information, or your rights, please contact our Data Protection Officer, Lisa Targowska, at firstname.lastname@example.org.
For independent advice about data protection, privacy and data sharing issues, you can contact the Information Commissioner’s Office (ICO).
You can visit the ICO website or email them at email@example.com.
Telephone numbers for the ICO are 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number.
The address to write to is:
Information Commissioner’s Office
13. Who is the data controller?
The SIA is the data controller. You can contact us by writing to:
Security Industry Authority
PO Box 74957
We have closed our office in response to the coronavirus pandemic and we cannot receive or process any physical documents sent to us. If you need to contact us, please do so through your SIA online account or through the contact form on our website.