Terms & Conditions
Statement of Fair Processing
Terms and Conditions: By accessing Myvetting.com website and providing Myvetting.com with your personal details, you agree to accept and be bound by the terms of this statement of fair processing which is summarised below.
Using the Technical specification outlined and approved by the UK Home Office, Disclosure and Barring Service (DBS), including but not exclusive to (Disclosure Scotland, Access NI & the ECRIS system), Myvetting.com has produced an online paperless system, using proprietary software to process Right To Work, Right To Rent, International Criminal Record and DBS Checks in a safe and secure encrypted environment, from where client and client applicants can submit applications online and track progress in real time, all from the comfort of their PC, tablet or smartphone.
As registered Data processors, we are committed to protecting the privacy of our client (Data Controllers) and Client Applicants (Data Owners). When you supply any personal information to this site, we have legal obligations towards you in the way we deal with your data as follows:
We promise to only process information with your explicit consent, and to only retain personal information on our systems for the duration of the screening. All data, including personal data you provide, will be purged from our servers, within 90 days from screening end.
We guarantee that all personal information is stored in an encrypted, secure, password-protected and with-MFA-access environment, and in full compliance to UK Data Protection Legislation and the European General Data Protection Regulation (GDPR).
You will remain the Data Owner for any information you submit to Myvetting.com. This data will remain yours and private, and is only used for the purposes set out below;
- We will only process personal information with your explicit consent.
- Only personal information that is required for the check, will be requested/processed.
- Your personal information is only seen on a need-to-know basis.
- Your personal information is retained only for duration of the process.
- Any inaccurate or misleading data will be corrected for you as soon as it is brought to our attention.
- We have a Data Breach policy in place for dealing promptly with any dispute.
All information requested is used solely for the purpose of producing a check, explicitly requested by you the Data Owner.
We promise to treat your personal information as confidential and we will not disclose it to any third party except: (i) with your prior agreement or (ii) as required by law.
Any organisation which uses this eBulkPlus online disclosure service is obliged to sign a service contract requiring them to:
The Myvetting.com Proprietary solution is certified to the ISO27001 standard and hosted by the Microsoft Azure datacentres, where all components of the service are protected by intrusion detection and intrusion prevention devices. Completed applications are fully encrypted and securely transferred to inspectorates for completion of checks before been returned to Client / Data Controller.
The Disclosure and Barring Service, including other relevant inspectorates (Access NI, Disclosure Scotland, ECRIS) will refer the details provided on this application form to government and law enforcement bodies in accordance with any relevant legislation. The details provided to these bodies will be used for identifying possible matches to records held by them. Where such a match is established, data may be released to the inspectorate for inclusion on any certificate issued. The details provided on this form may be used to update the records held by the bodies specified above. The details provided on the application form may be used to verify your identity for authentication purposes. The Inspectorate may use any information provided by the Inspectorates on a certificate or otherwise held by the Inspectorate to inform any of its barring decisions made under its powers within the Safeguarding Vulnerable Groups Act 2006
Terms & Conditions
1. DEFINITIONS:
In this Agreement:
Myvetting.com/you/your means Myvetting.com Limited, part of the Myvetting.com Group, a company incorporated in England and Wales with company number 14530019 and registered office address at 2nd Floor, 4 Beaconsfield Road, St. Albans, Hertfordshire, United Kingdom, AL1 3RD, trading as Myvetting.com.
Client/we/us/our means the party for whom Myvetting.com carries out the Services, as more particularly set out in Schedule 1;
1.1 Client Data means any data or information in any form or medium provided by or on behalf of us to you, or which you are required to process as part of the Services, and including without limitation, any Personal Data;
1.2 Controller, Processor, Data Subject, Personal Data, Personal Data Breach, processing and appropriate technical and organisational measures have the meanings as defined in the Data Protection Legislation;
1.3 Data Protection Legislation means the UK Data Protection Legislation and any other European Union legislation relating to personal data and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications);
1.4 UK Data Protection Legislation means all applicable data protection and privacy legislation in force from time to time in the UK and EU including the General Data Protection Regulation ((EU) 2016/679); the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (S.I. No. 336 of 2011) as amended; and
1.5 Services means the applicant and employee background checking services provided by Myvetting.com to the Client.
2. DATA PROTECTION
2.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This Agreement is in addition to, and does not relieve, remove or replace, a party’s obligations or rights under the Data Protection Legislation. In this Agreement, Applicable Laws means (for so long as and to the extent that they apply to Myvetting.com) the law of the European Union, the law of any member state of the European Union and/or Domestic Law UK; and Domestic Law UK means the UK Data Protection Legislation and any other law that applies in UK.
2.2 The parties acknowledge that for the purposes of the Data Protection Legislation, the Client is the Controller and Myvetting.com is the Processor on behalf of the Client in respect of the Client Data for the purposes of providing the Services. The Client determines the purposes for which, and the manner in which, Personal Data is, or is to be, processed by Myvetting.com on the Client’s behalf.
2.3 Schedule 1 sets out the scope, nature and purpose of processing by Myvetting.com, the duration of the processing and the types of Personal Data and categories of Data Subject.
2.4 Without prejudice to the generality of clause 2.1, the Client will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to Myvetting.com and/or lawful collection of the Personal Data by Myvetting.com on behalf of the Client for the duration and purposes of this agreement.
2.5 Without prejudice to the generality of clause 2.1, Myvetting.com shall, in relation to any Personal Data processed in connection with the performance by Myvetting.com of its obligations under this agreement:
2.5.1 process that Personal Data only on the documented written instructions of the Client which are set out in Schedule 1 and in each written instruction given to Myvetting.com by the Client, unless Myvetting.com is required by Applicable Laws to otherwise process that Personal Data. Where Myvetting.com is relying on Applicable Laws as the basis for processing Personal Data, Myvetting.com shall promptly notify the Client of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit Myvetting.com from so notifying the Client;
2.5.2 ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and
2.5.3 not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the Client has been obtained and the following conditions are fulfilled:
(a) the Client or Myvetting.com has provided appropriate safeguards in relation to the transfer;
(b) the data subject has enforceable rights and effective legal remedies;
(c) myvetting.com complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
(d) myvetting.com complies with reasonable instructions notified to it in advance by the Client with respect to the processing of the Personal Data;
2.5.4 assist the Client, at the Client’s cost, in responding to any request from a Data Subject where the assistance is material. Client and Myvetting.com will agree from time to time in respect of reasonable costs to be borne by each party for breach notifications, and in ensuring compliance with its obligations under Data Protection Legislation with respect to security, impact assessments and consultations with supervisory authorities or regulators. In the event that any communication is received from a data subject or supervisory authority directly by Myvetting.com, Myvetting.com shall promptly inform the Client.
2.5.5 myvetting.com will promptly and without undue delay notify the Client if any Personal Data is lost or destroyed or becomes damaged, corrupted or unusable. Myvetting.com will restore such Personal Data at its own expense for any of the following Data breach incidents;
(a) any accidental, unauthorised or unlawful processing of the Personal Data; or
(b) any Personal Data Breach
2.5.6 Where Myvetting.com becomes aware of (a) or (b) above, it shall, without delay and in any event within 24 hours of becoming aware of the breach also provide the Client with the following information;
(a) description of the nature of (a) and/or (b), including the categories and approximate number of both Data Subjects and Personal Data records concerned;
(b) the likely consequences; and
(c) description of the measures taken, or proposed to be taken, to address (a) and/or (b), including measures to mitigate its possible adverse effects.
2.5.7 Immediately following any unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the Myvetting.com will reasonably co-operate with Client in Client’s handling of the matter, including:
(a) assisting with any investigation;
(b) providing Client with physical access to any facilities and operations affected;
(c) making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by Client; and
(d) taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or unlawful Personal Data processing.
2.5.8 Deletion and/or Disposal of Personal Data – at the written direction of the Client, delete or return Personal Data and copies thereof to the Client on termination of the agreement unless required by Applicable Law to store the Personal Data; and permit Client to audit Myvetting.com’s premises, systems, records and procedures once per year upon reasonable advance written notice to verify your compliance with this Agreement and the Data Protection Legislation
(a) The Data Processor shall, at the written request of the Data Controller, delete (or otherwise dispose of) the Personal Data or return it to the Data Controller in the format(s) reasonably requested by the Data Controller within a reasonable time after the earlier of the following:
(b) the end of the provision of the Services [under the Service Agreement]; or
(c) the processing of that Personal Data by the Data Processor is no longer required for the performance of the Data Processor’s obligations under [this Agreement] AND/OR [the Service Agreement].
(d) Following the deletion, disposal, or return of the Personal Data under sub-Clause 11.1, the Data Processor shall delete (or otherwise dispose of) all further copies of the Personal Data that it holds, unless retention of such copies is required by law, in which case the Data Processor shall inform the Data Controller of such requirement(s) in writing.
(e) All Personal Data to be deleted or disposed of under this Agreement shall be deleted or disposed of using the following method(s): Data Cleanse via system.
2.5.9 maintain complete and accurate records and information to demonstrate its compliance with this Agreement and immediately inform the Client if, in the opinion of Myvetting.com, an instruction infringes the Data Protection
2.6 myvetting.com may engage other processors for the processing of Client personal data in accordance with this GDPR Addendum. Myvetting.com shall maintain a list of such processors at https://Myvetting.com.co.uk/privacy-policy/ which Myvetting.com may update from time to time. At least 14 days before authorising any new such processor to process personal data, Myvetting.com shall update the list on its website. Client may object to the change without penalty, by initiating the Agreement’s dispute resolution process, or in the absence of a dispute resolution procedure, Myvetting.com shall use reasonable endeavors to change, modify or remove the affected products or services, in order to avoid processing of Client personal data by such new processor to which Client reasonably objects. Myvetting.com shall impose data protection terms on any sub processor it appoints that protect the Client Data to the same standard required by this Agreement and Myvetting.com remains fully liable for any breach of this Agreement that is caused by an act, error or omission of the sub processor
3. GENERAL TERMS
3.1 This letter agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and interpreted in accordance with the laws of England and Wales.
3.2 The parties irrevocably agree that the courts of England and Wales have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) that arises out of, or in connection with, this letter agreement or its subject matter or formation.
3.3 The Service – See ’products’ from your Dashboard on the Myvetting.com portal for detailed list of Screening products/checks being used by your Team
3.4 Scope of Vetting – Includes verification of data as made available by ‘Client’ applicants (Applicant/Data Owner) via the Myvetting.com application vetting form.
3.5 Service charges are detailed from the online Portal
3.6 Turnaround Times (TATs) are explicit from online portal and include DBS basic checks (48 hours), Standard & enhanced Checks (within 10 working days), ECRIS checks (within 10 working days), Right to Work & Right to Rent are real time (Instant results) checks
3.7 Online Process – ‘Client’ will submit to Myvetting.com relevant ‘Applicant’ information via the online application platform, which shall as a minimum include the ‘Applicant’ name, email and (Ideally) mobile number. An Alert will be automated out to applicant to complete the online GDPR compliant application form. This follows a simple ‘3-click process’. Upon completion, Client will be notified when they can download the applicants final report.
3.8 The Disclosure & Barring Service (DBS) Code of practise – Our client organisations must adhere to the following conditions when applying for, receiving, holding and disposing of Criminal Disclosures via the e-Bulk Online application channel or Paper Route.
3.8.1 The Client must nominate a designated individual(s) who will act as the clients contact point for all DBS matters and receive Disclosure information.
3.8.2 The client organisation will provide details of the person(s) who will verify the identity of the applicant, and that identity validation will be done in accordance with DBS guidelines using only original documents and ensure that all applicant details are checked in the same manner.
3.8.3 The client organisation must inform Myvetting.com immediately in writing should the person(s) checking the identity of the applicants change.
3.8.4 The client organisation will observe and fully adhere to the DBS (CRB) code of practice.
3.8.5 Clients using the e-Bulk system will ensure that the “Statement of Fair Processing” is made available to all applicants upon request.
3.8.6 The client organisation is likely and will remain likely to genuinely ask an exempted question.
3.8.7 The client organisation will make all disclosure applicants aware of the Code of Practice when recruiting and will make a copy available to all disclosure applicants upon request.
3.8.8 The client organisation has a satisfactory written policy on the recruitment of ex-offenders and issues a copy of the policy to all disclosure applicants at the start of the recruitment process.
3.8.9 The client organisation is aware that a statement must be included on its application forms or accompanying documentation, that a disclosure will be requested in the event of an applicant being offered a position.
3.8.10 The client organisation is aware that it must include a statement on its application forms, or accompanying documentation, that a criminal record will not necessarily be a bar to obtaining a position.
3.8.11 The client organisation must provide a statement in all employment advertisements that Disclosure will be required in the event that a post is offered.
3.8.12 The client organisation has a written policy on the secure storage, handling, retention and disposal of disclosure information.
3.8.13 The client organisation will not retain disclosures or a record of the information contained within them for longer than is required for the particular purpose. This should be no longer than 6 months after the date on which the recruitment or other relevant decisions have been taken, or after the date on which any dispute about the accuracy of the disclosure information has been resolved. The period should only be exceeded in very exceptional circumstances, which justify retention for a longer period. (Disclosure information may be retained for longer than 6 months for the purpose of audit where organisations are regulated by CQC or OFSTED)
3.8.14 All Disclosure certificates will be destroyed in accordance with the DBS (CRB) Code of Practice by shredding, pulping or burning.
3.8.15 The client organisation will keep all Disclosure information kept securely, in accordance with the DBS (CRB) Code of practice, separate from their staff members files and within a locked storage unit that cannot be moved by less than 2 persons.
3.8.16 The client organisation is aware of what additional information is, and that under no circumstances can this information be divulged to an applicant (or person who is not authorised to have access to this information) and that to do so would constitute a criminal offence.
3.8.17 Additional information is very sensitive and must be treated with the utmost caution. Should the client organisation be informed of additional information then they should be careful to base their withdrawal of an offer on employment on pre-employment checks, and avoid letting the applicant know that there is “additional information”
3.8.18 Client organisations should discuss any matters revealed in the disclosure with the applicant before withdrawing the offer of employment.
3.8.19 Information provided on the disclosure is confidential, and as such should only be available to those persons named in the client contract. (Unless the person is a registered inspector with the CQC, CSCIW or OFSTED)
3.8.20 Myvetting.com reserves the right to make assurance visits to our client organisations to ensure that they are fully complying with the terms and conditions of our contract and the DBS (CRB) Code of Practice.
3.8.21 Should Myvetting.com find that any part of this contract is being breached, it reserves the right to withdraw its service with immediate effect.
3.8.22 It is the client organisations responsibility to state the level of check they require and if the applicant is working with Children, Vulnerable Adults or both.
3.8.23 Myvetting.com shall have no liability for defective services where the defect has been caused or contributed by the client organisation
3.8.24 Myvetting.com shall have no liability for defective services where the defect has been caused or contributed by DBS (CRB).
3.8.25 Myvetting.com shall have no liability to the client organisation for services if invoice payments have not been received by the due dates of payment.
3.8.26 Myvetting.com have no liability for additional damage, loss, liability, claims or expenses caused or contributed to by the Client’s continued use of services or the continued engagement of an Applicant once an error or defect in the relevant Disclosure has become apparent.
3.8.27 Myvetting.com shall have no liability for any matters which are outside its reasonable control.
3.8.28 Myvetting.com shall have no liability to the client for any consequential losses, loss or profits and/or damage to goodwill, economic losses, special damages and indirect losses or business interruption, loss of business, contracts, opportunity and production.
3.8.29 Invoiced Clients shall pay Myvetting.com for all invoices within 15 days of receipt. invoices are raised and sent upon receipt of application. Invoices will be raised for the application if completed correctly or if in need of amendment.
3.8.30 Clients using the e-Bulk online channel will ensure that all passwords and log on details are kept private and are under no circumstances passed on to any other person.
3.8.31 Clients using the e-Bulk system will change their passwords on a regular basis, preferably every month not rotating the same password within a three-month period.
3.8.32 Clients using the e-Bulk system shall take reasonable care to ensure that no person is within distance to take note of log on details or disclosure information when accessing the e-Bulk system.
3.8.33 ID Checkers using the e-Bulk system shall always check original ID, no photocopies at the time that the information is imputed into the e-Bulk system.
3.8.34 Clients using the e-Bulk system shall keep the information held securely on it, unless it needs to be printed for the purposes of audit.
3.8.35 Clients using the e-Bulk system who print disclosures for the purpose of audit shall only print them once and shall keep them in accordance with the DBS (CRB) Code of Practice and their policy on the secure storage, retention and disposal of disclosure information.
3.8.36 Responsible persons using the e-Bulk system, or the responsible persons Employers shall inform Myvetting.com immediately if they are to leave the client organisation or cease using the system so their log on details can be deleted immediately.
3.8.37 ID Checkers, using the e-Bulk system, or the ID Checker employers shall inform Myvetting.com immediately if they are to cease being employed by the client organisation or cease using the system so their log on details can be deleted immediately.
3.8.38 Disclosure certificates shall not be passed on to persons not named in the service contract without the written consent of the applicant.
3.9 Processing by Myvetting.com
| Nature of processing: | Myvetting.com is authorised to access, collect, sort and process Client Data provided by existing or prospective employees of the Client. |
| Purpose of processing: | Myvetting.com processes Client Data solely for the purpose of providing the Services. |
| Duration of processing: | Myvetting.com is authorised by the Client to process Client Data for up to 90 days after receipt of such Client Data, unless requested earlier by the relevant Data Subject. |
| Types of Personal Data | 1. Name
2. Contact details 3. Personal financial information 4. Payroll data 5. Immigration information 6. Recruitment data 7. Disciplinary information 8. Criminal record. |
| Categories of Data Subject | Existing or prospective employees of the Client. |
