Right to Work Right to Rent Data Protection Notice

DATA PROTECTION INFORMATION NOTICE

ID-PAL LIMITED

A certified Identity Service Provider

With effect from September 2022

Who we are?

Part I – App Users

How does the ID-Pal app work and what personal data is processed?
Who is the Data Controller for the various processing activities outlined above?
What legal bases do ID-Pal rely on for the processing of personal data?
Who do ID-Pal share with /disclose to your personal data?
1. CIFAS
Do we transfer personal data outside the United Kingdom?
How do ID-Pal keep my personal data safe and secure?
How long do we retain your personal data for?
What data protection rights do you have?

Part II – Our Customers

What personal data of customers do ID-Pal process?
What do you do with this personal data?
What legal basis do you rely on for these processing activities?
Who do you share the personal data with?
How long do you retain personal data for?
What data protection rights do you, our customer have?

Who we are?

We are ID-Pal Limited, a company incorporated under the laws of Ireland with company registration number 578727, whose registered office is at 145 Pearse Street, Dublin, 2, D02 CP08, Ireland.

We provide mobile and web application software to customers which verifies and authenticates identity information and documentation submitted to us.

We have been certified as an Identity Service Provider and meet the relevant requirements of the United Kingdom Digital Identity & Attributes Trust Framework. Our Schedule of Certification can be viewed here.

Our Data Protection Officer (‘DPO’) is Sinead McDonald who can be contacted at our registered address and at [email protected]

ID-Pal Limited (‘ID-Pal’) and our DPO are registered with the Information Commissioners Office (‘ICO’).

Our UK Representative is Waystone Compliance Solutions (UK) Limited.

This Data Protection Information Notice outlines our processing activities as a data controller.

Part I- App users

2. How does the ID-Pal app work and what personal data is processed?

We provide our software to customers who are obliged under the Rent to Work or Right to Rent schemes in the United Kingdom to verify the identity of prospective employees or tenants (the ‘Purpose’). Only certified Identity Service Providers can assist in this exercise.

Our customers will send you a link via SMS or email and request you download the ID-Pal app from either the App Store/Google play store. Once downloaded, you will be asked to:

Upload your identity document which can be a passport, a driver licence or National Identity Document
Take a selfie and submit it
Submit your name, address, date of birth, gender, email address and mobile number.

We will also automatically collect certain technical information when you use our app such as device make and model and IP address.

We will undertake a number of technical checks on the identity document and selfie image to ensure their authenticity. We will check all details against a number of fraud databases, for the purposes of preventing fraud and money laundering.

We will provide a report to our customers outlining the results of our fraud, verification and authentication checks, in the form of a due diligence report.

If we detect fraud on documentation or information submitted as well as advising our clients, we may also file a case with CIFAS a fraud prevention service.

3. Who is the Data Controller for the various processing activities outlined above?

ID-Pal is the data controller of the personal data submitted or uploaded to our App as we have determined the purpose and means of the processing. The purpose is to verify and authenticate identities and the means is through use of our mobile app.

We provide our app and service to prospective employers and landlords, (‘Our Customers’) who are also data controllers of your personal data. They will have a separate Data Protection Information Notices.

If we have cause to file a case with CIFAS they are a data controller for the maintenance of those databases. See section 5 below.

4. What legal basis do ID-Pal rely on for the processing of personal data?

The processing of the personal data outlined in section 2 above is necessary for the purpose of the legitimate interest pursued by ID-Pal (Article 6(1)(f) of the GDPR). This legitimate interest is to provide robust, safe and secure software to our customers to verify and authenticate identities in order to assist them in complying with their legal obligations.

Biometric checks on a ‘Selfie’ fall within definition of special categories of personal data and the legal basis relied on here is your explicit consent (Article 9(2)(a)) which is requested in the app before you submit your Selfie. If you do not provide your consent, we will be unable to verify and authenticate your identity.

Where we disclose our verification and authentication checks to CIFAS, we do on the basis that it is in the public interest to takes measures to detect and prevent fraud as set out in paragraph 14 of Schedule 1, Part 2 of the Data Protection, Act 2018.

Our customers may ask us to store our due diligence report, once complete and if they do, we will be acting as their data processor.

5. Who do ID-Pal share with /disclose to your personal data?

Our Customers

We prepare a due diligence report for delivery to our customers which contains images of the identity documentation and information submitted as well as the results of our verification and authentication checks which we present in the form of a due diligence report.

Our data processors:

The information we collect from you may be transferred to third parties in connection with our service model and the technology infrastructure we use. It may also be processed by these companies and/or by our and their respective employees and service providers. These third parties are our data processors. We will take steps to ensure that these third parties will:

only receive the personal data necessary for them to provide us with their service;
take appropriate security measures to protect your personal data;
commit themselves and their employees to confidentiality;
provide assistance to us in the discharge of our obligations to you; and
report all data breaches to us without undue delay.

CIFAS

CIFAS is a not-for-profit fraud prevention membership organisation. They are the UK’s leading fraud prevention service, managing the largest database of instances of fraudulent conduct in the country.

Their members are organisations from all sectors, sharing their data across those sectors to reduce instances of fraud and financial crime.

ID-Pal are a member of CIFAS and can search their databases for records of fraudulent conduct by individuals. Should ID-Pal identify fraudulent conduct at any time that meets CIFAS’ standard of proof, ID-Pal are required to file a new case to the database. In addition, we will advise our customers of findings of fraud who may in turn decide not to proceed with your application for employment or to rent. A record of any fraud or money laundering risk will also be retained by CIFAS and may result in other members of CIFAS refusing to provide services, financing or employment to you.

CIFAS may also share your personal data with law enforcement agencies who detect, investigate and prevent crime.

Others

ID-Pal may also have to share information with third parties to meet any applicable law, regulation or lawful request from a law enforcement agency. When we believe we have been given false or misleading information, or we suspect criminal activity we have an obligation to record this and report to law enforcement agencies, which may be either in or outside Ireland.

ID-Pal may also disclose information to our professional advisors in order for them to provide us with advice.

6. Do we transfer personal data outside the United Kingdom?

Personal Data may be transferred to third parties who are our processors/sub processors as part of our business model as described in sections 5 above. This may include the transfer of data to other jurisdictions for processing at a destination outside the United Kingdom. Such transfers only occur either on the basis of an adequacy decision made by the United Kingdom Government or an approved safeguard measure such as standard contractual clauses.

7. How do ID-Pal keep my personal data safe and secure?

All information including personal data is encrypted at rest and in transit. We use AWS in Europe, for storage. We have firewalls on our application and database servers. Personal data is logically segmented to ensure that only the customer you are submitting to (and ID-Pal, when reviewing submissions), have access to the personal data. Customers must be authenticated, before they can access their account on the platform. All ID-Pal employees are subject to contractual obligations of confidentiality and must undertake annual data protection and information security training.

While we take these steps to maintain the security of your information, you should be aware of the many information security risks that exist and take appropriate care to help safeguard your information. The nature of the internet is such that we cannot guarantee the security of the information you transmit to us via email, and any transmission is at your own risk.

ID-Pal is ISO 27001 certified.

8. How long do we retain your personal data for?

ID-Pal retain the completed due diligence report in our systems for 30 days following completion, unless our customers instruct us, as their data processor, to store it for longer to enable them to comply with their obligations under the right to work or right to rent schemes.

Our customers have different retention periods to ID-Pal. They are required to retain the due diligence report we have prepared for the duration of your employment/tenancy and up to 2 years thereafter.

CIFAS have also different retention periods to ID-Pal. If you are considered to pose a fraud or money laundering risk, they will retain your personal data for up to 6 years.

9. What data protection rights do you have?

Under UK GDPR you have the following rights:

You have the right to withdraw your consent for the processing of personal data.
You have the right to request information about whether we hold your personal data, and, if so, what that personal data is and why we are holding/using it.
You have the right to request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
You have the right to request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate personal data we hold about you corrected.
You have the right to request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
You have the right to object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes.
You have the right to object to automated decision-making including profiling, that is not to be the subject of any automated decision-making by us using your personal data or profiling of you. ID-Pal does not make decisions based solely on automated processing. If any of our checks indicate a concern, a member of the ID-Pal team will assess that specific submission before completion of the due diligence report.
You have the right to request the restriction of processing of your personal data.
You have the right to request transfer of your personal data in an electronic and structured form to you or to another party (commonly known as a right to “data portability”).

Not all data protection rights are absolute and some, not all, may be restricted in certain circumstances.

You can submit a data protection rights request to our DPO at [email protected] and we will respond without undue delay and in any event within one month of receipt.

You also have the right to complain to the ICO if you have concerns about how we process your personal data. Make a complaint | ICO

Part II- Our customers

10. What personal data of customers do ID-Pal process?

In order to provide our product and service to you, our customers, we will process the some or all of following personal data belonging to you and your employees:

Name
Address
Email address
Contact details including mobile numbers and LinkedIn profiles
Credit card/bank account (if you are a sole trader)
Username and password
Log activity
Telephone messages
Job role

11. What do you do with this personal data?

We use this personal data to

deliver our product to you,
provide secure access to the web platform,
investigate any issues you may have,
answer your queries,
provide you with updates on features and upgrades,
assist you and your team with implementation and training,
advise you of regulatory developments,
invite you to events, and
ask you for feedback on our product and services.

12. What legal basis do you rely on for these processing activities?

We rely on one of the following:

Processing is necessary for the performance of the contract we have with you.
Processing is necessary for the legitimate interest pursued by ID-Pal which is to deliver the best-in-class product and customer service to our customers.

13. Who do you share the personal data with?

We use a range of information technology and software to deliver our product and services to you and these providers are our data processors. In addition, we may also disclose your personal data to our professional advisers such as lawyers, information security and data protection specialists and accountants.

Some of our data processors are located outside the United Kingdom. Personal data is transferred either on the basis of an adequacy decision made by the United Kingdom Government or an approved safeguard measure such as standard contractual clauses.

14. How long do you retain personal data for?

ID-Pal will retain customer personal data for the duration of our business relationship and seven years thereafter as required for tax and accounting purposes.

15. What data protection rights do you, our customer have?