Privacy notice - Identity Document Validation Technology for right to work checks

• Data is collected from the information you upload to TrustID.
• Data is collected from your passport or other identity documents that you provide.
• Data is collected from the checks that TrustID completes using your ID documents (ie cross checks with the Metropolitan police database). 

Personal data including: 

• Your name, date of birth, gender and nationality
• Your contact details
• Information about your nationality and entitlement to work in the UK. 

Special category data including:

• Racial or ethnic origin
• Biometrics

The university is required to complete right to work checks on all new employees. The use of IDVT allows us to collect, process and store this data, complying with Government legislation surrounding these pre-employment checks. 

Typically, data will be processed: 

• To allow us to comply with our legal obligations
• On the grounds of contractual requirement (eg, to allow us to offer you employment at the University)
• Because you have given us your consent or, in the case of special category data, your explicit consent.

The University may process your personal data (including special category data) for the following purposes:

• To evidence your right to work in the UK, allowing us to respond to and defend against legal claims.
• To meet the audit requirements of Government bodies.
• To form the basis of a personnel file.

The University may share your data with: 

• employees and agents of the University
• third parties that process data on behalf of the University to support it in fulfilling its obligations and responsibilities to and relationship with you (eg software and system providers)
• government departments/agencies to whom we have a statutory obligation to release information (including the Higher Education Statistics Agency, the Home Office UK Visas and Immigration, HM Revenue and Customs, Department for Work and Pensions and the Child Maintenance Service)
• law enforcement agencies such as the police or relevant authorities dealing with emergency situations (only as required or appropriate and in line with data protection legislation).

The University may also disclose your data to other third parties not listed above on a case-by-case basis. Disclosures will be made in full accordance with the data protection legislation and only where necessary. Consent will be sought from you where appropriate and you will be told about such disclosures unless exceptional circumstances apply.

The University maintains a high standard of information security. Access to information and systems for all users are restricted on a need-to-know basis, and security arrangements are reviewed to ensure their continued suitability. For further information see, our IT security webpages.

In certain cases, your personal data will be transferred outside the UK. For these transfers, the University will always comply with UK GDPR obligations and use necessary safeguards to protect your data.

The University will only keep your data as long as necessary to meet legal requirements or satisfy a defined business need. Specific retention timeframes are set out in the University’s Records Retention Schedule.

Under the UK GDPR, you have a right of access to your data, a right to rectification, erasure (in certain circumstances), restriction of processing, objection or portability (in certain circumstances). You also have a right to withdraw consent, and rights relating to automated decision making. For more information see Individuals’ Rights.

If you have any queries about this privacy notice or about how your data is being processed, please contact the University’s Information Governance Team at dataprotection@york.ac.uk.

If you wish to make a data protection complaint, please contact the University’s Data Protection Officer at dataprotection@york.ac.uk.

If you are unhappy with the way in which the University has handled your personal data, you also have a right to complain to the Information Commissioner’s Office (ICO).

This Privacy Notice is kept under regular review. It was last reviewed and updated on 16 June 2026.