Data protection law in the UK and EU changed on the 25 May 2018. This notice sets out the rights of an individual in how NAFN Data and Intelligence Services process personal data under the new law.
This notice comes into effect on 25th May 2018 and was last updated in March 2020.
As an EU member state the UK legislated to meet the EU Regulation 2016/679 (more commonly referred to as the General Data Protection Regulation) as well as the EU Directive 2016/680 (Law Enforcement Directive). The UK government has incorporated both the regulation and the directive into the UK Data Protection Act 2018 (referred to herein as the Act), which comprises seven parts. Under the Act NAFN Data and Intelligence Services recognises its obligations and responsibilities as defined within Part 2 (general processing) of the General Data and Protection Act.
NAFN Data and Intelligence Services works with public sector organisations to tackle and prevent fraud and crime. We act on behalf of our members (local authorities, wider public authorities and housing associations) with a duty to protect the public interest/purse.
This Privacy Notice explains how and why we process personal data provided by our members, under Part 2, general processing, and the steps we take to keep information safe. It also describes the rights of the individual in regard to their personal information and how to complain to the Information Commissioner if there are concerns as to how we have handled the data.
Our promise to you
NAFN Data and Intelligence Services acknowledges the protection of personal and sensitive information is of paramount importance in all our activities. Beyond GDPR our codes of practice dictate that unless necessary, justifiable and proportionate, no data may be processed to fulfil the legal duties of our members. We have also put in place all reasonable technical, security and procedural controls required to protect the personal information submitted by our members for the duration of the retention period.
Your privacy is protected by law, which says that we can use your personal information only if we have a proper reason to do so. We collect the following information in order that you may register for an NAFN account and access our services:
Full name; job title; e-mail address; telephone number; fax number; organisation type; organisation name; and department.
We process information about you as follows:
- Authenticating a user’s access rights to restricted areas of the website
- Identifying and recording the use of interactive site features for example, the Discussion Forum, Sanction Information Database, National Register of Taxi Licence and Private Hire Vehicle Revocations, Refusals and Suspensions (NR3S), E-learning system for continuing professional development and record of achievement
- Processing enquiries/transactions
- Providing default (auto-completed) values in form fields
- Contacting the user to facilitate data sharing between member organisations
Upon logging in to the member’s area of the NAFN website, certain information is recorded including your IP address, username, browser type and the date/time. This information is recorded for security reasons.
Personal information (sometimes referred to as personal data) is any information that lets us identify a living individual from that information, either directly or indirectly. For example, details that may have been provided by members or have been received from third parties may include:
- Date of birth
- Residential address and address history
- Contact details such as email address and telephone numbers
- Financial information
- Vehicle details
- Personal data recorded in the NR3S Database will include the data set out in the Taxi and Private Hire Vehicle Act (TPHVA) 2022 section 2(4).
When we process your personal data, we do so on the basis that our members have a legitimate interest in protecting the public, preventing fraud, debt recovery and verifying a subject’s identity, in order to comply with laws that apply to them.
We may also enable law enforcement agencies to access and use personal data to detect, investigate and prevent crime.
In order to carry out the purposes described above, NAFN Data and Intelligence Services may obtain, use and disclose personal information relating to a wide variety of individuals including:
Our staff, officers, volunteers, agents, temporary and casual workers; suppliers, complainants, correspondents, litigants and enquirers; relatives, guardians and associates of the individual concerned; advisers, consultants and other professional experts; victims (current, past and potential); former and potential members of staff, pensioners and beneficiaries.
We process information you submit about others for/under:
- Investigatory Powers Act (IPA) 2016
- National Sanction Information Database (SID)
- Taxi and Private Hire Vehicle Act (TPHVA) 2022 (National Register of Taxi Licence and Private Hire Vehicle Revocations, Refusals and Suspensions (NR3S))
- Prevention of Social Housing Fraud Act (PoSHFA) 2013
- Council Tax Reduction Scheme Regulations (CTRS) 2013
- Driver and Vehicle Licensing Agency (DVLA)
- National Right to Buy/Acquire Anti-Fraud Service
- E-Learning and Continuing Professional Development
- Verification and validation enquiries
The type of personal information we hold will vary depending upon the reason you have had contact with us and the information you have submitted, but it may include:
Name; address, date of birth, national insurance number; telephone/mobile number; e-mail address; education and training details; family information/known associates; employment details; financial details; offences and alleged offences; criminal proceedings, outcomes and sentences; sound and visual images; references to manual records or files; complaint, incident, civil litigation and accident details.
Personal information which is ‘special’, and requires more protection due to its sensitivity, may include:
Information relating to safety and health; racial or ethnic origin; religious or other beliefs of a similar nature; trade union membership; physical or mental health or condition; sexual life or orientation.
We will use the minimum amount of personal information necessary to fulfil a particular purpose and personal information will be held on a secure computer system.
NAFN is a Joint Data Controller for the National Register of Taxi and Private Hire Vehicle Revocations, Refusals and Suspensions (NR3S) only, as provided for in the Taxi and Private Hire Vehicle Act (TPHVA) 2022.
NAFN and each Licensing Authority are Joint Controllers by reason of the relationship between them as regards the Database, and also by reason of the obligations imposed on them by TPHVA 2022 and referred to below, read in conjunction with section 6(2) of the Data Protection Act 2018 (“DPA 2018”):
- Under section 4 of TPHVA 2022, NAFN has been designated by the Secretary of State to operate the Database.
- Under section 2(2) of TPHVA 2022, each Licensing Authority has a duty to record certain information about licensing decisions in the Database, when making a decision specified in section 2(1) of the TPHVA 2022.
- Each Licensing Authority also has a duty when making a decision specified in section 3(1) of TPHVA 2022: (i) to search the Database (see section 3(1)); and (ii) to have regard to the information in the Database when making that decision (see section 3(3)).
- Under section 4(3)(a) of TPHVA 2022, NAFN as the person operating the Database must ensure that every Licensing Authority, every Relevant Authority, and the Department for Infrastructure in Northern Ireland, are (subject to subsection (4)) able to search the database, make entries in it and amend, remove and reinstate entries that it has made.
To carry out the purposes we have described we may obtain personal information from a wide variety of sources, including:
Member organisations (local authorities, housing associations, wider public authorities); financial sector; regulatory authorities; Driver and Vehicle Licensing Agency (DVLA); Telecommunication Operators (TOs); Credit Reference Agencies; utility providers; online shopping and payment sites.
We will not share information with any third parties for the purposes of direct marketing.
To carry out the purposes described NAFN Data and Intelligence Services may securely share personal information to a variety of recipients including those from whom personal data is obtained. This may include, but is not limited to:
- Member organisations;
- Ombudsmen and regulatory authorities for example, the Investigatory Powers Commissioner’s Office;
- Partners and service providers
Disclosures of personal information are made on a case-by-case basis. Only relevant information, specific to the purpose and circumstances, will be disclosed, and with necessary controls in place. Where possible, this will be done in an anonymised or pseudonymised format. We will always make sure that we have a lawful basis to share the information and will document our decision making to satisfy ourselves that we have a legal basis such as:
- It is necessary to perform our statutory duties;
- It is necessary to protect someone in an emergency;
- It is required by law;
- Information has been made publicly available;
- It is necessary for legal cases;
- It is to the benefit of society as a whole
NAFN Data and Intelligence Services will only disclose personal information to other bodies or individuals on behalf of, and with the knowledge or consent of, the data controller/member organisation. This may be when we or the data controller are required to provide the information under an act of legislation, by a rule of law, or by court order where there may be a risk to the life or safety of an individual. We might also share information with other regulatory bodies in order to further their, or our, objectives.
As a public sector organisation, there are some circumstances where we must cooperate with and assist other public sector organisations and law enforcement agencies, in handling complaints and investigations. This may lead to sharing personal information if it is relevant to that complaint or investigation and lawful to do so.
Third Party Sites
Some of our services are provided through partnerships with other organisations. We may, on occasion, disclose non-personal aggregated information to these third parties.
We will do what we can to make sure we hold records about you (on paper and electronically) in a secure way, and we will only make them available to those who have a right to see them.
Examples of our security include:
- Encryption, meaning that information is hidden so that it cannot be read without special knowledge (such as a password). This is done with a secret code or what is called a ‘cypher’. The hidden information is said to then be ‘encrypted’;
- Controlling access to systems and networks allows us to stop people who are not allowed to view your personal information from getting access to it;
- Training for our staff allows us to make them aware of how to handle information and how and when to report when something goes wrong; and
- Regular testing of our technology and ways of working, including keeping up to date on the latest security updates.
All personal information is stored on systems in the UK. We have both a primary and secondary data centre for backup where responsibility for protecting the data is transferred. Data is protected in transit and stored securely on physical and cloud based ICT infrastructure.
NAFN Data and Intelligence Services keeps your personal information as long as is necessary for the particular purpose or purposes for which it is held. Fraud prevention agencies can hold personal data for different periods of time, and if individuals are considered to pose a public and/or fraud risk, their data can be held for up to six years.
As our members are the data controllers, information will be retained by them in line with their corporate retention policies. In the case of the NR3S, NAFN is a joint data controller with all licensing authorities as provided for by the requirements in the TPHVA 2022. As such, data will be retained on the database as stated in section 4 (3)(b) of the TPHVA 2022.
A key area of change in the new Data Protection Act relates to individuals’ rights. The law refreshes existing rights by clarifying and extending them, whilst also introducing new rights. However your information rights will be dependent on the reason why and how the data was collected and why it is being used.
In order to exercise your rights under data protection law, we will need to verify your identity for your security.
You can contact us by emailing Risk Management and Audit at firstname.lastname@example.org or writing to Tameside One, Market Place, Ashton-under-Lyne OL6 6BH.
How to get a copy of your personal information
This is commonly known as subject access and is the right which allows you access to your personal data and supplementary information. You can make a subject access request by using the contact information above. Once we have received your request we will respond within one month.
Right to be informed
This places an obligation upon NAFN Data and Intelligence Services to tell you how we obtain your personal information and describe how we will use, retain and store it, and who we may share it with.
We have written this privacy notice to explain how we will use member and subject personal information and tell you what your rights are under the legislation.
Letting us know if your personal information needs updating
You are entitled to have personal data rectified if it is inaccurate or incomplete.
If you want us to erase your personal information
You have the right to request the deletion or removal of your personal data and/or the right to ‘block’ or restrict the processing of your personal data where there is no compelling reason for its continued processing.
If you feel that we should no longer be using your personal information, or that we are illegally using your data, you can request that we erase the personal information we hold on you. When we receive your request, we will confirm whether the personal information has been deleted or tell you the reason why it cannot be deleted. There may be legal reasons why we need to keep your personal information.
If you want to request that we erase your personal information, please contact us using the details above.
Right relating to automated decision making
Automated individual decision making and profiling is a decision made by automated means without any human involvement.
Obtaining your information in a portable format
The right to data portability allows you to obtain and reuse your personal data for your own purposes across different services. You have the right to get copies of your personal information from us in a format that can be easily re-used. As the data we process is controlled by our members, where we no longer hold the original information we may refer requests to them directly such that it can be provided in the format required.
Your right to complain
Individuals have the right to object to:
- The processing of their personal data based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
- The processing of their personal data for direct marketing (including profiling); and
- The processing of their personal data for the purposes of scientific/historical research and statistics.
For independent advice about information protection, privacy and information sharing issues, you can contact the Information Commissioner’s Office (ICO) at:
If you are not satisfied with our response or believe that we are not processing your personal information in accordance with the law, you can complain to the ICO by emailing email@example.com or telephoning 0303 123 1113 (local rate) or 01625 545 745 (national rate). Additional contact methods are detailed on their website: https://ico.org.uk/global/contact-us
We regularly review our privacy notice. We will publish any updates on NAFN Data and Intelligence Services website. You can request a copy of our privacy notice by using the details above.
If we plan to use your personal information for a new purpose we will update our privacy notice and communicate the changes before we start any new processing.
To operate efficiently, we must collect and use information about people with whom we work. Having accurate, relevant and accessible information is vital to the efficient management of NAFN and the Host Authority. A key component of information management is effective information governance and security, which is the subject of this policy document. This policy lays the framework for a formal information governance programme and is the central part of a suite of information management procedures which have been adopted by NAFN and the Host Authority which apply to all officers (including all agency workers and contractors).