Yoti Identity Verification within the UK Digital Identity and Attribute Trust Framework (UKDIATF)

• Yoti clients (such as HR vetting companies or employers) will send a link for individuals to complete a digital DBS, Right to Work or Right to Rent check.
• We will then collect information from those using Yoti’s Identity Verification service to send our clients an assertion of identity so that they can conduct digital DBS, Right to Work or Right to Rent checks on you. 
• Yoti’s Identity Verification service is a one- off verification journey, so we do not create an account for you unless:.
  • You are using Web Account in which case the Web Account Privacy Notice will apply: https://www.yoti.com/privacy/web-account/
  • You are using the Yoti /Easy ID Digital ID app in which case the Digital ID Privacy Notice will apply: https://www.yoti.com/privacy/app/

Where we have the Yoti client’s permission, Yoti also uses some of your data to improve upon our identity and age verification services and help prevent fraud in our products and services. 

We collect your selfie, a cropped picture of your ID document photo, your gender, month and year of birth and some other non-personal information such as your device type e.g. Android, iOS, desktop, ID document country of issue and document type (passport, drivers licence etc). Our R&D team uses this information to conduct testing and training of our models, which help prevent fraud and reduce bias in Yoti products. 

Separately we collect and store your date of birth and hashed name so that if you request deletion of your data, we can locate it in our database.

We collect this data on the basis of our legitimate interest and the substantial public interest in making sure our identity services are secure against fraud attempts and to reduce bias in how our technology performs. Given how important it is to prevent fraud and to make sure products and services are accessible to all, we think it is in everyone’s interest to conduct this testing and research. At the same time we understand individuals may not want their data to be used in this way – so we allow individuals to opt-out at any time. To opt-out and have your data deleted from our database, please send an email to privacy@yoti.com.

Under data protection laws we need to have a reason or lawful basis for using your personal data. 

These lawful bases are as follows:

• Performance of a contract
• Consent and explicit consent
• Legitimate interest
• Legal obligation
• Public interest
• Vital interest

We use consent for 

• Liveness and face match – if you do not want to consent to this use of your data then you should contact the Yoti Client (the organisation that asked you to complete the check) and ask for an alternative way to verify your identity.

We use legitimate interests for

• Checking your ID document to validate your identity
• Verifying your address with third parties
• Conducting fraud checks with third parties
•  Yoti’s internal use of data for research and development

Yoti acts as processor for any ongoing storage of your check results by the Yoti client – you should contact the organisation that asked you to complete the check for any questions relating to the results including the lawful basis.

The maximum amount of time that Yoti will have access to your data to perform the check is 28 days.

Following the check Yoti will send the results to the Yoti client that requested you complete the check. After 28 days Yoti will continue to store the data on behalf of the client, according to the retention period set by them. At this point the client is the controller of your data and is responsible for any ongoing storage or use. You should contact them for any questions about your results or ongoing use of your data.

Separately, Yoti will retain a copy of your data for our internal research and development for 6 years.

Where Yoti is under a legal or statutory obligation to retain your data, for example due to a valid request from law enforcement, we will keep your data for longer.

We will put your data into a report and send that report to our client. Our client is the organisation who requested that you undergo Yoti’s Identity Verification. The form of the report is dictated by the DBS or UK Home Office requirements for DBS, Right to Work and Right to Rent. You should contact the HR vetting company or employer that requested you complete the check for any questions about your results.

Credit Reference Agencies and third party providers

If we need to use a credit reference agency or other third party to verify your address or other part of your identity then we send the relevant details to the relevant provider and use the response in our report to Yoti clients.

Currently we use the following providers to assist with these checks:

• TransUnion: We will share your data (ID document and relevant data fields such as name, DoB, address) with TransUnion in order to check your identity and prevent criminal activity such as fraud and money laundering. More information about TransUnion and the ways in which it uses and shares personal information can be found in its privacy notice at https://www.transunion.co.uk/legal-information/bureau-privacy-notice
• Experian: We will share your data (ID document and relevant data fields such as name, DoB, address) with Experian in order to check your identity and prevent criminal activity such as fraud and money laundering. More information about Experian and the ways in which it uses and shares personal information can be found in its privacy notice at https://www.experian.co.uk/legal/crain/
• Aristotle: We will share your information with Aristotle if required for the relevant check. You can find more information about how Aristotle processes your personal information at https://integrity.aristotle.com/privacy-policy/ 
• ComplyAdvantage: We will share your information (name, DoB, address) with ComplyAdvantage if required for the relevant check. You can find more information about how ComplyAdvantage processes your personal information at https://complyadvantage.com/privacy-notice/ 
• CitizenCard: When you upload a CitizenCard we will validate your information with them as the issuing authority. You can find more information about how CitizenCard  processes your personal information at https://www.citizencard.com/cookie-privacy-policy

Fraud Bodies

As part of the check we will also conduct fraud checks. In some cases, for example where we suspect you are committing identity fraud or a criminal offence, we will share a copy of your information with the appropriate authorities. 

• Cifas: We check your information against Cifas. If, after investigation, we determine that there has been fraud that meets the criteria for reporting to Cifas, we will pass on the details to prevent further fraud and money laundering.Cifas keeps fraud reports for six years. Other Cifas members may use the information we report to refuse to provide you with services, financing or employment. You can find the Cifas privacy information at https://www.cifas.org.uk/fpn and individuals who want to dispute a Cifas record, must contact Cifas directly at https://www.cifas.org.uk/contact-us/I-Want-To-Make-A-Complaint  
• Synectics: We check your information against National SIRA and NFI databases. You can read more about Synectics here: https://www.synectics-solutions.com/privacy-policy 
• Metropolitan Police Service Amberhill Identity Team: We will share the document and information with Amberhill where we find that there is a match to their database of false identity documents/information. You can read more about Amberhill here.

Law Enforcement of other official body

We will have a legal obligation to share the information if we receive a court or similar legal order ordering us to disclose it.

Where we are required to share information with law enforcement or other government authority we will ensure

• The request is valid;
• The information requested is no more than necessary;
• That, where possible, we have tried to redirect the request to the relevant client; and
• That, where possible, we have informed the relevant client of the request.

We keep the data encrypted in the UK and, depending on the type of check, the data could be sent to our security centre in India for manual checks. 

We always ensure any transfers of data follow the relevant legal requirements, such as entering into standard contractual clauses (SCCs) and completing transfer impact assessments to ensure that any data transferred is protected to an adequate standard. 

We are audited annually by KPMG against the SOC2 Type 2 Security control standards and we also maintain our ISO 27001, ISO9001 and ISO27701 certification. You can see more about Yoti’s technical and organisational measures at https://www.yoti.com/security/

Please see below for the data protection rights that apply to Yoti. Please send any rights requests to: privacy@yoti.com

You are entitled to know what personal information we hold about you and to receive a copy of it. 

Please note that we do not have to share information about fraudulent indicators. In this case you must  contact the relevant fraud prevention agency for further information. See the Fraud Bodies section above for the contact information.

If you spot an error in the data we have processed then please re-submit your document again. 

You are entitled to correct personal information we hold about you that is inaccurate.

In certain circumstances you are entitled to ask us to delete the personal information we hold about you. If you would like to request deletion please email privacy@yoti.com.

In certain circumstances you are entitled to object to Yoti processing your personal information. There are unlikely to be any circumstances when this right applies howevero if you want to contact us about your objection rights, please email: privacy@yoti.com.

In certain circumstances you are entitled to ask us to restrict our processing of your personal information.

You can ask us to do this if:

• you dispute the accuracy of your personal information; 
• our processing is unlawful but you prefer restriction to deletion; or 
• you have objected to our processing and we are still dealing with this objection.
  

If you want to contact us about your restriction rights, please email: privacy@yoti.com.

In certain circumstances, you are entitled to receive the personal information you have provided us in a structured, commonly used and machine-readable format.

Yoti does not make any automated decisions when performing the check – we merely provide results of the checks to the Yoti clients for their manual review. If you would like to have your identity verified a different way or if you would like to dispute the results of your check, you should contact the Yoti client and request for them to complete your check manually.

You can also complain to the Information Commissioner’s Office (ICO) who is responsible for making sure that organisations comply with the law on handling personal information. https://ico.org.uk/global/contact-us/.

Understanding how people use the Yoti Identity Verification service is essential. We need to know what’s working, and what isn’t, so we can improve. As a business, we need to know how many people are using it, where they are in the world, and which aspects are most popular.

We collect information about your device and your use of our websites using in-house analytics. We de-identify and aggregate the information we collect so we can’t identify you personally. Unlike most other companies, we don’t build individual profiles of the people who use the Yoti Identity Verification service. We simply look for trends and patterns to inform business decisions.

Using our in-house software, we collect some information from users and some information on when certain things happen as you use Yoti Identity Verification service. This information includes information about your phone, such as make and model, operating system, app version and screen size information. Our in-house software does not identify you personally.

We perform analytics on information created automatically by our internal systems when things happen. Our analytics looks at, on an aggregated and anonymous basis, the actions performed on our own servers, for example: how many sessions are created, how many of a particular document type are uploaded and the outcomes for particular checks (but without recording personal data). 

We do not perform any analytics on actions you take on your own device, such as clicking buttons. 

We do not store device IDs or any other unique device identifiers.  

We do not use any personal data, such as your mobile phone number or IP address, to identify you in our analytics. All we do is note your country location based on your IP address (but we do not store the full IP address).  

• We updated the information on the third parties and providers we use.
• We also added a link to our separate IDV privacy notice, where we act as processor on behalf of the Yoti client that asked you to complete the check
• We have added a new data use and purpose of processing for Yoti internal research and development

For general questions on Yoti or our products:  hello@yoti.com 

For questions about the results of your check: Contact the Organisation that requested you do the check

For questions on privacy: privacy@yoti.com

Or write to

Yoti DPO

Yoti Ltd, 6th Floor, 

107 Leadenhall St, 

London, EC3A 4AF