Guidance

Border Force personnel security: privacy information notice

Updated 29 August 2023

Privacy notice

Border Force is an operational command of the Home Office with law enforcement functions and delegated authority to conduct additional security checks during recruitment and additional processing of information during employment to ensure that Border Force staff at the border are fit for the critical and sensitive tasks that they are to perform, securing the national border.

This specific privacy notice has been created to make it easier for you to understand what personal data the Home Office and Border Force processes about you, and how and why we use it.

You should read this PIN in conjunction with the Home Office recruitment privacy notice and employee life cycle privacy notice.

The Home Office and Border Force is entitled to check employee’s suitability in order to safeguard border security. It is of substantial public interest to ensure those who work for and/or with do not compromise Border Force’s operational and strategic aims securing the national border.

The information that we will process about you will not vary depending on your role or position. Everyone’s data will be processed in the same way.

This privacy information notice applies to all external recruits to Border Force who have been successful in a Border Force recruitment campaign, including those who are recruited directly from another civil service department. It does not apply to recruitment from other parts of Home Office nor to short term surge or contingency measures outside of a recruitment campaign.

This privacy information notice also applies to the processing of your data during the lifecycle of your employment in Border Force, including under the various Insider Threat and People Protection policies deriving from the Border Force code of ethics.

These include additional security checks, open source checks, mandatory declarations, intelligence gathering and HR discipline & misconduct information. Additional Insider Threat and People Protection policies will be introduced from time to time. This privacy information notice will apply to the processing of your data under such policies, which will be drawn to the attention of all Border Force employees.

We are committed to ensuring that the personal data of Border Force employees is handled in accordance with the principles set out in the Commissioner’s Guide to Data Protection.

The Home office is the data controller of this information, and your personal information will be held and processed by the Home Office – 2 Marsham Street, London SW1P 4DF, unless this notice specifically states otherwise. This also includes when it is collected or processed by third parties on our behalf. The department’s data protection officer can be contacted at: DPO@homeoffice.gov.uk

Lawful basis for processing your personal data

The Border Force integrity team collects, processes, and shares personal information to enable it to carry out its statutory and other functions.

Depending on the processing activity, we rely on the following lawful basis for processing your personal data under the Data Protection Act 2018 (DPA 2018), more specifically under Part 2 – General Processing (UK General Data Protection Regulations (UK GDPR)) :

• Article 6 (1) (b) ‘contract’ –processing is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into a contract. In this case, the contract would be your contract of employment with Border Force.

• Article 6 (1) (c) ‘legal obligation’ - for the compliance with a legal obligation (e.g. tax, pension contributions).

• Article 6 (1) (f) ‘legitimate interests’ - processing is necessary for the purposes of the legitimate interests pursued by Border Force or by a third party. In this instance, the legitimate interest of Border Force is to assess employee suitability to ensure that employees are fit for the tasks that they perform of protecting the border. To this end, checks are carried out on candidates to assess their suitability to have access to sensitive information, assets and equipment as potential employees. The risk to data subjects arising from these checks is that if adverse information is discovered during the recruitment process, Border Force may not provide or confirm an offer of employment to a candidate. It is therefore in a candidate’s best interest to provide full disclosure during pre-employment assurance processes, so any risks they present as a potential employee can be properly assessed.

We will also collect, process, and share sensitive personal data which is known as special category data. This is covered under the following Articles of the UK GDPR:

• Article 9 (2) (b) - compliance with a legal obligation in connection with employment (e.g. reporting Trade Union Representative data, or medical information in order to apply a work place adjustment).

• Article 9 (2) (g) - reasons of substantial public interest.

When we process special category data using the lawful basis of “substantial public interest” under Article 9 (2) (g), we meet the following conditions set out in Part 2 of Schedule 1 of the DPA 2018:

10. Preventing or detecting unlawful acts

11. Protecting the public

14. Preventing fraud

15. Suspicion of terrorist financing or money laundering

18. Safeguarding of children and individuals at risk

Data sharing

Personal data that we collect and process for the security checks during recruitment and, during employment, under Insider Threat and People Protection policies is strictly controlled and protected by a high level of physical, cyber and personnel security measures and access is only provided for the purpose of personnel security checks, and those with a strict ‘need to know ‘basis. Information submitted for security vetting will not be used for any other exceptions to this policy include legal obligations (e.g. court order, police warrant, vetting purpose, appeals, MPs requests), or where there is an overriding corporate duty of care to the vetting subject.

We may process your personal data under part 3 of the Data Protection Act 2018 (law enforcement processing). Part 3 of the DPA 2018 sets out a separate data protection regime for authorities with law enforcement functions when they are processing for law enforcement purposes. Therefore, very exceptionally, data supplied by you or by a third party may be sufficiently serious that the data controllers consider it is necessary and in the public interest to share relevant information with an appropriate authority, such as the police.

How we obtain your information

We get information about you from the following sources:

• directly from you – e.g. declaring sponsorship of someone if you are a Home Office employee and determining legitimate sponsorship through mandatory declarations, social media handles

• from an employment agency

• from your employer if you are a secondee

• from security clearance providers

• from occupational health and other health providers

• from pension administrators and other government departments, for example tax details from HMRC

• from human resources

• from other law enforcement agencies

• from financial institutes

• from internal home office systems

• from any other governmental departments

We may share your information with other organisations in the course of carrying out our functions, or to enable others to perform theirs, but only where it is lawful. We use data processors who are third parties to provide elements of the services in the department. We have data sharing agreements in place with our data processors which means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct. These organisations include, but are not limited to:

• other parts of government – HMPPS, HMRC, DWP

• National Crime Agency (NCA)

• any police force

• HR enablers

• government vetting agencies

More information about the ways in which the Home Office may use your personal information, including the purposes for which we use it, the legal basis, and who your information may be shared with can be found in the Personal Information Charter and the Policy on Processing Special Category Data.

Please note that the checks we carry out are different to the standard vetting checks that all staff would require. This can be found at: Cluster 2 Security Unit Personnel Security

Third party data

During the personnel security checks on recruitment and pursuant to the Insider Threat and People Protection policies during employment, personal data belonging to Third Parties may be collected.

The third-party data is processed for the same purpose and on the same legal basis. Third party personal data is collected via the sponsored individual through the mandatory declaration process and under other Insider Threat and People Protection policies during employment (including via an initial mandatory declaration on joining Border Force, any further new declaration due to a change in circumstance or via the annual requirement to complete a mandatory declaration). What is collected might depend on your connection to the third party involved. In first instance the personal data sets being processed will be name, date of birth and address. Further details may be required depending on a case-by case basis.

Storing your information

Your personal information will be held for as long as necessary for the purpose for which it is being processed and in line with departmental retention policy. For the purposes of the processing activity, your personal data will be held for the length of employment plus an additional 3 years. This can be found at: Retention and Disposal Standards.

Requesting access to your personal data

You have the right to request access to the personal information the Home Office holds about you. You can make your request by emailing: Info.access@homeoffice.gov.uk

Other rights

For more information about your information rights please see the Recruitment Privacy Notice and Employee Life Cycle Privacy Notice.

In instances when your personal data is processed under Part 3 of the Data Protection Act (for law enforcement purposes), there may be a number of legal or other official reasons why we need to continue to keep or use your data and your rights may differ.

Questions or concerns about your personal data

You may also contact the data protection officer (DPO) directly to voice a concern or make a complaint about the way that your personal data has been handled.

The Home Office has a data protection officer who can be contacted by:

Email: dpo@homeoffice.gov.uk

Telephone: 020 7035 6999

Or write to:

Office of the DPO
Home Office
Peel Building
2 Marsham Street
London
SW1P 4DF

When we process your information we will comply with the law, including data protection legislation. Should you feel that your data is being processed in breach of data protection law or other legislation, you can report your concern to our data protection officer using the contact details provided above, or contact the information commissioner’s office at:

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 08456 30 60 60 or 01625 54 57 45. Fax: 01625 524510

You can also visit the Information Commissioner’s Office website.