Yoti Identity Verification within the UK Digital Identity and Attribute Trust Framework (UKDIATF)
This Privacy Notice applies when you use Yoti’s Identity Verification service for the purpose of a digital DBS check, Right to Work or Right to Rent check. Yoti is the Data Controller and is responsible for the processing of your data.
Last updated: 15th October 2022
Jump to section
What is it?
Yoti’s Identity Verification service allows one time verification of a living person’s identity. This verification is conducted under the rules set out in the Department for Culture, Media and Sport’s UK digital identity and attributes trust framework (known as the “UKDIATF“).
Yoti uses its Identity Verification service to assist its clients conduct digital DBS, Right to Work and Right to Rent checks. You do not have to pay Yoti for this service, but Yoti will charge its clients.
We have some FAQs on Yoti’s Identity Verification service here:
Yoti’s Identity Verification service is explained on our web page here: www.yoti.com/business/identity-verification
The information in this privacy notice relates to Yoti’s Identity Verification service. We also have general information that applies across all our business here: https://www.yoti.com/privacy/ That page provides information about Yoti, our business principles, our Guardian Council, contact details and general personal information collection and use practices. The page also has links to all the product-specific privacy notices.
Information collection and use
- We collect information from those using Yoti’s Identity Verification service to send our clients an assertion of identity so that they can conduct digital DBS, Right to Work or Right to Rent checks on you.
- Yoti’s Identity Verification service is a one off verification journey, so we do not create an account for you.
- We also collect some device information as part of our analytics.
- If we suspect your document is fraudulent we may keep it in an internal database to ensure that (a) this document is never accepted by us and (b) is used to improve our anti-fraud techniques.
- If we find a suspected fraudulent document we may share this with relevant law enforcement and anti-fraud bodies.
|We extract data from your identity document to establish your identity. We extract your name, date of birth, address (if present), document number, type of document, document expiry date and photo.
For Right to Work and Right to Rent only, we will also share an image of the identity document with our client.
|We capture images of your face to conduct liveness tests to check that you are a real person and not someone trying to impersonate you. We take a scan of your face to create a biometric template of your face, which we store securely. A biometric template is a digital map of your face
We perform face matches to compare your selfie with the photo on your identity document. When you add a document we compare its photo with the face template to make sure users only upload their own documents.
As we are capturing your biometrics, we ask you to consent to this. If you do not want to consent then you will not be able to complete the digital identification process and you can speak to the HR vetting company or employer / volunteer organisation you are working with about other routes you can use for verification.
|You may assert your address to us, and we may check it against the records held by a Credit Reference Agency. The check will be in the name of Yoti Limited.
Or we may take your address from an identity document that you have submitted to us.
|Third party data sources
|We may send your information to trusted third parties, such as Credit Reference Agencies, to look for other information about you that helps us verify your identity.
|Information on how we verified your identity
|This information creates an audit trail stating how we verified your identity. It is sent to our client as part of their digital service for or about you.
This information includes your IP address when using Yoti’s Identity Verification service.
|Feedback and email
|If you send feedback to our Customer Support we will use that information to get in touch with you to resolve your issue or to acknowledge your feedback.
We delete your data in line with the requesting companies (the company asking you to perform the checks) retention period.
The maximum amount of time that Yoti will have access to your data is 28 days; after which we either:
- delete your data completely or
- delete your data in line with the requesting company’s privacy notice.
We will hold your data for 28 days following the completion of the Identification Verification session and do not have access to view the data after this time.
We may in some instances keep your data for longer than 28 days where there are legal, regulatory or anti-fraud reasons to keep your data for a longer period of time. Under these circumstances you would not be able to exercise your right to erasure.You can contact us to delete your data by emailing email@example.com. You can find more about your data protection rights below.
Other companies’ use of your personal information
We will put your data into a report and send that report to our client. Our client is the entity who requested that you undergo Yoti’s Identity Verification. The form of the report is dictated by the DBS or UK Home Office requirements for DBS, Right to Work and Right to Rent.
Credit Reference Agencies
If we need to use a credit reference agency to verify your address or other part of your identity then we simply send the relevant details to the credit reference agency or fraud prevention database and use the response in our identity verification.
If we suspect you are committing identity fraud or a criminal offence when using Yoti’s Identity Verification, we may have to share a copy of your information with the appropriate authorities.
We may pass a copy of your information or an image of the false document to the relevant fraud prevention agencies, law enforcement agencies or the third party company who issues the genuine version of the false document.
If, after investigation, we determine that there has been fraud that meets the criteria for reporting to Cifas, we will pass on the details to prevent further fraud and money laundering.
Cifas keeps fraud reports for six years. Other Cifas members may use the information we report to refuse to provide you with services, financing or employment. You can find the Cifas privacy information here: https://www.cifas.org.uk/fpn
We also work with the Metropolitan Police Service Amberhill Identity Team in relation to false identity documents / information. Where we find that there is a match to their database, we will share the document and information with the Police.
Law Enforcement of other official body
We have an internal policy and process to make sure that, where we are able to share information, the request is valid, the information requested is no more than necessary, and that we think it’s the right thing to do.
We may have a legal obligation to share the information if we receive a court or similar legal order ordering us to disclose it.
Security and data location
We keep the Identity Verification data encrypted in our UK datacentres and occasionally the data could be sent to our security centre in India for further checks. We are audited annually by KPMG against the SOC2 Type 2 Security control standards and we also maintain our ISO 27001 certification.
Yoti has the decryption keys for your encrypted data, but we have access controls in place to limit which staff have access to the server. Our staff may need access data to troubleshoot problems and manage the server in emergency events.
If we decide or are obliged to send or store your personal information in another country, we will update this section to describe the protections we have put in place.
You are entitled to know what personal information we hold about you and to receive a copy of it.
Please note that we do not have to share information about fraudulent indicators. You may contact the relevant fraud prevention agency for further information.
If you spot an error in the data we have processed then please re-submit your document again.
You are entitled to correct personal information we hold about you that is inaccurate.
In certain circumstances you are entitled to ask us to delete the personal information we hold about you. We may keep your data for longer than 28 days where there are legal or regulatory reasons to do so.
In certain circumstances you are entitled to object to Yoti processing your personal information.
There are unlikely to be any circumstances when this right applies to Yoti Identity Verification service personal information. If you want to contact us about your objection rights, please email: firstname.lastname@example.org
In certain circumstances you are entitled to ask us to restrict our processing of your personal information.
You can ask us to do this if:
- you dispute the accuracy of your personal information;
- our processing is unlawful but you prefer restriction to deletion;
- we no longer need the information but you need it for legal reasons; or
- you have objected to our processing and we are still dealing with this objection.
If you want to contact us about your restriction rights, please email: email@example.com
In certain circumstances, you are entitled to receive the personal information you have provided us in a structured, commonly used and machine-readable format.
You have the right to object to automated decisions made about you and have a person within our business to review this decision. Please email firstname.lastname@example.org and our Customer Support can help you with your request.
Complain to the ICO
You can also complain to the Information Commissioner’s Office (ICO) who is responsible for making sure that organisations comply with the law on handling personal information. https://ico.org.uk/global/contact-us/
Understanding how people use the Yoti Identity Verification service is essential. We need to know what’s working, and what isn’t, so we can improve. As a business, we need to know how many people are using it, where they are in the world, and which aspects are most popular.
We collect information about your device and your use of our websites using in-house analytics. We de-identify and aggregate the information we collect so we can’t identify you personally. Unlike most other companies, we don’t build individual profiles of the people who use the Yoti Identity Verification service. We simply look for trends and patterns to inform business decisions.
Using our in-house software, we collect some information from users and some information on when certain things happen as you use Yoti Identity Verification service. This information includes information about your phone, such as make and model, operating system, app version and screen size information. Our in-house software does not identify you personally.
We perform analytics on information created automatically by our internal systems when things happen. Our analytics looks at, on an aggregated and anonymous basis, the actions performed on our own servers, for example: how many sessions are created, how many of a particular document type are uploaded and the outcomes for particular checks (but without recording personal data).
We do not perform any analytics on actions you take on your own device, such as clicking buttons.
We do not store device IDs or any other unique device identifiers.
We do not use any personal data, such as your mobile phone number or IP address, to identify you in our analytics. All we do is note your country location based on your IP address (but we do not store the full IP address).
From January 2019, we changed how we present our privacy information to distinguish between general information and product-specific information. We no longer present our past versions on our website.
This is the first version of this privacy notice. For all future versions please contact email@example.com.
- We updated our section on data retention to make this more clearer to the customer and organisations using this service. Our retention time has not changed.