Privacy Notice | NSA Group Limited
Last updated:
Who we are
NSA Group Limited. We are a company registered in England and Wales under registration number 07254697. Our registered office is at NSA Group, Suite 1 The Old Dairy, Elm Farm, Norwich Common, Wymondham, NR18 0SW.
If you have any questions about how we use personal data, please contact NSA Group's Data Protection Office on 0800 999 7858 or at dpo@nsagroup.co.uk. We review our policy every year, or sooner if regulations change or if we change our data handling processes.
We are committed to ensuring that your privacy is protected and to developing suitable technology to provide you with a safe online experience. This Privacy Notice sets out our responsibilities under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations (PECR) where applicable, and other relevant legislation relating to the processing and security of personal information.
This policy also explains how we use and secure your personal information when using this website or when we are processing screening checks for you.
Why do we collect and process personal information?
We process personal information for the following purposes and under the following lawful bases:
Client and Business Contact Data
Purpose
Managing client relationships.
Providing screening services.
Account administration.
Regulatory compliance.
Lawful Basis
Article 6(1)(f) UK GDPR – Legitimate Interests.
Article 6(1)(b) UK GDPR – Performance of a contract where the individual is party to that contract.
Article 6(1)(c) UK GDPR – Compliance with legal obligations.
Applicant Screening Data
Purpose
Verifying identity, employment history, qualifications, criminal records, financial status, right to work, driving licence information, company directorships, business ownership, sanctions and watchlist status, social media and open-source intelligence information, and other information relevant to the screening process.
Lawful Basis
Article 6(1)(f) UK GDPR – Legitimate Interests.
Article 6(1)(b) UK GDPR – Performance of a contract where applicable.
Article 6(1)(c) UK GDPR – Compliance with legal obligations where screening is required by law or regulation.
Article 9(2)(b) UK GDPR where special category data is processed in connection with employment-related obligations.
Article 10 UK GDPR and Schedule 1 Data Protection Act 2018 where criminal offence data is processed.
We rely on legitimate interests to assist our clients in assessing suitability for employment, engagement, accreditation or regulatory compliance purposes and to identify potential reputational, integrity or security-related risks.
Website Enquiries
Purpose
Responding to enquiries and requests for information.
Lawful Basis
Article 6(1)(f) UK GDPR – Legitimate Interests.
Cookies and Analytics
Purpose
Monitoring website performance.
Understanding visitor behaviour.
Improving user experience.
Lawful Basis
Consent where required under PECR.
Article 6(1)(a) UK GDPR – Consent for non-essential cookies and analytics technologies.
Marketing Communications
Purpose
Sending information about our products and services.
Lawful Basis
Consent where required by PECR and UK GDPR.
Legitimate interests where permitted by law.
What personal information do we collect?
From our Clients
Company information – Name, address and contact details; legal ownership and registration details; trading address.
Contact information – Contact name, job title, business address, business phone number, mobile number and email address.
User information – Contact name, job title, business phone number, mobile number and email address.
From Applicants
Personal details including name and contact details. We will also ask about previous experience, education, referees and for answers to questions relevant to the role they have applied for or are already carrying out. We may also collect identity verification information, right to work information, driving licence information, financial information, criminal records information where legally permitted, company directorship and business ownership information, sanctions and watchlist screening information, and publicly available social media and open-source intelligence information where relevant to the screening process.
From Visitors to our website
When someone visits nsagroup.co.uk we use a third-party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.
If you use our contact form, we will collect your name, telephone number and email address so we can respond to your request for information.
From callers
If you ring us, we will collect your name and contact number so we can respond to your enquiry.
Who will we share your personal information with and why?
We will only share personal information where there is a lawful basis for doing so, including where it is necessary to provide our services, comply with legal or regulatory obligations, respond to lawful requests from public authorities or law enforcement agencies, pursue legitimate business interests, or where consent has been obtained where required by law.
Below are the data processors we use during the screening process:
Disclosure and Barring Service
Criminal Record Disclosure applications are processed by the Disclosure and Barring Service, which will hold the information you submit. We will have access to it.
If you do not live in the UK, we may use the equivalent relevant body in your country to obtain a criminal records disclosure.
Driver and Vehicle Licensing Agency (DVLA)
Where requested by our clients and authorised by the individual concerned, we may obtain information from the Driver and Vehicle Licensing Agency (DVLA) to verify driving licence details, driving entitlements, endorsements, penalty points and licence validity.
Information obtained from the DVLA will be retained by us and shared with our client where relevant to the screening process.
Companies House
Where required as part of our screening, due diligence or verification services, we may obtain information from Companies House to verify company directorships, Persons with Significant Control (PSC), company ownership, appointment histories, insolvency information and other publicly available corporate records.
Information obtained from Companies House may be combined with information supplied by the individual and may be retained by us and shared with our client as part of the screening process.
TransUnion
If we conduct a consumer information search for you, we use TransUnion and we will send them your name, date of birth and address history. The information they return will be held by us and shared with our client.
If you do not live in the UK, we may use the equivalent relevant body in your country to carry out a financial check.
Neotas
Where required by our clients, we may use Neotas Limited to conduct social media, adverse media and open-source intelligence (OSINT) screening.
To carry out these checks, we may share identifying information including your name, date of birth, email address and other information necessary to accurately identify relevant publicly available information.
Information obtained through Neotas may include publicly available social media content, adverse media reports and other open-source intelligence data. The results of these checks may be retained by us and shared with our client as part of the screening process.
eInforma
For applicants based in Spain, we use eInforma to request Solvency Reports for individuals. We will share your name and email address with eInforma and you will be sent an email requesting your consent before the check is processed.
OneID
Where required by our clients, we may use OneID to digitally verify your identity, address and right to work status.
To carry out these checks, we may share personal information including your name, date of birth, address history, nationality and other information required for identity verification purposes.
Information obtained through OneID may be retained by us and shared with our client as part of the screening process.
Simplified.ID Ltd
If we conduct sanctions, politically exposed person (PEP), adverse media or watchlist screening, we use Simplified.ID Ltd. We will send them your name, date of birth, nationality, address history and other identifying information required to conduct sanctions, PEP, and watchlist checks. The information they return will be held by us and shared with our client.
National Security Inspectorate
We are regulated by the National Security Inspectorate and during audit inspections they are given access to our screening files to ensure that we are carrying out screening in accordance with BS7858 and ISO 9001.
Security Systems and Alarms Inspection Board (SSAIB)
We are also regulated by the SSAIB and during audit inspections they are given access to our screening files to ensure that we are carrying out screening in accordance with BS7858.
Marketing and the use of your personal information
We will only market services and products to you if we have your consent. You can contact us at any time to withdraw that consent, and we will update our records accordingly.
Automated Decision-Making
We do not make decisions about individuals based solely on automated processing which produce legal or similarly significant effects.
Accuracy of your personal information
We work hard to make sure the data we hold is accurate. If you believe that the data we hold may be inaccurate, please contact us and we will correct any inaccuracies.
Retention of personal information
We will only retain personal information for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, regulatory, contractual, accounting and reporting requirements.
As a provider of employment screening services, retention periods may be determined by applicable industry standards, contractual obligations with our clients, legal requirements, and our legitimate business needs.
In general:
Client account information is retained for the duration of the business relationship and for up to seven years thereafter.
Applicant screening records are retained in accordance with contractual requirements, applicable regulatory obligations and industry standards, including BS7858 where applicable.
Website enquiries and contact form submissions are typically retained for up to two years.
Call records and correspondence are retained only for as long as necessary to deal with the enquiry or relationship.
Analytics and cookie information is retained in accordance with the settings of the relevant analytics platform and our Cookie Policy.
Where retention periods cannot be specified precisely, we determine them by considering the nature of the information, the purpose of processing, legal requirements and the risk of harm arising from unauthorised use or disclosure.
Your Rights
Under the UK GDPR and Data Protection Act 2018 you have the following rights:
Right of Access – to obtain a copy of the personal information we hold about you.
Right to Rectification – to request correction of inaccurate or incomplete information.
Right to Erasure – to request deletion of your personal information in certain circumstances.
Right to Restrict Processing – to request that processing be limited in certain circumstances.
Right to Data Portability – to receive personal data you have provided to us in a structured, commonly used and machine-readable format where applicable.
Right to Object – to object to processing based on legitimate interests or direct marketing.
Rights relating to Automated Decision-Making and Profiling – not to be subject to decisions based solely on automated processing where such decisions have legal or similarly significant effects, except where permitted by law.
Right to Withdraw Consent – where processing is based on consent.
To exercise any of these rights, please contact us using the details provided in this Privacy Notice.
Some of our service providers may process personal information outside the United Kingdom. Where personal information is transferred internationally, we will ensure appropriate safeguards are in place in accordance with UK GDPR, including adequacy regulations, the UK International Data Transfer Agreement (IDTA), or other approved transfer mechanisms where required.
Complaints or queries
We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.
This privacy policy was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of our collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to the address below.
If you want to make a complaint about the way we have processed your personal information, you can contact the ICO, the statutory body which oversees data protection law: www.ico.org.uk/concerns.
Access to Personal Information (Subject Access Requests)
Under Article 15 UK GDPR, you have the right to obtain confirmation as to whether we process your personal information and, where we do, to receive a copy of that information.
Subject Access Requests are normally provided free of charge. However, we may charge a reasonable fee or refuse a request where it is manifestly unfounded, excessive or repetitive, as permitted by law.
We will respond to your request without undue delay and in any event within one month of receipt. Where requests are particularly complex or numerous, this period may be extended by up to a further two months, in which case we will notify you of the extension and the reasons for it.
To make a Subject Access Request, please contact:
NSA Group
Suite 1 The Old Dairy
Elm Farm
Norwich Common
Wymondham
NR18 0SW
While we may assist individuals informally where appropriate, any informal response does not affect your statutory rights under the UK GDPR and Data Protection Act 2018.
If you are dissatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at www.ico.org.uk and you may also seek a judicial remedy through the courts where permitted by law.
Security of your personal information
Security of the information we hold is paramount. All databases are hosted on Microsoft Azure within the UK, which is ISO 27001, ISO 9001 and ISO 20000-1 certified and also has CSA STAR Certification. Information on these certifications can be found at Microsoft Trust Center. Access to the database is restricted by IP address and requires a unique username and a strong password. All databases employ Microsoft’s encryption of data at rest, and on critical data such as Personal Data we have deployed further encryption measures to protect its confidentiality.
Enterprise-level Unified Threat Management systems are deployed to control access to all applications and locations. Access to all data is limited based on a strict access control policy. Access and operational logs are retained and audited on a regular basis. Any systems that process credit card data are PCI-DSS Certified and subject to strict auditing procedures.
In addition to the above, we have services that are Cyber Essentials accredited. This means our systems have been independently assessed and approved with regard to their ability to protect against common cyber-attacks.
Links to other websites
This privacy policy does not cover all the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.
Changes to this privacy policy
We keep our privacy policy under regular review. This privacy notice was last updated on .
How to contact us
If you want to request information about our privacy policy, you can call us on 0800 999 7858, email us at dpo@nsagroup.co.uk or write to:
NSA Group
Suite 1 The Old Dairy
Elm Farm
Norwich Common
Wymondham
NR18 0SW