Privacy notice


We protect your privacy. 

Last updated: 31st March 2022

NSI is the leading Certification Body for the security and fire protection industries in the UK and Eire, and provides certification and auditing services to companies within these sectors. NSI operates from a central Head Office in Maidenhead, Berkshire, with field based auditors attending clients’ premises whilst auditing.

NSI is committed to protecting your personal information and respecting your privacy and rights when it comes to information processing. NSI is committed to maintaining compliance with current data protection legislation, any future legislation that comes into force as and when required, and to maintain transparency about how it processes personal data.

NSI processes the personal data of both its own employees and its business contacts and works to robust information security policies to ensure this data is kept secure and the risk of data breach is reduced to a minimum. NSI holds Cyber Essentials Plus certification and undergoes annual penetration testing by an external body to search for vulnerabilities and mitigate any that are identified.

This Privacy Notice informs you how and why NSI collects your personal information, how NSI processes your personal information, who has access to your personal information, and details your rights as an individual to control how your personal information is processed.

By continuing to use NSI’s services you give NSI permission to process your personal data for the purposes identified as set out within this Privacy Notice.

 

This Privacy Notice contains information regarding:

  • LAWFUL BASIS FOR PROCESSING YOUR INFORMATION
  • COLLECTION OF PERSONAL INFORMATION
  • HOW NSI USES YOUR INFORMATION
  • VISITORS TO THE NSI WEBSITE
  • PEOPLE WHO CONTACT NSI VIA SOCIAL MEDIA
  • ENQUIRIES
  • NSI APPROVED AND APPLICANT COMPANIES
  • COMMUNICATIONS
  • PEOPLE WHO USE NSI SERVICES
  • RECRUITMENT, STAFF DETAILS AND SECURITY SCREENING
  • BOARD, SUBCONTRACTORS AND COMMITTEE MEMBERS
  • CCTV
  • HEAD OFFICE VISITORS (INC. COVID-19 REQUIREMENTS)
  • COMPLAINTS
  • YOUR RIGHTS
  • SUBJECT ACCESS REQUESTS
  • CHANGES TO THIS PRIVACY NOTICE
  • HOW TO CONTACT US
  • DISCLAIMER
 

Lawful basis for processing your information

To comply with current data protection requirements including the UK General Data Protection Regulation (GDPR), the EU GDPR and the UK Data Protection Act 2018 (DPA), there must be a lawful basis to collect, process and store any personal data that you provide to NSI. For NSI as a data controller, the lawful bases under which personal data is processed include:

  1. The contractual agreement with each approved company for the provision of audit services. Personal information that NSI collects during the application and approval processes will be limited to what is necessary and processed for the purposes of fulfilling its contractual obligations. See the ‘NSI approved and applicant companies’ section below.
  2. Where the processing is necessary for the purposes of legitimate interests pursued by NSI or by yourselves as a third party. For example, NSI may occasionally send out communications using your contact details that are of specific importance to approved companies, including Circular Letters and Technical Bulletins, or may ask for your input when developing a new service. See the ‘Communications’ section below.

(Where such interests are overridden by your interests or fundamental rights and freedoms, NSI will instead ask for your consent.)

  3. Any active consent you may have given NSI to receive or access particular services where another lawful basis does not apply. You will be asked to demonstrate your consent with an affirmative action, such as ticking a box or filling in your email address.

Note. During the COVID-19 pandemic, NSI may use the information you supply for ‘contact tracing’ (see section on ‘Head Office Visitors’) in accordance with current government guidance.

Collection of personal information

When you access and browse the NSI website and when you correspond with NSI by phone, post or email, you may give NSI information about yourself. This information can include your name, postal address, email address, landline and/or mobile telephone number and information about your employment (including your job title, responsibilities and employer's details) as well as other personal information.

This Privacy Notice applies, but is not limited to, personal information that NSI collects from:

  • visitors to the NSI website;
  • applicant companies wishing to obtain NSI approval;
  • approved companies maintaining their NSI approval;
  • associated third party organisations, stakeholders, suppliers and subcontractors;
  • complainants and other individuals in relation to a complaint or enquiry;
  • individuals who use NSI services (e.g. Standards on Subscription);
  • external committee members;
  • job applicants and NSI current and former employees;
  • visitors to the NSI Head Office (including passersby). 
 

How NSI uses your information

Where NSI collects personal data (for example your name, postal address or e-mail address) this information is used exclusively by NSI for providing the services you have requested or which are detailed within your service contract, or for controlling access to restricted areas. NSI will only pass your personal data to relevant third party organisations or individuals either as a contractual requirement, with your explicit consent, or if specifically compelled to do so by law or court order or other legitimate reason.

Note. During the COVID-19 pandemic, NSI may use the information you supply for ‘contact tracing’ (see section on ‘Head Office Visitors’).

Unfortunately, the transmission of information via the internet is not completely secure. Although NSI does its best to protect your personal data, it cannot guarantee the security of your data transmitted to the NSI site; any transmission is at your own risk. Once NSI has received your information, robust information security measures in place protect it and minimise the risk of unauthorised access.

Visitors to the NSI website

Public website areas

You can visit the NSI website without revealing who you are or giving any information about yourself, except where you voluntarily choose to give NSI your personal details via e-mail or by enquiring about any of NSI’s services.

Secure website areas

If you register to use the password protected areas of the website, you will be asked to provide NSI with certain data about yourself, such as your email address. This data is used to help control access to these protected areas, managed securely by NSI.

Website forms

In order to access certain services on the NSI website you may be required to fill in a web form which includes completing your personal details. When you submit a web form, this information is sent directly to NSI only, and is then processed as appropriate.

Resetting passwords

Users choose their own passwords for logging into the Approved Company area of the NSI website. NSI does not have access to these passwords. NSI recommends that passwords are changed every 90 days to prevent data breaches, and that they conform to the format set out in the login area. If a user forgets their password, they are able to reset their password themselves within the login area.

Cookie policy

Cookies are small pieces of information that are stored by your browser on your computer’s hard drive. NSI will occasionally place a cookie on the visitor’s hard drive in order to provide more user-friendly browsing or useful features to the web site visitor. Most browsers are initially set to automatically accept cookies. If you prefer, you can reconfigure your browser to reject cookies, but you may not be able to take full advantage of our website if you do so.

To find out more about the cookies we use and how to opt out, please read our Cookie Policy.

People who email NSI

NSI may monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.

Google analytics

NSI may collect details of your visits to the website including the Internet protocol (IP) address used to connect your computer to the internet and information to help us assess the usage of the site, for example, identify which pages are most popular. The data collected in this way is completely anonymised.

People who contact NSI via social media

You can contact NSI via Facebook, Twitter, LinkedIn, Pinterest or YouTube by direct message if you wish to enquire about NSI services or wish to comment on NSI services. These communications are managed by NSI’s Marketing department and are only ever shared internally at NSI, either for the purpose of providing you with the information you have requested, or directing you to an Applications Advisor if you wish to become an approved company. Should NSI wish to quote your comment with your name and company within NSI marketing literature or on the NSI website, you will first be contacted by the NSI Marketing department to ask for your explicit consent to do so.

Enquiries 

NSI receives enquiries about approval and other services through the website and by telephone, post and email. Enquiries will typically require the person to enter some form of contact details to allow NSI to follow them up.

For general enquiries, a record of the enquiry is retained by NSI until the enquiry has been dealt with and no further follow up is needed.

If a company makes an application enquiry, but does not wish to progress the application at that time, the details are held on NSI’s internal system for 18 months. This is because NSI is often contacted by companies that are aiming for approval, but that are a long way off being ready for audit. If a company needs more time to provide application documents, NSI will ask for a suggested time to regain contact with them in the future, and will keep the details on record until then for that purpose.

Communications 

As part of NSI approval and as a legitimate interest of NSI approved companies, contacts from approved companies are sent Circular Letters from NSI which contain either general information or information relevant to the approvals they hold. These may include important technical updates about standards, Technical Bulletins, or marketing information on new services offered by NSI. You do have the option to opt out of receiving Circular Letters at any time, but please bear in mind this may mean that you miss out on important updates.

NSI’s Marketing department may, from time to time, send approved and confirmed applicant companies invitations to events hosted by NSI or attended by NSI which are in the company’s interest. Registration to these events is entirely optional, and you will be informed of any third parties that your details will be shared with prior to, during and after the event, with the option to immediately opt out of any unwanted communications. By registering to attend an NSI hosted event, you agree to receive important details about the event using the contact information provided. You may unsubscribe from these emails if you wish using the link at the bottom of the email.

NSI’s Marketing department may, from time to time, send approved and confirmed applicant companies direct marketing emails or invitations to participate in surveys or certain activities in the company’s interest. You may unsubscribe from these emails if you wish using the link at the bottom of the email.

NSI approved and applicant companies

NSI retains all information regarding an approval throughout the life of the approval and then for 7 years should that approval cease. This includes audit records, contact details, and any other information collected by NSI as part of the approval process. This retention period ensures NSI complies with relevant data retention legislation where applicable, and allows NSI to follow up with any legal proceedings or further actions following the approval ceasing.

All information provided to NSI by approved and applicant companies is treated as Confidential. This information is stored securely on NSI’s internal CRM database and is only used for purposes related to the approval. Any financial details given have access limited to the relevant NSI departments only.

All information collected throughout the approval, including audit reports and evidence, is also treated as Confidential and is stored securely on NSI’s internal CRM database. Evidence collected during audits may contain samples of personnel files, which could in turn contain personal data. NSI collects this information as evidence for the audit process in order to deliver its Certification Body services, and will only ever take a record of personal data where necessary for the purpose of the approval.

NSI may request a Personal Data Form be completed by senior management or persons with an influential role within an approved or applicant company. Information requested includes current and previous employment details, qualifications and industry experience, details of directorships held, and information regarding criminal convictions and legal proceedings. NSI collects this information for the legitimate interest of protecting its own reputation and that of its scheme(s), by ensuring, to an extent it sees fit, the reputation and experience of those companies it certifies.

Approval information is only shared with a third party with a legitimate interest in the approval, for example the SIA or BAFE, when necessary. NSI may also share information with the Police if there is a lawful basis for doing so, or with the United Kingdom Accreditation Service (UKAS) as part of NSI’s continued accreditation as a Certification Body.

All companies have the option for their approval information to appear in the ‘Company Finder’ service on the NSI website, however this is optional and companies may opt out at any time. A non-generic business email address may be displayed in Company Finder where that person has consented to their information being displayed in the original Application Form for approval. This can be amended by that company to a generic email address at any time. The other information displayed includes company name, address/location, phone number, fax, website and the approvals you hold.

 

People who use NSI services

Training courses

NSI hosts a range of classroom-based and virtual training courses, and can also offer training at a customer’s own premises. Delegates are asked to provide their contact details so that they can receive information about the course, such as the agenda, the Terms and Conditions, and any follow-up material. Occasionally, NSI uses these details to promote new training courses, but the delegate has the option to unsubscribe from these emails at any point.

Online courses

NSI uses a trusted third party company, Nimble, as the provider of eLearning software used to create NSI online training courses, available through the NSI website. NSI uses the Nimble software to create and run these training courses, and has full control over the learners that are enrolled. The details required to enroll a learner are first name, surname and email address.

Nimble will not use your personal data for any purpose other than the delivery of online learning through their website. Should you wish for your contact details to be removed from the Nimble system, or wish to know what information is held about you, please contact NSI. For further information on Nimble’s Privacy Policy, please visit their website https://www.nimble-elearning.com/.

Certificates of Compliance (see T&Cs on certificates)

NSI retains a full record of each Certificate of Compliance issued, including name and address details of the end user. This allows a revised or copy certificate to be issued on the request of the Issuing Company. The names of domestic end users are deleted from the certificate record after 7 years for data protection purposes.

A record of the certificate is held securely on the NSI database with access limited to the Issuing Company only. Any personal data referenced will not be shared or processed otherwise by NSI.

Cyber Essentials certification

NSI, in partnership with Risk Crew, offers NSI approved companies a route to Cyber Essentials certification. NSI acts as a reseller of Risk Crew’s services, providing administration support and billing services. When NSI collects the personal details of companies wishing to apply for Cyber Essentials, this is for the sole purpose of sharing the information with Risk Crew to allow them to carry out the service provision requested. For details on Risk Crew’s own Privacy Notice, please refer to their website: https://www.riskcrew.com/privacy-notice/

Standards on subscription

NSI offers an electronic British Standards Subscription Service in conjunction with the British Standards Institution (BSI).  This service is exclusively available to NSI approved companies, and those interested in gaining NSI approval who have reached the later stages of the application process. To apply for access to this service, the applicant completes the application form on the NSI website and provides NSI with their name, company address, email address and telephone number. NSI uses this information to verify the applicant against the company information it holds, and then sends an invoice for the subscription. The subscription is automatically renewed annually, with the option to opt out of the service at any point. NSI does not share these details with any other party including BSI, and retains the information as part of the company’s approval record.

 

Recruitment, staff details and security screening

Successful applicants to NSI are required to complete a security screening check before commencing employment with NSI. This process is outsourced to the National Security Screening Agency Ltd (NSSA), an NSI approved screening company. The NSSA collect personal data for the purpose of carrying out background screening on behalf of NSI employees. Successful applicants are asked to complete an NSSA security screening application form provided by the NSI HR Manager. Applicants are asked to provide their current passport or a birth certificate, a driving license and a utility bill or bank statement with their current home address stated. These forms are checked and counter signed by the NSI HR Manager and then forwarded to the NSSA. The NSSA will ask the applicant about their previous work experience, education, referee details, and for answers to the questions relevant to the role they have applied for. The NSSA will share the applicant’s name, date of birth and address history with third parties (the Criminal Disclosure and Barring Service and Equifax) where it is necessary to fulfill their contractual obligations to the applicant and to NSI, and where obliged to do so by law. DBS Certificates are retained by NSI for a period of 6 months and then destroyed.

Once the preliminary screening is successful, the applicant can then commence their employment with NSI. The NSI HR Manager compiles a separate file relating to their employment containing the documentation listed above. Please note this file is kept separately to the employee’s HR file. The information contained in this is kept in a secure location and is password protected by the NSI HR Manager and only used for purposes directly relevant to that person’s employment.

If the employment is terminated or an employee resigns, NSI retains both the security screening file and the HR file for each individual for 7 years before destruction. NSI will inform any third parties processing the data to remove it subject to data protection requirements.


 

Board, subcontractors and committee members

NSI Board members, subcontracted auditors and members of NSI committees are subject to the same screening process as NSI employees. Each individual is asked to sign a contractual agreement and complete the required documentation before they commence their relationship with NSI. Personal data requested will be limited to what is appropriate for the role and kept Confidential at all times. Records are kept by NSI for 7 years after cessation of the contract with NSI.

Associate consultancy programme (ACP)

NSI provides a consultant referral facility for businesses seeking help with Certification and business development. Consultants will be asked to complete the relevant application forms with their business details and contact details, plus the names and contact details of companies they work with in order for NSI to obtain a reference. Once on the register, the information displayed on the NSI website will include their business email address and telephone number, in order for interested visitors to contact the consultant directly. The information will remain on the NSI website and within the NSI internal database until such time as the Consultancy is removed from the register of Associate Consultants.

CCTV 

NSI has detector-activated CCTV cameras installed around the Head Office in Maidenhead for the purposes of crime prevention and public safety. NSI staff, visitors to NSI or passersby may be recorded on these cameras. The footage is stored by NSI for a limited time before it is overwritten. NSI may monitor the footage in the event of a security breach. NSI will only ever share the footage with the local Police force in the event of a criminal investigation. The contact number for CCTV enquiries is stated on signage around the building.

Head Office Visitors (inc. COVID-19 requirements)

Visitors to NSI are asked to sign in using the Visitors Book in the Reception area. Information requested includes name, company and vehicle registration. In the unlikely event of a fire, this information is used to perform a roll call and ensure all visitors have evacuated the building. The NSI car park is private property and is available for use by NSI staff and visitors only, and by providing your registration number NSI is able to identify your vehicle. This information remains at NSI Head Office and is not shared with any other party.

During the COVID-19 pandemic, NSI requires all visitors to complete a ‘Visitor Declaration’ on acceptance into the building. Information requested includes name, company, email address or telephone number, and signature. Collecting this information allows NSI to contact visitors directly for ‘contact tracing’ (e.g. in the event another individual in the building on the same day as the visit subsequently tested positive for COVID-19 within the following 5 days). This information is retained by NSI for 21 days following the visit and is then securely destroyed. This information remains at NSI Head Office and is not shared with any other party. NSI is retaining its contact tracing policy as best practice – choosing not to complete the contact details is at the Visitor’s own risk.

Note. A separate declaration must be signed for each day visited.

Throughout the pandemic, all staff and visitors entering Sentinel House are also required to have their temperature taken using a thermographic camera. For visitors, the temperature (correct to 0.1°C) is recorded on the Visitor Declaration and retained for 21 days as described above.

Note. If the temperature recorded is above 38°C the visitor will not be permitted entry.

Complaints 

NSI occasionally receives complaints about approved companies, non-NSI approved companies or about NSI itself. A complaint to NSI can be lodged via the online Complaints Form on the NSI website, or by telephone or email.

Details about complaints made and the parties involved are stored securely on NSI’s internal CRM database. It may be necessary to share the contact details of the complainant with the parties involved or with other relevant bodies in order to progress the complaint. NSI will gain authorisation from the complainant before passing any Confidential information or personal data to other parties.

NSI takes any complaints received about collection and use of personal data very seriously and encourages people to bring to its attention any collection or use of information they think is unfair, misleading or inappropriate.

Complaint details are retained for 7 years before destruction in case of any further proceedings.

Your rights

Under the UK GDPR, the EU GDPR and the DPA (2018), NSI recognises and respects that you have rights as an individual providing personal data:

  • You have the right to know exactly how your personal data will be processed by NSI. NSI commits to processing your data fairly, lawfully and transparently, details of which are set out in this Privacy Notice.
  • You have the right to request access to the personal data that NSI holds about you.
  • You have the right to request changes to the data held about you if the data is incorrect or requires additional information.
  • You have the right to request erasure of your data or the right to be forgotten completely, where there is no legitimate reason for your data to continue to be processed.
  • You have the right to request that processing of your data is restricted so that the data remains stored but is not further processed by NSI.
  • You have the right to request a copy of your data in a portable format.
  • You have the right to object to your data being processed, if the processing is for a legitimate interest without compelling grounds, or for direct marketing.

You may notify NSI of any request to change how your personal data is processed or to update your records by telephone, email or post (see ‘How to Contact Us’).

NSI retains the right to continue processing personal data if there are compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual, or the processing is for the establishment, exercise or defense of legal claims.

Please note: should you choose to erase your data or restrict how your data is processed, this may affect your approval and your awareness of important information and updates.

 

Subject access requests 

If you wish to make a free Subject Access Request to access a copy of the personal data NSI stores about you, or understand how it is processed and why, please follow the instructions below:

  1. Contact your NSI Head Office contact (email preferred).
  2. Include details of your request – which information about you do you wish to have access to?
  3. Provide sufficient evidence about yourself for NSI to verify your identity. (NSI may have to contact you otherwise.)

NSI will deal with your request without undue delay, within 1 month of the receipt of your request. NSI will notify you if it is unable to provide the information within 1 month, detailing the likely timescale. If NSI is unable to grant you access to your data for a specific reason you will be notified immediately. In certain circumstances, such as where a large amount of data is requested which may require extensive time or resource to gather and collate the data, NSI reserves the right to charge a fee to account for this activity.

Changes to this privacy notice

This Privacy Notice is regularly reviewed and may change from time to time. This Privacy Notice was last updated on the 31st March 2022.

How to contact us

If you wish to contact NSI for further information about this Privacy Notice, you can call, email us or write to us at:

National Security Inspectorate
Sentinel House
5 Reform Road
Maidenhead
SL6 8BY

E: nsi@nsi.org.uk  T: 01628 637512

Disclaimer 

This Privacy Notice does not provide exhaustive detail of all aspects of NSI’s collection and use of personal information. However, NSI is happy to provide any additional information or explanation needed when requested.

NSI makes every effort to ensure that the information provided on its website is accurate and current. However, it cannot guarantee this and cannot accept responsibility for any errors, omissions, misstatements or mistakes on the website. Anyone becoming aware of such matters is requested to notify NSI in writing or by e-mail.

Links to other websites

This Privacy Notice does not cover the links within this site linking to other websites, or the content of those sites. NSI encourages you to read the privacy statements on the other websites you visit.

Copyright

This website, including logos and trademarks, is copyright protected, except where it is specifically stated to the contrary. If you have any questions about copyright, please contact us.

Trademark 

The NSI logo is a registered trademark of Insight Certification Ltd. If you have any questions about the logo, please contact us.

Registered office

Insight Certification Ltd
t/a National Security Inspectorate
Sentinel House
5 Reform Road
Maidenhead
SL6 8BY
Registered in England No. 02525516
VAT No: 697 5774 56