Policy paper

Basic DBS Check Privacy Policy

Updated 5 July 2018

1. About us

1.1. The Disclosure and Barring Service (DBS) helps employers make safer recruitment decisions and prevent unsuitable people from working with vulnerable groups, including children.

1.2. The DBS issues criminal conviction certificates under section 112 Police Act 1997. There are two ways an applicant can apply for a basic DBS check. You can apply:

An RO is an organisation that registers with the DBS and submits basic checks using a web service for applicants living or working in England and Wales. Each RO has an Accountable Officer (AO) who is accountable for all activities carried out by the organisation in relation to submitting basic checks.

1.3. The content of this privacy policy applies to all basic DBS check applicants.

2. What is it I need to know?

2.1. This is our DBS Privacy Policy for all basic check applicants. It tells you how we will use and protect any information you provide when making a basic DBS check application in accordance with the General Data Protection Regulation (GDPR).

2.2. The Policy also explains what your rights are as a basic disclosure applicant under the General Data Protection Regulation (GDPR). It says why we need your personal data, what we will do with it and what you can expect from us. It also explains how to get a copy of any personal data we may hold about you. This is called a Subject Access Request.

2.3. We do have other Privacy Policies that cover other statutory functions. They can be accessed here.

3. How will we use your personal information

3.1. We at the DBS collect your personal data to:

  • process requests for basic criminal record checks (basic DBS check). This will include searching police records and in certain circumstances obtaining fingerprints
  • create a system profile for you - this helps us to identify you if you use another DBS Service
  • send SMS text messages, where requested, to update you on the progress of your application
  • allow you to view your DBS certificate online
  • allow the AO or another third party to view your basic certificate (with your consent only)
  • issue an electronic result to you or your RO at your request and with your consent
  • send a paper version of the certificate if you apply directly to the DBS or, if you apply via an RO, only if you request this
  • process payments when appropriate

3.2. The information we collect about you depends on the reason for your business with us. We may use the information we obtain for any of the purposes listed above.

3.3. Your information may also be used for testing purposes. Testing is undertaken to ensure that our systems function as per specified requirements. If it is not practical to disguise your data or use dummy data then we will test our system using your data. This testing will only take place in environments that are secured to the same level as our live system.

3.4. SMS messages - this only applies if you apply via a Responsible Organisation

Within your application you can choose to receive SMS text messages to provide an update on the progress of your application. Only mobile telephone numbers should be provided. Please be aware that this is a 24 hour messaging service.

3.5. Viewing your certificate online

Once your basic check is complete an online certificate will be available. To access this you will need to create an online DBS account. You will receive a letter containing your reference number and an authorisation code. You can use these details to link your online account to your DBS profile and view your online certificate.

3.6. Allow the Accountable Officer (AO) or another third party to view your certificate online – only applies if you apply via a Responsible Organisation

Within your application you will be asked the question ‘Is Consent Provided to RO’, which means ‘Do you wish to provide consent to the lead contact of RO to view your online DBS certificate when it has been issued?’ If you select the ‘Yes’ option the Accountable Officer of the RO will be able to view an electronic image of your certificate and if applicable could make a recruitment decision based on that information.

Within your application you will be asked the question ‘Consented 3rd Party Email Address’ which means ‘Enter the third party email address to provide consent to view your DBS certificate once it is issued. This should match the email address registered for the recipient’s DBS online account’. If you enter an email address in response to this question the person that address belongs to will be able to view an electronic image of your certificate and if applicable could make a recruitment decision based on that information.

You can use your DBS online account to remove or amend consent once your basic check has been completed and you have linked your DBS profile to your DBS online account.

Please be aware that if you give consent on your application to an Accountable Officer and/or a 3rd Party to view your certificate they will be able to see this as soon as the application has been completed. This means they may have the opportunity to view it before you have seen it.

If you give consent on your application to an Accountable Officer and/or a 3rd Party and your DBS certificate contains conviction information, the consent to view an electronic image of your certificate will automatically be removed. This allows you to view the content and dispute it, if necessary. You can reinstate the consent to view the certificate using your DBS online account.

3.7. Issue an electronic result to your Responsible Organisation (RO) – only applies if you apply via an RO

ROs will obtain an electronic result once your application is completed containing the following wording ‘Certificate contains no information’ or ‘Please wait to view applicant certificate.’ The RO should obtain your consent for this. If you do not consent to this result being received by the RO you should not submit your application through the RO. You will need to submit your basic check directly through DBS using our online application route.

Please be aware that once the application has been submitted through the RO you cannot withdraw consent for the electronic result to be sent to the RO. You would need to withdraw the application.

3.8. Provide a paper version of the certificate

If you apply directly to the DBS you will be issued automatically with a paper certificate. This does not have to be your own address; you can send it to another recipient, for example your employer. If you choose to have your paper certificate sent to another person, this person will be able to view your certificate before you have had an opportunity to check that your details on the certificate are correct.

If you apply via an RO you can choose to receive a paper certificate. This can be sent to your current address or you can send it to another address. This does not have to be your own address; you can send it to another recipient, for example your employer. If you choose to have your paper certificate sent to another person, this person will be able to view your certificate before you have had an opportunity to check that your details on the certificate are correct.

Please note - we may use previous applications you have submitted to assist in the checking process.

4. Who is the data controller?

4.1. A data controller decides the purposes for which and the manner in which any personal data is processed.

4.2. DBS is the data controller of information held by us for the purposes of GDPR. We have the responsibility for the safety and security of all the data we hold.

5. Who are the data processors?

5.1. A data processor is anyone (other than an employee of a data controller) who processes that data on behalf of the controller.

5.2. At the DBS we have a range of suppliers who process data on behalf of DBS as defined in section 9. We ensure that our data processors comply with all relevant requirements under data protection legislation. This is defined in our contractual arrangements with them.

6. Contacting the Data Protection Officer

6.1. The DBS Data Protection Officer can be contacted via telephone on 0151 676 1154, via email at dbsdataprotection@dbs.gov.uk or in writing to:

DBS Data Protection Officer
Disclosure and Barring Service
PO Box 165
Liverpool
L69 3JD

7.1. DBS was established under the Protection of Freedoms Act (PoFA) 2012 on 1 December 2012. Disclosure functions of DBS are contained within Part V of the Police Act 1997.

7.2. The Police Act Part V section 112 allows DBS to process information supplied to it under this section for the purpose of producing a basic certificate.

7.3. In addition to the above we may share information with third parties for other purposes where we are legally permitted to do so.

8. Why would DBS hold my personal data?

8.1. We will only hold your data if you have:

  • previously used a Disclosure Service
  • been referred to the DBS for consideration under the Safeguarding Vulnerable Groups Act 2006 (SVGA) / Safeguarding Vulnerable Groups (Northern Ireland) Order 2007
  • been cautioned or convicted for a relevant (automatic barring) offence that leads to DBS considering you for inclusion on one or both barred lists

8.2. If we ask you for personal information, we will:

  • make sure you know why we need it
  • only ask for what we need
  • ensure only those appropriate have access to it
  • store your information securely
  • inform you if the information will be shared with a third party
  • ask you to agree to us sharing your information where you have a choice
  • only keep it for as long as we need to – see our Retention Policy
  • not make it available for commercial use (such as marketing) without your permission
  • ensure you are provided with a copy of data we hold on you, on request - this is called a Subject Access Request
  • ensure there are procedures in place for dealing promptly with any disputes or complaints

Please note: We will share information with ‘relevant authorities’ such as the police, government departments etc. under UK Data Protection Act Prevention and Detection of Crime (Sch2, Part 1 Paragraph 2).

We will also share information under UK Data Protection Act (Sch2 Part 2 Paragraph 5 (2)) where disclosures are required by law or made in connection with legal proceedings.

8.3. In return we ask you to:

  • give us accurate information
  • tell us as soon as possible if there are any changes, such as a new address

9. Organisations that are involved in the Basic Check process

9.1. Data will be passed to organisations and data sources involved with the DBS where we are legally permitted to do so. This includes:

  • Canadian Global Information (CGI): CGI supply technology services to DBS. They support the IT infrastructure that allows us to process DBS checks and barring referrals
  • Hinduja Global Solutions UK (HGS): HGS supply contact centre and back office services to DBS. They provide frontline customer support to our service users
  • Police forces in England, Wales, Scotland, Northern Ireland, the Isle of Man, and the Channel Islands – searches will be made on the PNC and data may be passed to local police forces. The data will be used to update any personal data the police currently hold about you
  • ACRO Criminal Records Office - manages criminal record information and improves the exchange of criminal records and biometric information
  • Other data sources such as British Transport Police, the Service Police and the Ministry of Defence Police - searches are made using an internal database. Where a match occurs the information will be shared to ensure that the record match is you
  • Disclosure Scotland – if you have spent any time in Scotland, your details may be referred to Disclosure Scotland
  • Garda - if information held by Police Service Northern Ireland (PSNI) indicates some information exists in the Republic of Ireland your details may be referred to Garda
  • Access Northern Ireland – if you have spent any time in Northern Ireland your details may be referred to Access Northern Ireland
  • Independent Complaints Reviewer (ICR) - part of their role is to investigate complaints that have gone through the internal review process
  • United Kingdom Central Authority - for exchange of criminal records with other EU countries
  • The Child Exploitation Online Protection Centre (CEOP), who are a National Crime Agency (NCA) Command
  • National Identity Services (NIS) – assisting in the uploading of old criminal records from Micro Fiche to the Police National Computer (PNC)

10. Where is my data stored?

10.1. Your data is held in secure paper and computer files. These have restricted access. Where your data is held in paper format we have secure storage and processes for this. In some cases we may use secure offsite storage. We have approved measures in place to stop unlawful access and disclosure. All our IT systems are subject to formal accreditation in line with Her Majesty's Government (HMG) policy. They also comply with the security required within Article 5 of GDPR to make sure that personal data is processed in a manner that ensures appropriate security of the data, including protection against unauthorised or unlawful processing.

11. How long will DBS hold my information?

11.1. We operate a Data Retention Policy to ensure that data is not held for longer than necessary. However at present, there is a restriction on the destruction of information due to the ongoing Independent Inquiry into Child Sexual Abuse. DBS are currently reassessing the retention requirements in light of this.

11.2. Any data that we identify that could be called on by the inquiry will be retained until completion of the inquiry. At this point the information will be securely destroyed as soon as is practicable.

12. What are my rights? How will DBS protect them?

12.1. We are committed to protecting your rights under GDPR.

12.1.1. Your right to be informed

This document provides you with information in relation to how your data is processed as a basic DBS check applicant. This ensures that we are transparent with you, as an applicant, with regard to what we will do with the information you supply to us on your basic DBS check application.

12.1.2. Your right to access to your personal data held by DBS is known as a Subject Access Request

You have the right to request a copy of the information we hold about you.

On receipt of a valid application we will tell you whether we hold any data about you and provide you with a copy. Further information on how to apply can be found here.

12.1.3. Your right to request information held is accurate. Can I update it?

If you think that the information held by us at the DBS is incorrect, you have the right to request it is corrected. If you challenge the accuracy of data that was provided to us by a third party we will send your request for correction to that party for their consideration.

It is the duty of both you and, if you used an RO, the organisation who submitted your application to ensure that the information you have submitted on your application form is accurate.

If you believe you have submitted an error on an application that is still in progress you will need to contact us immediately on 03000 200 190.

If you wish to dispute your information as contained on a completed certificate you can raise a dispute by contacting 03000 200 190.

Third parties can also dispute a completed certificate if they have all the necessary certificate information:

  • the applicant’s name
  • the applicant’s date of birth
  • the certificate number and issue date
  • the applicant’s address

Where this is the case the applicant will be notified that a third party has raised a dispute.

Read our guidance on GOV.UK for more information about disputes.

12.1.4. Your right to request erasure of your personal data

In certain circumstances you have a right to have personal data held about you erased. At the DBS we will only do this if certain criteria are met. There are some circumstances where this cannot be done therefore we advise you to seek independent advice before submitting an application to us.

Any requests for information to be destroyed will be considered on a case-by-case basis.

There are some specific circumstances where the right to erasure does not apply and we may refuse your request.

12.1.5. Your right to prevent DBS from processing your information which is likely to cause you damage or distress

You have the right to request restriction of processing where it has been established that one of the following applies:

  • the accuracy of personal data is contested, during the period of rectification
  • where processing is unlawful
  • where an individual has requested it is retained to enable them to establish, exercise or defend legal claims
  • pending verification of the outcome of the right to object
  • where processing has been restricted

DBS customers can request restriction of processing for any of the above reasons until these are resolved. Should you wish to restrict processing you will need to call the DBS helpline on 03000 200 190. Any requests to stop processing will be considered on a case-by-case basis.

12.1.6. Right to receive an electronic copy of any information you have consented to be supplied to us known as data portability

You have the right, where this is technically feasible, to electronically receive any personal data you have provided to the DBS to process, on a consent basis.

Please note that Basic, Standard and Enhanced certificates are processed under our legal obligation, under Part V of the Police Act 1997, and barring information is processed under the Safeguarding Vulnerable Groups Act 2006. Therefore this information falls outside of the right to data portability.

All requests for portability will be considered on a case-by-case basis.

12.1.7. You have the right to object to processing of your information

Should you wish for the DBS to stop processing your application you will need to withdraw the application.

If you have set up a DBS online account and linked this to your DBS profile you can use this to withdraw your application.

12.1.8. You have rights relating to automated decisions being made about you

The basic check process is generally an automated process; however, if the system identifies that ‘potentially’ there is police information held about you by a police force then some manual processing may be required.

You have the right to object to any automated decision making. It should be noted that you would need to inform us of this on submission of your application as the certificate can be issued quite quickly.

Please contact the DBS helpline on 03000 200 190.

DBS do not currently undertake any profiling activities.

12.1.9. You have the right to make a complaint to the DBS and the ICO

If you wish to make a complaint to us regarding the way in which we have processed your personal data you can make a complaint to the Data Protection Officer via the contact details in Section 6.1.

If you then remain dissatisfied with the response received, you have the right to lodge a complaint to the ICO at the following address:

The Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

https://ico.org.uk

13. Transfer outside the European Economic Area

13.1. If you have spent time in the Channel Islands or the Isle of Man, your data may be passed to police forces in that area. If any of your data has to be transferred outside of the UK, DBS will ensure that an adequate level of protection is put in place.

14. Our staff and systems

14.1. All our staff, suppliers and contractors are security vetted by the Home Office security unit prior to taking up employment. All staff are data protection trained and are aware of their data protection responsibilities. This is refreshed on an annual basis.

14.2. We conduct regular compliance checks on all DBS departments and systems. All checks are to the standard set out by the Information Commissioner's Office. In addition, continual security checks are carried out on our IT systems.

15. Notification of changes

15.1. If we decide to change our Privacy Policy, we will add a new version to our website.