Guidance

OISC Privacy Notice

This is an explanation of how we process personal data.

• From: Office of the Immigration Services Commissioner
• Published: 24 May 2018
• Last updated: 14 February 2023 — See all updates

1. Applications

1.1 Application for Registration

To process your application, we must process your personal data. When you apply for registration you must complete the relevant forms:

• Application for Registration
• New Adviser Application and Competence Statement

What personal data do we process?

When applying for registration you must provide us with:

• data relating to the organisation
• data relating to the individual advisers

To find out more about what data we process about organisations please click here.

To find out more about what data we process about advisers please click here.

To find out more about what data we process about owners and trustees please click here.

Why do we process your personal data?

Under section 83(5)(a) of the Immigration and Asylum Act 1999 (as amended), we have a statutory duty to ensure that those who provide immigration advice and/or services are fit and competent to do so.

Under Schedule 6, paragraph 2 of the Immigration and Asylum Act 1999 (as amended), you must be registered if we consider you are fit and competent to provide immigration advice and/or services.

We must therefore process your data in the following ways to determine and ensure that you are fit and competent to provide immigration advice and/or services.

Therefore, as a public body, it is necessary for us to process your data in the following ways for the exercise of official authority vested in us (Article 5 GDPR).

As part of your application, we will process special category data (Article 9 GDPR). The processing of this data is necessary for reasons of substantial public interest, as the Immigration and Asylum Act 1999 (as amended) imposes a statutory duty on us to ensure that those who provide immigration advice and/or services are fit and competent to do so.

Processing this data forms part of our assessment as to whether you are fit and competent to provide immigration advice and/or services.

Some declarations in the application form relate to criminal convictions. As such, we are effectively processing personal data relating to criminal convictions and offences (Article 10 GDPR).

We also require a DBS check for every adviser as part of the application. As such, this is also considered processing personal data relating to criminal convictions and offences (Article 10 GDPR).

The processing of this data is necessary for reasons of substantial public interest, as the Immigration and Asylum Act 1999 (as amended) imposes a statutory duty on us to ensure that those who provide immigration advice and/or services are fit and competent to do so.

Processing this data forms part of our assessment as to whether you are fit to provide immigration advice and/or services.

How do we process your personal data?

Your data is provided to us when you submit your completed application form. Once you submit the completed form to us, we update our case management system accordingly and store any hard copy application forms in secure lockable cabinets in the office.

Hard copy application forms are then scanned into our case management system. They are then securely destroyed.

To find out more about how we retain data please click here.

Sharing your data outside the OISC:

HJT Training Limited

Adviser’s name, date of birth and email address are shared with HJT Training Limited who administer the OISC competence assessments.

Your data will be shared with them so that they can enter you into the relevant OISC competence assessment, issue you with your candidate number and issue you with your assessment results.

The purpose for sharing this data is to enter you into our competence assessments process. Sitting the competence assessments are a way in which we assess your competence to provide immigration advice and/or services at the level you have applied for.

Disclosure and Barring Service

Your personal data will be shared with DBS so that they can do the necessary checks on you to verify whether you have any unspent convictions, cautions, reprimands, warnings, etc.

The purpose of this is to verify that what you have declared in your application form is true and to ensure that you are fit to provide immigration advice and/or services.

Home Office

The OISC Intelligence team will conduct vetting checks on advisers/organisations to ensure they are fit and competent to provide immigration advice and/or services.

As part of this the organisation’s name and address, adviser’s name, date of birth, Home Office reference number(s) and the information from the declarations in the application form will be shared with the Home Office.

This will also include the Home Office checking whether you are permitted to stay and work in the UK.

To find out more about what data the OISC Intelligence team processes please click here.

Other organisations

If you are declaring to be a solicitor, barrister and/or member of CILEx, your personal data will be shared with the SRA, BSB and CILEx to verify this.

Declarations

If you have answered ‘Yes’ to any of the declarations, your data will be shared with external organisations to verify your answer.

An example of this is if you declare you have been involved in the running of any other business or are employed at another organisation, we will contact this organisation to verify your answer.

Section 93 Immigration and Asylum Act 1999 (as amended)

There is nothing preventing a person from giving us information that is necessary for the discharge of our functions (i.e. to determine whether you are fit and competent).

Therefore, when we request information from other organisations to determine whether you are fit and competent, they can give us any information that is necessary for us to do so.

1.2 Application for Continued Registration

To process your application, we must process your personal data. When you apply for continued registration you must complete the relevant form:

• Application for Continued Registration (Repeat Registration)

What personal data do we process?

As you are applying for continued registration, we would already hold data from your initial application for registration.

To find out more about what data we process about organisations please click here.

To find out more about what data we process about advisers please click here.

To find out more about what data we process about owners and trustees please click here.

Why do we process your personal data?

Under section 83(5)(a) of the Immigration and Asylum Act 1999 (as amended), we have a statutory duty to ensure that those who provide immigration advice and/or services are fit and competent to do so.

Under Schedule 6, paragraph 3 of the Immigration and Asylum Act 1999 (as amended), we determine intervals where a person must submit an application for their registration to be continued.

We will continue your registration only if you are fit and competent to provide immigration advice and/or services.

We must therefore process your data in the following ways to determine and ensure that you are fit and competent to provide immigration advice and/or services.

Therefore, as a public body, it is necessary for us to process your data in the following ways for the exercise of official authority vested in us (Article 5 GDPR).

As part of your application, we will process special category data (Article 9 GDPR). The processing of this data is necessary for reasons of substantial public interest, as the Immigration and Asylum Act 1999 (as amended) imposes a statutory duty on us to ensure that those who provide immigration advice and/or services are fit and competent to do so.

Processing this data forms part of our assessment as to whether you are fit and competent to provide immigration advice and/or services.

How do we process your personal data?

As you are applying for continued registration, you would have provided us with your personal data when you initially applied for registration.

When you submit the completed form to us we update our case management system accordingly and store any hard copy application forms in secure lockable cabinets in the office.

Hard copy application forms are then scanned into our case management system. They are then securely destroyed.

To find out more about how we retain data please click here.

Multiple Applications

You may need to submit multiple applications at the same time depending on your circumstances. Please read the relevant guidance notes to the application form you are submitting for further guidance on what forms need to be submitted.

If you are making multiple applications at the same time, please refer to the relevant sections of this privacy notice to find out how we process personal data.

Some examples are listed below to help you understand what we mean:

• If you are applying for continued registration and to add a new adviser at the same time, your personal data will be processed in accordance with our privacy notice sections regarding Applications for Continued Registration and Adding a New Adviser.

• If you are applying for continued registration and to register a new legal entity at the same time, your personal data will be processed in accordance with our privacy notice sections regarding Applications for Continued Registration and Application for Registration of a New Legal Entity.

• If you are applying for continued registration and to raise levels at the same time, your personal data will be processed in accordance with our privacy notice sections regarding Applications for Continued Registration and Applications to Raise Levels.

1.3 Adding a New Adviser

To process your application, we must process your personal data. When you apply for this you must submit the relevant form:

• New Adviser Application and Competence Statement

What personal data do we process?

As this is an application to add an adviser to an existing organisation, we would already hold data relating to the organisation.

To find out more about what data we process about organisations please click here.

To find out more about what data we process about advisers please click here.

To find out more about what data we process about owners and trustees please click here.

Why do we process your personal data?

Under section 83(5)(a) of the Immigration and Asylum Act 1999 (as amended), we have a statutory duty to ensure that those who provide immigration advice and/or services are fit and competent to do so.

Under Schedule 6, paragraph 2 of the Immigration and Asylum Act 1999 (as amended), you must be registered if we consider you are fit and competent to provide immigration advice and/or services.

We must therefore process your data in the following ways to determine and ensure that you are fit and competent to provide immigration advice and/or services.

Therefore, as a public body, it is necessary for us to process your data in the following ways for the exercise of official authority vested in us (Article 5 GDPR).

As part of your application, we will process special category data (Article 9 GDPR). The processing of this data is necessary for reasons of substantial public interest, as the Immigration and Asylum Act 1999 (as amended) imposes a statutory duty on us to ensure that those who provide immigration advice and/or services are fit and competent to do so.

Processing this data forms part of our assessment as to whether you are fit and competent to provide immigration advice and/or services.

Some declarations in the application form relate to criminal convictions. As such, we are effectively processing personal data relating to criminal convictions and offences (Article 10 GDPR).

We also require a DBS check for every adviser as part of the application. As such, this is also considered processing personal data relating to criminal convictions and offences (Article 10 GDPR).

The processing of this data is necessary for reasons of substantial public interest, as the Immigration and Asylum Act 1999 (as amended) imposes a statutory duty on us to ensure that those who provide immigration advice and/or services are fit and competent to do so.

Processing this data forms part of our assessment as to whether you are fit to provide immigration advice and/or services.

How do we process your personal data?

When you submit your completed application form to us we update our case management system accordingly and store any hard copy application forms in secure lockable cabinets in the office.

Hard copy application forms are then scanned into our case management system. They are then securely destroyed.

To find out more about how we retain data please click here.

Sharing your data outside the OISC:

HJT Training Limited

Adviser’s name, date of birth and email address are shared with HJT Training Limited who administer the OISC competence assessments.

Your data will be shared with them so that they can enter you into the relevant OISC competence assessment, issue you with your candidate number and issue you with your assessment results.

The purpose for sharing this data is to enter you into our competence assessments process. Sitting the competence assessments are a way in which we assess your competence to provide immigration advice and/or services at the level you have applied for.

Disclosure and Barring Service

Your personal data will be shared with DBS so that they can do the necessary checks on you to verify whether you have any unspent convictions, cautions, reprimands, warnings, etc.

The purpose of this is to verify that what you have declared in your application form is true and to ensure that you are fit to provide immigration advice and/or services.

Home Office

The OISC Intelligence team will conduct vetting checks on advisers/organisations to ensure they are fit and competent to provide immigration advice and/or services.

As part of this the organisation’s name and address, adviser’s name, date of birth, Home Office reference number(s) and the information from the declarations in the application form will be shared with the Home Office.

This will also include the Home Office checking whether you are permitted to stay and work in the UK.

To find out more about what data the OISC Intelligence team processes please click here.

Other organisations

If you are declaring to be a solicitor, barrister and/or member of CILEx, your personal data will be shared with the SRA, BSB and CILEx to verify this.

Declarations

If you have answered ‘Yes’ to any of the declarations, your data will be shared with external organisations to verify your answer.

An example of this is if you declare you have been involved in the running of any other business or are employed at another organisation, we will contact this organisation to verify your answer.

Section 93 Immigration and Asylum Act 1999 (as amended)

There is nothing preventing a person from giving us information that is necessary for the discharge of our functions (i.e. to determine whether you are fit and competent).

Therefore, when we request information from other organisations to determine whether you are fit and competent, they can give us any information that is necessary for us to do so.

Multiple Applications

You may need to submit multiple applications at the same time depending on your circumstances. Please read the relevant guidance notes to the application form you are submitting for further guidance on what forms need to be submitted.

If you are making multiple applications at the same time, please refer to the relevant sections of this privacy notice to find out how we process personal data.

Some examples are listed below to help you understand what we mean:

• If you are applying for continued registration and to add a new adviser at the same time, your personal data will be processed in accordance with our privacy notice sections regarding Applications for Continued Registration and Adding a New Adviser.

• If you are applying for continued registration and to register a new legal entity at the same time, your personal data will be processed in accordance with our privacy notice sections regarding Applications for Continued Registration and Application for Registration of a New Legal Entity.

• If you are applying for continued registration and to raise levels at the same time, your personal data will be processed in accordance with our privacy notice sections regarding Applications for Continued Registration and Applications to Raise Levels.

1.4 Application for Registration of a New Legal Entity

To process your application, we must process your personal data. When you apply for this you must submit the relevant form:

• Application for Registration of a New Legal Entity

What personal data do we process?

As you are applying for registration of a new legal entity, we would already hold data from your initial application for registration.

To find out more about what data we process about organisations please click here.

To find out more about what data we process about advisers please click here.

To find out more about what data we process about owners and trustees please click here.

Why do we process your personal data?

Under Schedule 6, paragraph 6 of the Immigration and Asylum Act 1999 (as amended), we have a statutory duty to keep an open register listing every immigration adviser registered with the OISC. This register must be available to members of the public for inspection.

We must process your data in the following ways to ensure that our register is accurate and up to date.

Therefore, as a public body, it is necessary for us to process your data in the following ways for the exercise of official authority vested in us (Article 5 GDPR).

Additionally, we process this data to ensure that any decisions we make in respect of any application you submit to us are addressed to the correct legal person.

Some declarations in the application form relate to criminal convictions. As such, we are effectively processing personal data relating to criminal convictions and offences (Article 10 GDPR).

The processing of this data is necessary for reasons of substantial public interest, as the Immigration and Asylum Act 1999 (as amended) imposes a statutory duty on us to keep an open register listing every immigration adviser registered with the OISC.

Processing this data forms part of our assessment as to whether you are fit to provide immigration advice and/or services. If you are considered unfit you cannot be registered with the OISC. As such, your registration will be cancelled and you will be removed from the open register.

How do we process your personal data?

When you submit the completed form to us we update our case management system accordingly and store hard copy application forms in secure lockable cabinets in the office.

Hard copy application forms are then scanned into our case management system. They are then securely destroyed.

To find out more about how we retain data please click here.

Sharing your data outside the OISC:

You would have provided us with your personal data when you initially applied for registration. As such, all the necessary background checks would have been done.

However, if changing your legal entity involves the adding new advisers, then their personal data will be shared outside of the OISC in accordance with the section of our privacy notice titled Adding a New Adviser.

HJT Training Limited

Adviser’s name, date of birth and email address are shared with HJT Training Limited who administer the OISC competence assessments.

Your data will be shared with them so that they can enter you into the relevant OISC competence assessment, issue you with your candidate number and issue you with your assessment results.

The purpose for sharing this data is to enter you into our competence assessments process. Sitting the competence assessments are a way in which we assess your competence to provide immigration advice and/or services at the level you have applied for.

Disclosure and Barring Service

Your personal data will be shared with DBS so that they can do the necessary checks on you to verify whether you have any unspent convictions, cautions, reprimands, warnings, etc.

The purpose of this is to verify that what you have declared in your application form is true and to ensure that you are fit to provide immigration advice and/or services.

Home Office

The OISC Intelligence team will conduct vetting checks on advisers/organisations to ensure they are fit and competent to provide immigration advice and/or services.

As part of this the organisation’s name and address, adviser’s name, date of birth, Home Office reference number(s) and the information from the declarations in the application form will be shared with the Home Office.

This will also include the Home Office checking whether you are permitted to stay and work in the UK.

To find out more about what data the OISC Intelligence team processes please click here.

Other organisations

If you are declaring to be a solicitor, barrister and/or member of CILEx, your personal data will be shared with the SRA, BSB and CILEx to verify this.

Declarations

If you have answered ‘Yes’ to any of the declarations, your data will be shared with external organisations to verify your answer.

An example of this is if you declare you have been involved in the running of any other business or are employed at another organisation, we will contact this organisation to verify your answer.

Section 93 Immigration and Asylum Act 1999 (as amended)

There is nothing preventing a person from giving us information that is necessary for the discharge of our functions (i.e. to determine whether you are fit and competent).

Therefore, when we request information from other organisations to determine whether you are fit and competent, they can give us any information that is necessary for us to do so.

Multiple Applications

You may need to submit multiple applications at the same time depending on your circumstances. Please read the relevant guidance notes to the application form you are submitting for further guidance on what forms need to be submitted.

If you are making multiple applications at the same time, please refer to the relevant sections of this privacy notice to find out how we process personal data.

Some examples are listed below to help you understand what we mean:

• If you are applying for continued registration and to add a new adviser at the same time, your personal data will be processed in accordance with our privacy notice sections regarding Applications for Continued Registration and Adding a New Adviser.

• If you are applying for continued registration and to register a new legal entity at the same time, your personal data will be processed in accordance with our privacy notice sections regarding Applications for Continued Registration and Application for Registration of a New Legal Entity.

• If you are applying for continued registration and to raise levels at the same time, your personal data will be processed in accordance with our privacy notice sections regarding Applications for Continued Registration and Applications to Raise Levels.

1.5 Application for Raising Levels

Use these application forms when you are applying to raise the levels of an adviser at the organisation:

• Application to Raise Levels
• Adviser Raising Levels Competence Statement

If you are also adding a new adviser to your organisation you must use the adding a new adviser application form.

When doing so, your personal data will also be processed in accordance with the section of our privacy notice regarding Adding a New Adviser.

What personal data do we process?

As you are applying to raise levels, we would already hold data from your initial application for registration.

To find out more about what data we process about organisations please click here.

To find out more about what data we process about advisers please click here.

To find out more about what data we process about owners and trustees please click here.

Why do we process your personal data?

Under section 83(5)(a) of the Immigration and Asylum Act 1999 (as amended), we have a statutory duty to ensure that those who provide immigration advice and/or services are fit and competent to do so.

Under Schedule 6, paragraph 2 of the Immigration and Asylum Act 1999 (as amended), you must be registered if we consider you are fit and competent to provide immigration advice and/or services.

We must therefore process your data in the following ways to determine and ensure that you are fit and competent to provide immigration advice and/or services.

Therefore, as a public body, it is necessary for us to process your data in the following ways for the exercise of official authority vested in us (Article 5 GDPR).

As part of your application, we will process special category data (Article 9 GDPR). The processing of this data is necessary for reasons of substantial public interest, as the Immigration and Asylum Act 1999 (as amended) imposes a statutory duty on us to ensure that those who provide immigration advice and/or services are fit and competent to do so.

Processing this data forms part of our assessment as to whether you are fit and competent to provide immigration advice and/or services.

Some declarations in the application form relate to criminal convictions. As such, we are effectively processing personal data relating to criminal convictions and offences (Article 10 GDPR).

The processing of this data is necessary for reasons of substantial public interest, as the Immigration and Asylum Act 1999 (as amended) imposes a statutory duty on us to ensure that those who provide immigration advice and/or services are fit and competent to do so.

Processing this data forms part of our assessment as to whether you are fit to provide immigration advice and/or services.

How do we process your personal data?

When you submit your completed application forms to us we update our case management system accordingly and store hard copy application forms in secure lockable cabinets in the office.

Hard copy application forms are then scanned into our case management system. They are then securely destroyed.

To find out more about how we retain data please click here.

Sharing your data outside the OISC:

If you are also adding a new adviser to your organisation you must use the adding a new adviser application form.

When doing so, your personal data will also be processed in accordance with the section of our privacy notice regarding Adding a New Adviser.

HJT Training Limited

Adviser’s name, date of birth and email address are shared with HJT Training Limited who administer the OISC competence assessments.

Your data will be shared with them so that they can enter you into the relevant OISC competence assessment, issue you with your candidate number and issue you with your assessment results.

The purpose for sharing this data is to enter you into our competence assessments process. Sitting the competence assessments are a way in which we assess your competence to provide immigration advice and/or services at the level you have applied for.

Disclosure and Barring Service

Your personal data will be shared with DBS so that they can do the necessary checks on you to verify whether you have any unspent convictions, cautions, reprimands, warnings, etc.

The purpose of this is to verify that what you have declared in your application form is true and to ensure that you are fit to provide immigration advice and/or services.

Home Office

The OISC Intelligence team will conduct vetting checks on advisers/organisations to ensure they are fit and competent to provide immigration advice and/or services.

As part of this the organisation’s name and address, adviser’s name, date of birth, Home Office reference number(s) and the information from the declarations in the application form will be shared with the Home Office.

This will also include the Home Office checking whether you are permitted to stay and work in the UK.

To find out more about what data the OISC Intelligence team processes please click here.

Other organisations

If you are declaring to be a solicitor, barrister and/or member of CILEx, your personal data will be shared with the SRA, BSB and CILEx to verify this.

Declarations

If you have answered ‘Yes’ to any of the declarations, your data will be shared with external organisations to verify your answer.

An example of this is if you declare you have been involved in the running of any other business or are employed at another organisation, we will contact this organisation to verify your answer.

Section 93 Immigration and Asylum Act 1999 (as amended)

There is nothing preventing a person from giving us information that is necessary for the discharge of our functions (i.e. to determine whether you are fit and competent).

Therefore, when we request information from other organisations to determine whether you are fit and competent, they can give us any information that is necessary for us to do so.

Multiple Applications

You may need to submit multiple applications at the same time depending on your circumstances. Please read the relevant guidance notes to the application form you are submitting for further guidance on what forms need to be submitted.

If you are making multiple applications at the same time, please refer to the relevant sections of this privacy notice to find out how we process personal data.

Some examples are listed below to help you understand what we mean:

• If you are applying for continued registration and to add a new adviser at the same time, your personal data will be processed in accordance with our privacy notice sections regarding Applications for Continued Registration and Adding a New Adviser.

• If you are applying for continued registration and to register a new legal entity at the same time, your personal data will be processed in accordance with our privacy notice sections regarding Applications for Continued Registration and Application for Registration of a New Legal Entity.

• If you are applying for continued registration and to raise levels at the same time, your personal data will be processed in accordance with our privacy notice sections regarding Applications for Continued Registration and Applications to Raise Levels.

1.6 Application for Judicial Review Case Management

This application can only be made by advisers already registered at Level 3. The relevant form to complete is:

• Judicial Review Case Management Application and Competence Statement

What personal data do we process?

As you are applying for JRCM, we would already hold data from your initial application for registration.

To find out more about what data we process about organisations please click here.

To find out more about what data we process about advisers please click here.

To find out more about what data we process about owners and trustees please click here.

Why do we process your personal data?

Under section 83(5)(a) of the Immigration and Asylum Act 1999 (as amended), we have a statutory duty to ensure that those who provide immigration advice and/or services are fit and competent to do so.

When you apply for JRCM, we must assess whether you are fit and competent to provide immigration advice and/or services, in particular advice about JRCM, to the necessary standard.

We must therefore process your data in the following ways to determine and ensure that you are fit and competent to provide immigration advice and/or services.

Therefore, as a public body, it is necessary for us to process your data in the following ways for the exercise of official authority vested in us (Article 5 GDPR).

As part of your application, we will process special category data (Article 9 GDPR). The processing of this data is necessary for reasons of substantial public interest, as the Immigration and Asylum Act 1999 (as amended) imposes a statutory duty on us to ensure that those who provide immigration advice and/or services are fit and competent to do so.

Processing this data forms part of our assessment as to whether you are fit and competent to provide immigration advice and/or services.

Some declarations in the application form relate to criminal convictions. As such, we are effectively processing personal data relating to criminal convictions and offences (Article 10 GDPR).

The processing of this data is necessary for reasons of substantial public interest, as the Immigration and Asylum Act 1999 (as amended) imposes a statutory duty on us to ensure that those who provide immigration advice and/or services are fit and competent to do so.

Processing this data forms part of our assessment as to whether you are fit to provide immigration advice and/or services.

How do we process your personal data?

When you submit your completed application form to us we update our case management system accordingly and store hard copy application forms in secure lockable cabinets in the office.

Hard copy application forms are then scanned into our case management system. They are then securely destroyed.

To find out more about how we retain data please click here.

Sharing your data outside the OISC:

Declarations

If you have answered ‘Yes’ to any of the declarations, your data will be shared with external organisations to verify your answer.

An example of this is if you declare you have been involved in the running of any other business or are employed at another organisation, we will contact this organisation to verify your answer.

Section 93 Immigration and Asylum Act 1999 (as amended)

There is nothing preventing a person from giving us information that is necessary for the discharge of our functions (i.e. to determine whether you are fit and competent).

Therefore, when we request information from other organisations to determine whether you are fit and competent, they can give us any information that is necessary for us to do so.

1.7 Application for Registration (N&SCS)

To process your application, we must process your personal data. When you apply for registration you must complete the relevant forms:

• Application for Registration (Local Authority Nationality & Settlement Checking Services)

• Nationality & Settlement Checking Services Adviser Competence Statement

What personal data do we process?

To process your application, we must process your personal data. When applying for registration you must provide us with:

• data relating to the organisation

• data relating to the individual advisers

To find out more about what data we process about organisations please click here.

To find out more about what data we process about advisers please click here.

To find out more about what data we process about owners and trustees please click here.

Why do we process your personal data?

Under section 83(5)(a) of the Immigration and Asylum Act 1999 (as amended), we have a statutory duty to ensure that those who provide immigration advice and/or services are fit and competent to do so.

Under Schedule 6, paragraph 2 of the Immigration and Asylum Act 1999 (as amended), you must be registered if we consider you are fit and competent to provide immigration advice and/or services.

We must therefore process your data in the following ways to determine and ensure that you are fit and competent to provide immigration advice and/or services.

Therefore, as a public body, it is necessary for us to process your data in the following ways for the exercise of official authority vested in us (Article 5 GDPR).

As part of your application, we will process special category data (Article 9 GDPR). The processing of this data is necessary for reasons of substantial public interest, as the Immigration and Asylum Act 1999 (as amended) imposes a statutory duty on us to ensure that those who provide immigration advice and/or services are fit and competent to do so.

Processing this data forms part of our assessment as to whether you are fit and competent to provide immigration advice and/or services.

We also require a DBS check for every adviser as part of the application. As such, this is considered processing personal data relating to criminal convictions and offences (Article 10 GDPR).

The processing of this data is necessary for reasons of substantial public interest, as the Immigration and Asylum Act 1999 (as amended) imposes a statutory duty on us to ensure that those who provide immigration advice and/or services are fit and competent to do so.

Processing this data forms part of our assessment as to whether you are fit to provide immigration advice and/or services.

How do we process your personal data?

Your data is provided to us when you submit your completed application form. Once you submit the completed form to us, we update our case management system accordingly and store any hard copy application forms in secure lockable cabinets in the office.

Hard copy application forms are then scanned into our case management system. They are then securely destroyed.

To find out more about how we retain data please click here.

Sharing your data outside the OISC:

Disclosure and Barring Service

Your personal data will be shared with DBS so that they can do the necessary checks on you to verify whether you have any unspent convictions, cautions, reprimands, warnings, etc.

The purpose of this is to verify that what you have declared in your application form is true and to ensure that you are fit to provide immigration advice and/or services.

Home Office

The OISC Intelligence team will conduct vetting checks on advisers/organisations to ensure they are fit and competent to provide immigration advice and/or services.

As part of this the organisation’s name and address, adviser’s name, date of birth, Home Office reference number(s) and the information from the declarations in the application form will be shared with the Home Office.

This will also include the Home Office checking whether you are permitted to stay and work in the UK.

To find out more about what data the OISC Intelligence team processes please click here.

Other organisations

If you are declaring to be a solicitor, barrister and/or member of CILEx, your personal data will be shared with the SRA, BSB and CILEx to verify this.

Declarations

If you have answered ‘Yes’ to any of the declarations, your data will be shared with external organisations to verify your answer.

An example of this is if you declare you have been involved in the running of any other business or are employed at another organisation, we will contact this organisation to verify your answer.

Section 93 Immigration and Asylum Act 1999 (as amended)

There is nothing preventing a person from giving us information that is necessary for the discharge of our functions (i.e. to determine whether you are fit and competent).

Therefore, when we request information from other organisations to determine whether you are fit and competent, they can give us any information that is necessary for us to do so.

1.8 Application for Continued Registration (N&SCS)

To process your application, we must process your personal data. When you apply for continued registration you must complete the relevant form:

• Application for Continued Registration (Local Authority Nationality & Settlement Checking Services)

What personal data do we process?

As you are applying for continued registration, we would already hold data from your initial application for registration.

To find out more about what data we process about organisations please click here.

To find out more about what data we process about advisers please click here.

To find out more about what data we process about owners and trustees please click here.

Why do we process your personal data?

Under section 83(5)(a) of the Immigration and Asylum Act 1999 (as amended), we have a statutory duty to ensure that those who provide immigration advice and/or services are fit and competent to do so.

Under Schedule 6, paragraph 3 of the Immigration and Asylum Act 1999 (as amended), we determine intervals where a person must submit an application for their registration to be continued.

We will continue your registration only if you are fit and competent to provide immigration advice and/or services.

We must process your data in the following ways to determine and ensure that you are fit and competent to provide immigration advice and/or services.

Therefore, as a public body, it is necessary for us to process your data in the following ways for the exercise of official authority vested in us (Article 5 GDPR).

As part of your application, we will process special category data (Article 9 GDPR). The processing of this data is necessary for reasons of substantial public interest, as the Immigration and Asylum Act 1999 (as amended) imposes a statutory duty on us to ensure that those who provide immigration advice and/or services are fit and competent to do so.

Processing this data forms part of our assessment as to whether you are fit and competent to provide immigration advice and/or services.

How do we process your personal data?

When you submit your completed form to us we update our case management system accordingly and store any hard copy application forms in secure lockable cabinets in the office.

Hard copy application forms are then scanned into our case management system. They are then securely destroyed.

To find out more about how we retain data please click here.

Multiple Applications

You may need to submit multiple applications at the same time depending on your circumstances. Please read the relevant guidance notes to the application form you are submitting for further guidance on what forms need to be submitted.

If you are making multiple applications at the same time, please refer to the relevant sections of this privacy notice to find out how we process personal data.

An example is listed below to help you understand what we mean:

If you are applying for continued registration and to add a new adviser to the N&SCS at the same time, your personal data will be processed in accordance with our privacy notice sections regarding Applications for Continued Registration for Nationality & Checking Services and Adding a New Adviser for Nationality & Checking Services.

1.9 Adding a New Adviser (N&SCS)

To process your application, we must process your personal data. When you apply for this you must submit the relevant form:

• Nationality & Settlement Checking Services Adviser Competence Statement

What personal data do we process?

As this is an application to add an adviser to an existing organisation, we would already hold data relating to the organisation.

To find out more about what data we process about organisations please click here.

To find out more about what data we process about advisers please click here.

To find out more about what data we process about owners and trustees please click here.

Why do we process your personal data?

Under section 83(5)(a) of the Immigration and Asylum Act 1999 (as amended), we have a statutory duty to ensure that those who provide immigration advice and/or services are fit and competent to do so.

Under Schedule 6, paragraph 2 of the Immigration and Asylum Act 1999 (as amended), you must be registered if we consider you are fit and competent to provide immigration advice and/or services.

We must therefore process your data in the following ways to determine and ensure that you are fit and competent to provide immigration advice and/or services.

Therefore, as a public body, it is necessary for us to process your data in the following ways for the exercise of official authority vested in us (Article 5 GDPR).

As part of your application, we will process special category data (Article 9 GDPR). The processing of this data is necessary for reasons of substantial public interest, as the Immigration and Asylum Act 1999 (as amended) imposes a statutory duty on us to ensure that those who provide immigration advice and/or services are fit and competent to do so.

Processing this data forms part of our assessment as to whether you are fit and competent to provide immigration advice and/or services.

Some declarations in the application form relate to criminal convictions. As such, we are effectively processing personal data relating to criminal convictions and offences (Article 10 GDPR).

We also require a DBS check for every adviser as part of the application. As such, this is also considered processing personal data relating to criminal convictions and offences (Article 10 GDPR).

The processing of this data is necessary for reasons of substantial public interest, as the Immigration and Asylum Act 1999 (as amended) imposes a statutory duty on us to ensure that those who provide immigration advice and/or services are fit and competent to do so.

Processing this data forms part of our assessment as to whether you are fit to provide immigration advice and/or services.

How do we process your personal data?

When you submit the completed form to us we update our case management system accordingly and store hard copy application forms in secure lockable cabinets in the office.

Hard copy application forms are then scanned into our case management system. They are then securely destroyed.

To find out more about how we retain data please click here.

Sharing your data outside the OISC:

Disclosure and Barring Service

Your personal data will be shared with DBS so that they can do the necessary checks on you to verify whether you have any unspent convictions, cautions, reprimands, warnings, etc.

The purpose of this is to verify that what you have declared in your application form is true and to ensure that you are fit to provide immigration advice and/or services.

Home Office

The OISC Intelligence team will conduct vetting checks on advisers/organisations to ensure they are fit and competent to provide immigration advice and/or services.

As part of this the organisation’s name and address, adviser’s name, date of birth, Home Office reference number(s) and the information from the declarations in the application form will be shared with the Home Office.

This will also include the Home Office checking whether you are permitted to stay and work in the UK.

To find out more about what data the OISC Intelligence team processes please click here.

Other organisations

If you are declaring to be a solicitor, barrister and/or member of CILEx, your personal data will be shared with the SRA, BSB and CILEx to verify this.

Declarations

If you have answered ‘Yes’ to any of the declarations, your data will be shared with external organisations to verify your answer.

An example of this is if you declare you have been involved in the running of any other business or are employed at another organisation, we will contact this organisation to verify your answer.

Section 93 Immigration and Asylum Act 1999 (as amended)

There is nothing preventing a person from giving us information that is necessary for the discharge of our functions (i.e. to determine whether you are fit and competent).

Therefore, when we request information from other organisations to determine whether you are fit and competent, they can give us any information that is necessary for us to do so.

Multiple Applications

You may need to submit multiple applications at the same time depending on your circumstances. Please read the relevant guidance notes to the application form you are submitting for further guidance on what forms need to be submitted.

If you are making multiple applications at the same time, please refer to the relevant sections of this privacy notice to find out how we process personal data.

An example is listed below to help you understand what we mean:

• If you are applying for continued registration and to add a new adviser to the N&SCS at the same time, your personal data will be processed in accordance with our privacy notice sections regarding Applications for Continued Registration for Nationality & Checking Services and Adding a New Adviser for Nationality & Checking Services.

2. Complaints

When you send us a compliant about an adviser and/or organisation you should use our complaints form.

What personal data do we process?

To find out more about what data we process about complaints please click here.

Why do we process your personal data?

Under Schedule 5, paragraph 5(1) of the Immigration and Asylum Act 1999 (as amended), we must have a complaints scheme to investigate complaints. We must investigate complaints regarding:

• an adviser’s/organisation’s fitness or competence
• an alleged breach of the Code of Standards

Members of the public can also make a complaint about unregistered people/organisations providing or advertising the provision of immigration advice and/or services unlawfully. These complaints will be passed on to the Intelligence and Investigations team who will process the data for the prevention, investigation, detection or prosecution of criminal offences.

As part of our investigation, we will consider all the evidence available to us to reach an informed decision as to whether the complaint has been substantiated.

Therefore, as part of our investigation, we must process your personal data and the personal data of third parties.

Therefore, as a public body, it is necessary for us to process your data in the following ways for the exercise of official authority vested in us (Article 5 GDPR).

As part of the complaint investigation, we will process special category data (Article 9 GDPR). The processing of this data is necessary for reasons of substantial public interest, as the Immigration and Asylum Act 1999 (as amended) imposes a statutory duty on us to investigate relevant complaints, such as those listed above.

Processing your data forms part of our assessment as to whether the complaint is substantiated.

We will also process data relating to criminal convictions, but only if the complaint case file states that a party involved in the case has a criminal conviction(s), warning(s), reprimand(s), etc. This would be considered as processing personal data relating to criminal convictions and offences (Article 10 GDPR).

The processing of this data is necessary for reasons of substantial public interest, as the Immigration and Asylum Act 1999 (as amended) imposes a statutory duty on us to investigate relevant complaints, such as those listed above.

How do we process your personal data and third party personal data?

Your data and third party data is provided to us whenever you provide us with information about your complaint or when evidence is provided to us.

Your complaint form and any evidence in relation to the complaint will be stored on our case management system accordingly. Any hard copy documents we receive will be stored in secure lockable cabinets in the office.

Hard copy documents are then scanned into our case management system. They are then securely destroyed.

To find out more about how we retain data please click here.

If you or the adviser/organisation provide us with original documents, they will be returned once the complaint investigation has finished.

Data will also be collected and processed from the complainant’s file. This is the file that the adviser has on the complainant.

To find out more about what data we process from the complainant’s case file please click here.

Sharing your data outside the OISC:

Home Office

• Your name, date of birth and Home Office reference number will be shared with the Home Office if part of the complaint requests us to check the status of your immigration application.

• The Home Office provides us with information regarding whether an adviser/organisation is regulated to provide immigration advice and/or services.

3. Audits

We conduct audits to regularly assess whether the work being done by the adviser/organisation is fit and competent.

What personal data do we process?

We examine case files selected by us to assess the quality of work being done. We determine whether the work that has been done is to a fit and competent standard. We also make any suggestions for improvement.

To find out more about data we process from audits please click here.

Why do we process your personal data?

Under section 83(5)(a) of the Immigration and Asylum Act 1999 (as amended), we have a statutory duty to ensure that those who provide immigration advice and/or services are fit and competent to do so.

Our audits procedure allows us to inspect the work being done by advisers/organisations and make an informed decision as to whether an adviser/organisation is fit and competent to provide immigration advice and/or services.

We must process your data in the following ways to determine and ensure that you are fit and competent to provide immigration advice and/or services to the necessary standard.

Therefore, as a public body, it is necessary for us to process your data in the following ways for the exercise of official authority vested in us (Article 5 GDPR).

As part of the audit, we will process special category data by conducting the case file reviews (Article 9 GDPR).

The processing of this data is necessary for reasons of substantial public interest, as the Immigration and Asylum Act 1999 (as amended) imposes a statutory duty on us to ensure that those who provide immigration advice or immigration services are fit and competent.

Processing your data forms part of our assessment as to whether you are fit and competent to provide immigration advice and/or services.

We will also process data relating to criminal convictions when we audit case files, but only if the audit case file states that a party involved in the case has a criminal conviction(s), warning(s), reprimand(s), etc. This would be considered as processing personal data relating to criminal convictions and offences (Article 10 GDPR).

The processing of this data is necessary for reasons of substantial public interest, as the Immigration and Asylum Act 1999 (as amended) imposes a statutory duty on us to ensure that those who provide immigration advice or immigration services are fit and competent.

How do we process your personal data and third party personal data?

When we arrange an audit we use the personal data we store about you to schedule an audit. For example, we contact you using the email address and contact number you have provided to us and schedule the audit to take place at your office address.

Personal data is also collected when auditing case files. We process personal data contained in those case files. This is the data you have on your client.

In almost every case, this will also include the personal data of third parties, such as your client’s family members.

The facts of every case will be different, so the personal data that will be on the file will be different. As such, the personal data we process will be different for every case file we audit.

For further detail on what data we process from a case file please click here.

Our findings from an audit will be consolidated into an Identified Issues Report. This will be stored on our case management system and securely destroyed.

To find out more about how we retain data please click here.

4. Data Inside the OISC

Intelligence:

Your personal data will be shared with the OISC Intelligence team so that they can do an intelligence check to verify whether there are any concerns with your fitness to provide immigration advice, namely your character.

The team will record, task and disseminate any intelligence gathered to caseworkers, investigators and Legal team. Information shared with caseworkers will be used to help caseworkers identify any issue(s) or potential issue(s) with the adviser’s/organisation’s fitness and competence.

The Intelligence team will request an applications list from the Home Office. This is a complete list of all the applications you/your organisation has submitted to the Home Office.

The Intelligence team will process your data, including sharing your data with other law enforcement agencies, such as the police, for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.

Data that will be shared with other law enforcement agencies include your name, your organisation’s name, your address and post code, your organisation’s address and post code, your date of birth, any Home Office reference numbers and any information given to us from the declarations in your past application forms.

Under section 93 of the Immigration and Asylum Act 1999 (as amended), there is nothing preventing a person from giving us information that is necessary for the discharge of our functions (i.e. to determine whether you are fit and competent).

Therefore, when we request intelligence from other organisations to determine whether you are fit and competent, they can give us any information that is necessary for us to do so.

Investigations:

The Investigations team will process personal data for the purposes of the prevention, investigation, detection or prosecution of criminal offences.

Legal:

The Legal team will have regular access to your personal data on the case management system and will process your personal data for the purpose and in connection with any legal proceedings or prospective legal proceedings.

Under section 93 of the Immigration and Asylum Act 1999 (as amended), there is nothing preventing a person from giving the First-tier Tribunal information which is necessary for the discharge of its functions (i.e. making decisions of any appeals lodged).

As such, if you decide to appeal a decision made against you, the Legal team will disclose your personal data to the Tribunal over the course of the legal proceedings.

The Legal team will only process personal data that is relevant to the proceedings, such as the data regarding an application, audit and/or complaint.

The Legal team also provide overall support to caseworkers and advise them whenever their advice is sought on whether an adviser is fit and competent to provide immigration advice and/or services. To do this, the Legal Team will process your data (examine the data) to help them form their advice.

Finance:

Payments of registration fees and requests for refunds are processed by the finance team.

We will share your organisation’s bank details with the Finance team for payments of registration fees or if you request a refund of a registration fee.

HR:

If you make a complaint against a member of OISC staff, it will be investigated by the HR department.

HR have regular access to our case management system. If you are an adviser or an applicant adviser and make a complaint against a member of OISC staff, HR will have access to your personal file on our case management system.

IT:

The IT team backup all data stored on our servers for the purposes of disaster resilience.

This is done on a daily basis. All backup tapes are encrypted. Back up tapes are stored in our office with one tape being stored at a secure offsite location.

The data contained on the backup tape is not processed at the offsite location.

Backup tapes are securely destroyed once they are no longer fit for purpose.

5. Retention

We hold personal data for a period of six years. After this the personal data is securely destroyed.

We only store data for longer than this:

• for the prevention, investigation, detection or prosecution of criminal offences

• for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings)

• for the purpose of obtaining legal advice or otherwise establishing, exercising or defending legal rights

When deciding whether to retain the data for the above purposes, we consider all the circumstances and evidence before us.

This includes the case history between a caseworker and an adviser/organisation.

6. Your Rights

As a data subject, you have the following rights:

• to be informed of how we process your personal data

• subject access

• rectification

• erasure

• restriction

• portability

• objection

Under GDPR there are also rights attached to the automated individual decision-making (i.e. profiling). However, we do not process your data using automated decision-making means.

Exercise Your Rights

If you choose to exercise your rights, please contact the OISC Information Officers who will take the necessary steps. They can be contacted on legalteam@oisc.gov.uk.

Rights You Cannot Exercise

The reason we process personal data, as explained in this document, is because it is necessary for the exercise of official authority vested in us. This is our lawful basis.

Our lawful basis affects certain rights that you can exercise.

If you have applied for any of the following, you cannot exercise your right to erasure or data portability:

• Application for Registration

• Application for Continued Registration

• Adding a New Adviser

• Application for Registration of a New Legal Entity

• Application for Raising Levels

• Application for Judicial Review Case Management

• Any of our N&SCS applications

You can exercise every other right, however, if you want to restrict or object to how we process your data, we will not be able to consider your application, as all of our processing activities are done to ensure you are fit and competent to provide immigration advice and/or services.

How do I complain about information security?

In the first instance, you can email the Data Protection Officers to submit a complaint. The DPOs will investigate the matter and respond to you by email.

If you are not satisfied with the response, you can submit a complaint to the ICO on their website.

7. Who is the Data Controller?

Office of the Immigration Services Commissioner

Office of the Immigration Services Commissioner (OISC)
5th Floor
21 Bloomsbury Street
London
WC1B 3HF

Email: info@oisc.gov.uk

Telephone: 0345 000 0046

8. Who are the Data Protection Officers?

Jennifer Terry

Office of the Immigration Services Commissioner (OISC)
5th Floor
21 Bloomsbury Street
London
WC1B 3HF

Email: jennifer.terry@oisc.gov.uk

Telephone: 0207 211 1585

Christopher Mopas

Office of the Immigration Services Commissioner (OISC)
5th Floor
21 Bloomsbury Street
London
WC1B 3HF

Email: christopher.mopas@oisc.gov.uk

Telephone: 0207 211 1615

9. Publishing

Under section 83(6)(a) of the Immigration and Asylum Act 1999 (as amended), we must arrange for the publication, in such form and manner and to such extent as we consider appropriate, of information about our functions and about the matters falling within the scope of our functions.

Under sections 91 and 92 of the Immigration and Asylum Act 1999 (as amended), it is a criminal offence to offer, advertise and/or provide unregulated immigration advice and/or services.

As part of our functions, we investigate and prosecute these offences. Therefore, as a public body, it is necessary for us to process your data in the following ways for the exercise of official authority vested in us (Article 6 GDPR).

We will publish details of ongoing criminal prosecutions and warrants on our website, including information relating to:

• The defendant’s name, age and regional location
• An update on the criminal proceedings

The purpose for publishing this data are for statutory purposes, to safeguard vulnerable advice-seekers and to prevent any further provision of unregulated immigration advice and/or services.

ANNEX A: Data we process about organisations

We process data relating to the organisation. This includes:

• the organisation’s name, address and contact details
• the organisation’s legal status
• the organisation’s Companies House/charity registration number
• the organisation’s bank details
• the organisation’s OISC registration number
• what OISC Level the organisation are registered at and permitted to work at
• the OISC categories they are permitted to work at (i.e. Immigration and/or Asylum & Protection)
• whether the organisation is a fee charging organisation or a non-fee charging organisation
• the name(s) of the advisers working at the organisation
• data of advisers working or who have worked at the organisation. For more detail on what data we process relating to adviser please click here.

ANNEX B: Data we process about advisers

We process data relating to the advisers of the organisation. This data includes:

Adviser details:

• their name, previous name(s), title, gender, date and place of birth, nationality and contact details
• their employment status at the organisation
• their NI number
• their employment history
• their previous employer’s details which includes:
• the organisation’s name, address and contact details
• their job title whilst employed there
• the organisation’s overseeing regulatory body
• the dates they were employed by the organisation
• details of their training and qualifications
• whether they currently employed or own/work in any other business
• copies of their identity (such as passports, identity cards, etc.)

Information about an adviser’s ability to work in the UK:

• whether they are subject to restrictions on their residence in the UK or permission to work in the UK

Information about an adviser’s financial background:

• whether they have ever been declared bankrupt
• whether they have been disqualified or banned from being a director of a company
• whether they have ever been disqualified as acting as a charity trustee

Information about an adviser’s OISC registration:

• their OISC registration number
• what OISC Level they are registered at
• the OISC categories they are permitted to work at (i.e. Immigration and/or Asylum & Protection)
• whether you work for a fee charging organisation or a non-fee charging organisation
• the name(s) of the organisation(s) the adviser works for and has worked at
• address of the organisation(s) the adviser works at or has worked at

Data we already have on you:

If you are or have been in the OISC scheme before and we hold data on you. That data will be used to consider whether you are fit and competent to provide immigration advice and/or services, along with any new data you have provided to us.

This includes data collected from previous audits and any investigated complaints made against you.

To find out more about what data we process from audits please click here.

To find out more about what data we process about complaints please click here.

If the organisation is an N&SCS:

• whether the adviser is part of the nationality checking service and/or settlement checking service
• what organisation they are part of

Information about an adviser’s character:

• whether they have convictions, cautions, reprimands or final warnings that are not “protected” as defined by the Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975 (as amended in 2013)
• whether they have been or currently are subject to any criminal proceedings in the UK or abroad
• information contained on an adviser’s DBS Disclosure Certificate (standard check)
• whether they have been subject to any adverse finding or settlement in civil proceedings
• whether they have been dismissed or asked to resign and resigned from employment or from a position of trust, fiduciary appointment or similar position
• whether they have traded under a different name or been known by a different name in the last 5 years
• whether they are currently regulated by or have previously been regulated by the OISC
• whether they have/are a member of a professional body in the UK or abroad
• whether they have been or are subject to any existing/previous disciplinary proceedings by other regulatory authorities or professional bodies in the UK or abroad
• whether they or any business with which they have been an owner or manager has been subject to any substantiated complaint relating to regulated activities
• whether they or any business with which they have been involved have ever been refused the right to carry out a trade, business or profession requiring a licence or other authority
• whether they or any business with which they have been involved have ever had this authorisation revoked, withdrawn or terminated, or have been expelled by a regulatory or government body
• whether they or any business that they have been involved has been investigated, disciplined, censured or suspended or criticised by a regulatory or professional body, a Court or Tribunal (publicly or privately)
• whether they have been a barrister, solicitor, advocate or a member of CILEx, or supervised by one of the above
• whether they have ever been subject to disciplinary action or intervention by a Designated Professional Body or Designated Qualifying Regulator or overseas body equivalent
• whether they are prohibited by The Law Society’s Rules or equivalent from being employed as a solicitor’s clerk
• whether they have been sued by a client or made a claim on their Professional Indemnity Insurance in the last 5 years
• whether they have ever been involved in any conduct that may call into question their honesty, integrity or respect for the law

ANNEX C: Data we process about owners and trustees

We process data relating to the owner(s)/manager(s) or trustees of the organisation or charity. This includes:

• their name(s)
• their date(s) of birth
• their title(s)
• their nationality
• their role(s) and position(s) within the organisation
• details of any shares held
• whether they have traded under a different name or been known by a different name in the last 5 years
• whether they are involved in the running of any other business or employed at any other organisation
• whether they have ever been involved in any conduct that may call their honesty, integrity or respect for the law into question

Owners’ character:

• whether they have any unspent criminal convictions in the UK or abroad
• whether they are currently subject to any criminal proceedings in the UK or abroad
• whether they are subject to, or ever been, subject to disciplinary proceedings by regulatory/professional bodies in the UK or abroad

Owners’ financial background:

• whether they have been a director of a company or member of an LLP that has been subject to a winding up order, an administrative order or administrative receivership, or entered into a voluntary arrangement under the Insolvency Act 1986, or whether the company has been wound up or put into administration in circumstances of insolvency
• whether they have been declared bankrupt or entered into an individual voluntary arrangement or a partnership voluntary arrangement under the Insolvency Act 1986
• whether they have ever been disqualified or banned from being a director of a company or from acting as a charity trustee

ANNEX D: Data we process about complaints

When submitting a formal complaint, the complainant must provide us with their personal data in accordance with our complaints scheme.

Details of the complainant:

• their name, date of birth, address, email address and contact numbers
• name, date of birth, address, email address and contact numbers of person who submits the complaint on behalf of the complainant

Details of adviser and/or organisation they are complaining about:

• adviser and/or organisation’s name, address, email address and contact numbers

Details of the complaint:

• whether the complaint has been reported to any other agencies and details of the other agencies’ investigation
• facts of the complaint, including information from any work undertaken by the adviser/organisation (i.e. the complainant’s case file)

For further detail on what data we process from the complainant’s case file please click here.

ANNEX E: Data we process from a complainant’s case file

If you make a complaint about the work undertaken by an adviser/organisation, as part of our investigation, we will request your case file(s) from the adviser/organisation to examine the work done on the file.

For example, if your complaint is about an adviser who did work on your asylum application and you allege that they did this work incompetently, we will request your case file. A complaints caseworker will then review the file and determine whether the work was done incompetently.

By doing this we are processing the data contained in your case file.

Your case file will in most cases contain personal information relating to third parties. This can be family members, witnesses or unmarried partners.

Every case file is different and the data processed from a case file will be different in every investigation.

Below is a list of all the data that we can process from a case file (your data and third party data).

Data from case file (yours and third parties):

This data will mainly come from any attendance notes, applications, submissions or representations contained in the case file.

• facts of the case
• date and place of births
• names and previous names/identities
• addresses and previous addresses
• gender and sexual orientation
• nationality and any other nationality/citizenships held
• addresses and contact numbers
• passport number, place of issue, issuing authority, date of issue, date of expiry
• language(s) familiar with
• NI numbers
• BRP numbers
• Home Office and/or Case ID reference numbers
• immigration history
• details of education, employment history and tax history (including details of payments made to HMRC)
• relationship history including details of previous partners (name and date of birth), date and place of marriage and date of divorce
• details of any children and/or parental responsibility arrangements
• details of nature and dependency child has on client
• details any visits to any other countries and time spent outside of UK
• details of residency outside of UK
• history relating to claiming any welfare benefit
• details of living arrangements including number of rooms, people living there and whether it is rented or mortgaged
• details of any business interests outside of the UK
• details of any property owned in and outside of the UK
• details regarding annual/monthly income
• details of any employment benefits/arrangements
• details of any court judgments/civil penalties
• details of registered GP
• bank details contained in application forms (business accounts and individuals’ accounts and any joint holder accounts)
• name and address of any joint account holders
• name and address of any person providing financial support
• information relating to the complainant’s racial/ethnic origins, political opinions, religious beliefs, trade union membership(s), physical/mental conditions, sexual life
• information relating to the commission or alleged commission of any criminal offence, the proceedings for the commission or alleged commission of a criminal offence
• information (as above) relating to children
• information (as above) relating to family members, unmarried partners, dependents (adult or child), sponsors, or anyone else mentioned in the complainant’s case file(s)
• copies of any documents that are held on the case file. This can include copies of:
• photographs
• passports
• BRPs
• driving licences
• national ID cards
• travel documents
• bank statements
• payslips
• certificates
• marriage certificates
• correspondence (emails, letters, attendance notes/minutes)
• mortgage/rent agreements and other financial agreements
• contracts
• birth certificates
• bills and invoices
• police registration certificates

Under Code 26(k) of the OISC Code of Standards 2016, in the client care letter, advisers must confirm to their clients that they are regulated by us and that we have the power to examine the client’s file.

ANNEX F: Data we process from an audit

Data processed from case file (yours and third parties):

This data will mainly come from any attendance notes, applications, submissions or representations contained in the case file.

• facts of the case
• date and place of births
• names and previous names/identities
• addresses and previous addresses
• gender and sexual orientation
• nationality and any other nationality/citizenships held
• addresses and contact numbers
• passport number, place of issue, issuing authority, date of issue, date of expiry
• language(s) familiar with
• NI numbers
• BRP numbers
• Home Office and/or Case ID reference numbers
• immigration history
• details of education, employment history and tax history (including details of payments made to HMRC)
• relationship history including details of previous partners (name and date of birth), date and place of marriage and date of divorce
• details of any children and/or parental responsibility arrangements
• details of nature and dependency child has on client
• details any visits to any other countries and time spent outside of UK
• details of residency outside of UK
• history relating to claiming any welfare benefit
• details of living arrangements including number of rooms, people living there and whether it is rented or mortgaged
• details of any business interests outside of the UK
• details of any property owned in and outside of the UK
• details regarding annual/monthly income
• details of any employment benefits/arrangements
• details of any court judgments/civil penalties
• details of registered GP
• bank details contained in application forms (business accounts and individuals’ accounts and any joint holder accounts)
• name and address of any joint account holders
• name and address of any person providing financial support
• information relating to the complainant’s racial/ethnic origins, political opinions, religious beliefs, trade union membership(s), physical/mental conditions, sexual life
• information relating to the commission or alleged commission of any criminal offence, the proceedings for the commission or alleged commission of a criminal offence
• information (as above) relating to children
• information (as above) relating to family members, unmarried partners, dependents (adult or child), sponsors, or anyone else mentioned in the complainant’s case file(s)
• copies of any documents that are held on the case file. This can include copies of:
• photographs
• passports
• BRPs
• driving licences
• national ID cards
• travel documents
• bank statements
• payslips
• certificates
• marriage certificates
• correspondence (emails, letters, attendance notes/minutes)
• mortgage/rent agreements and other financial agreements
• contracts
• birth certificates
• bills and invoices
• police registration certificates

Under Code 26(k) of the OISC Code of Standards 2016, in the client care letter, advisers must confirm to their clients that they are regulated by us and that we have the power to examine the client’s file.

Published 24 May 2018
Last updated 14 February 2023 + show all updates

1. 14 February 2023

   Added new section relating to publishing information

2. 24 May 2018

   First published.