Guidance

DBS referral guide: data protection and security

Updated 14 June 2018

Introduction

Help with understanding data protection issues when referring a person to the Disclosure and Barring Service (DBS).

This is guidance only, it’s not intended to provide legal advice to anyone making a referral to the DBS.

The General Data Protection Regulation (GDPR) and Data Protection Act (DPA) 2018

The GDPR and DPA make provisions for the regulation of the processing of information relating to individuals, including the getting, holding, use or disclosure of information.

The GDPR and DPA also outline 6 data protection principles designed to make sure that personal data is processed in a lawful manner.

Whenever a regulated activity provider, personnel supplier, local authority, keeper of register or supervisory authority refers a person to the DBS, they must consider the legal consequence of the disclosure, and the duty or power which they are making the referral.

Referrals

• Safeguarding Vulnerable Groups Act 2006 (as amended) (SVGA) (paras 35 and 36)

• Safeguarding Vulnerable Groups(Northern Ireland ) Order 2007 parts 37 and 38

This legislation places a legal duty on regulated activity providers (including local authorities where they are the employer) and personnel suppliers to refer any person to the DBS who they’ve removed from regulated activity (or would have removed had they not stopped working in regulated activity) and they think the person has:

• harmed or poses a risk of harm to a child or vulnerable adult; or
• satisfied the harm test
• received a caution or conviction for a relevant offence

Other types of organisations such as keepers of registers, supervisory authorities and local authorities (where the local authority is not the employer) are not under a legal duty to refer to the DBS but have a power to refer if they believe that the person is, has been or might in the future work in regulated activity, and they think the DBS may consider it appropriate to include a person in the barred list and the person has met the criteria listed above.

The difference in the duty to refer and power to refer will need referring parties to take a different approach when making a referral.

Duty to refer

When a regulated activity provider has a legal duty to refer, the information prescribed by the Safeguarding Vulnerable Groups Act 2006 (Prescribed Information) Regulations 2008 or Safeguarding Vulnerable Groups (Prescribed Criteria and Miscellaneous Provisions) Regulations (Northern Ireland) 2009 is exempt from the non-disclosure provisions of the GDPR/DPA because the disclosure is needed by law.

This means that where a person or organisation is under a duty to refer, the GDPR/DPA do not stop the sharing of the prescribed information, and the prescribed information may be legally given to the DBS.

The legal duty to refer to DBS applies to regulated activity providers even when a referral has been made to a body such as a local authority safeguarding team or professional regulator. This is regardless of whether that body has made a referral to the DBS about the person.

Where there is a duty to refer, it should be noted that:

• failure to provide the information to the DBS without reasonable justification may result in, on summary conviction, a fine up to level 5 on the standard scale (presently up to £5,000)

• the DBS must make sure that in respect of any information it receives in relation to a person from whatever source or of whatever nature, it considers whether the information is relevant to its consideration add the person to a barred list(s)

• if a person or organisation making a referral wishes to provide information in addition to that prescribed in legislation, the additional information is not exempt under the GDPR/DPA. This means that referring parties must make sure that they addressed any legal considerations under the GDPR/DPA, and any other relevant legislation in the knowledge of how the DBS may process that information.

Power to refer

While a person or organisation is compelled by law to supply information where a duty exists, the SVGA provides a power to refer allows local authorities, keepers of registers and supervisory authorities to decide whether they feel it is relevant to make a referral and provide the DBS with any information they hold.

The exact nature and type of information these organisations wish to provide is not specified in law. So, the information provided in a referral (where the power exists) can take any form that the referring party feels is appropriate.

As there is no legal duty to provide information under the power to refer, there’s no exemption to the requirements of the GDPR/DPA.

When considering the release of information under the power to refer, it’s important to keep in mind that any disclosure must be made in accordance with the GDPR/DPA and any other relevant legal requirements. For example, local authorities must consider other legislation such as the Human Rights Act 1998.

If a referring party doesn’t know what information they can disclose under the power to refer, they should get independent legal advice.

Duty to give information on request

The duty to provide information on request from DBS (SVGA Para 37) stands when the DBS is considering:

• whether to include a person in a barred list, or
• whether to remove a person from a barred list

The DBS may need any of the following organisations to provide information prescribed under the SVGA 2006 (Prescribed Information) Regulations 2008 or SVGA (Prescribed Criteria and Miscellaneous Provisions) Regulations (Northern Ireland) 2009:

• regulated activity provider
• personnel supplier
• local authority
• keeper of register
• supervisory authority

Because this is a duty to provide information, the prescribed information requested is exempt from the non-disclosure provisions of the GDPR/DPA as the disclosure is required by law.

Where any party has received a request under the duty to provide information on request, they may disclose the prescribed information with reasonable confidence.

But, if upon receipt of a request for information there is any doubt, it is advised that independent legal advice is sought.

Sensitive information

There may be occasions when a referring party may have concerns relating to the release of information to the DBS.

This may be due to a general concern over the disclosure of sensitive, personal information or more focused concerns. For example, where it is feared that the disclosure may impact the:

• prevention, detection or investigation of crime
• the apprehension or prosecution of offenders
• jeopardise the safety, security or liberty of others (especially victims)

Where a referring party is under a duty to refer or a duty to provide information on request, there is a legal duty to provide information which may have this nature of sensitivity.

Disclosing parties need to provide sensitive personal information including details of any child or vulnerable adult who has been harmed or put at risk of harm.

There may be times when a referring party has safeguarding concerns about an individual’s suitability to work with children or vulnerable adults, but feels prohibited from disclosing information under the power to refer due to the GDPR/DPA or other legal issues.

In these circumstances, referring parties may wish to consider editing information to reduce the sensitivity. By providing edited information, DBS will still be able to consider the case and if necessary request additional information from other sources such as the relevant local authority, keeper of register, supervisory authority or other person or organisation.

If a party decides to provide edited information, it’s important that it still remains understandable. Blanking out names mightn’t be enough to hide the identity of an individual, and this must also be considered when preparing a document.

It’s important that it is apparent what information relates to each person involved. To allow the DBS to identify which party an action, comment or other such information belongs to, names may be replaced with alternative tags such as initials, terms like, “Child 1”, “Child 2” or other such methods of flagging and differentiating between individuals.

While DBS request, whenever possible, that information is given in a non-redacted form, it would be preferable for information to be disclosed under the power to refer in a redacted form rather than not at all.

This allows concerns to be highlighted to the DBS, which would otherwise go undisclosed and may lead to placing vulnerable groups at greater risk.

Notification of concerns relating to personal information

Any party giving information to the DBS should be aware that it may be necessary for information to be disclosed to another party. This may include (but not limited to):

• the individual themselves
• the police
• a relevant authority e.g. probation/prison service
• a supervisory authority e.g. National College for Teaching and Leadership
• a keeper of register e.g. General Medical Council

The DBS will only disclose information to another party there is a legal duty to do so. For example:

• in response to a request for subject access made by a person
• to allow a person to provide representations against information which the DBS intend to rely on when barring a person
• a Keeper of Register, eg the General Medical Council requires the disclosure of information under their legislation for a fitness to practice case
• a legal power exists letting the DBS consider the disclosure of information. But, DBS will normally only disclose information for the purposes of safeguarding vulnerable groups, including children

Disclosing parties must note that under normal circumstances, the DBS will not contact any party who has provided information for permission to further disclose information.

But, it’s recognised there may be occasions where information is particularly sensitive, and the release of information may hinder:

• the prevention, detection or investigation of crime;
• the apprehension or prosecution of offenders, or
• the safety, security, liberty or welfare of vulnerable groups including children

Normally the sensitivity relating to the disclosure of information is time limited. When a police investigation hasn’t finished would be one example.

It’s important that the DBS knows of any concerns relating to the disclosure of information in cases of particular sensitivity, such as those mentioned above.

In these cases, any party disclosing information to the DBS may highlight information of particular sensitivity.

This allows the DBS to contact the person or organisation which disclosed the information, to get a better understanding of any concerns, and make an informed decision whether the information may be disclosed.

Security of information

Data Protection principle (f) requires any person or organisation that processes personal data, to make sure enough security safeguards are in place to prevent the accidental or deliberate loss, amendment, destruction or disclosure of information.

Whenever information is disclosed to the DBS, (irrespective of the disclosure being a power or a duty), it is the responsibility of the person or organisation disclosing the information to make sure that information is given to the DBS securely.

Information can be submitted to the DBS electronically via our online services. Any disclosure to DBS by electronic means must take security of the information into consideration.

When information is sent to the DBS by post it is recommended that it is:

• double enveloped (the information is placed in an envelope addressed to the DBS, which is then placed in another envelope, again showing the addressee as the DBS)
• unless the information being provided to the DBS is brief, (only a few pages, and therefore unlikely to rip the envelope due to the weight of contents), it’s recommended that the outer envelope is sealed in a way that seams will not break (eg taping around the envelope near to the edges of each side)
• when sending information by post, tamper proof or tamper evident bags can also be used
• sent to the DBS by recorded delivery or special delivery to make sure the sender has evidence of postage and receipt