COVID-19 testing
We are working with organisations in the fight against the coronavirus pandemic and helping individuals return to work.
Read about our work with FRANKD to deliver on-premise testing with secure, digital test results sent to a person’s phone.

What is personal data and how can you keep it safe? Should we be reading T&Cs? How can I protect my privacy online? Data can be a complex topic so we caught up with Emma, our Data Protection Officer to help answer some key data and privacy questions.


What is personal data and why should I care about protecting it so much?

Personal data is any information that relates to an identifiable living individual. As well as obvious things like your name, address, contact details, bank statements or medical records, it also includes things like your phone records showing all the numbers you called or who called you, and when – as long as the information can be connected back to you.

A lot of the free online services we use are only free in a money sense; you are providing your personal information in exchange for the service. Your personal information is valuable to companies, and can help them provide you with great add-ons that they sell to you using your data, such as dashboards showing your spending activity, for example.

Some companies use your information for their benefit without giving you anything extra back. It’s a trade-off and we all make our own decisions about whether what we’re getting in return is worth the data we’re handing over. If people knew the true value of their data and exactly what companies do with it, I suspect they’d give less away and want more control.


We constantly hear about stories of data hacks and people having their data stolen. Who’s responsible for our data and what can be done to help protect it more?

Companies who handle your personal information are responsible for looking after it. Many companies outsource and get suppliers to do certain activities for them, which often means passing on your data.

For example, if a company outsources its customer services function, the staff will need access to customer account information when you ring in for help. Companies are obliged to carry out checks on any suppliers or service providers to make sure they have appropriate security in place to look after the personal data, and the company is responsible if the supplier messes up. An updated data protection law coming in next May will put some obligations directly on the suppliers (including for security) and make them directly responsible to regulators and individuals if they mess up.

Companies usually try hard to keep their security up to date but hackers are getting more and more sophisticated, so companies have to constantly keep improving. They also have to make sure they are training their staff and have measures in place to detect if a staff member has gone rogue and is selling or leaking personal information for their own gain.

But you can also help yourself by being careful about where you provide personal information, shredding letters and documents containing your details or confidential information rather than putting them in the recycling or bin, and by choosing strong passwords online and keeping them secret. We all have so many passwords to remember that it can be difficult to choose strong ones for them all, and not use the same ones for multiple accounts. I use a password manager and get it to generate random strong passwords for me.


How can I protect my privacy when so much of our lives are spent online and every site and service asks for so much personal data?

Sometimes you have to provide certain information to get the product or service you are after, but the law obliges companies to tell you what they’re going to do with it. They should also not collect more information than is necessary, and need a justifiable business purpose for all the data they collect and use. This purpose is not always obvious though, which is why you should look for the explanation of why they need particular information.

Be wary of sites that seem to ask for a lot of information and make it all mandatory. Good companies will tell you what you need to know at the time they ask for your information, but many companies will direct you to their privacy notice instead. This can often be quite long and detailed, but it is where they will set out what they do with your information, and whether they share it with any other companies.

As mentioned above, it’s a trade-off: you need to decide if you’re comfortable handing over your information, knowing what they will do with it, for what you get in return. If you think they’re asking for too much data or you are not happy with what they do with it, then vote with your mouse and go somewhere else.

You also have the right under law to ask a company to provide you with a copy of all the information it holds about you. This helps you understand what they have, and whether any of it is inaccurate.


How will Yoti help keep my data safe?

Yoti keeps your data in a very secure data centre and the individual bits of data are all held separately and encrypted. Once you have set up your Yoti we have no access to any of your data. Unlike other companies we don’t have the full profile details of users and never will – we put our users in control of who sees their data. We don’t connect together all the data and activities of our users to create a profile or big picture of what you’re doing, your interests and so on. We have no interest in knowing what specific users are doing with the app – we just help them store and share it safely.

Like all companies we use analytics to understand how our app is being used and what kinds of users we have and where. But unlike other companies all this data is de-identified or anonymised; we have no interest in tracking you specifically. We only want to know things like how many users we have in a particular country, or how many people managed to successfully add a document (which helps us spot if there are any problems with the app and so fix them quickly).


Will my data ever be sold on? How do you make money?

No. Yoti will not sell on your data; that’s not our business model. We make money by charging companies for the identity checks they make using Yoti – and have a modern approach that makes it quicker, easier and cheaper than the current outdated paper based system.


If I add my passport to my Yoti, that’s a lot of very personal information. Is it really that safe?

Yes. And it’s safer than all the places who currently have a copy of your passport! If you think about how many times you have had to use your passport to prove your identity, and how many times the company took a photocopy or scan and kept it, then that’s a lot of copies of your data you are hoping are being kept securely. With Yoti we don’t store the image of your passport, we just extract the details and add them to your Yoti account, and they’re all held separately and encrypted.

When you use Yoti to prove your ID, you’ll only share the data that is necessary, which is often a lot less than all of those scans and copies of your passport. For example, if you use Yoti to get into a nightclub you could just show your photo and date of birth. There’s no need to show your address, passport number and so on. And it means you don’t have to carry your passport around with you as well.


With so much personal data, won’t Yoti be a hot target for hackers?

Hackers may think that Yoti has a honeypot of data they can exploit. But because we keep all your data separately and encrypted, in the very unlikely event that they got into our very secure systems, all they would find would be random bits of data like your first name or surname and no way to connect it together or connect it to a specific person. So they may see a date of birth but that’s all they would see – they wouldn’t know whose date of birth it is, or see any other information about that particular person.


I rarely read T&Cs, is there anything really important to know about the app?

It’s important to distinguish between the T&C and the privacy notice. The T&C are an agreement between the company and the person using the product, app or service. The terms set out the responsibilities and obligations of each party and provide the ‘rules’. So you have to agree to abide by these rules, usually by clicking an ‘accept’ or ‘I agree’ button.

The privacy notice sets out how the company uses your personal information and what rights and choices you have. This is usually just information, it is not something you agree to (unless any of the uses need your permission). Some companies put privacy notice information into the T&C, but that’s not good practice.

Yoti’s approach is to be as straightforward and transparent as possible, so we’re not hiding anything in our terms to catch you out. If you use the app according to the instructions as you go through it, and as it’s supposed to be used, then you’re not likely to have any issues with the T&C.

Yoti also tries hard to give you the information you need about our uses of your data at the time we ask you for it, so that you don’t have to go and read the entire privacy notice each time. We also have some privacy and security topics in our FAQs. We’re constantly looking to improve all this and we have plans to revamp our privacy notice as well, so it’s easier to navigate and understand.


In one sentence, why should someone download Yoti?

Because it’s an app that’s genuinely trying to solve the problem of trusted identity in today’s online and connected world, in a very clever, secure and convenient way, and is designed to put the user front and centre.


To wrap, up, what’s the one thing about Yoti you’re most passionate about?

I love the focus on user security and privacy in everything we do. I’m constantly inspired by how everyone here is so committed to doing the right thing by users and to putting privacy and security into the DNA of the app and the company.

If you have any other questions about data and privacy for Emma, let us know.