Policy paper

Consent Policy

Updated 4 June 2018

1. Purpose

1.1. This policy outlines when the Disclosure and Barring Service (DBS) will rely upon consent as the legal basis for processing your data. It tells you when your consent will be obtained in line with the General Data Protection Regulation (GDPR).

2. Overview

2.1. Consent is one of the grounds for lawfully processing personal data under the Data Protection Act 2018 and GDPR.

2.2. Under GDPR, the concept of consent has been strengthened with some new rules that require organisations to be more transparent.

2.3. It states that your consent must be freely given, specific, informed and unambiguous. It also states that consent must be given ‘by a statement or clear affirmative action’, for example an opt-in.

2.4. GDPR introduced a number of other changes:

  • Consent should be separate from other terms and conditions (‘unbundled’)
  • GDPR bans pre-ticked opt-in boxes
  • Separate consent is required for separate processing operations (‘granular’)
  • Each party relying on the consent should be clearly identified (‘named’) – it is the view of the Information Commissioner’s Office (ICO) that “even precisely defined categories of third-party organisations” is not sufficient
  • Consent needs to be documented – organisations need to record what an individual was told, what the individual consented to and when/how consent was given
  • Consent must be ‘easy to withdraw’ – it must be as easy for an individual to withdraw consent as it was for them to give it, and individuals need to be told that they have the right to withdraw consent and how to do so
  • Organisations cannot rely upon consent where there is a clear imbalance of power between the individual and organisation, as it is unlikely that the individual’s consent was ‘freely given in all the circumstances of that specific situation’

3. Processing

3.1. DBS processes data, as defined in GDPR Article 6 (1), under:

  • Safeguarding Vulnerable Groups Act 2006 (SVGA) / Safeguarding Vulnerable Groups (Northern Ireland) Order 2007 (SVGO)
  • Part V of the Police Act 1997
  • Part 5 of the Protection of Freedoms Act 2012

3.2. However, there are some circumstances in which your personal data is processed on a consent basis. Where this is required because no other legal basis applies, your consent will be asked for.

3.3. Under GDPR, consent should be:

  • freely given
  • specific, clear and concise
  • separate from other terms and conditions
  • given by a clear and ‘affirmative action’ such as an opt-in box – GDPR specifically bans pre-ticked opt-in boxes

3.4. Consent will not be deemed as ‘freely given’ if data is required for performance of a contract, or if there is an imbalance of power between the ‘data subject’ and ‘controller’ i.e. the individual whose consent is required, and the employer or organisation that is trying to obtain their consent.

This is particularly difficult for public authorities and employers.

3.5. Where your consent is given, DBS must keep clear records to demonstrate this.

3.6. Provision of consent must:

  • be unambiguous
  • be ‘granular’ – separate consent for separate processing operations
  • involve a clear, ‘affirmative action’ such as an opt-in box
  • not involve any pre-ticked opt-in boxes
  • allow DBS to demonstrate consent

3.7. It must be as easy for you to withdraw consent as it was for you to give consent. You must also be informed, when giving consent, of the process for withdrawing this consent.

3.8. Consent is used by DBS in the following areas:

  • Third-party consent
  • Email disclaimer(s)
  • E-Result (via Registered Bodies and Responsible Organisations)
  • Medical consent
  • DBS basic check application
  • Fingerprints (as part of the Police National Computer matching and disputes processes)

3.9. Where your consent is being used for processing, you need to be fully informed of the process. Due to the sensitive and personal nature of the information processed within DBS, you will be:

  • informed of the process for consent
  • informed of any risks to the confidentiality of the information
  • informed of any risks to the security of the information that may occur due to consent
  • asked if you wish to place any restrictions / time-period on the consent you are giving
  • notified of your rights and how to withdraw your consent

4.1. In certain circumstances, you may wish for someone else to act on your behalf in dealing with DBS. When this is the case, and you inform DBS of this, we will take the following steps to obtain and record your consent.

4.2. DBS will issue the Third Party Consent form. This form has been developed to include all necessary information, and identifies the risks to you in providing consent for others to receive your information or give information on your behalf, due to the sensitive nature of this information.

4.3. Following receipt of the signed consent form, an acknowledgement letter will be sent to you. It will confirm receipt of consent and the date from which the consent is being applied (date of receipt of consent). It will also confirm to whom the information will be issued.

4.4. A letter will also be sent to your nominated person (third party) or organisation to advise them that they have been nominated by you to receive correspondence from DBS. It will also advise them to contact DBS, should they have any issues with this nomination.

4.5. DBS will review third-party consent on an annual basis from when consent was given, if the barring case is not concluded within one year. When a barring case is concluded, the validity of consent for third parties automatically lapses and the nominated individual or organisation is informed of this.

4.6. It is also possible for you to use your DBS online account to give consent for a third-party to view your information (such as a DBS certificate or barring notification) online.

You can navigate to this when you log in to your DBS online account. The person you are giving access to must also have a DBS online account.

If you wish to withdraw this consent, this can be done online too.

5. Email disclaimer(s)

5.1. DBS recognises that an increasing number of you wish to correspond with us electronically. Our first step will be to signpost you to your DBS online account. This service is secure and government-approved.

5.2. You can now access various DBS services through your online account, including sharing information with us and requesting information from us. You must log in to your account to access these services.

5.3. Further disclosure and barring services may be added to this online service in the future.

5.4. DBS’ policy is that personal, sensitive information should only be issued electronically if it is being issued to a secure email address. Depending on the nature of the information being disclosed, a decision would need to be made as to whether the information should be issued by post, double-bagged and sent directly to a home address via Special Delivery or recorded delivery. This is to ensure adequate protection against loss, destruction or damage of the contents.

5.5. There may be circumstances when you request that information is not issued to you via post for several reasons, for example if you do not have a permanent address, or you request that the information is issued by email.

5.6. In these circumstances we request that you give consent via the Email Disclaimer Form for the information to be issued electronically. This form must be completed and recorded on file before any information is able to be issued by email.

6.1. When you apply for a DBS check through a Responsible Organisation (RO) or a Registered Body (RB), you will be given the option to have the result sent directly to the RO/RB, known as an e-result. The RO/RB will need to obtain your consent to do this. If you do not wish to consent to this:

  • for basic checks, you can submit an application online, directly to DBS via our online application route
  • for standard or enhanced DBS checks, the RB will need to submit a paper application

7.1. DBS may at times need to process health information for you. Health data is covered as one of seven special categories defined within GDPR.

7.2. Where this information is needed by DBS, explicit consent must be held before any requests are made for your health information.

7.3. Where consent for your health data is being requested, such as access to your medical records, you will be fully informed about why DBS is requesting this data. Reasons may include:

  • to aid DBS in making an assessment of the risk posed to other individuals based on a specialist risk assessment

This will enable you to consider providing freely given consent, as you will be aware of why DBS requires this information.

8.1. There are no specific provisions within GDPR regarding an individual’s capacity to consent. Generally, it can be assumed that adults have the capacity to consent, unless DBS has reason to believe otherwise.

8.2. An individual who lacks capacity is not able to give consent, informed or otherwise. DBS are unable to determine if capacity is an issue. We rely upon your representative or other professionals to inform us if capacity is an issue.

8.3. In the majority of cases where capacity is an issue, there will be one of the following:

  • legal representative – such as a solicitor
  • Power of Attorney (POA)
  • Social Worker – who will act as an advocate for you

8.4. A certified copy of the POA would need to be attached to your record or barring case. This will then be used for any further communication regarding the case.

8.5. For barring cases where it is identified that an individual potentially lacks capacity, the cases will be referred to the Information Governance & Security Manager and Legal team for advice on how to proceed. Full consideration will be given as to who can make decisions on behalf of the individual and who is able to give consent.

9.1. GDPR has a specific provision on children’s consent for:

  • services requested and delivered over the internet – known as ‘information society services’
  • children who require further protection due to their awareness
  • comprehension regarding data protection, risks and potential consequences

9.2. There are no envisaged circumstances in which DBS will be required to obtain the consent of children.

9.3. Applicants must be aged 16 or over to apply for a DBS check and therefore are not considered a ‘child’ under GDPR.

9.4. Should children’s data and/or consent be required, the cases will be referred to the Information Governance & Security Manager for advice, prior to any action being taken. They will consider age, and verification measures. They will also make reasonable efforts to identify and verify the holder of parental responsibility, and advise both the holder of parental responsibility and staff how to proceed.

10. Surveys and feedback

10.1. DBS may from time to time request completion of surveys or feedback from customers and stakeholders. Where this is undertaken, the appropriate consent will be obtained in advance.

11.1. In circumstances where consent has been used to process data, you have the right to withdraw your consent at any time.

11.2. It must be as easy to withdraw consent as it was to give consent.

11.3. In circumstances where written consent is required, the request to withdraw consent should also be in writing. If you advise us of the withdrawal of consent over the phone, we will ask you to provide the request in writing but will immediately suspend the consent held on file.

11.4. It should be noted that DBS are under a duty (SVGA Sch 3 Prt 3 Para 13 (1)) to consider all information within our possession, when making an informed decision as to whether an individual should be included on one or both of the barred lists. Where this applies, you will be informed of this duty before you give consent to processing.

12. Individual rights

12.1. Where consent has been used as the basis for processing data, this generally provides stronger rights for you under GDPR. In particular, under the following rights:

  • Right to erasure – also known as the right to be forgotten
  • Right to restriction of processing
  • Right to lodge a complaint with a supervisory authority
  • Right to an effective judicial remedy against a controller or processor

12.2. When you notify DBS that you wish to exercise any of these rights, all cases will be referred to the Information Governance Team for consideration.

13. Use of images

13.1. CCTV or photographs may be provided to DBS under the requirements placed on employers, regulatory bodies etc. in line with SVGA/SVGO. These images are classed as personal data as they can be used to identify an individual; however, as they are processed on a lawful basis under SVGA/SVGO, consent is not required.

13.2. Sometimes, a copy of a photograph will be obtained as part of DBS’ matching and disputes processes. This is part of the fingerprint elimination process. Where a dispute has been raised, the fingerprint team will obtain the copy of the photograph and consent.

13.3. Please be aware however that this information is also covered by other legislation and guidance:

  • Surveillance Camera Code of Practice
  • Freedom of Information Act 2000
  • Protection of Freedoms Act 2012
  • Human Rights Act 1998 Article 8
  • Guidance issued by the Surveillance Camera Commissioner and the ICO

13.4. Those providing this information to DBS should have considered all relevant legislation before providing the information under SVGA/SVGO.

13.5. There are two circumstances where DBS may share this information but your consent is not required, as it will be shared under SVGA/SVGO or GDPR.

13.6. Due to this information being in photo or video format, it is highly likely that other individuals and third parties may be included (in the background, for example). If this information is being shared or disclosed further, consideration should be given to obscuring the images, for example by pixellation, or to providing a transcript.

13.7. If such information is under Right to Access, previously known as a Subject Access Request, all third party data should be obscured, pixellated, redacted or a transcript provided if appropriate.

14. Incorrect handling

14.1. The incorrect handling of consent, and processing of data based on consent, could leave DBS at risk of:

  • reputational damage
  • penalties
  • an individual’s right to an effective judicial remedy against a controller or processor
  • an individual’s right to compensation and liability

15.1. In cases where consent has been used as the legal basis for processing data, the consent should:

  • be reviewed on an annual basis
  • automatically lapse on conclusion of the case/enquiry

The individual should also be notified when the consent lapses.

16. Reference list

16.1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

16.2. ICO GDPR consent guidance consultation document

16.3. Safeguarding Vulnerable Groups Act 2006 / Safeguarding Vulnerable Groups (Northern Ireland) Order 2007

16.4. Part V of the Police Act 1997