The Data Controller is Agenda’s client (your employer / potential employer or organisation).
The Data Processor is Agenda and we process your information under written instruction from our client (Your employer / organisation or potential employer).
Agenda is registered in the UK with the Company Number 3295323.
Agenda’s registered address is Regents Court, Princess Street, Hull, HU2 8BA.
Agenda is registered with the Information Commissioner’s Office Certificate Number Z4680545.
Agenda is committed to protecting your privacy and personal data as defined in the Data Protection Act 2018, the General Data Protection Regulation ((EU) 2016/679), UK GDPR or any successor legislation in the UK to the GDPR or the Data Protection Act 2018.
As part of the management of data protection and privacy at Agenda, we have developed a Personal Information Management System which is compliant with BS 10012:2017 Data Protection and ISO 27701 Privacy Management.
What is personal data
Under the General Data Protection Regulation (GDPR) personal data is defined as:
“Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
What is pre-employment screening / background checking / vetting
Background checks, pre-employment screening or vetting is the process of validating the information that you provide as part of the recruitment or rescreen process is accurate.
How we use your personal data
Agenda use the personal information that we collect from you to perform a background screening check on you. This is based on our client’s requirements. This is done to validate that the information you have given to our client as part of your employment or potential employment is accurate.
The level of information we collect depends on the types of background checks agreed and ordered by Agenda’s client. This can include the following types of checks:
- ID Verification
- Qualification Check
- Work History
- Criminal Check
- Right to Work Check
- Fraud Database Check
- Sanctions Check
- Finance Check
- Online Reputation Check / OSINT (Open Source Intelligence)
The amount of personal information we collect from you will vary depending on the screening level and the types of checks our client has ordered. Agenda limits the amount of information that we collect from you to what is required for Agenda to be able to complete the background check that the client has ordered. The information Agenda collects from you is only used to carry out the screening and is never sold to third parties.
To carry out a background check, we collect “personal identifiable information” (i.e. information that could be used to identify you directly.) Examples of this type of information include full name, previous names, address, phone numbers, email addresses, date of birth or gender. Agenda may also ask for work, education, address and criminal record history if this is part of the background check ordered by the client.
Agenda do not sell your personal data to third parties.
Depending on the screening level ordered by the client and the types of check that screening level consists of, Agenda may have to share your information with a third party to validate the information provided by you is accurate and correct.
Examples of third parties Agenda will share your data with:
If a criminal record check is part of your screening, Agenda will share your information with the relevant disclosure body to check if you have a criminal record. In the UK, this would be the Disclosure and Barring Service (DBS), Disclosure Scotland or Access Northern Ireland.
If a finance check is part of your screening, Agenda will share your information with the relevant credit reference agencies.
If an ID check is part of the screening, Agenda with use the relevant credit reference agencies to check the authenticity of the ID documents shared with Agenda.
If a qualifications check is part of the screening, Agenda will share your details with the awarding body or establishment of the qualification to validate the authenticity of the qualification that you hold.
Previous Employer(s) and References
If required by the screening level, Agenda will contact your previous employer/s and references to confirm employment history and/or obtain a reference/s.
Sanction and Fraud Checks
If a sanctions or fraud check is part of the screening level, Agenda will cross-reference your name against various sanctions and fraud databases. Examples of these types of databases are OFAC and the UK government sanctions lists.
If you have lived or worked overseas and Agenda have to confirm employment, criminal record, references or education for the period that you were overseas, we may store, process and transmit information to locations around the world, including those outside your country or the EEA (this only applies if you have lived and worked overseas). Such a transfer will not occur without adequate protection. Agenda shall only process (including store) personal information in accordance with applicable European and UK privacy laws.
Online Reputation Check / OSINT (Open Source Intelligence)
If an OSINT check is part of the screening level, Agenda will check your online digital footprint to see if there is information in the public domain that could be detrimental to Agenda’s client.
If your screening level includes a CIFAS check, this additional fair processing notice will also apply. Please click here for the CIFAS privacy notice.
What is a CIFAS check?
Cifas is a not-for-profit fraud prevention membership organisation. They are the UK’s leading fraud prevention service, managing the largest database of instances of fraudulent conduct in the country. Their members are organisations from all sectors, sharing their data across those sectors to reduce instances of fraud and financial crime.
Please click here for a list of third party processors
How long do we store your data for
Agenda Screening Services stores your data for a maximum period of 6 months, from the completion of your Screening. After 6 months your personal identifiable information is removed from our system.
How we protect and secure your personal information
Agenda fully appreciate how important and valuable personal identifiable information is and we take all possible steps to protect it. Data is held by Agenda in the UK and is not sold on to third parties.
Agenda is accredited to the internationally recognised ISO/IEC 27001:2013 standard for Information Security Management, ISO 27701 Privacy Information Management, BS10012 Personal Information Management and ISO 22301 Business Continuity Management these standards are audited by an independent certification body, every 6 months.
Agenda is accredited to the UK government and CESG backed Cyber Essentials scheme which is now a requirement for organisations that work with UK government organisations. Agenda’s premises hold the ACPO Secured by Design award.
Agenda is an umbrella body of the Disclosure and Barring Service and must be compliant with strict information security standards set out by the DBS. To remain a registered umbrella body, Agenda is subject to and must pass audits carried out by the DBS.
All personal information is handled by Agenda staff that have been through 22 background checks themselves and are fully trained in the requirements of Data Protection.
We are accredited to ISO 9001 Quality Management System standard that we use to ensure sure that our processes and services are fully audited and robust. To maintain this international standard, we are audited every 6 months by an independent certification body.
What is Agenda’s legal basis for processing of your personal data
Agenda is processing your personal information to fulfil the contract and written instructions of our client to provide pre-employment screening / background checks / vetting.
The lawful basis for processing your information is the responsibility of our client (Your employer / organisation or potential employer)
If Agenda ask for your consent, this is for screening practicality reasons as some organisations will need your consent before they release your information to Agenda for validation. An example of this can be with a qualification awarding body when Agenda is required to confirm a qualification.
Your rights as a data subject
Please note that as a Data Processor Agenda only process your data on written instruction from the Data Controller (Agenda’s client) Subject Access Requests or a request to erase your data should be directed to the organisation that submitted you for screening. Agenda cannot action these requests without authorisation from our client, the Data Controller.
At any point whilst we are in possession of or processing your personal data, you, the data subject, have the following rights:
- Right of access – you have the right to request a copy of the information that we hold about you.
- Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
- Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.
- Right to restriction of processing – where certain conditions apply you have a right to restrict the processing of your data.
- Right of portability – you have the right to have the data we hold about you transferred to another organisation.
- Right to object – you have the right to object to certain types of processing, such as direct marketing.
- Right to object to automated processing, including profiling – you also have the right to be subject to the legal effects of automated processing or profiling.
- Right to judicial review – in the event that the Data Controller refuses your request regarding your rights of access, we will provide you with a reason as to why. You have the right to complain as outlined below.
How does Agenda maintain compliance to data protection laws
To support compliance with all relevant UK and EU data protection law and the requirements of the General Data Protection Regulation (GDPR), Agenda Resource Management have implemented a personal information management system (PIMS) in accordance with the British standard BS 10012 and ISO 27701 Privacy Management.
The objective of the implementation of the PIMS is to provide direction and support for compliance with data protection requirements and good practice. Agenda shall establish, implement, maintain, and continually improve the PIMS, including the processes needed and their interactions, in accordance with the requirements of the British Standard BS 10012 and ISO 27701.
Certification to ISO/IEC 27001 Information Security Management, BS EN ISO 9001 Quality Management, ISO 22301 Business Continuity and BS EN ISO 14001 Environmental Management and Cyber Essentials are used to support the PIMS as well as suitable qualified and experience personnel in the roles of data protection officer and information security and data owners. These roles will oversee and review data processing activities, maintain data inventories and data impact assessments to ensure that adequate organisational and technical measures are in place which are reviewed on a yearly basis.
If we make significant changes in the way we treat your personal information, we will make that clear on our websites or by email, so that you are able to review the changes.
This Privacy Notice was last reviewed 30/04/2021
In the event that you wish to make a complaint about how your personal data is being processed by Agenda or how your complaint has been handled, you have the right to lodge a complaint directly with The Information Commissioner’s Office (ICO) and Agenda’s Data Protection Officer.
The details for each of these contacts are:
Data Protection Officer
PO BOX 24
Information Commissioners Office
0303 123 1113