Policy paper

Privacy Notice for DBS Barring Functions

Published 5 November 2025

1. Privacy Notice for DBS Barring Functions

This is the Privacy Notice (“Notice”) relating to data the Disclosure and Barring Service (“DBS”) use to perform the DBS Barring Functions. It tells you how we will use and protect the data you have provided to us and the data we receive from you and third parties for the purposes of creating and providing barred lists and associated services. Such reference to “data” means all forms of Personal Data including Special Categories of Personal Data and Criminal Offences Data, as further explained in section 2 of this Notice.

Our Notice is divided into separate sections for ease of reference. Each section sets out important information about how DBS may collect and use personal data in connection with our functions.

If you follow a link on our website to a service provided by another government department, agency, local authority or any other third party that organisation will:

• be the data controller for any personal data, special categories of data and criminal offences data you provide to them, or they collect from you
• be responsible for processing any data you share with them
• publish and manage their own privacy notice setting out details of their processing of your personal data as well as on how to contact them

There are further DBS privacy notices which cover other statutory functions undertaken by DBS. They can be accessed here.

2. Introduction

DBS was established under the Protection of Freedoms Act 2012 (PoFA) on 1 December 2012 and undertakes a number of functions which can be reviewed on our website.

DBS is responsible for:

• DBS checks: processing requests for, and issuing, DBS checks for England, Wales, the Channel Islands and the Isle of Man. Please see our guide on DBS checks for further information

• Barred Lists: making considered decisions regarding whether an individual should be barred from engaging in regulated activity with children, adults or both, in England, Wales and Northern Ireland, and maintaining these Barred Lists. Further information on barring referrals can be found here

• Disclosure: The disclosure functions of DBS are contained within Part V of the Police Act 1997 (PA)

• Barring: The barring functions of DBS are underpinned by the Safeguarding Vulnerable Groups Act 2006 (SVGA) and the Safeguarding Vulnerable Groups (Northern Ireland) Order 2007 (SVGO)

DBS’ use of data, in order for it to discharge its functions (as described above), is primarily governed by the UK GDPR (General Data Protection Regulation - which is the form of the EU GDPR as implemented into UK law) and the Data Protection Act 2018. In effect the DPA 2018 supplements the UK GDPR by making provision for a number of specific areas, as well as setting out certain exemptions to data subject rights.

3. What Is Personal Data?

‘Personal Data’ is defined in the UK GDPR as information which relates to you as an individual and from which you can be identified, either directly or indirectly, meaning that it relates to you as an individual in some meaningful way.

‘Special categories of personal data’ under the UK GDPR are personal data revealing:

• racial or ethnic origin

• political opinions

• religious or philosophical beliefs

• trade union membership

• the processing of genetic data / biometric data:

  • for the purpose of uniquely identifying a natural person
  • concerning health
  • concerning a natural person’s sex life or sexual orientation

These categories of personal data are subject to additional, and more restrictive, obligations under the UK GDPR.

The UK GDPR also contains additional obligations relating to ‘Criminal Offences Data’. This is personal data that relates to criminal convictions and offences and covers information about offenders or suspected offenders in the context of criminal activity, allegations, investigations and proceedings.

 You can read the Information Commissioner’s Office (ICO) guidance on personal data for further information.

4. Who This Privacy Notice Applies To?

This Privacy Notice applies to individuals whose data is received and processed by DBS in relation to DBS checks and the DBS Barred Lists and will apply to you, if you:

• have been referred to DBS for consideration for inclusion, or are already included, in a Barred List under the SVGA or SVGO
• have been referred by the automatic barring (Autobar) function. Autobar cases are where a person has been cautioned or convicted in relation to a ‘relevant offence’ or were previously issued with a Risk of Sexual Harm Order and the details have been provided to DBS by the Home Office. Relevant offences are set out in legislation
• have used the disclosure service and the DBS check reveals relevant information that results in you being considered for inclusion in one or both of the Barred Lists

In addition, we may hold your data if you have:

• made a barring referral about an individual
• been included in a barring case as a witness or victim or otherwise involved in the investigation and reporting of an alleged incident or behaviour
• contacted us in relation to a barring decision via our Customer Contact Centre Services or by phone, online or email

If you are providing data about, or on behalf, of third parties (such as victims and witnesses of barring-related incidents), you should ensure a link to this Privacy Notice is provided to them wherever it is possible to do so. We will process their data according to this Privacy Notice so please encourage them to read it if they want to find out more about how we will process their personal data.

5. What Is The Purpose For Processing Data?

DBS Protects the public by helping employers make safer recruitment and employment decisions, and by barring individuals who pose a risk to vulnerable people. To do this we will process information, including data, in order to:

• decide whether it is appropriate for a person to be placed on or removed from a Barred List. This decision may include the use of any information that has been disclosed on a DBS certificate
• consider referrals and where required seek further information to enable us to complete an assessment of the risk of future harm in relation to a person’s inclusion in a Barred List
• review appeals from individuals disputing or challenging their inclusion in a Barred List and where required, seek further information to enable an assessment of risk or whether a review of a barred list decision can be undertaken.
• process ‘Adult First’ Checks - DBS Adult First is a service provided by the Disclosure and Barring Service that can be used in cases where, exceptionally, and in accordance with the terms of Department of Health guidance, a person is permitted to start work with adults before a DBS Certificate has been obtained. This service enables the employer to obtain information as to the person’s barred status before a certificate is issued by DBS. It is only available to organisations who are eligible to access the DBS Adults’ Barred List and who have requested a check of the Barred Lists on their DBS application form
• to service your request or query when you contact us

• conduct testing of DBS systems. Testing is undertaken to ensure that our IT systems function as per specified requirements, to ensure that the correct data is being extracted from DBS databases. Where it is not practical to pseudonymise or anonymise your data, or use dummy data, we will test our systems using actual personal data. This testing will only take place in environments that are secured to the same level as our live system. To note that for context pseudonymised data is personal data which has had direct identifiers removed from it, anonymised data is information from which no individual can be identified, and dummy data is data which has been designed to replicate other data but does actually relate to specific and genuine individuals

• conduct research activities to:
  • monitor and improve the services provided to you, gather your views and obtain feedback on the service you have received, improve the systems by which we help employers make safer recruitment and employment decisions, and bar individuals who might pose a risk to vulnerable people and improve our knowledge and influence in safeguarding
  •  analyse and improve the website information and features offered to individuals regarding barring services and making a barring referral

6.  What Data Will DBS Process And The Lawful Reason For Processing?

One of the obligations under the UK GDPR is that DBS must be able to satisfy one or more ‘lawful bases’ in order to lawfully process data. A lawful basis is a specific provision which allows personal data, special categories of personal data and criminal offences data to be processed in certain circumstances. There are several potential lawful bases and these are set out in Article 6 UK GDPR. In the case of special categories of personal data then we must also be able to rely on an additional lawful basis as set out in Article 9 UK GDPR, and for criminal offences data in compliance with Article 10 UK GDPR.

The table below sets out:

1. The data we process, including personal data, special categories of personal data and criminal offences data
2. The purpose(s) for which we process it
3. The lawful basis/es relied upon in order to do so

It may be necessary, from time to time, for DBS to process data for reasons which are related to the purposes, but not specifically included, in the table below. This is known as processing for a ‘compatible’ purpose and is permissible if it is legitimised by an applicable lawful basis. DBS will always ensure that any compatible processing of personal data is justified by a lawful basis and is otherwise compliant with the UK GDPR and DPA 2018.

With the background in mind, the following information is compiled in relation to DBS’ specific processing of your data:

Personal Data Processed	Processing Activity	Lawful Reason for Processing
Forename, surname, date or birth, address, email, phone number, barred status and gender, including for any alternative names used (aliases). Criminal offences data. Special categories of personal data: -Personal data revealing racial or ethnic origin. -Personal data revealing political opinions. -Personal data revealing religious or philosophical beliefs. -Personal data revealing trade union membership. -Data concerning health. -Data concerning a person’s sex life. -Data concerning a person’s sexual orientation	Required to be processed for: -Decision making purposes (a) considerations by DBS as to whether an individual should be included in one or both DBS Barred Lists -Decision making purposes (b) considerations by DBS as to whether an individual should be removed from one or both DBS Barred Lists, -Appeals against barring Decisions – processing of information necessary to respond to Appeals lodged by barred individuals with relevant tribunals -Provision of an individual’s barred status – (a) via DBS enhanced disclosure with barred list checks and Adult first checks -Provision of information relating to an individual’s barred status - (b) where SVGA/SVGO or wider legislation provides for sharing of Barred List information with organisations such as the Police.	Personal data is processed using Article 6(1)(e) processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller Special categories of personal data are processed using Article 9(2)(g) substantial public interest in the exercise of a function of a government department (lawful condition: Para 6(2)(a) of Part 2 Schedule 1 DPA 2018) Criminal offences data is processed using Article 10 - under the control of official authority Information gathered following conclusion of a case is undertaken and processed using paragraph 16 of Schedule 8 to the Protection of Freedoms Act
Name, contact details, employer;	Required to be processed from a person making the referral.
Name, details of incidents in relation to the individual subject to the decision Criminal offences data. Special categories of personal data: -Personal data revealing racial or ethnic origin. -Personal data revealing political opinions. -Personal data revealing religious or philosophical beliefs. -Personal data revealing trade union membership. -Data concerning health. -Data concerning a person’s sex life. -Data concerning a person’s sexual orientation	Required to be processed from a victim or witness as part of a referral or a barring decision.
Forename, surname, date or birth, address, email, phone number,	When you contact us to make a request or ask us a question	Where Personal data is processed in relation to a barring decision it will be processed using Article 6(1)(e) processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller. However, where the query is not directly related to a Barring decision it will be processed using Legitimate Interests (Article 6(1)(f) UK GDPR) as the lawful reason for processing. Special category data and criminal offences data is not processed as part of our Customer Contact Centre Services.
(Any of the data elements mentioned above)	Conducting testing for DBS systems. analyse and improve the website information and features.	Personal data is processed using Article 6(1)(e) processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller. Special categories of personal data are processed using Article 9(2)(g) substantial public interest in the exercise of a function of a government department (lawful condition: Para 6(2)(a) of Part 2 Schedule 1 DPA 2018) Criminal offences data is processed using Article 10 - under the control of official authority
(Any of the data elements mentioned above)	Conducting research activities	Personal data is processed using Article 6(1)(e) processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller. Where special categories of personal data or criminal offences data is collected, a separate condition for processing under Article 9 (2) (j) of the UK GDPR will apply. “Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) (as supplemented by section 19 of the 2018 Act) based on domestic law.” Where the above lawful reasons are not appropriate for a research activity, whether that be the use of personal data, special categories of personal data or criminal offences data, the lawful basis for processing your personal data is consent. We will always seek consent prior to your participation in the research if this is the case

7. Children’s Personal Data

We only process children’s personal data where this is necessary as part of a DBS barring consideration.

8.  Where Does DBS Get Data From?

We will obtain data directly from yourself as well as from a range of other potential sources, depending on the context and as described further below.

We may check information about you with other information we hold e.g. previous referrals and information revealed from an Enhanced DBS check. Information from referrals is stored and used in line with our Retention Policy (a link to which is included in section 9 below).

We may request information from other identified relevant organisations e.g. Police, Social Services, Keepers of Registers, Supervisory Authorities or your employer etc.

We may be required to gather further information from relevant parties to consider your case. DBS will only request information that is relevant and where we are legally permitted to do so. This may include gathering further information once a case has been concluded to enable further assessment of risk where necessary.

If a person is considered for inclusion or included in a Barred List following being cautioned for, or convicted of, an automatic barring offence, the Barred List will contain information extracted from from the Police National Computer in relation to those cautions or convictions.

9. How Do We Protect Your Data?

If we ask you for your data, we will:

• ensure only appropriate DBS personnel have access to the information held by DBS when considering including or removing someone from the DBS Barred Lists
• store and process your Data securely
• only keep your data for as long as we need to
• ensure there are procedures in place for dealing promptly with any disputes or complaints
• follow our security protocols which includes restricted access to our secure paper and computer files. Where your data is held in paper format we have secure storage, secure off-site storage and processes for managing this
• have approved measures in place to stop unlawful access and disclosure. All our IT systems are subject to formal accreditation in line with His Majesty’s Government “HMG” policy. They also align with the security requirements set out in the UK GDPR and DPA 2018 to protect against unauthorised or unlawful processing
• ensure all our staff, suppliers and contractors are security vetted by the Home Office security unit prior to taking up employment and due diligence on third party contractors is undertaken prior to entering into a contract. All staff are data protection trained and are aware of their responsibilities
• conduct regular compliance checks on all DBS departments and systems. In addition, continual security checks on our IT systems are undertaken

In return, we ask you to:

• give us accurate information
• tell us as soon as possible if there are any changes to your data or personal details, such as a new address

This helps us to keep your data reliable, up to date and secure. This will apply whether we hold your data on paper or in electronic form.

10. Who Does DBS Share Data with?

DBS will only share data where it has a lawful basis to do so. This could be under the provisions of the SVGA or the SVGO, or other legislation requiring or enabling DBS to share information.

Where the 3rd party is a Data Controller in their own right they should issue their own Privacy Notice which tells you how they process your data.

DBS shares data with other government departments, official organisations and external organisations. Also note that the Barring Function will share data, on request, with employers, managers of volunteers and local authorities where it is within the legitimate interests of that organisations to do so. Legitimate Interest requests are used by several bodies who can demonstrate, within the provisions of the UK GDPR that Legitimate Interest can be used as a lawful reason to share data.

DBS has a specific authority to share data under a legitimate interest legislative provision:

• Safeguarding Vulnerable Groups (Miscellaneous Amendments) Order 2012
• Safeguarding Vulnerable Groups (Miscellaneous Amendments) Order (Northern Ireland) 2012.

11.  Retention Of Data

Your data will be held for no longer than is necessary for the purpose for which it was collected (or another compatible purpose). DBS has a Data Retention Policy and data retention schedules to ensure that data is not held for any longer. Data retention details for individuals or for general categories of data can be requested by using the Data Protection Officer contact details given in this Privacy Notice.

Individuals considered for barring or who have been included in a Barred List are advised at the outcome of the barring consideration how long the data will be retained by DBS.

In some cases, DBS may sometimes retain information past the DBS Retention date if there is a specific need for us to do so. This includes circumstances in which the information we hold may be relevant to a public inquiry,

At the conclusion of any public inquiry, data and information which has been retained beyond its retention period, will be securely destroyed and/or anonymised as soon as is practicably and technologically possible.

12. Cookies

DBS uses cookies to gain a better understanding of how visitors use our website. Cookies help us tailor to your personal needs, to improve usability.

To enable this, some cookies are applied when you enter the website. DBS keeps all the information collected from cookies in a format that means we cannot identify individuals. DBS cookies located on your computer do not retain your name or your IP address.

To learn more about how we use cookies, see our Cookies Policy.

13.  Our Use Of Artificial Intelligence

Artificial Intelligence (or “AI”) is a term used for a range of technologies that can replace manual processes and solve complex tasks by carrying out functions that previously required human action. Tasks that we have traditionally undertaken by thinking and reasoning may be undertaken by, or with the help of, AI.

We use AI to support our existing activities and improve our business processes with a particular focus on simplifying complex processes, ensuring consistent standards and driving efficiencies.

This means that how we collect and process your personal information and the types of personal information we use do not change. We do not use your data to make automated decisions about you and or profiling.

To use AI, we combine information you have provided to us directly, information we derive about you from your use of our services or your interactions with us, and information from other people and organisations. We use your data lawfully and for the purposes explained in this Notice.

14.  Your Rights And How We Protect Them

We are committed to respect and protect your rights under the UK Data Protection legislation and regulations. We will always seek to process your Data in accordance with DBS obligations and your rights.

Please see more information about your rights and how to exercise them in our Data Subject Rights Policy here.

15.  Contact The Data Protection Officer

As Data Controller, DBS has appointed a data protection officer to oversee data protection compliance across all of DBS’ processing activities.

If you have any questions about this Notice, would like to exercise any of your rights, are dissatisfied, or wish to make a complaint regarding the way we have processed your personal data, you can contact the DBS Data Protection Officer. Their contact details are as follows:

Email:

dbsdataprotection@dbs.gov.uk

Address:

DBS Data Protection Officer
Disclosure and Barring Service
PO Box 165
Liverpool
L69 3JD

16. Make A Complaint To DBS Or The Information Commissioner’s Office (ICO)

If you remain dissatisfied with the response received from us, you have the right to lodge a complaint to the ICO.

Address:

The Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

or you can make a complaint online at: https://ico.org.uk/make-a-complaint.

17. Notification Of Changes

We may make changes to this Notice as required from time to time. In that case, the ‘last updated’ date at the bottom of this page will also change and we will update the website. Any changes to this Notice will apply to you and your data immediately.

If these changes materially change how your data is processed, DBS will take reasonable steps to let you know if required by law.

Last updated

This Notice was last updated October 2025.