Policy paper

DBS Registered Body Registration Privacy Notice

Updated 20 March 2026

© Crown copyright 2026

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/dbs-registered-body-registration-privacy-notice/dbs-registered-body-registration-privacy-notice

This is the Privacy Notice (“Notice”) relating to data the Disclosure and Barring Service (“DBS”) uses to perform the DBS Registered Body registration functions. It tells you how we will use and protect the data you have provided to us and the data we receive from you and third parties for the purposes of assessing applications to be lead and counter signatories for Registered Bodies. Such reference to “data” means all forms of Personal Data and Criminal Offences Data, as further explained in section 2 of this Notice.

Our Notice is divided into separate sections for ease of reference. Each section sets out important information about how DBS may collect and use personal data in connection with our registration functions.

There are further DBS privacy notices which cover other statutory functions undertaken by DBS. They can be accessed here.

If you follow a link on our website to a service provided by another government department, agency, local authority or any other third party that organisation will:

  • be the data controller for any personal data, special categories of data and criminal offences data you provide to them, or they collect from you
  • be responsible for processing any data you share with them
  • publish and manage their own privacy notice setting out details of their processing of your personal data as well as on how to contact them

1. Introduction

DBS was established under the Protection of Freedoms Act 2012 (PoFA) on 1 December 2012 and undertakes a number of functions which can be reviewed on our website.

DBS is responsible for:

  • DBS checks: processing requests for, and issuing, DBS checks for England, Wales, the Channel Islands and the Isle of Man. Please see our guide on DBS checks for further information

  • Registration: assessing the suitability of organisations & individuals to be registered with DBS as a Registered Body and lead or countersignatory respectively

  • Barred Lists: making considered decisions regarding whether an individual should be barred from engaging in regulated activity with children, adults or both, in England, Wales and Northern Ireland, and maintaining these Barred Lists. Further information on barring referrals can be found on Making Barring Referrals to DBS

  • Disclosure: The disclosure functions of DBS are contained within Part V of the Police Act 1997 (PA)

  • Barring: The barring functions of DBS are underpinned by the Safeguarding Vulnerable Groups Act 2006 (SVGA) and the Safeguarding Vulnerable Groups (Northern Ireland) Order 2007 (SVGO)

DBS’ use of data, in order for it to discharge its functions is primarily governed by the UK GDPR (which is the form of the EU GDPR as implemented into UK law) and the Data Protection Act 2018. In effect the DPA 2018 supplements the UK GDPR by making provision for a number of specific areas, including processing personal data for law enforcement purposes as well as setting out certain exemptions to data subject rights.

2. What Is Personal Data?

‘Personal Data’ is defined in the UK GDPR as information which relates to you as an individual and from which you can be identified, either directly or indirectly. Personal data also otherwise concerns you as an individual, meaning that it relates to you as an individual in some meaningful way.

‘Special categories of personal data’ under the UK GDPR are personal data revealing:

  • racial or ethnic origin

  • political opinions

  • religious or philosophical beliefs

  • trade union membership

  • the processing of genetic data / biometric data:

    • for the purpose of uniquely identifying a natural person
    • concerning health
    • concerning a natural person’s sex life or sexual orientation

These categories of personal data are subject to additional, and more restrictive, obligations under the UK GDPR.

The UK GDPR also contains additional obligations relating to ‘Criminal Offences Data’. This is personal data that relates to criminal convictions and offences and covers information about offenders or suspected offenders in the context of criminal activity, allegations, investigations and proceedings.

 You can read the Information Commissioner’s Office (ICO) guidance on personal data for further information.

3. Who This Privacy Notice Applies To?

This Privacy Notice applies to individuals whose data is received and processed by DBS in relation to applications to become a lead or countersignatory for a Registered Body. A lead countersignatory is a senior figure within a Registered Body, registered with DBS to countersign applications and also oversee the DBS process within their organisation. All Registered Bodies must have a lead countersignatory. A countersignatory is a person within a Registered Body registered with DBS to countersign applications, in accordance with Conditions of Registration and the DBS Code of Practice. and will apply to you, if you:

  • applied to DBS to become a lead signatory for a Registered Body
  • applied to DBS to become a countersignatory for a Registered Body
  • carry out the role of a lead or countersignatory
  • make an enquiry relating to the above processes

The lead countersignatory is responsible for making countersignatories aware of this policy.

4. What Is The Purpose For Processing Data?

DBS helps employers make safer recruitment decisions and prevent unsuitable people from working with vulnerable groups, including children. To do this we will process information, including data, in order to:

  • decide whether it is appropriate for a person to be registered as a lead or countersignatory for a     Registered Body.

  • check individuals applying for countersignatory status to the level of a DBS enhanced check with both barred lists. Countersignatories will have access to personal and sensitive information and this allows DBS to assess whether the individual is suitable to carry out this role.

  • review appeals from individuals disputing or challenging a decision to reject an application to become a lead or countersignatory

  • to service your request or query when you contact us

  • conduct testing of DBS systems. Testing is undertaken to ensure that our IT systems function as per specified requirements, to ensure that the correct data is being extracted from DBS databases. Where it is not practical to pseudonymise or anonymise your data, or use dummy data, we will test our systems using actual personal data. This testing will only take place in environments that are secured to the same level as our live system. To note that for context pseudonymised data is personal data which has had direct identifiers removed from it, anonymised data is information from which no individual can be identified, and dummy data is data which has been designed to replicate other data but does actually relate to specific and genuine individuals

  • conduct research activities to:

    • monitor and improve the services provided to you, gather your views and obtain feedback on the service you have received, improve the systems by which we help employers make safer recruitment and employment decisions, and bar individuals who might pose a risk to vulnerable people and improve our knowledge and influence in safeguarding

    • analyse and improve the website information and features offered to individuals regarding barring services and making a barring referral

5. What Data Will DBS Process And The Lawful Reason For Processing?

One of the obligations under the UK GDPR is that DBS must be able to satisfy one or more ‘lawful basis’ in order to lawfully process data. A lawful basis is a specific provision which allows personal data, special categories of personal data and criminal offences data to be processed in certain circumstances. There are a number of potential lawful bases and these are set out in Article 6 UK GDPR. In the case of special categories of personal data then we must also be able to rely on an additional lawful basis as set out in Article 9 UK GDPR, and for criminal offences data in compliance with Article 10 UK GDPR.

The table below sets out:

  1. The data we process, including personal data, special categories of personal data and criminal offences data
  2. The purpose(s) for which we process it
  3. The lawful basis/es relied upon in order to do so

It may be necessary, from time to time, for DBS to process data for reasons which are related to the purposes set out below but not necessarily included specifically in the table below. This is known as processing for a ‘compatible’ purpose and is permissible provided that it is legitimised by an applicable lawful basis – DBS will always ensure that any compatible processing of personal data is justified by a lawful basis and is otherwise compliant with the UK GDPR and DPA 2018.

With the background in mind, the following information is compiled in relation to DBS’ specific processing of your data:

Personal Data Processed Processing Activity Lawful Reason for Processing
your names; your date of birth; your place of birth; your addresses; your driving licence details; your passport details; your email address; your sex; your national insurance number; your criminal conviction history; Fingerprints. Criminal offences data. Required to be processed for decision making on lead and countersignatory applications Section 120 of the Police Act. makes clear which information we can consider in making these decisions. Personal data is processed using Article 6(1)(e) processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller. Criminal offences data is processed using Article 10 - under the control of official authority.
Name, contact details, employer Required to be processed for decision making lead and countersignatory applications  
Forename, surname, date or birth, address, email, phone number, signatory number When you contact us to make a request or ask us a question  
Any of the data elements mentioned above Conducting testing for DBS systems. Analyse and improve the website information and features. Processed using Legitimate Interests (Article 6(1)(f) UK GDPR) as the lawful reason for processing.
Any of the data elements mentioned above Conducting research activities Personal data is processed using Article 6(1)(e) processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller. Special categories of personal data are processed using Article 9(2)(g) substantial public interest in the exercise of a function of a government department (lawful condition: Para 6(2)(a) of Part 2 Schedule 1 DPA 2018). Criminal offences data is processed using Article 10 - under the control of official authority.

6. Where Do We Get Data From?

We will obtain data directly from yourself as well as from a range of other potential sources, depending on the context and as described further below.

We may check information about you with other information we hold e.g.  information revealed from an Enhanced DBS check.

We may request information from other identified relevant organisations e.g. Police,

DBS will only request information that is relevant and where we are legally permitted to do so.

7. How Do We Protect Your Data?

If we ask you for your data, we will:

  • ensure only appropriate DBS personnel have access to the information held by DBS when considering including or removing someone from the DBS Barred Lists
  • store and process your Data securely
  • only keep your data for as long as we need to
  • ensure there are procedures in place for dealing promptly with any disputes or complaints
  • follow our security protocols which includes our secure paper and computer files having restricted access. Where your data is held in paper format we have secure storage, secure off-site storage and processes for managing this
  • have approved measures in place to stop unlawful access and disclosure. All our IT systems are subject to formal accreditation in line with His Majesty’s Government “HMG” policy. They also align with the security requirements set out in the UK GDPR and DPA 2018 to protect against unauthorised or unlawful processing
  • ensure all our staff, suppliers and contractors are security vetted by the Home Office security unit prior to taking up employment and due diligence on third party contractors is undertaken prior to entering into a contract. All staff are data protection trained and are aware of their responsibilities
  • conduct regular compliance checks on all DBS departments and systems. In addition, continual security checks on our IT systems are undertaken

In return, we ask you to:

  • give us accurate information
  • tell us as soon as possible if there are any changes to your data or personal details, such as a new address

This helps us to keep your data reliable, up to date and secure. This will apply whether we hold your data on paper or in electronic form.

8. Who Does DBS Share Data with?

DBS will only share data where it has a lawful basis to do so. This could be under the provisions of the Police Act, the SVGA, or other legislation requiring or enabling DBS to share information.

Where the 3rd party is a Data Controller in their own right, they should issue their own Privacy Notice which tells you how they process your data.

DBS shares data with other government departments, official organisations and external organisations. Legitimate Interest requests are used by several bodies who can demonstrate, within the provisions of the UK GDPR that Legitimate Interest can be used as a lawful reason to share data.

9. Retention Of Data

Your data will be held for no longer than is necessary for the purpose for which it was collected (or another compatible purpose). DBS has a Data Retention Policy and data retention schedules to ensure that data is not held for any longer. Data retention details for individuals or for general categories of data can be requested by using the Data Protection Officer contact details given in this Privacy Notice.

Individuals considered for barring or who have been included in a Barred List are advised at the outcome of the barring consideration how long the data will be retained by DBS.

In some cases, DBS may sometimes retain information past the DBS Retention date if there is a specific need for us to do so. This includes circumstances in which the information we hold may be relevant to a public inquiry.

At the conclusion of any public inquiry, data and information which has been retained beyond its retention period, will be securely destroyed and/or anonymised as soon as is practicably and technologically possible.

10. Cookies

DBS uses cookies to gain a better understanding of how visitors use our website. Cookies help us tailor to your personal needs, to improve usability.

To enable this, some cookies are applied when you enter the website. DBS keeps all the information collected from cookies in a format that means we cannot identify individuals. DBS cookies located on your computer do not retain your name or your IP address.

To learn more about how we use cookies, see our Cookies Policy.

11. Our Use of Artificial Intelligence

Artificial Intelligence (or “AI”) is a term used for a range of technologies that can replace manual processes and solve complex tasks by carrying out functions that previously required human action. Tasks that we have traditionally undertaken by thinking and reasoning may be undertaken by, or with the help of, AI.

We use AI to support our existing activities and improve our business processes with a particular focus on simplifying complex processes, ensuring consistent standards and driving efficiencies.

This means that how we collect and process your personal information and the types of personal information we use do not change. We do not use your data to make automated decisions about you and or profiling.

To use AI, we combine information you have provided to us directly, information we derive about you from your use of our services or your interactions with us, and information from other people and organisations. We use your data lawfully and for the purposes explained in this Notice.

12. Your Rights and How We Protect Them

We are committed to respect and protect your rights under the UK Data Protection legislation and regulations. We will always seek to process your Data in accordance with DBS obligations and your rights.

Please see more information about your rights and how to exercise them in our Data Subject Rights Policy here.

13. Contact The Data Protection Officer

As Data Controller, DBS has appointed a data protection officer to oversee data protection compliance across all of DBS’ processing activities.

If you have any questions about this Notice, would like to exercise any of your rights, are dissatisfied, or wish to make a complaint regarding the way we have processed your personal data, you can contact the DBS Data Protection Officer. Their contact details are as follows:

Email:

dbsdataprotection@dbs.gov.uk

Address:

DBS Data Protection Officer
Disclosure and Barring Service
PO Box 165
Liverpool
L69 3JD

14. Make A Complaint to DBS Or The Information Commissioner’s Office (ICO)

If you then remain dissatisfied with the response received from us, you have the right to lodge a complaint to the ICO.

Address:

The Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

or you can make a complaint online at: https://ico.org.uk/make-a-complaint.

15. Notification Of Changes

We may make changes to this Notice as required from time to time. In that case, the ‘last updated’ date at the bottom of this page will also change and we will update the website. Any changes to this Notice will apply to you and your data immediately.

If these changes materially change how your data is processed, DBS will take reasonable steps to let you know if required by law.

16. Last updated

This Notice was last updated December 2025

Back to top