Guidance

UK National Security Authority privacy notice

Published 24 July 2018

This notice sets out how the Cabinet Office, as UK National Security Authority (UK NSA), will use your personal data in relation to the activities described below and explains your rights.

Your data

Purpose

The UK NSA is undertaking the activities described below that may involve the processing of personal data.

Confirming and verifying Personnel Security Clearances (PSCs) of individuals who are required to handle classified information. Personal data can be communicated to and by the UK NSA in several formats, including but not limited to:

• Personnel Security Clearance Information Sheet (PSCIS) – A form used to seek verification of a clearance;

• Personnel Security Clearance Certificate (PSCC) – A form used to confirm an individual has a NATO, EU or ESA clearance;

• Request for Visit (RFV) – A form used to confirm clearances ahead of proposed visits to sites;

• Transportation Plan – A form used to confirm clearances of any personnel involved in transports of classified information;

• Courier Certificate – A form used to confirm that an individual hand carrying classified information has an appropriate level of clearance.

Processing security assistance requests from HMG organisations when an individual undergoing security vetting has not resided in the UK but in a nation which is a NATO, EU or ESA Member State.

Processing security assistance requests from NSAs of other states when an individual undergoing security vetting has resided in the UK.

Processing National Security Vetting Solution (NSVS) Sponsor Account applications when NSAs or other competent security authorities, international organisations, or contractors performing international classified contracts, require an individual to be granted a PSC in order to access classified information.

When non-British nationals working for UK contractors on international classified contracts require to undergo their national PSC process the UK NSA will receive and then forward those vetting applications to the appropriate NSA or other competent security authority for further processing.

Categories of personal data processed

The UK NSA may process the following personal data for the activities outlined above:

• Full name

• Date of birth

• Place of birth

• Passport number

• National Insurance Number

• Nationality(s)

• Home Address

• Personal contract details (i.e. phone number and email)

For assistance requests and replies, the UK NSA may handle and pass on criminal and security related information to the relevant security authorities.

Legal basis of processing

The UK NSA processes your personal data and that of third parties in accordance with the General Data Protection Regulation, as applied by Chapter 3 of Part 2 of the Data Protection Act 2018 (‘the Applied GDPR’). The functions of the UK NSA are exercised for the purposes of safeguarding national security.

The processing of your personal data and that of third parties is necessary for the purposes described above, which are carried out for reasons of substantial public interest and in the exercise of official authority vested in the data controller. Conducting these activities are functions of the Cabinet Office, which is a government department.

The UK NSA confirms and verifies PSCs and processes security assistance requests in order to comply with NATO, EU, ESA and other relevant International Organisations’ security policy and to meet other bilateral and multilateral security obligations (e.g. bilateral General Security Agreements).

Who we share your personal data with

In order to process a NSVS Sponsor Account request, some of your personal data will be provided to UK Security Vetting - UKSV (part of the Ministry of Defence), who will consider and process your request for a NSVS Sponsor Account.

For important reasons of public and national security, confirmation and verification of PSCs will be provided to the relevant NSAs or other competent authorities of international partners, international organisations, UK public authorities, or contractors undertaking classified contracts. Some of these organisations and contractors may be located within the EU, but others may be located in countries where the EU Commission has not issued an adequacy decision to confirm that it considers the country provides an adequate level of data protection. In such cases the UK NSA will transfer data where the transfer is necessary for important reasons of public interest.

Security assistance requests and replies containing personal data will be provided to the relevant UK public authorities responsible for carrying out security checks. Security assistance requests and replies containing your personal data will be provided to the relevant NSAs or other competent authorities of international partners.

Failure to provide data

You are required to provide the personal data requested in order to either obtain a NSVS sponsor account, obtain a PSC necessary for your role, or have an existing PSC confirmed in order access secure areas, hand carry classified information, or be employed in a position requiring a PSC. It is likely that the obtaining of a PSC is necessary as part of your employment with a third party. If you do not provide the requested personal data we will be unable to process your application or provide the necessary confirmation or authorisation for you to fulfil these activities and this may impact on your employment.

Retention

Personal data obtained for the purposes listed above will normally be retained by the UK NSA for a period of one year for NSVS sponsor applications, and up to and including six years for verifying clearances and security assistance requests and replies, after which time the data will be deleted. Personnel Security Certificates obtained for the purposes listed above may be retained up to the length of time that they are valid for, which may be up to and including ten years.

Your rights

You have considerable say over what happens to your personal data. Your rights and how you may exercise them are fully detailed on the ICO website. In relation to your personal data held by the UK NSA, unless an exemption applies, you have the right:

• to request information about how your personal data are processed, and to request a copy of that personal data.

• to request that any inaccuracies in your personal data are rectified without delay.

• request that any incomplete personal data are completed, including by means of a supplementary statement.

• to request that your personal data are erased if there is no longer a justification for them to be processed.

• in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted.

• to object to the processing of your personal data.

• to lodge a complaint with the independent Information Commissioner’s Office (ICO) if you think we are not handling your data fairly or in accordance with the law.

Contact details

The data controller for your personal data is the Cabinet Office. The contact details for the data controller are:

Cabinet Office
70 Whitehall
London
SW1A 2AS

Public Enquiries: Online Contact Form

The Data Protection Officer provides independent advice and monitoring of Cabinet Office’s use of personal information.

The contact details for the data controller’s Data Protection Officer are: dpo@cabinetoffice.gov.uk

Complaints

If you consider that your personal data has been misused or mishandled you can make a complaint to the DPO at the address above. If you are not satisfied, you may make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
0303 123 1113
casework@ico.org.uk