OneID® Business Privacy Notice

31 March 2023

Overview

*PLEASE NOTE: If you are a user of our OneID® service, this privacy notice does not apply to you. The basis upon which we use all personal information in relation to users of the OneID®  service is governed by a separate privacy notice, which can be found here.

This privacy notice explains the following about our use of personal information relating to our various external contacts* such as OneID®  Trust Scheme participants, customers, suppliers, advisers, regulators, service providers etc:

  • Who we are (and how you can check), and the data laws that govern us
  • What information we collect about you
  • How we collect and use information about you
  • What we use the information for
  • How long we keep it for
  • How we keep it safe and secure
  • Why we may need to share it, and who with
  • International transfers of your information
  • Your rights to your information
  • Other points of note

Who we are

We are OneID® , a UK company whose mission is to help people prove who they are online in a safe and secure way, under their control and consent.

For the purpose of applicable data laws, we are the controller of the personal information processed for the purposes set out below.

Further details can be found on our website.

How you can check who we are

Enabling trust online is at the heart of what we do, and that starts with us as a company.

We are registered with:

  • UK Companies House (company no. 11800511).
  • The Information Commissioner’s Office (ICO) as a data controller (reg. no. ZA741907).
  • The Financial Conduct Authority (FCA) as an Account Information Service Provider (AISP, ref. no 928911)
  • The Age Check Certification Scheme (ACCS) as an Age Check Provider (certificate ref. ACCS:0005)
  • United Kingdom Digital Identity & Attributes Trust Framework, as an Identity Service Provider (Certificate ref. UKDIATF 2024/03)

Laws that govern what we do

We are committed to ensuring that your privacy is protected, and we comply with the relevant parts of the following laws:

  • Data Protection Act 2018
  • General Data Protection Regulation (UK-GDPR)
  • other data protection rules, including marketing laws, together with associated guidance

What information do we collect about you?

We may collect, use, store and transfer different kinds of personal information about you depending upon the nature of our relationship, and we have grouped them together as follows with some examples:

  • Identity Data: such as first name, last name, title, date of birth, gender and images.
  • Contact Data: such as billing address, delivery address, email address, telephone numbers.
  • Financial Data: such as bank account details (if you supply us with services in your own name).
  • Business Data: such as details about our various transactions, communications and other interactions.
  • Technical Data: such as internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our various websites/platforms/apps/services (collectively, “Products”).
  • Profile Data: such as your username(s) and password(s) and other online identifiers, credentials and personalisations you use in relation to our Products.
  • Usage Data: such as information about how you use our various Products – this may overlap with/relate to the Business Data referred to above.
  • Marketing and Communications Data: such as your preferences in receiving marketing from us and your communication preferences. In certain circumstances, (but only where you have opted-in), this may also include things like whether or not you have opened, read or forwarded marketing emails you have received from us.

We may also collect, use and share aggregated, anonymised data relating to use of our various Products and our business more generally for any purpose (“Stats”). These Stats may be derived from your personal information but are not considered personal data in law so long as they cannot be used directly or indirectly to reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific Product or feature and to identify which, and to analyse why, Products or features are over or under-used.

Generally speaking, we do not want or need to collect any special categories of personal information about you such as sexual orientation, political beliefs, health, genetic or biometric data. However, on rare occasions you may decide to provide us with information regarding you dietary requirements or health (eg in relation to our meetings or events which you attend), in which case we will only use it for the purpose for which you disclosed it to us.

Where we need to collect personal information by law, or under the terms of a contract we have with you or your company, and you fail to provide that information when requested, we may not be able to perform the contract we have, or are trying to enter into, with you or your company. In this case, we may have to cancel or refuse to provide a service or remove or deny access to a Product, but we will notify you if this is the case at the time.

 

How we collect your personal information

We use different methods to collect information from and about you, including:

Direct interactions. You may give us personal information by filling in forms or by corresponding with us by post, phone, email, through our various Products, via text and other messaging services, through social media (such as LinkedIn, Twitter, Facebook and Instagram), or otherwise. This includes personal information you provide when you:

  • register, log-in to, create an account for, or use, any of our various Products;
  • contact, visit, deal or interact with us in the normal course, including in relation to the OneID Trust Scheme;
  • provide us with references or other information in relation to job applicants;
  • provide us with, or contact/negotiate with us about, goods or services of any sort;
  • subscribe to our newsletters, blogs or other publications;
  • join or follow our social media initiatives;
  • request marketing to be sent to you (or opt-out of it);
  • enter a competition, promotion or survey; or
  • provide us with feedback.

Automated technologies or interactions. As you interact with our Products, we (and/or our service providers) may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal information by using cookies, server logs and other similar technologies. Please see below for further detail about our use of cookies. If you have opted-in, we may use technology to track whether or not you have opened, read or forwarded marketing emails you have received from us. We may also collect Usage, Marketing and Communications and Business Data to generate Stats.

Cookies. Some of our Products use cookies. You can set your browser to refuse all or some browser cookies or to alert you when cookies are set or accessed. If you disable or refuse cookies, please note that some parts of the relevant Product may become inaccessible or not function properly. For more information about the cookies we use for our Products, please see their respective cookie notices.

Third parties or publicly available sources. We may receive or obtain various personal information about you from your company/employer/colleagues and various other third parties and public sources, including as set out below:

  • from your employer or your colleagues in the normal course of their creation and pursuit of a commercial relationship with us;
  • from OneIDTrust Scheme participants, suppliers and advisers;
  • from the third parties we use to help us provide and support (and any third parties you use to access) our Products and the OneID Trust Scheme more generally;
  • Technical Data from analytics providers and search information providers such as Google; and
  • Identity and Contact Data from publicly availably sources such as Google, LinkedIn, Facebook, Twitter, Companies House the Electoral Register and other websites and services.

PLEASE NOTE: our systems and Products and your communications of any sort with us may be monitored/recorded for training, regulatory, security or quality control purposes and to help us generate our Stats.

What do we use your information for?

We may use personal information for the following purposes:

  • Generally to run, improve, test and protect our business, its Products, platforms, services and premises, and the OneID Trust Scheme
  • To create and manage our contractual relationship with your or your employer (e.g where you work for an entity which is participating in our Trust Scheme or a supplier, service provider or adviser) including processing payments, accounting, auditing, billing and collection and support services
  • To analyse and improve our communications and interactions with you and to generate Stats
  • Recruitment activities (including requesting and processing references for employees)
  • To provide you with newsletters or any other information or services which you request
  • Marketing and promoting our services and our business more generally (in accordance with applicable laws and rules)
  • Managing our legal, compliance and record-keeping obligations and any potential or actual disputes or complaints
  • For insurance purposes
  • For monitoring and assessing compliance with our policies and standards
  • For any purpose related or ancillary to any of the above or any other purpose for which your personal information was provided to us.

Depending on which of the above purposes we use your personal information for, we may process it on one or more of the following legal grounds:

  • where you have given consent;
  • to comply with our legal and regulatory obligations;
  • for the performance of our contract with you or your company or to take steps at your or your company’s request before entering into a contract; or
  • for our legitimate interests or those of a third party. A “legitimate interest” is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests.

How long do we keep your information for?

We wish to retain as little personal information as possible, for the shortest time we legitimately can. That generally means that we retain personal information whichever is the longest of the following:

·     as long as is necessary to fulfil the purpose for which it was collected;

·     to comply with legal, regulatory, accounting, audit, reporting and internal policy requirements – this will often require us to retain information for 7 years;

·     for the establishment or defence of actual and/or anticipated legal claims; and

·     as long as any other legitimate reason may require/justify

We will review the above from time to time. If there is no longer a reason for certain information to be retained, we will erase it securely, or in some cases anonymise it. We may use Stats and other anonymised information indefinitely without further notice.

How we keep your information secure

We are committed to keeping your personal information secure. We have systems and processes to prevent unauthorised access or disclosure of your personal information – for example, we protect your personal information using varying levels of encryption.

We also make sure that any third parties that we deal with keep all personal information they process on our behalf secure. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

We will never sell your information

We will never sell and/or share your personal information with third parties for their own marketing purposes.

How we may use your information for marketing

If we ever use your personal information to provide you with marketing and promotional materials this will be because you have opted-in/subscribed, or because we have a legitimate interest in contacting you. Either way, you will always be able to opt out from receiving those materials in the future. This is in addition to your more general legal rights described below.

 Why we may need to share your information, and who we might share it with

We may share your information with others where lawful to do so including where we or they:

  • have a legitimate business reason for doing so, e.g. in order to manage and operate all aspects of our business, including the OneID Trust Scheme and the OneID service;
  • have a public or legal duty to do so, e.g. to assist with detecting and preventing fraud;
  • need to in connection with regulatory reporting;
  • help support operational processes such as dispute management; or
  • have asked you for your permission to share it, and you’ve agreed.

We may also share your information with others where lawful to do so, including:

  • companies within our group;
  • our professional advisors;
  • other third-party suppliers, business partners and sub-contractors for business administration, support, IT purposes and hosting services;
  • our regulators, law enforcement or fraud prevention agencies, as well as courts, the police and any other authorised bodies, for the purposes of investigating any actual or suspected criminal activity or other regulatory or legal matters;
  • third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal information in the same way as set out in this privacy notice; and
  • HMRC or other tax bodies or agencies to comply with our legal and regulatory obligations.

 Transferring your information overseas

If we transfer personal information to countries outside the UK and/or EEA to countries that may not have the same level of data protection as the UK or EEA, we will only do so where appropriate safeguards are in place to enable us to legitimately and legally transfer data to them, such as: (i) transfers to countries with EEA/UK “adequacy” rulings; and/or (ii) where appropriate contractual (or other) arrangements are in place.

 Your rights in relation to your information

Depending upon your exact circumstances, you have various rights, including the following:

  • the right to be informed if your information is being used
  • to get a copy of your information (right of access)
  • to get your information corrected (right of rectification)
  • to get your information deleted (right to erasure)
  • the right to restrict processing (right to restriction)
  • the right to data portability (to any other third party, if reasonable)
  • the right to object to the use of your information

More detailed information about your data protection rights can be found at the ICO here.

You will not normally have to pay a fee to access your personal information (or to exercise any of your other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and confirm your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

 Links to third-party websites and services

Our Products may include links to third-party websites, services, plug-ins, applications etc (“Third-Party Products”). Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these Third-Party Products and are not responsible for their privacy statements or practices. When you leave our Product, we encourage you to read the privacy policy of every Third-Party Product you visit.

 How to contact us

If you would like more information or have questions about this privacy notice, please contact us via email or letter to:

  • DPO@oneid.uk
  • Work.Life, CORE, 30 Brown Street, Manchester, M2 1DH

If you have a concern about your information, please contact us first to help you resolve it. The ICO provides some guidance on how to do this here.

 Changes to this privacy notice etc

This privacy notice supplements any other fair processing or privacy notice that may we may provide to you from time to time and we may change this privacy notice from time to time. When we do, we will also post an updated copy on our website at www.oneid.uk