Baseline Personnel Security Standard on Amiqus - processing data: privacy notice

Privacy notice for the Baseline Personnel Security Standard (BPSS) on Amiqus.


This privacy notice explains your rights under the Data Protection Act 2018 (DPA) and General Data Protection Regulation (GDPR). It describes how we use, store and share the personal information we collect about you.

Personal data (which we will refer to as ‘data’ throughout this notice) means any information about an individual from which that person can be identified.

Amiqus acts as a data processor for Scottish Government (SG). You can read Amiqus' privacy policy on the Amiqus website.

Why we are collecting data

Your personal data will be processed as part of the requirement to undertake pre-employment checks under HMG’s Baseline Personnel Security Standard (BPSS) for our non-permanent staff. BPSS is the minimum level of security control applied to anyone who requires access to our premises, assets or information for work purposes. These checks are conducted in order to:

  • ensure that sensitive assets are protected
  • reduce the risks to people and information
  • create and maintain an effective security culture
  • provide a basis for subsequent National Security Vetting

Legal basis for processing data

We will only process your data when required to by the HMG Baseline Personnel Security Standard policy which states that BPSS “must be applied to any individual who, in the course of their work, has access to government assets”. Scottish Government Personnel Security apply these checks to all non-permanent staff who have access to premises, assets or information for work purposes.

Your personal data is collected in line with UKGDPR Article 6(1)(e) – performance of a task in the public interest.

Some of the data that we process is classed as ‘special category’ data. We process this data in line with UKGDPR Article 9.2 (b) that “processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment”.

We collect data relating to criminal convictions and offences in line with UKGDPR Article 10. The processing of this information is necessary for us to undertake employment checks and we have appropriate safeguards in place to protect this information.

What data we collect

In undertaking this procedure, we will process the following categories of personal and special category data:

  • full name
  • title
  • date of birth
  • nationality
  • UK residence status
  • place of residence in the UK
  • previous addresses in the UK or abroad in the last five years
  • name and current address combination in the TransUnion database
  • telephone number
  • email address
  • unspent criminal history
  • any court martial/detention or dismissal if you served in the Armed Forces (except those ‘spent’ under the Rehabilitation of Offenders Act 1974)
  • employment role
  • any conflict of interest relating to the role
  • employment history in the last three years
  • any gaps in employment during the last three years
  • employer referee name and email

Physical documentation

If we are unable to verify your photographic ID through Amiqus, you will be required to send your passport, driving licence or national ID card to Saughton House to be physically inspected by the BPSS team. Your document will be stored in a securely locked cabinet in a pass-controlled room and sent back via Royal Mail Special Delivery once processed.

Who we will share your data with

Our Security and Business Continuity BPSS Team records this data on a central security-vetting database and in Amiqus where you upload the data. Amiqus acts as the data processor and has data sub-processors (Onfido, TransUnion, Disclosure Scotland and Stripe) who process data on behalf of Amiqus to complete the necessary checks. Full details of how this information is processed and stored can be found in the Amiqus privacy notice. There may be circumstances in which we lawfully share your data with third parties where, for example, we are required to do so by law, by court order, or to prevent fraud or other crimes. Where we share data, we shall do so in accordance with data protection laws. We will not share your information with any other bodies without notifying you.

The safeguard applied to restricted transfers is the EU-UK adequacy decision, which allows transfers of data freely. Details can be found on the Information Commissioner's Office website.

How long we will keep your data

Your personal data and that of third parties (for example, past employment references) will be retained for as long as it is necessary for the purpose it was collected. The data in Amiqus will be retained for three years and three months: three years for the period that BPSS is granted and three months to allow time for BPSS clearance to be renewed.

Your data rights

In relation to your personal data held by our Security and Business Continuity BPSS Team, you have the right to:

  • object – request that your data is not processed for certain purposes
  • restrict processing – request that the processing of your personal data is restricted in certain circumstances, for example, where accuracy is contested
  • rectification – request that any inaccuracies in your personal data are rectified immediately and request that any incomplete personal data is completed, including by means of a supplementary statement
  • access – request information about how your personal data is processed and to request a copy of that personal data
  • deletion – request that your data be removed from our systems. Due to the legal requirements we are under to carry out security checks, we may not be able to carry out this right

These rights are not absolute, and may be subject to exemptions in the Data Protection Act 2018.

Contact

If you have any questions about anything in this privacy notice or if you consider that your personal data has been misused, or you would like to exercise any of your rights, contact:

Data Protection Officer
Scottish Government
Victoria Quay
Edinburgh
EH6 6QQ

Email: DataProtectionOfficer@gov.scot

If you are not satisfied with the response, you have the right to make a complaint to:

The Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113

Website: www.ico.gov.uk
