GuardCheck Privacy Policy

a. GuardCheck is a background screening service operated by GuardPass Ltd., a company registered in England and Wales. This Privacy Policy outlines how we collect, process, store, and protect personal data, in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and applicable international data transfer requirements.

b. GuardCheck is used by employers to carry out BS7858 and NSI NCP 119-compliant vetting. This process requires the collection and processing of highly sensitive personal data. We are committed to handling this data lawfully, transparently, and securely.

a. Data Controller: GuardPass Ltd.

b. Registered Address: 20-22 Wenlock Road, London, England, N1 7GU

c. DPO Contact: Shahab Ali, shahab@get-licensed.co.uk

a. This is our privacy policy, written in accordance with the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018. It explains what personal data we collect, how we use it, and what rights you have.

a. To carry out background screening under BS7858 and NSI NCP 119, we collect and process the following data:

• Full name, date of birth, contact details
• Current and previous addresses (last 5 years)
• Employment history (last 5 years)
• Education and training records
• Proof of right to work (e.g., passport, visa)
• Identification documents (passport, driving licence)
• Criminal record history (DBS)
• Financial records (credit checks)
• References (character and employment)
• SIA licence number
• National insurance number
• Biometric data (selfie for ID verification)

a. We are GuardPass Limited, trading as GuardCheck, providing BS7858-compliant background screening for UK organisations

b. Company Number: 8710545

• Address: 1 Fore Street Avenue, London, EC2Y 9DT

c. Data Protection Officer (DPO) Shahab Ali,

• Email: shahab@get-licensed.co.uk

a. Candidate: The individual being screened.

b. Client: The employer or organisation requesting the screening.

c. Personal Data: Any data relating to an identified or identifiable person.

d. Data Controller: The Client.

e. Data Processor: GuardCheck.

f. Special Category Data: Sensitive data like criminal history or biometric information.

g. Third-Party Verifiers: Yoti, Credit Safe, Care Check, and similar partners who support verification.

a. Data Processor/Controller

GuardCheck generally acts as a Data Processor on behalf of Clients. In limited cases where GuardCheck determines the technical means of processing for fraud prevention, security monitoring, or compliance purposes, it acts as an independent Data Controller for that specific activity.

a. We collect this data solely to fulfil employment vetting obligations under:

• UK GDPR Article 6(1)(b): Processing necessary for the performance of a contract
• UK GDPR Article 9(2)(b): Processing necessary for carrying out obligations in the field of employment
• UK GDPR Article 9(2)(g): Processing necessary for reasons of substantial public interest

Processing is done to:

• Comply with BS7858 and NSI NCP 119 requirements
• Conduct identity verification
• Confirm employment and address history
• Complete criminal and financial background checks

a. We collect your data through:

• GuardCheck App
• Authorised third-party sources (Yoti, Care Check, Credit Safe)
• Automated monitoring systems (IP logs, login tracking)
• Regulatory and public databases

a. Your data is used to:

• Conduct BS7858-compliant vetting
• Verify identity, career history, address history, and criminal/financial standing
• Deliver screening reports to Clients
• Meet obligations under NSI NCP 119 and SIA licensing requirements
• Monitor internal platform usage, investigate anomalies, and maintain system integrity

b. We do not use your data for profiling, automated decision-making, or marketing.

a. We share your data only with:

• Authorised third-party verifiers:
1. Yoti – Identity verification, PEP and sanctions screening
2. Care Check – DBS criminal background checks
3. Credit Safe – Credit and financial verification
• Our internal vetting admins (under NDA and strict access control);
• Clients (your employer or contractor) as part of the completed vetting report;
• UK regulators or law enforcement where legally required (e.g. ICO, SIA, Police).

b. We do not sell your data.

a. UK Storage

• All data is stored in encrypted cloud environments hosted in the UK (e.g. AWS S3).
• Backups are encrypted and retention-controlled in line with UK GDPR

b. International Transfers to Pakistan

• As part of our vetting process, some candidate information is viewed by our authorised vetting staff in Pakistan. This includes:

a. Basic details (name, date of birth, gender, nationality)

b. Identity documents (passport, driving licence)

c. Photographs and facial scan results

d. Address history (covering 5 years)

e. Employment history and references

f. Right-to-work and SIA licence details

g. DBS check results

h. Credit check reports

i. App activity logs (IP, login records)

c. Legal Basis

• These transfers are necessary to perform BS7858-compliant screening and are carried out under:

a. UK GDPR Article 6(1)(b) (contractual necessity with clients), and

b. Article 9(2)(b) & (g) (processing of special category data where necessary for employment law and substantial public interest in the UK security industry).

a. GuardCheck operates a secure, UK-hosted vetting system. However, to deliver the screening service efficiently and cost-effectively, certain personal data is accessed by our in-house vetting team based in Pakistan.

b. This access is conducted under strict compliance with UK GDPR, using:

• UK International Data Transfer Agreement (IDTA)
• Standard Contractual Clauses (SCCs)
• Data Transfer Impact Assessment (DTIA)

The following data is accessed in Pakistan:

• Candidate identity documents
• Employment and address history
• Right to work documents
• DBS and credit check results
• Any additional documentation required for vetting

Safeguards include:

• Data is accessed remotely only via secure, UK-based systems
• No data is downloaded, printed, or stored locally in Pakistan
• Systems are protected by AES-256 encryption and full endpoint monitoring
• All access is restricted via biometric login and secured by CCTV-monitored facilities
• No subcontractors are used in Pakistan; all personnel are direct GuardPass employees vetted and trained internally

e. These transfers are essential for performing the contract and are legally justified under Articles 44-49 of the UK GDPR.

a. Transfers are governed by the UK International Data Transfer Agreement (IDTA) and our Data Transfer Impact Assessment (DTIA).

b. Clients and candidates may request a copy of our DTIA by emailing info@guardpass.com.

c. Strict technical, legal, and organisational measures apply, including:

• AES-256 encryption at rest / TLS 1.2+ in transit
• DLP systems to prevent data extraction
• No download, printing, or screen capture permissions
• VPN-only, role-based access for Pakistan staff
• CCTV-monitored, fingerprint-secured rooms
• Staff police-verified and trained in UK GDPR

a. Data is retained for 60 days after completion of the vetting file for employer review.

b. After 60 days, all personal data is automatically and securely deleted from our systems.

c. An audit trail of vetting actions (not containing personal data) is maintained for compliance purposes.

a. Under UK GDPR, you have the following rights:

• Right to access your data
• Right to rectify inaccuracies
• Right to erasure (where applicable)
• Right to restrict processing
• Right to data portability
• Right to object
• Right to lodge a complaint with the ICO

b. Requests can be made by emailing shahab@get-licensed.co.uk.

a. We implement robust physical, technical, and organisational measures including:

• UK-hosted cloud infrastructure (ISO 27001 certified)
• AES-256 encrypted data transmission and storage
• Data Loss Prevention (DLP) tools
• Access restrictions with role-based permissions
• Endpoint monitoring, biometric logins, and CCTV surveillance

a. Your personal data is never stored locally in Pakistan; it is only accessed through secure, monitored UK systems.

b. Clients and candidates may request a copy of our DTIA by emailing info@guardpass.com

a. All incidents are investigated by our DPO and security team.

b. Breaches are logged, contained, and reported within 72 hours to affected parties and the ICO (if applicable).

c. Clients and Candidates will be notified without undue delay if a personal data breach is likely to result in a high risk to their rights and freedoms, in accordance with Article 34 UK GDPR.

a. We use minimal analytics tools solely to:

• Monitor system uptime and error rates;
• Detect fraud, misuse, or anomalous behaviour;
• Improve platform performance.

b. We do not use personal data for targeted advertising or third-party profiling.

a. GuardCheck does not make any solely automated decisions that significantly affect individuals.

a. We may update this policy to reflect changes in law or service models. You will be notified via:

• Email (if a user or Client)
• Website notices

b. Material changes will include a clear version history and take effect 30 days after publication.