Independent private certification and management-system review for quality, compliance and resilience.
info@veritystandards.co.uk · 020 3422 7346
Verity Certification
Privacy notice

Privacy and data handling with clear boundaries.

Verity Certification handles enquiries, certification records, evidence-pack correspondence and verification requests in a proportionate way. This notice explains what information may be received, why it may be used, how it is protected and what limits apply.

The purpose of this page is to be clear without overpromising. Verity only needs enough information to respond to enquiries, assess requirements, provide certification or review services, maintain records, manage certificate status and handle legitimate verification or governance requests.

What we collect Retention Your rights
Protective summary: Verity does not need unnecessary personal data. Certification and evidence review should focus mainly on organisation-level documents, management-system records, scope, standards, contacts and correspondence needed to deliver or verify the service.
Data collected Why data is used Lawful basis Verification records Sharing Retention Security Rights
Information Verity may receive

Most information should relate to the organisation, not private life.

Verity’s services are business-facing. Most information received should concern organisations, standards, management-system evidence, certification scope and business correspondence. Some personal data may still be involved where individuals act as contacts, directors, managers, employees, auditors, reviewers or certificate-verification enquirers.

  • Name, role, organisation and contact details.
  • Business address, website, telephone number and email address.
  • Requirement wording, tender clauses or customer due-diligence questions.
  • Certification scope, standards requested and service history.
  • Management-system documents, policies, records and evidence supplied for review.
  • Audit, review, findings, corrective-action and certification decision records.
  • Certificate verification enquiries and related correspondence.
  • Complaints, appeals, concerns or certificate-use correspondence.
Data minimisation

Do not send unnecessary personal data

Verity does not normally need private personal information, special-category data, medical records, identity documents, payroll files or unrelated employee records to provide a certification or review service.

Where evidence contains names, signatures, job titles, training records or incident details, the organisation sending it should consider whether it can be limited, summarised, redacted or anonymised before submission.

Purposes of processing

Why Verity may use information.

Information is used only where it has a clear purpose connected to enquiries, services, certification records, verification, governance, legal duties or legitimate business administration.

01

Responding to enquiries

To answer questions, review requirement wording, provide initial suitability comments and prepare quotations.

02

Delivering services

To review evidence, manage audit or assessment activity, record findings and communicate outcomes.

03

Certification control

To issue, manage, suspend, withdraw, renew or verify certificates and associated review records.

04

Governance and defence

To keep records where needed for complaints, appeals, disputes, legal claims, misuse concerns or audit trail protection.

Input

Information supplied

Enquiry details, requirement wording, evidence records and contact information.

Use

Controlled review

Assessment, communication, decision recording, verification and governance activity.

Output

Service result

Quotation, findings, evidence pack, certificate, verification record or governance response.

Lawful basis and business protection

How Verity may justify using personal data.

Situation Likely lawful basis Why it may apply Protective limit
Responding to a service enquiry Legitimate interests or steps before contract Verity needs contact details and requirement information to respond properly. Only relevant enquiry and contact information should be used.
Delivering certification, review or evidence-pack services Contract or legitimate interests Information is needed to provide the requested business service and maintain a record of work performed. Evidence should be limited to what is relevant to the agreed scope.
Maintaining certificate and verification records Legitimate interests Verity, certificate holders and those checking certificates need accurate status records. Public verification should normally show organisation-level certificate details, not unnecessary personal details.
Handling complaints, appeals, disputes or misuse Legitimate interests and legal claims Records may be needed to investigate issues, defend decisions, protect the scheme and maintain audit trails. Records should be kept proportionately and access should be restricted.
Meeting legal, tax or accounting duties Legal obligation Some records may need to be kept for tax, accounting, regulatory or legal compliance reasons. Only records required or reasonably needed should be retained.

This notice is a practical privacy statement and not a substitute for legal advice. Live data flows, processors, analytics, hosting, email and form arrangements should be checked before launch.

Certificate verification

Verification records are deliberately limited.

A verification register exists to confirm whether a Verity certificate is genuine, what it covers and whether it is active. It should not become an unnecessary personal-data register.

Public verification should normally show certificate number, certified organisation name, standard, scope, issue date, expiry date and status. Detailed audit records, commercial documents, correspondence and evidence packs are not published openly.

What may appear in the public register

  • Certificate number.
  • Organisation name.
  • Standard or review route.
  • Certificate scope.
  • Issue and expiry dates.
  • Status such as active, suspended, withdrawn or expired.
Sharing and disclosure

Verity does not sell personal data.

Verity may share information only where necessary for service delivery, business administration, legal compliance, professional advice, technical hosting, email, secure storage, payment administration, complaints, appeals, certificate verification or protection of the certification scheme.

  • Website hosting, email and IT service providers.
  • Professional advisers where needed.
  • Payment, accounting or administration providers.
  • Authorised certificate holders or authorised third parties where evidence sharing is agreed.
  • Public authorities, regulators, courts or legal representatives where required or reasonably necessary.
Controlled disclosure

Evidence packs are not automatically public

Evidence packs, audit notes, findings records and supporting documents may contain confidential commercial information. They are not published openly.

Where a customer, buyer, framework manager or other third party asks to see supporting evidence, Verity should only share it where there is appropriate permission, a legitimate reason and suitable confidentiality controls.

Retention

Records are kept only for as long as there is a proper reason.

Retention periods depend on the type of record and why it is held. Verity may need to keep certain records after a service ends because certificates remain verifiable, disputes may arise, accounting rules may apply and certification decisions may need an audit trail.

  • Enquiry records may be deleted sooner if no service proceeds.
  • Contract, invoice and accounting records may be retained for legal and tax reasons.
  • Certification records may be retained for the certificate lifecycle and a reasonable period afterwards.
  • Complaint, appeal, misuse or dispute records may be kept for longer where necessary.
  • Public verification entries may remain visible where needed to show active, expired, suspended or withdrawn status.
Retention risk view

Why some records may need to be kept longer

Invoices
Legal
Certificate decisions
Audit trail
Complaints
Defence
Verification entries
Status

These are illustrative retention drivers, not fixed periods. A live retention schedule should be maintained separately.

Security and confidentiality

How information should be protected.

Verity should use proportionate technical and organisational measures to protect enquiry records, evidence files, certification records and correspondence against unauthorised access, accidental loss, misuse or inappropriate disclosure.

🔒

Access control

Access should be restricted to those who need the information for enquiry handling, service delivery, verification, administration or governance.

File discipline

Evidence files should be organised, labelled and retained in a way that supports review while avoiding unnecessary duplication.

Review and deletion

Information should be reviewed periodically and deleted, archived or restricted where it is no longer needed.

!

Incident response

Suspected data incidents should be assessed promptly, with appropriate remedial action and notification where required.

Supplier care

Hosting, email, form and IT providers should be chosen and configured with reasonable privacy and security controls.

Confidentiality

Evidence packs, audit notes and client records should be treated as confidential unless disclosure is authorised or required.

Individual rights

Requests about personal data.

Individuals may have rights under UK data protection law, including the right to ask for access, correction, deletion, restriction, objection or portability, depending on the circumstances. Some rights are not absolute, especially where Verity has a legitimate need to keep records for legal, contractual, audit-trail, dispute or verification purposes.

  • Requests should be sent to info@veritystandards.co.uk.
  • Verity may need to verify identity before responding.
  • Verity may ask for clarification where a request is broad or unclear.
  • Records may be retained where there is a legal, contractual, dispute or certification-governance reason.
  • Individuals can raise concerns with the UK Information Commissioner’s Office if they are unhappy with how a matter is handled.
Protective wording

Deletion is not always immediate

Verity may not be able to delete every record on request, particularly where the information forms part of a certification decision, verification record, complaint, appeal, dispute, invoice, legal claim or audit trail.

Where deletion is not appropriate, Verity may consider restriction, redaction, archiving or limiting future use where this is reasonable and lawful.

Common questions

Privacy questions clients often ask.

Does Verity sell personal data?

No. Verity does not sell personal data. Information is used for enquiries, service delivery, certification records, verification, administration, governance and lawful business protection.

Will evidence packs be published online?

No. Evidence packs and audit records are not published openly. The public verification register should normally show certificate status information only.

Can certificate details appear in the public register?

Yes. Certificate number, organisation name, standard, scope, issue date, expiry date and status may be shown so certificates can be verified.

Should clients send employee records?

Only where relevant and proportionate. Clients should avoid sending unnecessary personal data and should consider redaction or anonymisation where possible.

Can Verity keep records after a contract ends?

Yes, where there is a legitimate reason such as accounting, certification history, verification, complaints, appeals, disputes, legal claims or audit trail protection.

Who should privacy requests be sent to?

Privacy requests can be sent to info@veritystandards.co.uk. Please include enough information to identify the relevant record or enquiry.

Contact about privacy

Questions about data handling, records or verification?

Contact Verity with the relevant certificate number, enquiry reference or organisation name where possible. Please do not send unnecessary personal information when making a privacy or verification request.

Email privacy enquiry Certificate verification Contact Verity

This page should be reviewed before launch against the actual website, hosting, email, analytics, form-processing, storage and third-party service arrangements used by Verity Certification.