Policy paper

Privacy Notice for DBS Disclosure Services

Published 5 November 2025

© Crown copyright 2025

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/dbs-disclosure-services-privacy-notice/privacy-notice-for-dbs-disclosure-services

This is the Privacy Notice (“Notice”) relates to the data the Disclosure and Barring Service (“DBS”) use to perform the DBS Disclosure Services. It tells you how we will use and protect the data you have provided to us and the data we receive from you and third parties for the purposes of Disclosure services such as managing disclosure applications and issuing basic, standard and enhanced certificates, and all the associated services. Such reference to “Data” means all forms of Personal Data including Special Categories of Personal Data and Criminal Offences Data, as further explained in section 2 of this Notice.

Our Notice is divided into separate sections for ease of reference. Each section sets out important information about how DBS may collect and use personal data in connection with our functions.

If you follow a link in our website to a service provided by another government department, agency, local authority or any other third party that organisation will:

  • be the data controller for any Personal Data, Special Categories of Data and Criminal Offences Data you provide to them, or they collect from you;
  • be responsible for processing any data you share with them; and
  • publish and manage their own privacy notice setting out details of their processing of your Personal Data as well as on how to contact them.

There are further DBS privacy notices which cover other statutory functions undertaken by DBS. They can be accessed here.

1. Introduction

The Disclosure and Barring Service (DBS) was established under the Protection of Freedoms Act 2012 (PoFA) on 1 December 2012 and undertakes a number of functions which can be reviewed on our website.

The DBS is responsible for:

DBS checks: processing requests for, and issuing, DBS checks for England, Wales, the Channel Islands and the Isle of Man. Please see our guide on DBS checks for further information;

Barred Lists: making considered decisions regarding whether an individual should be barred from engaging in regulated activity with children, adults or both, in England, Wales and Northern Ireland, and maintaining these Barred Lists. Further information on barring referrals can be found here.

Disclosure: The disclosure functions of the DBS are contained within Part V of the Police Act 1997 (PA).

Barring: The barring functions of the DBS are underpinned by the Safeguarding Vulnerable Groups Act 2006 (SVGA) and the Safeguarding Vulnerable Groups (Northern Ireland) Order 2007 (SVGO).

The DBS’ use of Data, as defined in further detail above, in order for it to discharge its functions is primarily governed by the UK GDPR (General Data Protection Regulation - which is the form of the EU GDPR as implemented into UK law) and the Data Protection Act 2018. In effect the DPA 2018 supplements the UK GDPR by making provision for a number of specific areas, as well as setting out certain exemptions to data subject rights.

2. What is Personal Data?

‘Personal Data’ is defined in the UK GDPR as information which relates to you as an individual and from which you can be identified, either directly or indirectly. Personal data also, otherwise, concerns you as an individual, meaning that it relates to you as an individual in some meaningful way.

‘Special categories of personal data’ under the UK GDPR are personal data revealing:

  • racial or ethnic origin

  • political opinions

  • religious or philosophical beliefs

  • trade union membership

  • the processing of genetic data / biometric data:

    • for the purpose of uniquely identifying a natural person
    • concerning health
    • concerning a natural person’s sex life or sexual orientation

These categories of personal data are subject to additional, and more restrictive, obligations under the UK GDPR.

The UK GDPR also contains additional obligations relating to ‘Criminal Offences Data’. This is Personal Data that relates to criminal convictions and offences and covers information about offenders or suspected offenders in the context of criminal activity, allegations, investigations and proceedings.

 You can read the Information Commissioner’s Office (ICO) guidance on personal data for further information.

3. Who this Privacy Notice applies to?

This Privacy Notice applies to individuals whose Data is received and processed by the DBS in relation to using DBS services provided under the Police Act 1997 as an applicant or making an enquiry in relation to an outstanding application or a potential application.

This Privacy Notice applies to any individual who uses the following services:

  • Adult First service
  • Basic check service
  • Standard, Enhanced or Enhanced with Barred List(s) check service
  • Update Service
  • Any enquiries related to the above services.

This Privacy Notice applies whether you make an application using a hard copy format (paper form) or use an online format.

This Privacy Notice applies whether you apply directly (Basic) or use a Registered Body (RB) (Standard, Enhanced or Enhanced with barred list(s) check) or Responsible Organisation (RO) (Basic) to make your application. DBS become Data Controller once we receive your personal information, at which point this Privacy Notice becomes applicable.

In addition, we may hold your Data if you have contacted us with an enquiry by phone, online or email.

This Privacy Notice does not apply when you initially submit your personal details to an RB or RO. Until we have received the information from the RB/RO, they remain the Data Controller and should provide their own Privacy Notice to explain how they manage your personal details.

This Privacy Notice does not apply to Accountable Officers (AOs) or a Counter Signatories. They have a separate Privacy Notice as the data they submit to become a Partner of DBS will have a different purpose and may be managed differently. Privacy notices for these roles can be found here (Accountable Officer and Counter signatory Privacy Notice).

This Privacy Notice does not apply to personal details in relation to Barring Services; DBS Barring has its own Privacy Notice related to its own services that can be found here (Barring Privacy Notice).

4.  What is the Purpose for processing Data?

DBS protects the public by helping employers make safer recruitment and employment decisions, and by barring individuals who pose a risk to vulnerable people.  To do this we will process information, including Data, in order to:

  • create a system profile for you - this helps us to identify you if you apply again
  • send SMS text messages, where requested, to update you on the progress of your application
  • allow you to view your DBS basic certificate online
  • allow the AO or another third party to view your basic certificate (with your consent only)
  • issue an electronic result to you or your RB/RO, at your request.
  • send a paper version of the certificate to you (all products) or a third party, at your request (basic certificates only)
  • process payments, when appropriate
  • review and process your application for a Basic, Standard, Enhanced or Enhanced with Barred List(s) DBS check certificate and associated online result
  • process requests for criminal records checks (DBS checks). This will include searching police records, police information and DBS barring records, issuing a DBS certificate to the applicant and, in certain circumstances, obtaining fingerprints
  • provide you access to the Update Service (Standard and Enhanced only), and allow employers to check for changes (with your consent)
  • process ‘Adult First’ Checks - DBS Adult First is a service provided by the Disclosure and Barring Service that can be used in cases where, exceptionally, and in accordance with the terms of Department of Health guidance, a person is permitted to start work with adults before a DBS Certificate has been obtained. This service enables the employer to obtain information as to the person’s barred status before a certificate is issued by DBS. It is only available to organisations who are eligible to access the DBS adults’ Barred List and who have requested a check of the Barred Lists on their DBS application form

4.1  to service your request or query when you contact us

  • conduct testing of the DBS systems. Testing is undertaken to ensure that our IT systems function as per specified requirements, to ensure that the correct data is being extracted from DBS databases. Where it is not practical to pseudonymise or anonymise your data, or use dummy data, we will test our systems using actual Personal Data. This testing will only take place in environments that are secured to the same level as our live system. To note that for context pseudonymised data is personal data which has had direct identifiers removed from it, anonymised data is information from which no individual can be identified, and dummy data is data which has been designed to replicate other data but does actually relate to specific and genuine individuals; and

  • conduct research activities to:

    • monitor and improve the services provided to you, gather your views and obtain feedback on the service you have received, improve the systems by which we help employers make safer recruitment and employment decisions, and bar individuals who might pose a risk to vulnerable people and improve our knowledge and influence in safeguarding; and
    • analyse and improve the website information and features offered to individuals regarding barring services and making a barring referral.

5. What Data will DBS process and the lawful reason for processing?

One of the obligations under the UK GDPR is that the DBS must be able to satisfy one or more ‘lawful bases’ in order to lawfully process Data. A lawful basis is a specific provision which allows Personal Data, Special Categories of Personal Data and Criminal Offences Data to be processed in certain circumstances. There are several potential lawful bases and these are set out in Article 6 UK GDPR. In the case of Special Categories of Personal Data then we must also be able to rely on an additional lawful basis as set out in Article 9 UK GDPR, and for Criminal Offences Data in compliance with Article 10 UK GDPR.

6. The table below sets out:

  1. The Data we process, including Personal Data, Special Categories of Personal Data and Criminal Offences Data;

2.The purpose(s) for which we process it; and

3.The lawful basis/es relied upon in order to do so.

It may be necessary, from time to time, for the DBS to process Data for reasons which are related to the purposes but not specifically included in the table below.  This is known as processing for a ‘compatible’ purpose and is permissible if it is legitimised by an applicable lawful basis – the DBS will always ensure that any compatible processing of Personal Data is justified by a lawful basis and is otherwise compliant with the UK GDPR and DPA 2018.

With that background in mind the following information is compiled in relation to the DBS’ specific processing of your Data:

Personal Data Processed Processing Activity Lawful Reason for Processing
Forename, surname, date or birth, place of birth, address, previous addresses, email, phone number, driving licence details, passport details, barred status, gender, previous gender, national insurance number, photograph, fingerprint details, birth records, Marriage records and any alternative names used (aliases).

Criminal Offences Data.

Special Categories of Personal Data:

-Personal data revealing racial or ethnic origin.

-Data concerning health.		 All Disclosure functions of DBS, which include the processing of Basic, Standard, Enhanced and Enhanced with Barred List(s) DBS checks, are contained within Part V of the Police Act 1997.

Processing Adult First checks		 Personal data is processed using Article 6(1)(e) processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller.

Special Categories of Personal Data are processed using Article 9(2)(g) substantial public interest in the exercise of a function of a government department (lawful condition: Para 6(2)(a) of Part 2 Schedule 1 DPA 2018)

Criminal Offences Data is processed using Article 10 - under the control of official authority
Forename, surname, date or birth, address, email, phone number, When you contact us to make a request or ask us a question Where Personal data is processed in relation to disclosure  services it will be processed using Article 6(1)(e) processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller.

Special Category data and Criminal Offences Data is not processed as part of our Customer Contact Centre Services.
(Any of the data elements mentioned above) Conducting testing for DBS systems.

analyse and improve the website information and features.		 Personal data is processed using Article 6(1)(e) processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller.

Special Categories of Personal Data are processed using Article 9(2)(g) substantial public interest in the exercise of a function of a government department (lawful condition: Para 6(2)(a) of Part 2 Schedule 1 DPA 2018)

Criminal Offences Data is processed using Article 10 - under the control of official authority
(Any of the data elements mentioned above) Conducting research activities Personal data is processed using Article 6(1)(e) processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller.

Where Special Categories of Personal Data or Criminal Offences Data is collected, a separate condition for processing under Article 9 (2) (j) of the UK GDPR will apply.

“Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) (as supplemented by section 19 of the 2018 Act) based on domestic law.”

Where the above lawful reasons are not appropriate for a research activity, whether that be the use of Personal Data, Special Categories of Personal Data or Criminal Offences Data, the lawful basis for processing your personal data is consent.  We will always seek consent prior to your participation in the research if this is the case

7. Where do we get Data From?

We will obtain Data directly from yourself as well as from a range of other potential sources, depending on the context and as described further below.

We may check information about you with other information we hold e.g. previous applications and information revealed from Barring Records. Information from previous applications is stored and used in line with our Retention Policy.

We may request information from other identified relevant organisations e.g. Police, Social Services, Keepers of Registers, Supervisory Authorities or your employer etc.

We may be required to gather further information from relevant parties to consider your application. DBS will only request information that is relevant and where we are legally permitted to do so.

How do we protect your Data?

If we ask you for your Data, we will:

  • ensure only appropriate DBS personnel have access to the information held by DBS when performing disclosure services
  • store and process your Data securely
  • only keep your Data for as long as we need to
  • ensure there are procedures in place for dealing promptly with any disputes or complaints;
  • follow our security protocols which includes restricted access to our secure paper and computer files. Where your Data is held in paper format we have secure storage, secure off-site storage and processes for managing this
  • have approved measures in place to stop unlawful access and disclosure. All our IT systems are subject to formal accreditation in line with HMG policy. They also align with the security requirements set out in the UK GDPR and DPA 2018 to protect against unauthorised or unlawful processing
  • ensure all our staff, suppliers and contractors are security vetted by the Home Office security unit prior to taking up employment and due diligence on third party contractors is undertaken prior to entering into a contract. All staff are data protection trained and are aware of their responsibilities; and
  • conduct regular compliance checks on all DBS departments and systems. In addition, continual security checks on our IT systems are undertaken

In return, we ask you to:

  • give us accurate information
  • tell us as soon as possible if there are any changes to your Data or personal details, such as a new address

This helps us to keep your Data reliable, up to date and secure. This will apply whether we hold your Data on paper or in electronic form.

8.  Who does DBS share Data with?

DBS will only share Data where it has a lawful basis to do so. This could be under the provisions of the Police Act 1997, or other legislation requiring or enabling DBS to share information.

Where the 3rd party is a Data Controller in their own right, they should issue their own Privacy Notice which tells you how they process your data.

We will share data with Registered Bodies (RBs)/Responsible Organisations (ROs)

An RO is an organisation registered with DBS to submit Basic checks on behalf of an organisation or directly for the individual being checked. Within an RO there must be an Accountable Officer (AO). An AO is usually a senior person within the RO who manages applications sent to the DBS.

An RB is an organisation registered with DBS to submit Standard, Enhanced and Enhanced with Barred List(s) checks. A lead counter signatory is a senior figure within an RB. They are registered with DBS to countersign applications and will also oversee DBS process within their organisation. All RBs must have a lead counter signatory. RBs may also have counter signatories who are registered with DBS to countersign Standard, Enhanced and Enhanced with Barred List(s) applications.

We know that information released on DBS certificates can be extremely sensitive and personal. Therefore, organisations using the DBS checking service must comply with our code of practice for RBs and Basic check processing standards for ROs. These documents ensure organisations are aware of their obligations and that the information released will be used fairly. They also require that sensitive, personal information disclosed by DBS is handled and stored appropriately and is kept for only as long as necessary.

AOs and counter signatories have a separate Privacy Notice as the data they submit to become a representative of DBS will have a different purpose and may be managed differently. Privacy notices for these roles can be found here (Accountable Officer and Counter signatory Privacy Notice).

DBS shares Data with other government departments, official organisations and external organisations. Also note that the Barring Function will share Data, on request, with employers, managers of volunteers and local authorities where it is within the legitimate interests of that organisations to do so.  Legitimate Interest requests are used by several bodies who can demonstrate, within the provisions of the UK GDPR that Legitimate Interest can be used as a lawful reason to share data.

DBS have a specific authority to share data under a legitimate interest legislative provision,

  • Safeguarding Vulnerable Groups (Miscellaneous Amendments) Order 2012

  • Safeguarding Vulnerable Groups (Miscellaneous Amendments) Order (Northern Ireland) 2012.

9. Retention of Data

Your Data will be held for no longer than is necessary for the purpose for which it was collected (or another compatible purpose).  DBS have a Data Retention Policy and Data retention schedules to ensure that Data is not held for any longer.  Data retention details for individuals or for general categories of data can be requested by using the Data Protection Officer contact details given in this Privacy Notice.

In some cases, DBS may sometimes retain information past the DBS Retention date if there is a specific need for us to do so. This includes circumstances in which the information we hold may be relevant to a public inquiry.

At the conclusion of, any public inquiry Data and information which has been retained beyond its retention period will be securely destroyed and/or anonymised as soon as is practicably and technologically possible.

10. Cookies

DBS uses cookies to gain a better understanding of how visitors use our website. Cookies help us tailor to your personal needs, to improve usability.

To enable this, some cookies are applied when you enter the website. DBS keeps all the information collected from cookies in a format that means we cannot identify individuals. DBS cookies located on your computer do not retain your name or your IP address.

To learn more about how we use cookies, see our Cookies Policy.

11. Our Use of Artificial Intelligence.

Artificial Intelligence (or “AI”) is a term used for a range of technologies that can replace manual processes and solve complex tasks by carrying out functions that previously required human action. Tasks that we have traditionally undertaken by thinking and reasoning may be undertaken by, or with the help of, AI.

We use AI to support our existing activities and improve our business processes with a particular focus on simplifying complex processes, ensuring consistent standards and driving efficiencies.

This means that how we collect and process your personal information and the types of personal information we use do not change. We do not use your Data to make automated decisions about you and or profiling.

To use AI, we combine information you have provided to us directly, information we derive about you from your use of our services or your interactions with us, and information from other people and organisations. We use your Data lawfully and for the purposes explained in this Notice.

12. Your rights and how we protect them

We are committed to respect and protect your rights under the UK Data protection Legislation and Regulations. We will always seek to process your Data in accordance with DBS obligations and rights and your rights

Please see more information about your rights and how to exercise them in our Data Subject Rights Policy here.

13. Contact the Data Protection Officer

As Data Controller, DBS have appointed a data protection officer to oversee data protection compliance across all of DBS’ processing activities.

If you have any questions about this Notice, would like to exercise any of your rights, are dissatisfied, or wish to make a complaint regarding the way we have processed your Personal Data, you can contact the DBS Data Protection Officer. Their contact details are as follows:

Email:

dbsdataprotection@dbs.gov.uk

Address:

DBS Data Protection Officer
Disclosure and Barring Service
PO Box 165
Liverpool
L69 3JD

14. Make a Complaint to DBS or the Information Commissioner’s Office (ICO)

If you remain dissatisfied with the response received from us, you have the right to lodge a complaint to the ICO.

Address:

The Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

or you can make a complaint online at: https://ico.org.uk/make-a-complaint.

15. Notification of changes

We may make changes to this Notice as required from time to time. In that case, the ‘last updated’ date at the bottom of this page will also change and we will update the website. Any changes to this Notice will apply to you and your Data immediately.

If these changes materially change how your Data is processed, DBS will take reasonable steps to let you know if required by law.

Last updated

This Notice was last updated October 2025.

Back to top