Biometric Identification Checks
Privacy governance and compliance
Key points:
Our biometric identification service has a comprehensive privacy governance framework in place, with additional local measures where needed. This is led and overseen by a designated Data Protection Officer.
- It has both ISO 27001 and SOC 2 certifications for information security, please see our SOC 2 report for more information.
- It uses both UK datacentres and AWS EU servers. Some products allow local data storage for customers in certain countries.
How the service complies with privacy laws:
The biometric identification services and operations are built and run in jurisdiction, subject to the GDPR / UK Data Protection Act 2018 and have user privacy at their core. Privacy and security by design are the unique selling point of this service. It has a comprehensive Privacy Government Framework in place to implement the requirements and obligations of the GDPR, Data Protection Act 2018 and any other privacy or data protection legislation we may be subject to. This Governance Framework is based on established privacy management and accountability frameworks and includes policies, procedure, privacy risk assessments, training and awareness and supplier diligence. The service has a Data Protection Officer who monitors implementation of this Governance Framework and advises the businesses in all matters of data protection compliance.
Security:
The service has a variety of security certifications and the technology undergoes regular penetration testing by leading security consultancies.
Audits and certifications:
The service is audited annually by a top four auditing firm to ISAESOC2 security standards. This is an internationally recognised security standard used by large banks and leading technology firms. The report is available upon request under NDA to potential customers. The service has also been recently audited against the HIPAA Security and Privacy Rules (US medical data regulation) and is also certified to ISO 27001.
Security by design:
Data is generally stored in UK Tier 3 datacentres.
Some products also allow local storage for customers in certain countries.
There is an appointed CISO who is ultimately responsible for security. The CISO chairs a monthly Security Forum which includes senior staff from across the business.
How the service can help with your privacy law compliance:
This service is a secure and privacy-friendly identity solution. Outsourcing your identity needs to us can help with your privacy compliance in several ways. Here is how this service puts into practice several key privacy principles and requirements, helping you do more compliant identity or age verification and authentication.
Privacy by design:
GDPR and other privacy laws oblige you to design privacy into everything you do: products, services, systems, databases and process. This service takes a privacy-by-design approach to the development of our products and services, so it will likely be more privacy friendly than your current systems and processes.
You can use this service as an ‘out-of-the-box’ solution for identity verification, authentication and login safe in the knowledge that our services are compliant with the privacy-by-design principle. This service can help you improve on current practices as our products are simple privacy-friendly solution – rather than a combination of processes, systems, access controls and data handling practices that may not be joined up.
Data minimisation:
Many privacy laws require you to only collect and use the minimum amount of data necessary for your purpose. This service allows you to request, and users to share, only the information that is relevant and necessary – so complying with the data minimisation principle. This product can help you improve on current practices because you will no longer need to collect excessive information from your users.
Information security:
Most privacy laws contain provisions on security and GDPR has prescriptive requirements for keeping data secure. This service keeps user data secure in Tier 3 datacentres and we follow security-by-design principles.
Businesses carrying out identity verification and authentication no longer have to deal with insecure transfers of personal information and with managing, storing and retaining securely paper copies of documents or scanned copies in emails. Identity details are shared securely and stored securely in servers. Even where you extract and keep information in your own systems, you only have the minimum information necessary, reducing your security risk.
Transparency and choice:
Privacy laws require you to provide information about your data collection and use practices. When you interact with your customers using Doc Scan, they are clearly presented with the details you require, and choose whether to share them. Once shared, both you and your customer get a receipt showing what data has been shared, with whom and when. When you integrate this service to allow your customers to verify and authenticate themselves you have the option to present appropriate privacy notice information before any details are shared.
Accountability:
The principle is built into different privacy laws in different ways and GDPR explicitly requires you to be able to evidence and demonstrate compliance. The service provides an easy way for both individuals and organisations to have a record of what information was collected / shared. It can help you improve on current practices as the record of what information you collected from users is stored securely and accessible in one place.
Identity verification for individual rights requests:
GDPR, CCPA and other privacy laws require you to confirm the identity of an individual before disclosing any personal data to them (such as following an access request), or acting on their rights requests (such as correction, deletion and so on). This service provides a quick, online, privacy-friendly and secure way to carry out this identity verification without having to collect and store copies of ID and other documents. It can help you improve on current practices by giving you the ability to quickly verify the identity of a consumer online, with a record of that verification, avoiding the need to deal with posted copies of documents or images scanned into emails.
Privacy governance framework:
The service has a comprehensive privacy governance framework in place to implement the requirements of the privacy laws we are subject to. This section provides an overview of all the elements of the framework, which should assist your diligence.
Governance structure:
- Company business principles
- Guardian council
- CFO is accountable, Commercial Management Team make the final decisions
- Data Protection Officer leads on data protection / privacy; consults and works with the business, specifically Legal, Finance, Regulatory Policy and Technology
- Ethics and Trust Committee
Privacy by design:
- Privacy risk assessments
- Privacy compliance checklist
- Privacy-by-design documents for non-tech functions
- Software change management process
- Infrastructure commissioning process
- Privacy and ethics impact assessments carried out where required legally or by the DPO
Operation policies and procedures:
- Policies and processes are listed on the controlled documents register and reviewed at least annually
- Controlled documents process for creating, reviewing and updating policies and processes
- Key privacy documents:
- Privacy standards
- Data handling principles for staff
- Individual rights policy and process; Checklist for handling requests from individuals
- General security incident management policy and process
- Acceptable use and monitoring policy
- Law enforcement data request principles, disclosure and transparency policy
- Dawn raid policy
- Sensitive data policy document (required under UK DPA 2018)
- Risk Register
Transparency:
- Product privacy notices
- Just-in-time information in the products and services where possible and relevant
- Employee privacy notice
- Applicant privacy notice
- Visitor privacy notice
Accountability:
The principle is built into different privacy laws in different ways and GDPR explicitly requires you to be able to evidence and demonstrate compliance. The service provides an easy way for both individuals and organisations to have a record of what information was collected / shared. It can help you improve on current practices as the record of what information you collected from users is stored securely and accessible in one place.
Identity verification for individual rights requests:
GDPR, CCPA and other privacy laws require you to confirm the identity of an individual before disclosing any personal data to them (such as following an access request), or acting on their rights requests (such as correction, deletion and so on). This service provides a quick, online, privacy-friendly and secure way to carry out this identity verification without having to collect and store copies of ID and other documents. It can help you improve on current practices by giving you the ability to quickly verify the identity of a consumer online, with a record of that verification, avoiding the need to deal with posted copies of documents or images scanned into emails.