Standard, Basic and Police CRB Checks

Privacy Policy

Disclosure and Barring Service

Standard/Enhanced Disclosure Applicants Privacy Policy

  1. About us

    1. The Disclosure and Barring Service (DBS) helps employers make safer recruitment decisions and prevent unsuitable people from working with vulnerable groups, including children.

    2. Every year we issue around four million Disclosure certificates. We also manage both the children’s and adults’ barred lists.

    3. We search police records and in relevant cases, barred list information, and then issue a DBS certificate to you.

    4. Occasionally, depending on circumstances, and in order to produce a complete and accurate certificate, we must issue a manually produced certificate. Manual certificates follow the same checking processes as our system-generated certificates and are equally valid. It must be noted however, that applicants issued with a manual certificate cannot join the update service with that certificate.

    5. We know that information released on DBS certificates can be extremely sensitive and personal. Therefore, organisations using the DBS checking service must comply with our code of practice. The code is there to ensure organisations are aware of their obligations and that the information released will be used fairly. The code also ensures that sensitive, personal information disclosed by the DBS, is handled and stored appropriately and is kept for only as long as necessary.

    6. Each organisation requiring staff checks and registered with Cloisters (UK) Ltd must use a designate trained checker  that has  to complete a Cloisters  “Conditions of Agreement” (a copy of which is available on request). This ensures that only one Designated Checker of the organisation can be involved in the process.

    7.   We (Cloisters) only hold the applicant dob and application form reference number data  for a max of 6 months on devices that are not online.

    8. DBS offer different types of check issued under the Police Act 1997:

1.7. Employers can only carry out a standard or enhanced check when you apply for certain roles. For example you may be applying for a role in either healthcare or childcare.

1.8. You will have the ability to track your application for standard and enhanced checks. You will need to enter your form reference number and date of birth in order to use this facility.

  1. What is it I need to know?
    1. This is our Privacy Policy. It tells you how we will use and protect any information we hold about you as part of your standard or enhanced disclosure application.
    1. The Policy also explains what your rights are as a standard or enhanced applicant under the General Data Protection Regulations. It says why we need your personal data, what we will do with it and what you can expect from us. It also explains how to get a copy of any personal data we may hold about you. This is called a Subject Access Request.
    2. We do have other Privacy Policies that cover our other statutory functions. They can be accessed here.
  1. How will we use the personal information supplied to us?
    1. We at the DBS collect your personal data in order to:
    1. The information we collect about you depends on the reason for your business with us. We may use the information we obtain for any of the purposes listed above.
    1. Your information may also be used for testing purposes. Testing is undertaken to ensure that our systems function as per specified requirements. If it is not practical to disguise your data or use dummy data then we will test our system using your data. This testing will only take place in environments that are secured to the same level as our live system.

Please note we may use previous applications you have submitted to assist in the checking process.

  1. Who is the data controller?
    1. A data controller decides the purpose and the manner in which any personal data is processed.
    1. The DBS is the data controller of information held by us for the purposes of GDPR. We are responsible for the safety and security of the data we hold.
  1. Who are the data processors?
    1. A data processor is anyone (other than an employee of a data controller) who processes that data on behalf of the controller.
    1. At the DBS we have a range of suppliers who process data on behalf of DBS as defined in section 9. We make sure that our data processors comply with all relevant requirements under data protection legislation. This is defined in our contractual arrangements with them.
  1. Contacting the Data Protection Officer
    1. The DBS Data Protection Officer Elaine Carlyle can be contacted via telephone on 0151 676 1154, via email at, or in writing to:

Elaine Carlyle

DBS Data Protection Officer

Disclosure and Barring Service

PO Box 165


L69 3JD

  1. What are the legal grounds for processing my information?
    1. The DBS was established under the Protection of Freedoms Act (PoFA) 2012 on 1 December 2012. Disclosure functions of the DBS are contained within Part V of the Police Act 1997.
    1. We provide a service which enables employers in the public, private and voluntary sectors to make suitability decisions. We do this by providing information to enable them to determine whether individuals are unsuitable or unable to undertake certain work in particular, with occupations involving regular contact with vulnerable groups, including children.

7.3. In addition to the above, we may share information with third parties for other
purposes where we are legally permitted to do so.

  1. Why would DBS hold my personal data?
    1. We will only hold your data if you have:
    1. If we ask you for personal information, we will:

Please note: We will share information with ‘relevant authorities’ such as the police, government departments etc. under UK Data Protection Act Prevention and Detection of Crime (Sch2, Part 1 Paragraph 2).

We will also share information under UK Data Protection Act (Sch2 Part 2 Paragraph 5 (2)) where disclosures are required by law or made in connection with legal proceedings.

    1. In return, we will ask you to:
    1. This helps us to keep your information up to date and secure. It will apply if we hold your data on paper or in electronic form.
  1. Organisations that are involved in the Disclosure Service
    1. Data will be passed to organisations and data sources involved with the DBS where we are legally permitted to do so. This includes:
  1. Where is my data stored?
    1. Your data is held in secure paper and computer files. These have restricted access. Where your data is held in paper format we have secure storage and processes for this. In some cases we may use secure off-site storage. We have approved measures in place to stop unlawful access and disclosure. All of our IT systems are subject to formal accreditation in line with Her Majesty Government (HMG) policy. They also comply with the security required within GDPR to make sure that personal data is processed in a manner that ensures appropriate security of the data including protection against unauthorised or unlawful processing.
  1. How long will DBS hold my information?
    1. We operate a Data Retention Policy to ensure that data is not held for longer than necessary. However at present, there is a restriction on the destruction of information due to the ongoing Independent Inquiry into Child Sexual Abuse. DBS are currently reassessing the retention requirements in light of this.
    1. Any data we identify that could be called on by the inquiry will be retained until completion of the inquiry. At this point the information will be securely destroyed as soon as is practicable.
  1. What are my rights? How will DBS protect them?
    1. We are committed to protecting your rights under the GDPR.
      1. Your right to be informed

This document provides you with information in relation to how your data is processed as a DBS applicant. This ensures that we are transparent with regards to what we will do with the information you supply to us on your standard or enhanced application.

      1. Your right to access to your personal data held by the DBS – known as a Subject Access Request

You have the right to request a copy of the information we hold about you.

On receipt of a valid application we will tell you whether we hold any data about you and provide you with a copy. Further information on how to apply can be found here.

      1. Your right to request that information held is accurate. Can I update it?

If you think that the information held by us at the DBS is incorrect, you have the right to request that it is corrected. If you challenge the accuracy of data that was provided to us by a third party we will send your request for correction to that party for their consideration.

It is the duty of both you and the Registered Body, the organisation who verifies your identity, to ensure that the information you have submitted on your application form is accurate.

If you believe you have submitted an error on an application that is still in progress you will need to contact us immediately on 03000 200 190.

If you wish to dispute information contained on a completed certificate you can raise a dispute by contacting us on 03000 300 190.

Third parties can also dispute a DBS certificate if they have all the necessary certificate information:

Where this is the case the applicant will be notified by the DBS that a third party has raised a dispute.

Read our guidance on GOV.UK for more information about disputes.

      1. Your right to request erasure of your personal data

In certain circumstances you have a right to have personal data held about you erased. At the DBS we will only do this if certain criteria are met. There are some circumstances where this cannot be done therefore we advise you to seek independent advice before submitting an application to us.

Any requests for information to be erased will be considered on a case-by-case basis.

There are some specific circumstances where the right to erasure does not apply and we may refuse your request.

      1. Your right to prevent DBS from processing information which is likely to cause you damage or distress

You have the right to request restriction of processing where it has been established that one of the following applies:

DBS customers can request restriction of processing for any of the above reasons until these are resolved. Should you wish to restrict processing you will need to call the DBS helpline on 03000 200 190. Any requests to stop processing will be considered on a case-by-case basis.

      1. Right to receive an electronic copy of any information you have consented to be supplied to us – known as data portability

You have the right, where this is technically feasible, to electronically receive any personal data you have provided to the DBS to process, on a consent basis.

Please note that basic, standard and enhanced certificates are processed under our legal obligation, under Part V of the Police Act 1997, and barring information is processed under the Safeguarding and Vulnerable Groups Act 2006. Therefore, this information falls outside of the right to data portability.

All requests for portability will be considered on a case-by-case basis.

      1. You have the right to object to the processing of your information

Should you wish for the DBS to stop processing your application you will need to withdraw the application.

      1. You have rights relating to automated decisions being made about you

Our disclosure process is generally automated. However if the system identifies that there is potentially police information held about you, this is then sent to the relevant police force for consideration regarding information which may be disclosed on your certificate. This is not an automated process and involves the judgment of the Chief Officer.

You have the right to object to any automated decision making. It should be noted that you would need to inform us of this on submission of your application as the certificate can be issued quite quickly. Please contact the DBS helpline on 03000 200 190.

Barring service

The only automated decision process currently undertaken is for auto inclusion on a barred list without representations. On notification of inclusion on a barred list you will be informed if your decision has been made by automated means and you will be provided with the opportunity to request a manual review of this decision.

DBS do not currently undertake any profiling activities.

      1. You have the right to make a complaint to the DBS and the Information Commissioner’s Office (ICO)

If you wish to make a complaint to us regarding the way in which we have processed your personal data you can make a complaint to the Data Protection Officer via the contact details in Section 6.1.

If you then remain dissatisfied with the response received, you have the right to lodge a complaint to the ICO at the following address:

The Information Commissioner’s Office

Wycliffe House

Water Lane


Cheshire SK9 5AF

13. Restrictions

13.1 There are restrictions to the rights of individuals and these are:

These restrictions are covered in more detail in the forthcoming Data Protection Bill 2018.

14. Transfer outside the European Economic Area

14.1 If you have spent time in the Channel Islands or the Isle of Man, it is likely that your data will be passed to police forces in that area. If any of your data has to be transferred outside of the UK, the DBS will ensure that an adequate level of protection is put in place.

15. Our staff and systems

    1. All of our staff, suppliers and contractors are security vetted by the Home Office Security Unit prior to taking up employment. All staff are data protection trained and are aware of their data protection responsibilities. This is refreshed on an annual basis.
    1. We conduct regular compliance checks on all DBS departments and systems. All checks are to the standard set out by the Information Commissioner’s Office. In addition continual security checks are carried out on our IT systems.

16. Notification of changes

    1. If we decide to change our Privacy Policy, we will add a new version to our website.