- Our biometric identification service has a comprehensive privacy governance framework in place, with additional local measures where needed. This is led and overseen by a designated Data Protection Officer.
- It holds both ISO 27001 and SOC 2 certifications for information security; please see our SOC 2 report for more information.
- It uses both UK datacentres and AWS EU servers. Some products allow local data storage for customers in certain countries.
How the service complies with privacy laws
The biometric identification services and operations are built and run in-jurisdiction, subject to the GDPR / UK Data Protection Act 2018, and have user privacy at their core. Privacy and security by design are the unique selling point of this service. It has a comprehensive Privacy Governance Framework in place to implement the requirements and obligations of the GDPR, the Data Protection Act 2018 and any other privacy or data protection legislation we may be subject to. This Governance Framework is based on established privacy management and accountability frameworks and includes policies, procedures, privacy risk assessments, training and awareness, and supplier diligence. The service has a Data Protection Officer who monitors implementation of this Governance Framework and advises the businesses in all matters of data protection compliance.
Product-specific privacy information
Identity: Doc Scan
Doc Scan is a business product allowing customer organisations to quickly, easily, and securely verify or authenticate their own customers or users. It involves these individuals taking a photo of their ID document. Customer organisations can also request a face match. Customer organisations can also use the product for age checks, based on the date of birth on a document.
What data does Doc Scan collect?
The ID or other document requested by the customer organisation doing the identity check, and the photo of the individual. A face match is done to make sure the ID document belongs to the individual, and further checks make sure they are a real person.
There is more information on biometrics later in this policy.
What data does Doc Scan store?
The details from each identity check and the result. The default storage is one week, but customer organisations can customise this. The shortest storage time we can offer is 24 hours and the longest is three years.
Doc Scan SDK / API: The information and check results are sent to the customer organisation.
What is the lawful basis?
The service is a data processor for Doc Scan. Customer organisations will decide the lawful basis (if required under EU/UK privacy law). If a customer organisation chooses to include the face match option or is in a jurisdiction that considers the liveness check to be biometrics, there is a consent step built into the flow.
How does Doc Scan meet transparency requirements?
The user interface is designed so that it is clear what information is being requested. It also contains information on the different steps and what they are for. Customer organisations can also just use our API and build their own front end. Customer organisations are responsible for providing relevant information to their end users / customers on the ID checks they require that involve Doc Scan.
How does Doc Scan comply with individual privacy rights?
The Doc Scan SDK / API is self-serve, so customer organisations have the information in their own systems and can retrieve it during the agreed storage period. For the identity-as-a-service platform, customer organisations can find and view data.
Customer organisations can delete the entire session (which will remove the results of the checks) and will also be able to remove the media / user data in each section.
The main datacentres are in the UK. There are also two Security Centres where staff verify individuals and documents: one is in the UK and one is in India. Some customer organisations choose to have only automated checks and not include the Security Centre human review step.
Proof of Funds (Optional)
The optional proof of funds checking service is a business product allowing customer organisations to quickly, easily and securely verify or authenticate their own customers or users. It involves customer organisations uploading documents that prove the stated funds are available.
What does the proof of funds check collect?
The document(s) requested by the customer organisation doing the check. The biometric checks described later in this document are used to verify the document.
What does the proof of funds check store?
The document(s) from each proof of funds check and the result. The default storage is one week, but customer organisations can customise this. The shortest storage time we can offer is 24 hours and the longest is three years.
Proof of funds: The information and check results are sent to the customer organisation.
What is the lawful basis?
The service is a data processor for proof of funds checks. Customer organisations will decide the lawful basis (if required under EU/UK privacy law).
The service has a variety of security certifications and the technology undergoes regular penetration testing by leading security consultancies.
Audits and certifications
The service is audited annually by a top-four auditing firm to ISAE / SOC 2 security standards. This is an internationally recognised security standard used by large banks and leading technology firms. The report is available upon request under NDA to potential customers. The service has also recently been audited against the HIPAA Security and Privacy Rules (US medical data regulation) and is also certified to ISO 27001.
Security by design
Data is generally stored in UK Tier 3 datacentres.
Some products also allow local storage for customers in certain countries.
There is an appointed CISO who is ultimately responsible for security. The CISO chairs a monthly Security Forum which includes senior staff from across the business.
This service is a biometric identity platform. Biometrics provide greater security and assurance that users are who they say they are, and so they are an integral feature of most of our products and services.
Customer organisations can choose certain features of Doc Scan that involve biometrics.
Doc Scan contains a biometric consent step if customers need it.
What do we mean by biometrics?
Biometrics is the measurement and analysis of unique physical characteristics and behaviour, such as a face, fingerprint, voice, the way someone walks, the way they use their phone and so on.
Legally, biometrics is defined differently in different laws, but the common factor is that you are identified or authenticated through your unique physical characteristics or behaviour. Not all services use this data to identify or authenticate. However, to make things easier to understand, we have called all the physical characteristics and behaviour data ‘biometrics’.
There are a range of different technologies that are considered biometrics. Not all of them identify or authenticate.
- Detection: Is there a face in this picture? Is it a human face?
- Analysis: What can I determine from this face? (Examples: age; biological sex; mood.) Is this a real person?
- Temporary unique identifier: What is this person doing in a limited context for a limited time? Have we seen this person before, within a limited timeframe?
- Authentication 1:1: Is this person who they are claiming to be? Are the two images of the same person?
- Authentication 1:many: Is this person entitled to do what they are trying to do? (Example: entering a venue or restricted area.) Does this biometric exist in the database?
- Verification or identification 1:many: Is this person known to us? Does their biometric match information we already have about this person and who they are? This kind of software can determine who this unknown person is.
Some service uses of data might involve, for example, a face or elements of a face, but without identifying the person. For example, we have developed technology to check whether a face presented is real or whether it is someone wearing a mask. This activity doesn’t identify the person in any way; it checks whether the image is genuine or not.
When biometrics are used to identify a person, the characteristics are compared to a pre-existing list or database of characteristics and other information. Examples would be a shop that allowed you to pay with your face, or a casino that used facial recognition to identify and help people who had added themselves to a gambling exclusion list.
When biometrics are used to authenticate a person, there are two main ways this is done. The most common approach compares two examples of a characteristic to see if they match. For example, when your bank uses voice recognition for telephone banking, the technology checks whether your voice matches the sample held on your account; the same applies when you use your face or fingerprint to access your phone. This use of biometrics allows you to prove it’s really you by comparing your characteristics with a template you have already set up or that has been created for you automatically. Once created, the template is stored securely, and each time you need to prove that you are really you, your information is compared against the template to see if it matches.
The other way is to compare a characteristic to a pre-existing list or database of characteristics, but there doesn’t need to be any other information about you. For example, an office might use fingerprints to access a certain area that only certain people could enter. The technology would match your fingerprint against all the pre-registered templates to see if yours is there. If it is, you are allowed access.
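The three matching modes described above (1:1 against a stored template, 1:many membership against a gallery, and 1:many identification), plus the 1:1 face match Doc Scan performs, as a toy model added here; this is not the service's own code. It assumes templates are small vectors compared by cosine similarity against an assumed 0.90 threshold, uses constructed sample templates, and the false-accept calculation assumes each gallery comparison is an independent trial.

```python
"""Toy model of 1:1 and 1:many biometric matching. Added example, not the
service's own matcher; templates and threshold are constructed for illustration."""
import math

MATCH_THRESHOLD = 0.90  # assumed operating point for this toy model


def cosine(a, b):
    """Cosine similarity between two template vectors (1.0 = identical direction)."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(x * x for x in b))
    return dot / (norm_a * norm_b)


def verify_1to1(probe, enrolled_template, threshold=MATCH_THRESHOLD):
    """1:1: the user claims an identity; compare the fresh capture with that identity's template."""
    return cosine(probe, enrolled_template) >= threshold


def authenticate_1toN(probe, gallery, threshold=MATCH_THRESHOLD):
    """1:many without identity data (the door-access case): is this template in the gallery at all?"""
    return any(cosine(probe, template) >= threshold for template in gallery)


def identify_1toN(probe, gallery_by_id, threshold=MATCH_THRESHOLD):
    """1:many with identity data: return the best-scoring identity above the threshold, else None."""
    best_id, best_score = None, threshold
    for identity, template in gallery_by_id.items():
        score = cosine(probe, template)
        if score >= best_score:
            best_id, best_score = identity, score
    return best_id


def gallery_false_accept_rate(far_1to1, gallery_size):
    """Why 1:many needs a stricter threshold than 1:1: a probe that one template falsely
    accepts with probability far_1to1 gets gallery_size independent chances (assumption)."""
    return 1.0 - (1.0 - far_1to1) ** gallery_size


# Constructed sample templates; a real system would use face embeddings from a neural network.
ALICE = [0.9, 0.1, 0.3, 0.0]
BOB = [0.1, 0.8, 0.2, 0.4]
CAROL = [0.3, 0.2, 0.9, 0.1]
GALLERY = {"alice": ALICE, "bob": BOB, "carol": CAROL}
PROBE_ALICE = [0.85, 0.15, 0.35, 0.05]  # a fresh capture of Alice
PROBE_STRANGER = [0.5, 0.5, 0.5, 0.5]   # someone who is not enrolled

if __name__ == "__main__":
    print("1:1 Alice vs Alice's template:", verify_1to1(PROBE_ALICE, ALICE))
    print("1:many, is the stranger enrolled?", authenticate_1toN(PROBE_STRANGER, GALLERY.values()))
    print("1:many identify Alice:", identify_1toN(PROBE_ALICE, GALLERY))
    print("FAR 0.1% per template, 1000-template gallery:",
          round(gallery_false_accept_rate(0.001, 1000), 3))
```

The last line shows the practical caveat: a per-comparison false-accept rate that is acceptable for 1:1 becomes a high chance of some false match once the same threshold is applied across a large gallery.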
Why do biometrics provide more security?
Instead of having to remember PINs, or usernames and passwords (which may be guessed or hacked), biometrics use something unique to a person that only they have, like a face or fingerprint. Many companies, such as banks, are using biometrics like voice recognition to make sure only the account holder can access the account. Biometrics are often used with other information, like a pass card or a PIN, where more than one security measure is needed.
Why do we use this biometrics solution?
The service is an identity platform and uses biometrics as a security and fraud prevention measure.
The biometrics are a key part of making sure we keep out fake identities and documents. The biometrics to authenticate individual users prevent fraudulent use of the service and protect user data by making sure that it really is that user taking an action.
Doc Scan: Face detection
Detecting a face is the first step in the process. The technology examines the image it gets and works out which bit of it is an actual human face. Only this portion of the image is then used. This stage also allows for basic error checking: if the system can’t find a face in the image (for example, because the individual didn’t position themselves properly in front of the camera, or some inappropriate object is put there) then the system can return an error message instead.
Doc Scan: Checking it’s a real person
This technology does not identify or authenticate. It determines whether the image presented is genuine and of a real person, or whether it is someone wearing a mask or otherwise pretending to be someone else. We use different technologies for these checks. Some ask individual users to take an action, such as moving the phone towards their face or recording a short video of themselves saying a few words. Some happen in the background automatically. We use the information from these checks to make sure the user is a real person. We can’t provide any more details about how this works, as we don’t want people to be able to get round our checks.
Doc Scan: Face match authentication (1:1)
This technology compares two examples of a face to see if they match.
When individual users set up Doc Scan, we take a scan of their face to create a biometric template, which we store securely. A biometric template is a digital map of the face.
We do a face match when users provide an ID document for Doc Scan. We compare the document photo with the photo taken to make sure users only upload their own documents. Customer organisations can also request a face match as an additional security measure when their users / customers share identity or age attributes with them.
How the service can help with your privacy law compliance
This service is a secure and privacy-friendly identity solution. Outsourcing your identity needs to us can help with your privacy compliance in several ways. Here is how this service puts into practice several key privacy principles and requirements, helping you do more compliant identity or age verification and authentication.
Privacy by design
GDPR and other privacy laws oblige you to design privacy into everything you do: products, services, systems, databases and processes. This service takes a privacy-by-design approach to the development of our products and services, so it will likely be more privacy friendly than your current systems and processes.
You can use this service as an ‘out-of-the-box’ solution for identity verification, authentication and login, safe in the knowledge that our services are compliant with the privacy-by-design principle. This service can help you improve on current practices, as our products are a simple, privacy-friendly solution rather than a combination of processes, systems, access controls and data handling practices that may not be joined up.
Many privacy laws require you to only collect and use the minimum amount of data necessary for your purpose. This service allows you to request, and users to share, only the information that is relevant and necessary – so complying with the data minimisation principle. This product can help you improve on current practices because you will no longer need to collect excessive information from your users.
Most privacy laws contain provisions on security and GDPR has prescriptive requirements for keeping data secure. This service keeps user data secure in Tier 3 datacentres and we follow security-by-design principles.
Businesses carrying out identity verification and authentication no longer have to deal with insecure transfers of personal information and with managing, storing and retaining securely paper copies of documents or scanned copies in emails. Identity details are shared securely and stored securely in servers. Even where you extract and keep information in your own systems, you only have the minimum information necessary, reducing your security risk.
Transparency and choice
Privacy laws require you to provide information about your data collection and use practices. When you interact with your customers using Doc Scan, they are clearly presented with the details you require, and choose whether to share them. Once shared, both you and your customer get a receipt showing what data has been shared, with whom and when. When you integrate this service to allow your customers to verify and authenticate themselves you have the option to present appropriate privacy notice information before any details are shared.
The principle is built into different privacy laws in different ways and GDPR explicitly requires you to be able to evidence and demonstrate compliance. The service provides an easy way for both individuals and organisations to have a record of what information was collected / shared. It can help you improve on current practices as the record of what information you collected from users is stored securely and accessible in one place.
Identity verification for individual rights requests
GDPR, CCPA and other privacy laws require you to confirm the identity of an individual before disclosing any personal data to them (such as following an access request), or acting on their rights requests (such as correction, deletion and so on). This service provides a quick, online, privacy-friendly and secure way to carry out this identity verification without having to collect and store copies of ID and other documents. It can help you improve on current practices by giving you the ability to quickly verify the identity of a consumer online, with a record of that verification, avoiding the need to deal with posted copies of documents or images scanned into emails.
Privacy governance framework
The service has a comprehensive privacy governance framework in place to implement the requirements of the privacy laws we are subject to. This section provides an overview of all the elements of the framework, which should assist your diligence.
- Company business principles
- Guardian council
- CFO is accountable; the Commercial Management Team makes the final decisions
- Data Protection Officer leads on data protection / privacy; consults and works with the business, specifically Legal, Finance, Regulatory Policy and Technology
- Ethics and Trust Committee
Privacy by design
- Privacy risk assessments
- Privacy compliance checklist
- Privacy-by-design documents for non-tech functions
- Software change management process
- Infrastructure commissioning process
- Privacy and ethics impact assessments carried out where required legally or by the DPO
Operational policies and procedures
- Policies and processes are listed on the controlled documents register and reviewed at least annually
- Controlled documents process for creating, reviewing and updating policies and processes
- Key privacy documents:
  - Privacy Standards
  - Data handling principles for staff
  - Individual rights policy and process; checklist for handling requests from individuals
  - General security incident management policy and process
  - Acceptable use and monitoring policy
  - Law enforcement data request principles, disclosure and transparency policy
  - Dawn raid policy
  - Sensitive data policy document (required under UK DPA 2018)
  - Risk Register
  - Product privacy notices
  - Just-in-time information in the products and services where possible and relevant
  - Employee privacy notice
  - Applicant privacy notice
  - Visitor privacy notice
Training and awareness
- New starter training
- Privacy test six months after new starter training
- Annual refresher training
- Privacy section in weekly newsletter
- Internal resources on privacy and data protection
- Supplier diligence policy and process: includes privacy and security
- Supplier risk assessment as part of SOC 2 compliance
- Product terms include clauses as standard requiring the customer to provide appropriate information to individuals on data collection and use, and to practise data minimisation
Record of processing and retention
- Data inventory
- HR retention schedule