Guidance

PSC Operations personnel security: privacy information notice

Updated 29 March 2023

PSC Operations (PSC Ops)

PSC Ops provides personnel security and national security vetting services to a number of government departments with the Home Office as the host and lead department.

This privacy notice applies when a National Security Vetting (NSV) application is processed by PSC Operations (PCS Ops) Personnel Security in conjunction with United Kingdom Security Vetting (UKSV) and explains how we store and handle personal data processed as part of NSV. This notice will be updated from time to time when there is a change to the way in which personal data is stored or handled and the latest version will be the version available on gov.uk.

Further information on how your personal data is processed can be found on UKSV Privacy Notice and Personnel Security Controls

Data controller and contact details

PSC Ops carries out NSV in conjunction with UKSV for several government departments including the Home Office and is the joint data controller with UKSV for personal data used in the NSV process. The Data Protection Officer (DPO) for PSC Operations is the Home Office DPO who can be contacted via DPO@homeoffice.gov.uk. Information on the DPO for UKSV can be found in the UKSV Privacy Notice.

If you wish to exercise your rights under data protection legislation, you should contact the Home Office Information Rights Team, Knowledge and Information Management Unit at info.access@homeoffice.gov.uk.

Purpose of processing personal data

PSC Ops processes personal data for the purpose of carrying out NSV. NSV is necessary and proportionate to safeguard the United Kingdom’s national security and is therefore of substantial public interest and constitutes the exercise of official authority. We may process your data for ancillary purposes. For example, to fulfil legal and regulatory requirements.

Legal basis for processing

PSC Ops processes personal data and that of third parties in accordance with the General Data Protection Regulation and Data Protection Act 2018, UK GDPR Article 6(1)(e), 9(2)(g) and 10. The processing of personal data is necessary for the purpose of NSV, which is carried out for reasons of substantial public interest and in the exercise of official authority vested in the data controllers. It is necessary for the performance of a public task.

How your data will be processed

Personal data and that of third parties will be processed as described in the ‘Statement of HM Government Personnel Security and National Security Vetting Policy’, which is described in the vetting forms as an annex to the document Personnel Security Controls. The categories of personal data which we process are described in those documents.

Data sharing

Personal data that we collect and process for NSV is strictly controlled and protected by a high level of physical, cyber and personnel security measures and access is only provided for the purpose of NSV and those with a strict ‘need to know’ basis.

Information submitted for security vetting will not be used for any other purpose. Exceptions to this policy include legal obligations (e.g. Court order, Police warrant, Vetting Appeals, MPs requests), or where there is an overriding corporate duty of care to the vetting subject.

To perform the NSV checks and reach a security clearance decision, PSC Ops may need to share some of your data with:

• your sponsor Government department (to request access to relevant personnel records or notify them on your security clearance decision)
• public authorities which maintain national security and criminal record databases
• credit reference agencies
• referees (e.g. supervisors, character and academic)

Data retention

Personal data and that of third parties will be retained for so long as is necessary for the purpose for which it was collected and in accordance with the General Data Protection Regulations (UK GDPR) and Data Protection Act (2018). Personal data and documentations collected during the NSV process will normally be retained for as long as there is a legitimate reason to do so.

Your rights

You have considerable say over what happens to your personal data. Your rights and how you may exercise them are fully detailed on the ICO website. In relation to your personal data held by PSC Ops you have the right:

a. To request a copy of your personal data

b. To require us to restrict the processing of your data in certain circumstances

c. To request your data be deleted or corrected

d. To object to the processing of your data

e. To lodge a complaint with the Information Commissioner’s Office (ICO) if you think we are not handling your data fairly or in accordance with the law.

National Security exemptions may apply to your requests in accordance with the Data Protection Act (2018). If exemptions apply, you will be informed.

Decisions based on automated processing

NSV decision are not based solely on automated processing, including profiling. The decision whether to grant or refuse security clearance is taken on a case by case basis by the relevant personnel in PSC Ops.

How to complain

If you are not satisfied with the way in which your personal data is processed by PSC Ops, you may make a complaint to:

• PSC Ops: PSCOpsContactUs@homeoffice.gov.uk, or
• Office of the Data Protection Officer (ODPO): DPO@homeoffice.gov.uk

Information Commissioner’s Office

You also have the right to take your complaint to the Information Commissioner’s Office, who is an independent regulator. The Information Commissioner can be contacted at:

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113

Make a complaint on the Information Commissioner’s Office website