Policy paper

Accountable Officer Privacy Policy (HTML)

Updated 5 July 2018

1. About us

1.1 The Disclosure and Barring Service (DBS) helps employers make safer recruitment decisions and prevent unsuitable people from working with vulnerable groups, including children.

1.2 For the purposes of basic DBS checks we search police records and then issue a basic DBS certificate to the applicant.

1.3 Occasionally depending on circumstances, and in order to produce a complete and accurate certificate, we must issue a manually produced certificate. Manual certificates follow the same checking processes as our system-generated certificates and are equally valid. It must be noted however, that applicants issued with a manual certificate cannot join the update service with that certificate.

1.4 DBS offer different types of check issued under the Police Act 1997:

• a basic DBS check shows unspent convictions and conditional cautions under the terms of the Rehabilitation of Offenders Act 1974
• a standard DBS check shows spent and unspent convictions, cautions, reprimands and final warnings which are not subject to filtering
• an enhanced DBS check shows the same as a standard check plus any information held by local police that’s considered reasonably relevant and ought to be disclosed relating to the child or adult workforce. Where the application is for any other role, the police will consider the nature of the role in the release of information
• an enhanced with Barred List(s) DBS check with barred lists shows the same as an enhanced check plus whether the applicant is in the list of people barred from doing the role

2. What is it I need to know?

2.1 This is our privacy policy for an Accountable Officer (AO) who is usually a senior figure within a Responsible Organisation (RO). An RO is an organisation registered with the DBS to submit basic DBS checks on behalf of individuals. The policy tells you how we will use and protect any information we hold about you as part of your registration as an AO.

2.2 The policy also explains what your rights are as an AO under the General Data Protection Regulations. It says why we need your personal data, what we will do with it and what you can expect from us. It also explains how to get a copy of any personal data we may hold about you. This is called a Subject Access Request.

There are further DBS privacy policies which cover other statutory functions undertaken by DBS. They can be accessed here.

3. How will we use the personal information supplied to us?

3.1 We at DBS collect your personal data in order to:

• process request for DBS basic checks - this will include verifying your identity, searching police records, issuing a DBS certificate to you and in certain circumstances, obtaining fingerprints
• assess whether you are suitable to be an AO
• contact you regarding the consideration or changes to your DBS basic DBS check and/or registration status
• contact you in relation to further information that is required on any applications that your RO has submitted to either progress the application or as part of assessing compliance to the basic check processing standards
• contact you regarding any changes you need to be aware of relating to DBS services and products

3.2 DBS must satisfy itself that you and your RO can comply with the requirements set out in the basic check terms and conditions, basic check processing standards and web services interchange agreement and that the person to be appointed as the AO within the RO is suitable.

3.3 To assess suitability we require you to apply for a basic check via DBS as part of the RO registration process. Before you submit a basic check you will be asked to read the Basic Check Privacy Policy. You must apply directly to DBS and not use any other organisation to submit your check. When you receive your basic disclosure certificate you will need to send this to DBS, which we will return. More details about this will be issued to you during the registration process.

3.4 The consequence of registration is that the DBS function within section 118 Police Act 1997, in respect of ensuring the application is supported by such evidence to verify the identity of the applicant, is delegated by the DBS to your organisation under paragraph 7 of Schedule 8 to the Protection of Freedoms Act 2012.

For this reason we must be sure of your suitability to act as an AO and your organisation to register as a Responsible Organisation.

3.5 Suitability assessment of the AO

3.6 A suitability decision will be made using the information contained on the basic disclosure check you obtain and present to DBS. This will be done on a case-by-case basis following the DBS Accountable Officer risk assessment. Suitability will be assessed in relation to the functions carried out by the RO.

3.7 These functions include ensuring that any application that is made under section 112 Police Act, and submitted by the RO, is supported by such evidence required by DBS under section 118 Police Act 1997 to verify the identity of the applicant. Suitability will also be assessed for the role of the RO in processing personal sensitive information on behalf of individual applicants to DBS and, with the consent of the applicant, to proposed employers.

3.8 Generally, DBS considers that it is likely that offences of dishonesty and extortion, serious sexual and violent offences and non-minor drug offences could in principle impact upon a person’s suitability, depending on the circumstances of the relevant offence and how long ago it occurred. However, each case will be considered on its own merits. In considering each case the following factors, will be taken into account:

• the nature of the offences and their relevance to the functions
• the seriousness of the offences
• the number of offences
• date of the offences
• the circumstances surrounding the offending
• the person’s attitude to the offending
• any change in circumstances since the offences occurred
• any other mitigating circumstances and/or other factors which are considered relevant to suitability

3.9 Financial credit check

3.10 As payments for basic DBS checks will be made in arrears we will carry out a financial credit check of your organisation to assess the credit worthiness and this will inform the approval of your organisation payment account status as part of the registration process. If you are already registered with DBS as a Registered Body we will not carry out this check as we already have a financial relationship with you.

3.11 The information we collect about you depends on the reason for your business with us. DBS may use the information it obtains for any of the purposes listed in paragraph 3.1.

3.12 Your information may also be used for testing purposes. Testing is undertaken to ensure that our systems function as per specified requirements. If it is not practical to disguise your data or use dummy data then we will test our system using your data. This testing will only take place in environments that are secured to the same level as our live system.

Please note - we may use previous applications you have submitted to assist in the checking process.

4. Who is the data controller?

4.1 A data controller decides the purpose, and the manner, in which any personal detail is processed.

4.2 DBS is the data controller of information held by us for the purposes of GDPR. We have the responsibility for the safety and security of all the data we hold.

5. Who are the data processors?

5.1 A data processor is anyone (other than an employee of a data controller) who processes that data on behalf of the controller.

5.2 At DBS we have a range of suppliers who process data on behalf of DBS as defined in section 9. We make sure that our data processors comply with all relevant requirements under data protection legislation. This is defined in our contractual arrangements with them.

6. Contacting the Data Protection Officer

6.1 The DBS Data Protection Officer can be contacted via telephone on 0151 676 1154, via email at dbsdataprotection@dbs.gov.uk, or in writing to:

DBS Data Protection Officer
Disclosure and Barring Service
PO Box 165
Liverpool
L69 3JD

7. What are the legal grounds for processing my information?

7.1 DBS was established under the Protection of Freedoms Act (PoFA) 2012 on 1 December 2012. Disclosure functions of DBS are contained within Part V of the Police Act 1997.

7.2 The functions carried out by an RO include ensuring that any application that is made under section 112 Police Act, and submitted by the RO, is supported by such evidence required by DBS under section 118 Police Act 1997 to verify the identity of the applicant.

7.3 In addition to the above we may share information with third parties for other purposes where we are legally permitted to do so.

8. Why would DBS hold my personal data?

8.1 We will only hold your data if you have:

• previously used or are using the Disclosure Service
• been referred to the DBS for consideration under the Safeguarding Vulnerable Groups Act 2006 (SVGA)/Safeguarding Vulnerable Groups (Northern Ireland) Order 2007
• cautioned or convicted for a relevant (automatic barring) offence that lead to DBS considering you for inclusion in one or both lists

8.2 If we ask you for personal information, we will:

• make sure you know why we need this information
• only ask for information that we need
• ensure only those appropriate have access to it
• store your information securely
• inform you if the information will be shared with a third party
• ask you to agree to us sharing your information where you have a choice
• only keep your information for as long as we need to – see our Retention Policy
• not make it available for commercial use (such as marketing) without your permission
• ensure you are provided with a copy of data we hold on you, on request – this is a Subject Access Request
• ensure there are procedures in place for dealing promptly with any disputes or complaints

8.3 In return, we will ask you to:

• give us accurate information
• tell us as soon as possible if there are any changes to your details, such as a new address

8.4 This helps us to keep your information reliable, up-to-date and secure. It will apply whether we hold your data on paper or in electronic form.

9. Organisations that are involved in the AO and RO registration process

9.1 Data will be passed to organisations and data sources involved with DBS where it is legally permitted to do so. This includes:

• Canadian Global Information (CGI) - CGI supply technology services to DBS - they support the IT infrastructure that allows us to process DBS checks and barring referrals
• Hinduja Global Solutions UK (HGS) - HGS supply contact centre and back office services to DBS; they provide frontline customer support to our service users
• Police forces in England, Wales, Scotland, Northern Ireland, the Isle of Man, and the Channel Islands - searches will be made on the Police National Computer
• Independent Complaints Reviewer (ICR) - part of their role to investigate complaints that have gone through internal review process
• United Kingdom Central Authority - for exchange of criminal records with other EU countries
• DXC Technology our provider for cloud storage
• National Identity Services (NIS) - assisting in the uploading of old criminal records from Micro Fiche to the Police National Computer (PNC)

10. Where is my data stored?

10.1 Your data is held in a secure computer files. These have restricted access. Where your data is held in paper format we have secure storage and processes for this. In some cases we may use secure offsite storage. We have approved measures in place to stop unlawful access and disclosure. All our IT systems are subject to formal accreditation in line with HM Government (HMG) policy. They also comply with the security required within GDPR to make sure that personal data is processed in a manner that ensures that appropriate security of the data including protection against unauthorised or unlawful processing.

11. How long will DBS hold my information?

11.1 We operate a Data Retention Policy to ensure that data is not held for longer than necessary. However at present, there is a restriction on the destruction of information due to the ongoing Independent Inquiry into Child Sexual Abuse. DBS are currently reassessing the retention requirements in light of this.

11.2 Any data that we identity that could be called on by the inquiry will be retained until completion of the inquiry. At this point the information will be securely destroyed as soon as is practicable.

12. What are my rights? How will DBS protect them?

12.1 We are committed to protecting your rights under the GDPR.

12.1.1 Your right to be informed

This document provides you with information in relation to how your data is processed as a DBS applicant.

12.1.2 Your right to access to your personal data held by DBS - known as a Subject Access Request

You have the right to request a copy of the information DBS hold about you.

On receipt of a valid application we will tell you whether we hold any data about you and provide you with a copy. Further information on how to apply can be found here.

12.1.3 Your right to request information held is accurate. Can I update it?

If you think that the information held by us at the DBS is incorrect, you have the right to request it is corrected. If you challenge the accuracy of data that was provided to us by a third party we will send your request for correction to that party for their consideration.

If you believe you have submitted an error on your application that is still in progress you will need to contact us immediately on 03000 200 190.

If you wish to dispute information as contained on your completed certificate you can raise a dispute by contacting us on 03000 200 190.

Third parties can also dispute a DBS certificate if they have all the necessary certificate information:

• the applicant’s name
• the applicant’s date of birth
• the certificate number and issue date
• the applicant’s address

Where this is the case you will be notified that a third party has raised a dispute.

Read our guidance on GOV.UK for more information about disputes.

12.1.4 Your right to request erasure of your personal data

In certain circumstances you have a right to have personal data held about you erased. As the DBS we will only do this if certain criteria are met. There are some circumstances where this cannot be done therefore we advise you to seek independent advice before submitting an application to DBS.

Any requests for information to be destroyed will be considered on a case-by-case basis. There are some specific circumstances where the right to erasure does not apply and we may refuse your request.

12.1.5 Your right to prevent DBS from processing information which is likely to cause you damage/distress

You have the right to request restriction of processing where it has been established that one of the following applies:

• during the period of rectification if accuracy of personal data is contested
• processing is unlawful
• an individual has requested it is retained to enable them to establish, exercise or defend legal claims
• pending verification of the outcome of the Right to object
• where processing has been restricted

You can request restriction of processing for any of the above reasons until these are resolved. Any requests to stop processing will be considered on a case-by-case basis. Should you wish to restrict processing you will need to call the DBS helpline on 03000 200 190.

12.1.6 Right to receive an electronic copy of any information you have consented to be supplied to us - known as data portability

You have the right, where this is technically feasible to receive electronically any personal data you have provided to DBS to process on a consent basis.

Please note that basic, standard and enhanced certificates are processed under our legal obligation, under Part V of the Police Act 1997, and barring information is processed under the Safeguarding and Vulnerable Groups Act 2006. Therefore this information falls outside of the right to data portability.

All requests for portability will be considered on a case-by-case basis.

12.1.7 You have the right to object to processing of your information

Should you wish us at DBS to stop processing your application you will need to withdraw the application.

12.1.8 You have rights relating to automated decisions being made about you

Our Disclosure process is generally automated. You have the right to object to any automated decision-making. It should be noted that you would need to inform us of this on submission of your application by contacting us on 03000 200 190.

DBS do not currently undertake any profiling activities.

12.1.9 You have the right to make a complaint to DBS and the Information Commissioner’s Office (ICO)

If you wish to make a complaint to us regarding the way in which we have processed your personal data you can make a complaint to the Data Protection officer via the contact details in Section 6.1. If you then remain dissatisfied with the response received, you have the right to lodge a complaint to the ICO at the following address:

The Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

https://ico.org.uk/

13. Our staff and systems

13.1 All our staff, suppliers and contractors are security vetted by the Home Office security unit prior to taking up employment. All staff are data protection trained and are aware of their data protection responsibilities and this is refreshed on an annual basis. We conduct regular compliance checks on all DBS departments and systems. All checks are to the standard set out by the Information Commissioners Office. In addition continual security checks on our IT systems are undertaken.

14. Notification of changes

14.1 If we decide to change our privacy policy, we will add a new version to our website.