Last Updated: 26 November 2018
NSI is the leading Certification Body for the security and fire protection industries in the UK and Eire, and provides certification and auditing services to companies within these sectors. NSI operates from a central Head Office in Maidenhead, Berkshire, with field based auditors attending clients’ premises whilst auditing.
NSI is committed to protecting your personal information and respecting your privacy and rights when it comes to information processing. NSI is committed to maintaining compliance with current data protection legislation, any future legislation that comes into force as and when required, and to maintain transparency about how it processes personal data. NSI processes the personal data of both its own employees and its business contacts and works to robust information security policies to ensure this data is kept secure and the risk of data breach is reduced to a minimum. NSI holds Cyber Essentials Plus certification and undergoes annual penetration testing by an external body to search and mitigate vulnerabilities if identified.
This Privacy Notice informs you how and why NSI collects your personal information, how NSI processes your personal information, who has access to your personal information, and details your rights as an individual to control how your personal information is processed.
By continuing to use NSI’s services you give NSI permission to process your personal data for the purposes identified as set out within this Privacy Notice.
This Privacy Notice contains information regarding:
- LAWFUL BASIS FOR PROCESSING YOUR INFORMATION
- COLLECTION OF PERSONAL INFORMATION
- HOW NSI USES YOUR INFORMATION
- VISITORS TO THE NSI WEBSITE
- PEOPLE WHO CONTACT NSI VIA SOCIAL MEDIA
- NSI APPROVED AND APPLICANT COMPANIES
- PEOPLE WHO USE NSI SERVICES
- RECRUITMENT, STAFF DETAILS AND SECURITY SCREENING
- BOARD, SUBCONTRACTORS AND COMMITTEE MEMBERS
- YOUR RIGHTS
- SUBJECT ACCESS REQUESTS
- CHANGES TO THIS PRIVACY NOTICE
- HOW TO CONTACT US
- LINKS TO OTHER WEBSITES
Lawful basis for processing your information
To comply with the data protection requirements of the General Data Protection Regulation (GDPR), there must be a lawful basis to collect, process and store any personal data that you provide NSI with. For NSI as a data controller, the lawful bases under which personal data is processed include:
- The contractual agreement with each approved company for the provision of audit services. Personal information that NSI collects during the application and approval processes will be limited to what is necessary and processed for the purposes of fulfilling its contractual obligations. See the ‘NSI approved and applicant companies’ section below.
- Where the processing is necessary for the purposes of legitimate interests pursued by NSI or by yourselves as a third party. For example, NSI may occasionally send out communications using your contact details that are of specific importance to approved companies, including Circular Letters and Technical Bulletins, or may ask for your input when developing a new service. See the ‘Communications’ section below. (Where such interests are overridden by your interests or fundamental rights and freedoms, NSI will instead ask for your consent.)
- Any active consent you may have given NSI to receive or access particular services where another lawful basis does not apply. You will be asked to demonstrate your consent with an affirmative action, such as ticking a box or filling in your email address.
Collection of Personal Information
When you access and browse the NSI website and when you correspond with NSI by phone, post or email, you may give NSI information about yourself. This information can include your name, postal address, email address, landline and/or mobile telephone number and information about your employment (including your job title, responsibilities and employer’s details) as well as other personal information.
This Privacy Notice applies, but is not limited to, personal information that NSI collects from:
- visitors to the NSI website;
- applicant companies wishing to obtain NSI approval;
- approved companies maintaining their NSI approval;
- associated third party organisations, stakeholders, suppliers and subcontractors;
- complainants and other individuals in relation to a complaint or enquiry;
- individuals who use NSI services (e.g. Standards on Subscription);
- external committee members;
- job applicants and NSI current and former employees;
- visitors to the NSI Head Office (including passersby).
How NSI uses your information
Where NSI collects personal data (for example your name, postal address or e-mail address) this information is used exclusively by NSI for providing the services you have requested or which are detailed within your service contract, or for controlling access to restricted areas. NSI will only pass your personal data to relevant third party organisations or individuals either as a contractual requirement, with your explicit consent, or if specifically compelled to do so by law or court order or other legitimate reason.
Unfortunately, the transmission of information via the internet is not completely secure. Although NSI does its best to protect your personal data, it cannot guarantee the security of your data transmitted to the NSI site; any transmission is at your own risk. Once NSI has received your information, robust information security measures in place protect it and minimise the risk of unauthorised access.
Visitors to the NSI Website
Public Website Areas
You can visit the NSI website without revealing who you are or giving any information about yourself, except where you voluntarily choose to give NSI your personal details via e-mail or by enquiring about any of NSI’s services.
Secure Website Areas
If you register to use the password protected areas of the website, you will be asked to provide NSI with certain data about yourself, such as your email address. This data is used to help control access to these protected areas, managed securely by NSI.
In order to access certain services on the NSI website you may be required to fill in a web form which includes completing your personal details. When you submit a web form, this information is sent directly to NSI only, and is then processed as appropriate.
Users choose their own passwords for logging into the Approved Company area of the NSI website. NSI does not have access to these passwords. NSI recommends that passwords are changed every 90 days to prevent data breaches, and that they conform to the format set out in the login area. If a user forgets their password, they are able to reset their password themselves within the login area.
Cookies are small pieces of information that are stored by your browser on your computer’s hard drive. NSI will occasionally place a cookie on the visitor’s hard drive in order to provide more user-friendly browsing or useful features to the web site visitor. Most browsers are initially set to automatically accept cookies. If you prefer, you can reconfigure your browser to reject cookies, but you may not be able to take full advantage of our website if you do so.
NSI occasionally monitors the IP addresses of visitors to assess the usage of the site and, for example, identify which pages are most popular. NSI does not link these IP addresses to personal data such as a visitor’s name and/or e-mail address etc. The data collected in this way is completely anonymised.
With regard to each of your visits to NSI’s website, NSI may also collect the following information:
- technical information, including the Internet protocol (IP) address used to connect your computer to the internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating systems and platforms; and
- information about your visit, including the full Uniform Resource Locators (URL) clickstreams to, through and from NSI’s websites, information you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks and mouse-overs), methods used to browse away from that page and any phone number used to call us.
People who email NSI
NSI may monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.
People who contact NSI via social media
You can contact NSI via Facebook, Twitter, Linked In, Pinterest or YouTube by direct message if you wish to enquire about NSI services or wish to comment on NSI services. These communications are managed by NSI’s Marketing department and are only ever shared internally at NSI, either for the purpose of providing you with the information you have requested, or directing you to an Applications Advisor if you wish to become an approved company. Should NSI wish to quote your comment with your name and company within NSI marketing literature or on the NSI website, you will be first contacted by the NSI Marketing department to ask for your explicit consent to do so.
NSI receives enquiries about approval and other services through the website and by telephone, post and email. Enquiries will typically require the person to enter some form of contact details to allow NSI to follow them up.
For general enquiries, a record of the enquiry is retained by NSI until the enquiry has been dealt with and no further follow up is needed.
If a company makes an application enquiry, but does not wish to progress the application at that time, the details are held on NSI’s internal system for 18 months. This is because NSI is often contacted by companies that are aiming for approval, but that are a long way off being ready for audit. If a company needs more time to provide application documents, NSI will ask for a suggested time to regain contact with them in the future, and will keep the details on record until then for that purpose.
NSI approved and applicant companies
NSI retains all information regarding an approval throughout the life of the approval and then for 7 years should that approval cease. This includes audit records, contact details, and any other information collected by NSI as part of the approval process. This retention period ensures NSI complies with relevant data retention legislation where applicable, and allows NSI to follow up with any legal proceedings or further actions following the approval ceasing.
All information provided to NSI by approved and applicant companies is treated as Confidential. This information is stored securely on NSI’s internal CRM database and is only used for purposes related to the approval. Any financial details given have access limited to the relevant NSI departments only.
All information collected throughout the approval, including audit reports and evidence, is also treated as Confidential and is stored securely on NSI’s internal CRM database. Evidence collected during audits may contain samples of personnel files, which could in turn contain personal data. NSI collects this information as evidence for the audit process in order to deliver its Certification Body services, and will only ever take a record of personal data where necessary for the purpose of the approval.
NSI may request a Personal Data Form be completed by senior management or persons with an influential role within an approved or applicant company. Information requested includes current and previous employment details, qualifications and industry experience, details of directorships held, and information regarding criminal convictions and legal proceedings. NSI collects this information for the legitimate interest of protecting its own reputation and that of its scheme(s), by ensuring, to an extent it sees fit, the reputation and experience of those companies it certifies.
Approval information is only shared with a third party with a legitimate interest in the approval, for example the SIA or BAFE, when necessary. NSI may also share information with the Police if there is a lawful basis for doing so, or with the United Kingdom Accreditation Service (UKAS) as part of NSI’s continued accreditation as a Certification Body.
All companies have the option for their approval information to appear in the ‘Company Finder’ service on the NSI website, however this is optional and companies may opt out at any time. A non-generic business email address may be displayed in Company Finder where that person has consented to their information being displayed in the original Application Form for approval. This can be amended by that company to a generic email address at any time. The other information displayed includes company name, address/location, phone number, fax, website and the approvals you hold.
As part of NSI approval and as a legitimate interest of NSI approved companies, contacts from approved companies are sent Circular Letters from NSI which contain either general information or information relevant to the approvals they hold. These may include important technical updates about standards, Technical Bulletins, or marketing information on new services offered by NSI. You do have the option to opt out of receiving Circular Letters at any time, but please bear in mind this may mean that you miss out on important updates.
NSI’s Marketing department may, from time to time, send approved and confirmed applicant companies invitations to events hosted by NSI or attended by NSI which are in the company’s interest. Registration to these events is entirely optional, and you will be informed of any third parties that your details will be shared with prior to, during and after the event, with the option to immediately opt out of any unwanted communications. By registering to attend an NSI hosted event, you agree to receive important details about the event using the contact information provided. You may unsubscribe from these emails if you wish using the link at the bottom of the email.
NSI’s Marketing department may, from time to time, send approved and confirmed applicant companies direct marketing emails or invitations to participate in surveys or certain activities in the company’s interest. You may unsubscribe from these emails if you wish using the link at the bottom of the email.
People who use NSI services
Standards on Subscription
NSI offers an electronic British Standards Subscription Service in conjunction with the British Standards Institution (BSI). This service is exclusively available to NSI approved companies, and those interested in gaining NSI approval who have reached the later stages of the application process. To apply for access to this service, the applicant completes the application form on the NSI website and provides NSI with their name, company address, email address and telephone number. NSI uses this information to verify the applicant against the company information it holds, and then sends an invoice for the subscription. The subscription is automatically renewed annually, with the option to opt out of the service at any point. NSI does not share these details with any other party including BSI, and retains the information as part of the company’s approval record.
NSI hosts a range of classroom-based training courses, and can also offer training at a customer’s own premises. Delegates are asked to provide their contact details so that they can receive information about the course, such as the agenda, the Terms and Conditions, and any follow-up material. Occasionally, NSI uses these details to promote new training courses, but the delegate has the option to unsubscribe from these emails at any point.
NSI uses a trusted third party company, Nimble, as the provider of eLearning software used to create NSI online training courses, available through the NSI website. NSI uses the Nimble software to create and run these training courses, and has full control over the learners that are enrolled. The details required to enroll a learner are first name, surname and email address.
Certificates of Compliance (see T&Cs on certificates)
NSI retains a full record of each Certificate of Compliance issued, including name and address details of the end user. This allows a revised or copy certificate to be issued on the request of the Issuing Company. The names of domestic end users are deleted from the certificate record after 7 years for data protection purposes.
A record of the certificate is held securely on the NSI database with access limited to the Issuing Company only. Any personal data referenced will not be shared or processed otherwise by NSI.
Recruitment, Staff Details and Security Screening
Applicants for roles at NSI are asked to provide their personal information for the application process, including their current Curriculum Vitae and a Covering Letter, either directly or through a Recruitment Agency. This information is used solely by NSI management for the purpose of assessing the applicant’s suitability for the role, leading to a possible invitation to interview.
Personal details of unsuccessful applicants are held by the NSI HR Manager for a period of 6 months after the decision, for the legitimate interest of assessing eligibility for any other roles that may be more suitable. NSI does not share this information with any other party within this time. Applicants do have the right to contact the HR Manager and withdraw their details at any time during the recruitment process, and the HR Manager will then update the records accordingly.
NSI requires successful applicants to provide proof of identity, such as a passport or a birth certificate, to ensure the applicant is eligible to work in the UK, which is a legal requirement. NSI also requires the applicant’s full name, contact details, home address, bank details and name and contact details of their next of kin. NSI may also ask about any medical conditions, details of which remain strictly private and confidential for the attention of the NSI HR Manager only. A Staff Details form is given in the new starter pack along with the contract of employment. NSI collects personal data using this form for the purpose of setting up the employee on the payroll system, the pension scheme and to facilitate the security screening background checks. NSI will only share the employee’s details with the third parties providing these services to allow the service provision.
The contract of employment forms NSI’s lawful basis to process employees’ personal data in order to fulfil its contractual obligations, plus any specific consent given by the employee for additional services or benefits. Information disclosed remains strictly private and confidential and under the control of the NSI HR Manager, and only accessible by the CEO and HR Manager. Should an employee wish to enquire about the personal information NSI holds about them, they can make a ‘subject access request’ to the HR Manager.
Successful applicants to NSI are required to complete a security screening check before commencing employment with NSI. This process is outsourced to the National Security Screening Agency Ltd (NSSA), an NSI approved screening company. The NSSA collect personal data for the purpose of carrying out background screening on behalf of NSI employees. Successful applicants are asked to complete an NSSA security screening application form provided by the NSI HR Manager. Applicants are asked to provide their current passport or a birth certificate, a driving license and a utility bill or bank statement with their current home address stated. These forms are checked and counter signed by the NSI HR Manager and then forwarded to the NSSA. The NSSA will ask the applicant about their previous work experience, education, referee details, and for answers to the questions relevant to the role they have applied for. The NSSA will share the applicant’s name, date of birth and address history with third parties (the Criminal Disclosure and Barring Service and Equifax) where it is necessary to fulfill their contractual obligations to the applicant and to NSI, and where obliged to do so by law. DBS Certificates are retained by NSI for a period of 6 months and then destroyed.
Once the preliminary screening is successful, the applicant can then commence their employment with NSI. The NSI HR Manager compiles a separate file relating to their employment containing the documentation listed above. Please note this file is kept separately to the employee’s HR file. The information contained in this is kept in a secure location and is password protected by the NSI HR Manager and only used for purposes directly relevant to that person’s employment.
If the employment is terminated or an employee resigns, NSI retains both the security screening and HR file for each individual file for 7 years before destruction. NSI will inform any third parties processing the data to remove it subject to data protection requirements.
Board, Subcontractors and Committee Members
NSI Board members, subcontracted auditors and members of NSI committees are subject to the same screening process as NSI employees. Each individual is asked to sign a contractual agreement and complete the required documentation before they commence their relationship with NSI. Personal data requested will be limited to what is appropriate for the role and kept Confidential at all times. Records are kept by NSI for 7 years after cessation of the contract with NSI.
Associate Consultancy Programme (ACP)
NSI provides a consultant referral facility for businesses seeking help with Certification and business development. Consultants will be asked to complete the relevant application forms with their business details and contact details, plus the names and contact details of companies they work with in order for NSI to obtain a reference. Once on the register, the information displayed on the NSI website will include their business email address and telephone number, in order for interested visitors to contact the consultant directly. The information will remain on the NSI website and within the NSI internal database until such time as the Consultancy is removed from the register of Associate Consultants.
CCTV and Visitors
NSI has detector-activated CCTV cameras installed around the Head Office in Maidenhead for the purposes of crime prevention and public safety. NSI staff, visitors to NSI or passersby may be recorded on these cameras. The footage is stored by NSI for a limited time before it is overwritten. NSI may monitor the footage in the event of a security breach. NSI will only ever share the footage with the local Police force in the event of a criminal investigation. The contact number for CCTV enquiries is stated on signage around the building.
Visitors to NSI are asked to sign in using the Visitors Book in the Reception area. Information requested includes name, company and vehicle registration. In the unlikely event of a fire, this information is used to perform a roll call and ensure all visitors have evacuated the building. The NSI car park is private property and is available for use by NSI staff and visitors only, and by providing your registration number NSI is able to identify your vehicle. This information remains at NSI Head Office and is not shared with any other party.
NSI occasionally receives complaints about approved companies, non-NSI approved companies or about NSI itself. A complaint to NSI can be lodged via the online Complaints Form on the NSI website, or by telephone or email.
Details about complaints made and the parties involved are stored securely on NSI’s internal CRM database. It may be necessary to share the contact details of the complainant with the parties involved or with other relevant bodies in order to progress the complaint. NSI will gain authorisation from the complainant before passing any Confidential information or personal data to other parties
NSI takes any complaints received about collection and use of personal data very seriously and encourages people to bring to its attention any collection or use of information they think is unfair, misleading or inappropriate.
Complaint details are retained for 7 years before destruction in case of any further proceedings.
Under the General Data Protection Regulation (GDPR) and the Data Protection Act (DPA), NSI recognises and respects that you have rights as an individual providing personal data:
- You have the right to know exactly how your personal data will be processed by NSI. NSI commits to processing your data fairly, lawfully and transparently, details of which are set out in this Privacy Notice.
- You have the right to request access to the personal data that NSI holds about you.
- You have the right to request changes to the data held about you if the data is incorrect or requires additional information.
- You have the right to request erasure of your data or the right to be forgotten completely, where there is no legitimate reason for your data to continue to be processed.
- You have the right to request that processing of your data is restricted so that the data remains stored but is not further processed by NSI.
- You have the right to request a copy of your data in a portable format.
- You have the right to object to your data being processed, if the processing is for a legitimate interest without compelling grounds, or for direct marketing.
You may notify NSI of any request to change how your personal data is processed or to update your records by telephone, email or post (- see ‘How to Contact Us’).
NSI retains the right to continue processing personal data if there are compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual, or the processing is for the establishment, exercise or defense of legal claims.
Please note: should you choose to erase your data or restrict how your data is processed, this may affect your approval and your awareness of important information and updates.
Subject Access Requests
If you wish to make a free Subject Access Request to access a copy of the personal data NSI stores about you, or understand how it is processed and why, please follow the instructions below:
- Contact your NSI Head Office contact (email preferred).
- Include details of your request – which information about you do you wish to have access to?
- Provide sufficient evidence about yourself for NSI to verify your identity. (NSI may have to contact you otherwise.)
NSI will deal with your request without undue delay, within 1 month of the receipt of your request. NSI will notify you if it is unable to provide the information within 1 month, detailing the likely timescale. If NSI is unable to grant you access to your data for a specific reason you will be notified immediately. In certain circumstances, such as where a large amount of data is requested which may require extensive time or resource to gather and collate the data, NSI reserves the right to charge a fee to account for this activity.
Changes to this Privacy Notice
This Privacy Notice is regularly reviewed and may change from time to time. This Privacy Notice was last updated on the 26 November 2018.
How to contact us
If you wish to contact NSI for further information about this Privacy Notice, you can call, email us or write to us at:
National Security Inspectorate
5 Reform Road
This Privacy Notice does not provide exhaustive detail of all aspects of NSI’s collection and use of personal information. However, NSI is happy to provide any additional information or explanation needed when requested.
NSI makes every effort to ensure that the information provided on its website is accurate and current. However, it cannot guarantee this and cannot accept responsibility for any errors, omissions, misstatements or mistakes on the website. Anyone becoming aware of such matters is requested to notify NSI in writing or by e-mail.
Links to other websites
This Privacy Notice does not cover the links within this site linking to other websites, or the content of those sites. NSI encourages you to read the privacy statements on the other websites you visit.
This website, including logos and trademarks, is copyright protected, except where it is specifically stated to the contrary. If you have any questions about copyright, please contact us.
The NSI logo is a registered trademark of Insight Certification Ltd. If you have any questions about the logo, please contact us.
Insight Certification Ltd
t/a National Security Inspectorate
5 Reform Road
Registered in England No. 02525516
VAT No: 697 5774 56