- What is it I need to know?
- The Policy also explains what your rights are as a standard or enhanced applicant under the General Data Protection Regulations. It says why we need your personal data, what we will do with it and what you can expect from us. It also explains how to get a copy of any personal data we may hold about you. This is called a Subject Access Request.
- We do have other Privacy Policies that cover our other statutory functions. They can be accessed here.
- How will we use the personal information supplied to us?
- We at the DBS collect your personal data in order to:
- process requests for criminal records checks (DBS checks). This will include searching police records, issuing a DBS certificate to the applicant and in certain circumstances, obtaining fingerprints
- decide whether it is appropriate for a person to be placed on or removed from a barred list, if information is disclosed on a DBS certificate
- process ‘Adult First’ checks – this is a service provided by the DBS under the Police Act 1997. It can be used in exceptional cases where a person is permitted to start regulated activity work with adults, before a DBS certificate has been obtained. This service is only available to organisations who are eligible to access the DBS adults’ barred list and who have requested a check of the barred list on their DBS application form. The DBS Adult First check allows an individual to be checked against the DBS adults’ barred list ahead of the Disclosure certificate being issued. A preliminary result is sent to the Registered Body who submitted the application
- process payments when appropriate
- The information we collect about you depends on the reason for your business with us. We may use the information we obtain for any of the purposes listed above.
- Your information may also be used for testing purposes. Testing is undertaken to ensure that our systems function as per specified requirements. If it is not practical to disguise your data or use dummy data then we will test our system using your data. This testing will only take place in environments that are secured to the same level as our live system.
Please note we may use previous applications you have submitted to assist in the checking process.
- Who is the data controller?
- A data controller decides the purpose and the manner in which any personal data is processed.
- The DBS is the data controller of information held by us for the purposes of GDPR. We are responsible for the safety and security of the data we hold.
- Who are the data processors?
- A data processor is anyone (other than an employee of a data controller) who processes that data on behalf of the controller.
- At the DBS we have a range of suppliers who process data on behalf of DBS as defined in section 9. We make sure that our data processors comply with all relevant requirements under data protection legislation. This is defined in our contractual arrangements with them.
- The DBS Data Protection Officer Elaine Carlyle can be contacted via telephone on 0151 676 1154, via email at firstname.lastname@example.org, or in writing to:
DBS Data Protection Officer
Disclosure and Barring Service
PO Box 165
- What are the legal grounds for processing my information?
- The DBS was established under the Protection of Freedoms Act (PoFA) 2012 on 1 December 2012. Disclosure functions of the DBS are contained within Part V of the Police Act 1997.
- We provide a service which enables employers in the public, private and voluntary sectors to make suitability decisions. We do this by providing information to enable them to determine whether individuals are unsuitable or unable to undertake certain work in particular, with occupations involving regular contact with vulnerable groups, including children.
7.3. In addition to the above, we may share information with third parties for other
purposes where we are legally permitted to do so.
- Why would DBS hold my personal data?
- We will only hold your data if you have:
- previously used or are using the Disclosure Service
- been referred to the DBS for consideration under the Safeguarding Vulnerable Groups Act 2006 (SVGA) or Safeguarding Vulnerable Groups (Northern Ireland) Order 2007
- been cautioned or convicted for a relevant (automatic barring) offence that leads to the DBS considering you for inclusion in one or both lists
- If we ask you for personal information, we will:
- make sure you know why we need this information
- only ask for information that we need
- ensure only those appropriate have access to it
- store your information securely
- inform you if the information will be shared with a third party
- ask you to agree to us sharing your information where you have a choice
- only keep your information for as long as we need to – see our Retention Policy
- not make it available for commercial use (such as marketing) without your permission
- ensure you are provided with a copy of data we hold on you, on request – this is called a Subject Access Request
Please note: We will share information with ‘relevant authorities’ such as the police, government departments etc. under UK Data Protection Act Prevention and Detection of Crime (Sch2, Part 1 Paragraph 2).
We will also share information under UK Data Protection Act (Sch2 Part 2 Paragraph 5 (2)) where disclosures are required by law or made in connection with legal proceedings.
- In return, we will ask you to:
- give us accurate information
- tell us as soon as possible if there are any changes to your details, such as a new address
- This helps us to keep your information up to date and secure. It will apply if we hold your data on paper or in electronic form.
- Organisations that are involved in the Disclosure Service
- Data will be passed to organisations and data sources involved with the DBS where we are legally permitted to do so. This includes:
- Tata Consultancy Services (TCS) including their third party suppliers – a partner and data processor in the DBS service
- Police forces in England, Wales, Scotland, Northern Ireland, the Isle of Man, and the Channel Islands – searches will be made on the PNC and data may be passed to local police forces. The data will be used to update any personal data the police currently hold about you
- ACRO Criminal Records Office – manages criminal record information and improves the exchange of criminal records and biometric information
- Other data sources such as British Transport Police, the Service Police and the Ministry of Defence Police – searches are made using an internal database. Where a match occurs the information will be shared to ensure that the record match is you
- Disclosure Scotland – if you have spent any time in Scotland, your details may be referred to Disclosure Scotland
- Garda – if information held by Police Service Northern Ireland (PSNI) indicates some information exists in the Republic of Ireland your details may be referred to Garda
- Access Northern Ireland – if you have spent any time in Northern Ireland your details may be referred to Access Northern Ireland
- Independent monitor (IM) – to undertake reviews on local intelligence (approved information) released by local police forces
- Independent Complaints Reviewer (ICR) – part of their role to investigate complaints that have gone through internal review process
- United Kingdom Central Authority – for exchange of criminal records with other EU countries
- The Child Exploitation Online Protection Centre (CEOP) who are National Crime Agency (NCA) Command
- Registered Bodies – the bodies registered with the DBS to submit Disclosure checks
- DXC Technology – our provider for cloud storage
- ATOS – for the collection of e-bulk application data
- National Identity Services (NIS) – assisting in the uploading of old criminal records from Micro Fiche to the Police National Computer (PNC)
- Where is my data stored?
- Your data is held in secure paper and computer files. These have restricted access. Where your data is held in paper format we have secure storage and processes for this. In some cases we may use secure off-site storage. We have approved measures in place to stop unlawful access and disclosure. All of our IT systems are subject to formal accreditation in line with Her Majesty Government (HMG) policy. They also comply with the security required within GDPR to make sure that personal data is processed in a manner that ensures appropriate security of the data including protection against unauthorised or unlawful processing.
- How long will DBS hold my information?
- We operate a Data Retention Policy to ensure that data is not held for longer than necessary. However at present, there is a restriction on the destruction of information due to the ongoing Independent Inquiry into Child Sexual Abuse. DBS are currently reassessing the retention requirements in light of this.
- Any data we identify that could be called on by the inquiry will be retained until completion of the inquiry. At this point the information will be securely destroyed as soon as is practicable.
- What are my rights? How will DBS protect them?
- We are committed to protecting your rights under the GDPR.
- Your right to be informed
This document provides you with information in relation to how your data is processed as a DBS applicant. This ensures that we are transparent with regards to what we will do with the information you supply to us on your standard or enhanced application.
- Your right to access to your personal data held by the DBS – known as a Subject Access Request
You have the right to request a copy of the information we hold about you.
On receipt of a valid application we will tell you whether we hold any data about you and provide you with a copy. Further information on how to apply can be found here.
If you think that the information held by us at the DBS is incorrect, you have the right to request that it is corrected. If you challenge the accuracy of data that was provided to us by a third party we will send your request for correction to that party for their consideration.
It is the duty of both you and the Registered Body, the organisation who verifies your identity, to ensure that the information you have submitted on your application form is accurate.
If you believe you have submitted an error on an application that is still in progress you will need to contact us immediately on 03000 200 190.
If you wish to dispute information contained on a completed certificate you can raise a dispute by contacting us on 03000 300 190.
Third parties can also dispute a DBS certificate if they have all the necessary certificate information:
- the applicant’s name
- the applicant’s date of birth
- the certificate number
- the issue date
- the applicant’s address
Where this is the case the applicant will be notified by the DBS that a third party has raised a dispute.
Read our guidance on GOV.UK for more information about disputes.
- Your right to request erasure of your personal data
In certain circumstances you have a right to have personal data held about you erased. At the DBS we will only do this if certain criteria are met. There are some circumstances where this cannot be done therefore we advise you to seek independent advice before submitting an application to us.
Any requests for information to be erased will be considered on a case-by-case basis.
There are some specific circumstances where the right to erasure does not apply and we may refuse your request.
- Your right to prevent DBS from processing information which is likely to cause you damage or distress
You have the right to request restriction of processing where it has been established that one of the following applies:
- the accuracy of personal data is contested, during the period of rectification
- where processing is unlawful
- where an individual has requested it is retained to enable them to establish, exercise or defend legal claims
- pending verification of the outcome of the right to object
- where processing has been restricted
DBS customers can request restriction of processing for any of the above reasons until these are resolved. Should you wish to restrict processing you will need to call the DBS helpline on 03000 200 190. Any requests to stop processing will be considered on a case-by-case basis.
- Right to receive an electronic copy of any information you have consented to be supplied to us – known as data portability
You have the right, where this is technically feasible, to electronically receive any personal data you have provided to the DBS to process, on a consent basis.
Please note that basic, standard and enhanced certificates are processed under our legal obligation, under Part V of the Police Act 1997, and barring information is processed under the Safeguarding and Vulnerable Groups Act 2006. Therefore, this information falls outside of the right to data portability.
All requests for portability will be considered on a case-by-case basis.
- You have the right to object to the processing of your information
Should you wish for the DBS to stop processing your application you will need to withdraw the application.
- You have rights relating to automated decisions being made about you
Our disclosure process is generally automated. However if the system identifies that there is potentially police information held about you, this is then sent to the relevant police force for consideration regarding information which may be disclosed on your certificate. This is not an automated process and involves the judgment of the Chief Officer.
You have the right to object to any automated decision making. It should be noted that you would need to inform us of this on submission of your application as the certificate can be issued quite quickly. Please contact the DBS helpline on 03000 200 190.
The only automated decision process currently undertaken is for auto inclusion on a barred list without representations. On notification of inclusion on a barred list you will be informed if your decision has been made by automated means and you will be provided with the opportunity to request a manual review of this decision.
DBS do not currently undertake any profiling activities.
- You have the right to make a complaint to the DBS and the Information Commissioner’s Office (ICO)
If you wish to make a complaint to us regarding the way in which we have processed your personal data you can make a complaint to the Data Protection Officer via the contact details in Section 6.1.
If you then remain dissatisfied with the response received, you have the right to lodge a complaint to the ICO at the following address:
The Information Commissioner’s Office
Cheshire SK9 5AF
13.1 There are restrictions to the rights of individuals and these are:
- National Security
- Defence Public Security
- Crime & Taxation
These restrictions are covered in more detail in the forthcoming Data Protection Bill 2018.
14. Transfer outside the European Economic Area
14.1 If you have spent time in the Channel Islands or the Isle of Man, it is likely that your data will be passed to police forces in that area. If any of your data has to be transferred outside of the UK, the DBS will ensure that an adequate level of protection is put in place.
15. Our staff and systems
- All of our staff, suppliers and contractors are security vetted by the Home Office Security Unit prior to taking up employment. All staff are data protection trained and are aware of their data protection responsibilities. This is refreshed on an annual basis.
- We conduct regular compliance checks on all DBS departments and systems. All checks are to the standard set out by the Information Commissioner’s Office. In addition continual security checks are carried out on our IT systems.
16. Notification of changes