Policy paper

Barring Privacy Policy

Updated 1 October 2021

© Crown copyright 2021

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/barring-privacy-policy/barring-privacy-policy

1. Introduction

1.1. This is the Privacy Policy for the Disclosure and Barring Service (DBS) barring function. It tells you how we will use and protect any information we are required to collect about you.

1.2. This policy explains your rights as a barring customer of the DBS. There are further DBS privacy policies which cover other statutory functions undertaken by DBS. They can be accessed here. The policy explains why we need your personal data, what we will do with your data and what you can expect from us. It also explains how to get a copy of any personal data we may hold about you. This is called a Subject Access Request.

1.3. This policy tells you why the DBS collects and processes your data in compliance with the Data Protection Act (DPA) 2018 and the General Data Protection Regulation (GDPR). It should be noted that in January 2021, the UK became a third country with regard to GDPR as the UK is no longer a member of the European Union.

2. Why DBS collects and uses information

2.1. DBS collects information in order to:

  • decide whether it is appropriate for a person to be placed on or removed from a barred list. This decision may include the use of any information that has been disclosed on a DBS certificate
  • process requests for DBS checks - this will include searching police records and issuing a DBS certificate
  • process ‘Adult First’ Checks - this service is only available to organisations who are eligible to access the DBS adults’ barred list and who have requested a check of the barred lists on their DBS application form
  • process payments when appropriate

2.2. The information we collect about you depends on the reason you were referred to the DBS i.e. if you’re a witness or victim of the behaviour of the individual referred, have made an enquiry to DBS, have made a referral or have been given consent to receive information - however we may use the information for any of the purposes listed above.

2.3. We may check information about you with other information we hold e.g. previous referrals. We may request information from other identified relevant organisations e.g. police, Social Services etc.

2.4. We may get information about you from employers and other identified relevant organisations e.g. Social Services, police, Keepers of Registers, Supervisory Authorities etc.

2.5. The information is collected and processed in order to help employers make safer recruitment decisions and prevent unsuitable people from working with vulnerable groups, including children.

2.6. Your information may be used for testing purposes. Testing is undertaken to ensure that our IT systems function as per specified requirements. Where it is not practical to disguise your data or use dummy data, we will test our systems using your data. This testing will only take place in environments that are secured to the same level as our live system.

2.7. You may also be contacted on a one-off basis for the purpose of gathering your views and obtaining feedback on the service you have received. This customer satisfaction insight will help us to improve our products and services. You may be contacted via email, SMS (text message), or by letter.

3. Data Controller

3.1. The DBS is the ‘data controller’ of information held by the DBS for the purposes of DPA/GDPR. A data controller determines the purposes for which, and the manner in which, any personal data is to be processed (alone, jointly or in common with others).

3.2. We have responsibility for the safety and security of the data we hold.

4. Data Processor

4.1. Any supplier that works on behalf of the DBS is one of our ‘data processors’. A data processor is any organisation that processes data on behalf of the DBS. We make sure that our ‘data processors’ comply with all relevant requirements under data protection legislation. This is defined in the contractual arrangements.

5. Contacting the Data Protection Officer

5.1. The DBS Data Protection Officer can be contacted via email at dbsdataprotection@dbs.gov.uk or in writing to:

DBS Data Protection Officer
Disclosure and Barring Service
PO Box 165
Liverpool
L69 3JD

6.1. For the Barring function your data is collected/requested and processed under the legal provision of The Safeguarding Vulnerable Groups Act 2006 (SVGA) / Safeguarding Vulnerable Groups (Northern Ireland) Order 2007 (SVGO).

6.2. This is to determine whether it is appropriate to include you in the children’s barred list and/or adults’ barred list. It is also used to provide employers with suitability information to make informed recruitment decisions should you make an application for an enhanced DBS with barred list check.

For further information about standard or enhanced DBS checks please access the relevant policies here.

7. What personal data do we hold?

7.1. We will only hold your data if you have:

7.2. We may be required to gather further information from relevant parties in order to consider your case. DBS will only request information that is relevant and where we are legally permitted to do so under SVGA/SVGO.

7.3. The DBS also has access to Police National Computer (PNC) and police intelligence.

7.4. The data we will hold will be personal details and often personally sensitive information i.e. mental health and/or criminal information.

7.5. The DBS do not intentionally collect sensitive data (as defined in data protection legislation) that it is not relevant to our function.

7.6. If we ask you for personal information, we will:

  • make sure you know why we need this information
  • only ask for information that we need
  • ensure only those appropriate have access to it
  • store your information securely
  • inform you if the information will be shared with a third party
  • ask you to agree to us sharing your information where you have a choice
  • only keep your information for as long as we need to – see our Retention Policy
  • not make it available for commercial use (such as marketing) without your permission
  • ensure you are provided with a copy of data we hold on you, on request – this is called a Subject Access Request
  • ensure there are procedures in place for dealing promptly with any disputes or complaints

7.7. In return, we ask you to:

  • give us accurate information
  • tell us as soon as possible if there are any changes to your details, such as a new address

7.8. This helps us to keep your information reliable, up to date and secure. This will apply whether we hold your data on paper or in electronic form.

8. Who do DBS share data with?

8.1. SVGA Sch 3 Para 21 requires DBS to provide the Secretary of State with prescribed information relating to:

  • inclusion in a barred list
  • consideration of inclusion in one or both barred list(s)

8.2. This means that DBS may share information with other government departments. We will only share information where there is legislation enabling DBS to do so, and will only share what is relevant to their function, for example, the Department for Education.

8.3. DBS is also required, and permitted, by legislation to share data with the following organisations. In the majority of cases, the DBS shares information on a case-by-case basis.

8.4. We may also share information where there is ‘legitimate interest’.

Legitimate interest requests are used by several bodies and, in some cases, individuals; they are commonly used by employers, managers of volunteers and local authorities who can demonstrate a need to know e.g. they are looking to employ an individual in regulated activity, or they make a referral to DBS and retain an interest in the person for example, they still employ them.

The legitimate interest request provision is included in secondary safeguarding legislation.

We will tell you if your information has been shared under the legitimate interest provision.

8.5. Keepers of Registers

  • Social Care Wales
  • Education and Training Inspectorate (NI) (ETI)
  • General Chiropractic Council (GCC)
  • General Dental Council (GDC)
  • General Medical Council (GMC)
  • General Optical Council (GOptC)
  • General Osteopathic Council (GOstC)
  • General Teaching Council Northern Ireland (GTCNI)
  • Education Workforce Council (EWC)
  • Health and Care Professions Council (HCPC)
  • Northern Ireland Social Care Council (NISCC)
  • Nursing and Midwifery Council (NMC)
  • Pharmaceutical Society of Northern Ireland (PSNI)
  • General Pharmaceutical Council (GPhC)

8.6. Supervisory Authorities

  • Care Inspectorate Wales (CIW)
  • Care Quality Commission (CQC)
  • Charity Commission (CC)
  • Charity Commission for Northern Ireland (CCNI)
  • Children’s Health and Social Services Directorate, Wales (CHSSD)
  • Estyn
  • Health Inspectorate Wales (HIW)
  • Office of the Public Guardian (OPG)
  • Ofsted
  • Regulation and Quality Improvement Authority (RQIA)
  • Teaching Regulation Agency (TRA)

9. Organisations that are involved with DBS

9.1. Data may also be passed to organisations involved with DBS where it is legally permitted to do so. These are:

Canadian Global Information (CGI) - CGI supply technology services to DBS. They support the IT infrastructure that allows us to process DBS checks and barring referrals.

Hinduja Global Solutions UK (HGS) - HGS supply contact centre and back office services to DBS. They provide frontline customer support to our service users.

SPS (Swiss Post Solutions) - SPS is a global full-service provider of physical and digital document management.

Police forces in England, Wales, Scotland, Northern Ireland, the Isle of Man, and the Channel Islands - searches will be made on the Police National Computer (PNC) and data may be passed to local police forces. The data will be used to update any personal data the police currently hold about you.

ACRO Criminal Records Office - manages criminal record information and improves the exchange of criminal records and biometric information.

Other data sources such as British Transport Police, the Service Police and the Ministry of Defence Police - searches are made using an internal database. Where a match occurs the information will be shared to ensure that the record match is you.

Disclosure Scotland – if you have spent any time in Scotland, your details may be referred to Disclosure Scotland.

Access Northern Ireland – if you have spent any time in Northern Ireland your details may be referred to Access Northern Ireland. DBS also considers barring information under SVGO.

Garda - if information held by Police Service Northern Ireland (PSNI) indicates some information exists in the Republic of Ireland your details may be referred to Garda.

United Kingdom Central Authority - for exchange of criminal records with other EU countries. This is under the decision made by the council of The European Union.

The Child Exploitation Online Protection Centre (CEOP) who are National Crime Agency (NCA) Command

Independent Monitor (IM) - to undertake reviews on local intelligence (approved information) released by local police forces.

Independent Complaints Reviewer (ICR) - part of their role is to investigate complaints that have gone through internal review process.

DXC Technology - our provider for cloud storage.

Cabinet Office - The Cabinet Office are responsible for GOV.UK Notify which is a service that may be used to assist with contacting customers regarding customer satisfaction.

10. Other organisations we may share information with

10.1. Please note: We will share information with ‘relevant authorities’ such as the police, government departments etc. under UK Data Protection Act Prevention and Detection of Crime (Sch2, Part 1 Paragraph 2).

We will also share information under UK Data Protection Act (Sch2 Part 2 Paragraph 5 (2)) where disclosures are required by law or made in connection with legal proceedings.

10.2. We may also share information where you provide your consent for DBS to do so.

11. Storage of data

11.1. Your data is held in secure paper and computer files. These have restricted access. Where your data is held in paper format we have secure storage, secure off-site storage and processes for this.

11.2 We have approved measures in place to stop unlawful access and disclosure. All our IT systems are subject to formal accreditation in line with HMG policy. They also align with the security required within DPA/GDPR to protect against unauthorised or unlawful processing.

12. Retention of data

12.1. We operate a Data Retention Policy to ensure that data is not held for longer than necessary. Customers are advised at the outcome of the barring consideration how long the data will be retained by the DBS. However at present, there is a restriction on the destruction of information due to the ongoing Independent Inquiry into Child Sexual Abuse. DBS are currently reassessing the retention requirements in light of this.

12.2. DBS is currently retaining information past the DBS Retention date due to the ongoing notification from the Independent Inquiry into Child Sexual Abuse (IICSA). At the expiry of the DBS Data Retention period you have been notified of, we remove your information from operational control and it will only be supplied to IICSA following a legal request.

12.3. At the conclusion of IICSA your information will be securely destroyed as soon as is practicable.

13. Your rights and how we protect them

13.1. We are committed to protecting your rights under GDPR and the right to be informed how your data is processed.

13.2. Your right to access your personal data held by DBS

13.2.1. You have the right to request a copy of the information DBS hold about you this is known as Subject Access Request. Further information on this process and how to apply can be found here.

13.3. Your right to request information held is accurate and how to update it

13.3.1. If you think that the information held by us is incorrect, you have the right to request it is corrected.

13.3.2. Where the information was provided to DBS by another party, this request will be forwarded to the relevant party. They will be asked to consider the request to correct the information. For example, if your request relates to an employer statement, strategy minutes or the PNC, the request will be sent to the originating organisation for consideration.

13.3.3. If you believe any of the information we hold on you is incorrect please contact the DBS helpline on 03000 200 190 or contact us via e-mail on dbsdispatch@dbs.gov.uk. We will do everything we can to make sure that your concerns are addressed as quickly as possible and that amendments are made where they can be.

13.4. Your right to request erasing your personal data – also known as your ‘right to be forgotten’

13.4.1. In certain circumstances you have the right to have personal data held about you erased. We will only do this if certain criteria are met. There are some circumstances where this cannot be undertaken. You should seek independent advice in this regard.

13.4.2. DBS is required by law (SVGA/SVGO) to consider whether it is appropriate to include an individual in one or both of the barred lists. Therefore there are some circumstances where the right to be forgotten will not apply and we may refuse your request.

13.4.3. Where information is processed under this provision, the data will be retained and destroyed in compliance with the Data Retention Policy. Any requests for information to be destroyed will be considered on a case-by-case basis.

13.5. Your right to prevent processing likely to cause you damage or distress

13.5.1. You have the right to request restriction of processing where it has been established that one of the following applies:

  • accuracy of personal data is contested during the period of rectification
  • processing is unlawful
  • an individual has requested it is retained to enable them to establish, exercise or defend a legal claim
  • pending verification of the outcome of the right to object
  • where processing has been restricted

13.5.2. It should be noted that this is unlikely to apply to information supplied under Safeguarding & Vulnerable Groups Act 2006 (SVGA).

SVGA Sch 3 Prt 3 13 (1)/ SVGO, the Safeguarding Vulnerable Groups (Northern Ireland) Order 2007:

‘DBS must ensure that in respect of any information it receives in relation to an individual from whatever source or of whatever nature it considers whether the information is relevant to its consideration as to whether the individual should be included in each barred list.’

You can request restriction of processing for any of the above reasons until these are resolved. Should you wish to restrict processing you will need to contact us on 03000 200 190.

13.6. Your right to receive an electronic copy of any information you have consented to be supplied to us – also known as data portability

13.6.1. You have the right, where it is technically feasible to receive electronically any personal data you have provided to DBS if you wish. This will enable you to give this to another organisation. It should noted that this is unlikely to apply to information supplied under SVGA/SVGO, however all requests for portability will be considered on a case-by-case basis.

13.7. Your rights relating to automated decisions being made about you

13.7.1. You have the right to object to automated processing of your information. The only automated decision process currently undertaken is for auto inclusion in a barred list without representations.

13.7.2. Within the barring process, automated decision-making is limited to the processing of information relating to certain serious criminal offences. If cautioned or convicted for such offences you may be automatically included in the children’s and/or adults’ barred list. The law requires DBS to do this.

13.7.3. Letters informing you of your barred status will explain when this action has been taken and confirm your right to object. Exercising this right will only result in removal from a list if a processing error has occurred or the information upon which the decision was based was incorrect.

13.7.4. Currently, DBS does not undertake any profiling activities.

13.8. You have the right to make a complaint to the DBS and Information Commissioner’s Office (ICO)

13.8.1. If you wish to make a complaint to us regarding the way in which we have processed your personal data you can make a complaint to the Data Protection Officer via the contact details set out in Section 5 of this policy.

If you remain dissatisfied with the response received, you have the right to lodge a complaint to the Supervisory Authority. The Supervisory Authority for the UK is:

The Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

https://ico.org.uk/

13.9. Your right to effective judicial remedy against a controller or processor

13.9.1. You have the right to an effective judicial remedy in certain circumstances against us as data controller or our data processor(s). You should seek your own independent legal advice with regard to this right.

13.10. Your right to appoint representation

13.10.1. You have the right to appoint a not-for-profit body, organisation or association to act on your behalf where you believe the following rights have not been adhered to:

  • Right to lodge a complaint with a Supervisory Authority i.e. ICO
  • Right to effective judicial remedy against a Supervisory Authority i.e. ICO
  • Right to an effective judicial remedy against a controller or processor

13.10.2. You should seek your own independent legal advice with regard to these rights.

13.11. Compensation for failure to comply (DPA Para 13) / Right to compensation and liability (GDPR Article 82)

13.11.1. You have the right to seek compensation where it is proven that we or our data processors have not complied with GDPR, unless it is proven that we or our data processors are not in any way responsible for the damage.

13.11.2. You should seek your own independent legal advice with regard to this right.

14. Restrictions

14.1. There are restrictions to the rights of individuals and these are:

  • National Security (DPA para 28) / (GDPR Article 23 (1)(a)
  • Defence (GDPR Article 23 (1) (b))
  • Public security (GDPR Article 23 (1) (c))
  • Crime & Taxation (DPA para 29) / (GDPR Article 23 (1) (d))

These restrictions are covered in more detail in the forthcoming Data Protection Bill 2018.

15. Transfer of data outside the European Economic Area

15.1. If you have spent time in the Channel Islands or the Isle of Man, it is likely that your data will be passed to police forces in that area. If your data needs to be transferred outside of the UK, DBS will ensure that an adequate level of protection is in place.

16. Our staff and systems

16.1. All our staff, suppliers and contractors are security vetted by the Home Office security unit prior to taking up employment. All staff are data protection trained and are aware of their responsibilities. This is refreshed on an annual basis.

16.2. We conduct regular compliance checks on all DBS departments and systems. In addition, continual security checks on our IT systems are undertaken.

17. Notification of changes

17.1. If we decide to change our Privacy Policy, we will add a new version to our website.

Back to top