Yoti Identity Verification within the UK Digital Identity and Attribute Trust Framework (UKDIATF)

• Yoti clients (such as HR vetting companies or employers) will send a link for individuals to complete a digital DBS, Right to Work or Right to Rent check.
• We will then collect information from those using Yoti’s Identity Verification service to send our clients an assertion of identity so that they can conduct digital DBS, Right to Work or Right to Rent checks on you. 
• Yoti’s Identity Verification service is a one- off verification journey, so we do not create an account for you unless:.
  • You are using Web Account in which case the Web Account Privacy Notice will apply: https://www.yoti.com/privacy/web-account/
  • You are using the Yoti /Easy ID Digital ID app in which case the Digital ID Privacy Notice will apply: https://www.yoti.com/privacy/app/

The maximum amount of time that Yoti will have access to your data to perform the check is 28 days.

Following the check Yoti will send the results to the Yoti client that requested you complete the check. After 28 days Yoti will continue to store the data on behalf of the client, according to the retention period set by them. At this point the client is the controller of your data and is responsible for any ongoing storage or use. You should contact them for any questions about your results or ongoing use of your data.

Where Yoti is under a legal or statutory obligation to retain your data, for example due to a valid request from law enforcement, we will keep your data for longer.

Other companies’ use of your personal information

We will put your data into a report and send that report to our client. Our client is the organisation who requested that you undergo Yoti’s Identity Verification. The form of the report is dictated by the DBS or UK Home Office requirements for DBS, Right to Work and Right to Rent. You should contact the HR vetting company or employer that requested you complete the check for any questions about your results.

Credit Reference Agencies and third party providers

If we need to use a credit reference agency or other third party to verify your address or other part of your identity then we send the relevant details to the relevant provider and use the response in our report to Yoti clients.

Currently we use the following providers to assist with these checks:

• TransUnion: We will share your data (ID document and relevant data fields such as name, DoB, address) with TransUnion in order to check your identity and prevent criminal activity such as fraud and money laundering. More information about TransUnion and the ways in which it uses and shares personal information can be found in its privacy notice at https://www.transunion.co.uk/legal-information/bureau-privacy-notice
• Experian: We will share your data (ID document and relevant data fields such as name, DoB, address) with Experian in order to check your identity and prevent criminal activity such as fraud and money laundering. More information about Experian and the ways in which it uses and shares personal information can be found in its privacy notice at https://www.experian.co.uk/legal/crain/
• Aristotle: We will share your information with Aristotle if required for the relevant check. You can find more information about how Aristotle processes your personal information at https://integrity.aristotle.com/privacy-policy/ 
• ComplyAdvantage: We will share your information (name, DoB, address) with ComplyAdvantage if required for the relevant check. You can find more information about how ComplyAdvantage processes your personal information at https://complyadvantage.com/privacy-notice/ 
• CitizenCard: When you upload a CitizenCard we will validate your information with them as the issuing authority. You can find more information about how CitizenCard  processes your personal information at https://www.citizencard.com/cookie-privacy-policy

Fraud Bodies

As part of the check we will also conduct fraud checks. In some cases, for example where we suspect you are committing identity fraud or a criminal offence, we will share a copy of your information with the appropriate authorities. 

• Cifas: We check your information against Cifas. If, after investigation, we determine that there has been fraud that meets the criteria for reporting to Cifas, we will pass on the details to prevent further fraud and money laundering.Cifas keeps fraud reports for six years. Other Cifas members may use the information we report to refuse to provide you with services, financing or employment. You can find the Cifas privacy information at https://www.cifas.org.uk/fpn and individuals who want to dispute a Cifas record, must contact Cifas directly at https://www.cifas.org.uk/contact-us/I-Want-To-Make-A-Complaint  
• Synectics: We check your information against National SIRA and NFI databases. You can read more about Synectics here: https://www.synectics-solutions.com/privacy-policy 
• Metropolitan Police Service Amberhill Identity Team: We will share the document and information with Amberhill where we find that there is a match to their database of false identity documents/information. You can read more about Amberhill here.

Law Enforcement of other official body

We will have a legal obligation to share the information if we receive a court or similar legal order ordering us to disclose it.

Where we are required to share information with law enforcement or other government authority we will ensure

• The request is valid;
• The information requested is no more than necessary;
• That, where possible, we have tried to redirect the request to the relevant client; and
• That, where possible, we have informed the relevant client of the request.

We keep the data encrypted in our UK data centres and, depending on the type of check, the data could be sent to our security centre in India for manual checks. 

We always ensure any transfers of data follow the relevant legal requirements, such as entering into standard contractual clauses (SCCs) and completing transfer impact assessments to ensure that any data transferred is protected to an adequate standard. 

We are audited annually by KPMG against the SOC2 Type 2 Security control standards and we also maintain our ISO 27001, SIO9001 and ISO27701 certification. You can see more about Yoti’s technical and organisational measures at https://www.yoti.com/security/

Please see below for the data protection rights that apply to Yoti Identity Verification personal information. 

Please send any rights requests to: privacy@yoti.com

You are entitled to know what personal information we hold about you and to receive a copy of it. 

Please note that we do not have to share information about fraudulent indicators. In this case you must  contact the relevant fraud prevention agency for further information. See the Fraud Bodies section above for the contact information.

If you spot an error in the data we have processed then please re-submit your document again. 

You are entitled to correct personal information we hold about you that is inaccurate.

In certain circumstances you are entitled to ask us to delete the personal information we hold about you. Please note that e we do not  keep your data for longer than 28 days unless otherwise required by law.

In certain circumstances you are entitled to object to Yoti processing your personal information. There are unlikely to be any circumstances when this right applies howevero if you want to contact us about your objection rights, please email: privacy@yoti.com.

In certain circumstances you are entitled to ask us to restrict our processing of your personal information.

You can ask us to do this if:

• you dispute the accuracy of your personal information; 
• our processing is unlawful but you prefer restriction to deletion; or 
• you have objected to our processing and we are still dealing with this objection.
  

If you want to contact us about your restriction rights, please email: privacy@yoti.com.

In certain circumstances, you are entitled to receive the personal information you have provided us in a structured, commonly used and machine-readable format.

You have the right to object to automated decisions made about you and have a person within our business to review this decision. Please email cs@yoti.com and our Customer Support can help you with your request.

You can also complain to the Information Commissioner’s Office (ICO) who is responsible for making sure that organisations comply with the law on handling personal information. https://ico.org.uk/global/contact-us/.

Understanding how people use the Yoti Identity Verification service is essential. We need to know what’s working, and what isn’t, so we can improve. As a business, we need to know how many people are using it, where they are in the world, and which aspects are most popular.

We collect information about your device and your use of our websites using in-house analytics. We de-identify and aggregate the information we collect so we can’t identify you personally. Unlike most other companies, we don’t build individual profiles of the people who use the Yoti Identity Verification service. We simply look for trends and patterns to inform business decisions.

Using our in-house software, we collect some information from users and some information on when certain things happen as you use Yoti Identity Verification service. This information includes information about your phone, such as make and model, operating system, app version and screen size information. Our in-house software does not identify you personally.

We perform analytics on information created automatically by our internal systems when things happen. Our analytics looks at, on an aggregated and anonymous basis, the actions performed on our own servers, for example: how many sessions are created, how many of a particular document type are uploaded and the outcomes for particular checks (but without recording personal data). 

We do not perform any analytics on actions you take on your own device, such as clicking buttons. 

We do not store device IDs or any other unique device identifiers.  

We do not use any personal data, such as your mobile phone number or IP address, to identify you in our analytics. All we do is note your country location based on your IP address (but we do not store the full IP address).  

• We updated the information on the third parties and providers we use.
• We also added a link to our separate IDV privacy notice, where we act as processor on behalf of the Yoti client that asked you to complete the check.

For general questions on Yoti or our products:  hello@yoti.com 

For questions about the results of your check: Contact the Organisation that requested you do the check

For questions on privacy: privacy@yoti.com

Or write to

Yoti DPO

Yoti Ltd, 6th Floor, 

107 Leadenhall St, 

London, EC3A 4AF