Policy paper

Standard and Enhanced DBS Check Privacy Policy

Updated 25 January 2021

1. About us

1.1. The Disclosure and Barring Service (DBS) helps employers make safer recruitment decisions and prevent unsuitable people from working with vulnerable groups, including children.

1.2. Every year we issue around four million DBS certificates. We also manage both the children’s and adults’ barred lists.

1.3. We search police records and in relevant cases, barred list information, and then issue a DBS certificate to you.

1.4. Occasionally, in certain circumstances, and to produce a complete and accurate certificate, we must issue a manually produced certificate. Manual certificates follow the same checking processes as our system-generated certificates and are equally valid. It must be noted however, that applicants issued with a manual certificate cannot join the update service with that certificate.

1.5. We know that information released on DBS certificates can be extremely sensitive and personal. Therefore, organisations using the DBS checking service must comply with our code of practice. The code is there to ensure organisations are aware of their obligations and that the information released will be used fairly. The code also requires that sensitive, personal information disclosed by the DBS, is handled and stored appropriately and is kept for only as long as necessary.

1.6. DBS offer different types of check issued under the Police Act 1997:

  • a basic check shows unspent convictions and conditional cautions under the terms of the Rehabilitation of Offenders Act 1974

  • a standard check shows spent and unspent convictions, cautions, reprimands and final warnings which are not subject to filtering

  • an enhanced check shows the same as a standard check plus any information held by local police that the Chief Officer reasonably believes to be relevant and, in the Chief Officer’s opinion, ought to be included in the certificate, relating to the child or adult workforces. Where the application is for any other role, the police will consider the nature of the role in the release of information

  • an enhanced check with barred lists shows the same as an enhanced check plus whether the applicant is in the list of people barred from working with children and/or other vulnerable groups

1.7. Employers can only legally carry out a standard or enhanced check when you apply for certain roles. For example you may be applying for a role in either healthcare or childcare. Further guidance relating to eligibility can be found here.

1.8. You will have the ability to track your application for standard and enhanced checks. You will need to enter your form reference number and date of birth to use this facility.

2. What is it I need to know?

2.1. This is our Privacy Policy in respect of standard and enhanced DBS checks. It tells you how we will use and protect any information we hold about you as part of your standard or enhanced disclosure application.

2.2. The Policy also explains what your rights are as a standard or enhanced applicant in accordance with Data Protection legislation. Should there be any changes to Data Protection legislation as a result of the UK leaving the EU from January 2021 this document will be updated accordingly. It says why we need your personal data, what we will do with it and what you can expect from us. It also explains how to get a copy of any personal data we may hold about you. This is called a Subject Access Request.

2.3. We do have other Privacy Policies that cover our other statutory functions. They can be accessed here.

3. How will we use the personal information supplied to us?

3.1. We at DBS collect your personal data to:

  • process requests for criminal records checks (DBS checks). This will include searching police records, issuing a DBS certificate to the applicant and in certain circumstances, obtaining fingerprints
  • decide whether it is appropriate for a person to be placed on or removed from a barred list, if information is disclosed on a DBS certificate
  • process ‘Adult First’ checks - this is a service* provided by DBS under the Police Act 1997. It can be used in exceptional cases where a person is permitted to start regulated activity work with adults, before a DBS certificate has been obtained. This service is only available to organisations who are eligible to access the DBS adults’ barred list and who have requested a check of the barred list on their DBS application form. The DBS Adult First check allows an individual to be checked against the DBS adults’ barred list ahead of the DBS certificate being issued. A preliminary result is sent to the Registered Body who submitted the application

*Please note, we do not use any non-essential cookies on the Adult First Service. An essential session cookie is used to support the user whilst using the service.

3.2. The information we collect about you depends on the reason for your business with us. We may use the information we obtain for any of the purposes listed above.

3.3. Your information may also be used for testing purposes. Testing is undertaken to ensure that our systems function as per specified requirements. If it is not practical to disguise your data or use dummy data, then we will test our system using your data. This testing will only take place in environments that are secured to the same level as our live system.

Please note we may use previous applications you have submitted to assist in the checking process.

4. Who is the data controller?

4.1. A data controller decides the purpose and way in which any personal data is processed.

4.2. DBS is the data controller of information held by us for the purposes of the Data Protection Act 2018 and General Data Protection Regulation (GDPR). We are responsible for the safety and security of the data we hold.

5. Who are the data processors?

5.1. A data processor is anyone (other than an employee of a data controller) who processes that data on behalf of the controller.

5.2. At DBS we have a range of suppliers who process data on behalf of DBS as defined in section 9. We make sure that our data processors comply with all relevant requirements under data protection legislation. This is a requirement defined in our contractual arrangements with them.

6. Contacting the Data Protection Officer

6.1. The DBS Data Protection Officer can be contacted via email at dbsdataprotection@dbs.gov.uk, or in writing to:

DBS Data Protection Officer
Disclosure and Barring Service
PO Box 165
Liverpool
L69 3JD

7.1. The DBS was established under the Protection of Freedoms Act (PoFA) 2012 on 1 December 2012. Disclosure functions of the DBS, which includes the processing of standard and enhanced DBS checks, are contained within Part V of the Police Act 1997.

7.2. We provide a service which enables employers in the public, private and voluntary sectors to make suitability decisions about those they employ. We do this by providing information to enable them to determine whether individuals are unsuitable or unable to undertake certain work in particular, with occupations involving regular contact with vulnerable groups, including children.

7.3. DBS is also able by Para 16 of schedule 18 of the Protection Of Freedoms Act (POFA) 2012 to use information gathered for a function to carry out any of its other functions.

7.4. In addition to the above, we may share information with third parties for other purposes where we are legally permitted to do so.

8. Why would DBS hold my personal data?

8.1. We will only hold your data if you have:

  • previously used or are using the Disclosure Service
  • been referred to the DBS for consideration under the Safeguarding Vulnerable Groups Act 2006 (SVGA) or Safeguarding Vulnerable Groups (Northern Ireland) Order 2007
  • been cautioned or convicted for a relevant (automatic barring) offence that leads to the DBS considering you for inclusion in one or both lists

8.2. If we ask you for personal information, we will:

  • make sure you know why we need this information
  • only ask for information that we need
  • ensure only those appropriate have access to it
  • store your information securely
  • only keep your information for as long as we need to – see our Retention Policy
  • not make it available for commercial use (such as marketing) without your permission
  • ensure you are provided with a copy of data we hold on you, on request – this is called a Subject Access Request
  • ensure there are procedures in place for dealing promptly with any disputes or complaints

Please note: We will share information with ‘relevant authorities’ such as the police, government departments etc. under the Data Protection Act 2018 when required by law or made in connection with legal proceedings. Sch2, Part 1.

8.3. In return, we will ask you to:

  • give us accurate personal information on your application form – failure to supply correct information will result in you being required to submit a new application. It is also an offence under section 123 Police Act 1997 to make a false statement for purpose of obtaining a certificate
  • tell us as soon as possible if there are any changes to your details, such as a new address if we are currently processing a standard or enhanced application

8.4. This helps us to keep your information up-to-date and secure. It will apply if we hold your data on paper or in electronic form.

9. Organisations that are involved in the Disclosure Service

9.1. Data will be passed to organisations and data sources involved with DBS either as a data processor of DBS, or because the organisation is involved in the process of issuing a check. This includes:

  • Canadian Global Information (CGI): CGI supply technology services to DBS. They support the IT infrastructure that allows us to process DBS checks and barring referrals
  • Hinduja Global Solutions UK (HGS): HGS supply contact centre and back office services to DBS. They provide frontline customer support to our service users
  • Swiss Post Solutions Ltd: Swiss Post Solutions Ltd provides print fulfilment services on behalf of DBS, including inbound and outbound document management, and paper and stationery stock management
  • Police forces in England, Wales, Scotland, Northern Ireland, the Isle of Man, and the Channel Islands – searches will be made against the Police National Computer (PNC) and an internal database, and data may be passed to local police forces. The data will be used to update any personal data the police currently hold about you
  • ACRO Criminal Records Office - manages criminal record information and improves the exchange of criminal records and biometric information
  • Other data sources such as British Transport Police, the Service Police and the Ministry of Defence Police - searches are made against the PNC and an internal database. Where a match occurs, the information will be shared to ensure that the record match is you
  • Disclosure Scotland – if you have spent any time in Scotland, your details may be referred to Disclosure Scotland
  • Access Northern Ireland – if you have spent any time in Northern Ireland your details may be referred to Access Northern Ireland
  • Independent monitor (IM) - to undertake reviews on local intelligence (approved information) released by local police forces
  • United Kingdom Central Authority - for exchange of criminal records with other EU countries
  • The Child Exploitation Online Protection Centre (CEOP) who are National Crime Agency (NCA) Command
  • Registered Bodies – the bodies registered with the DBS to submit Disclosure checks
  • DXC Technology - our provider for cloud storage
  • ATOS - for the collection of e-bulk application data
  • National Identity Services (NIS) – assisting in the uploading of old criminal records from Micro Fiche to the PNC
  • The Big Word: Big Word are the organisation authorised to translate DBS certificates into Braille (if required) with an applicant’s consent

10. Where is my data stored?

10.1. Your data is held in secure paper and computer files. These have restricted access. Where your data is held in paper format we have secure storage and processes for this. In some cases, we may use secure off-site storage. We have approved measures in place to stop unlawful access and disclosure. All our IT systems are subject to formal accreditation in line with His Majesty’s Government (HMG) policy. They also comply with the security required within DPA 2018/GDPR to make sure that personal data is processed in a manner that ensures appropriate security of the data including protection against unauthorised or unlawful processing.

11. How long will DBS hold my information?

11.1. We operate a Data Retention Policy to ensure that data is not held for longer than necessary. However at present, your information may be held beyond the specified retention periods, and placed out of operational use, where there is the potential for it to fall under the remit of Independent Inquiries.

11.2. If required by an inquiry to maintain any data that could be called on by the inquiry the DBS will retain that data until completion of the inquiry. At this point the information will be securely destroyed as soon as is practicable.

12. What are my rights? How will DBS protect them?

12.1. We are committed to protecting your rights, detailed below, under the DPA 2018/GDPR.

12.1.1. Your right to be informed

This document provides you with information in relation to how your data is processed as a DBS applicant. This ensures that we are transparent with regards to what we will do with the information you supply to us on your standard or enhanced application.

12.1.2. Your right to access to your personal data held by the DBS - known as a Subject Access Request

You have the right to request a copy of the information we hold about you.

On receipt of a valid application we will tell you whether we hold any data about you and provide you with a copy. Further information on how to apply can be found here.

12.1.3. Your right to request that information held is accurate. Can I update it?

If you think that the information held by us at DBS is incorrect, you have the right to request that it is corrected.

It is the duty of both you and the Registered Body, the organisation who verifies your identity, to ensure that the information you have submitted on your application form is accurate.

If you believe you have submitted an error on an application that is still in progress you will need to contact us immediately on 03000 200 190.

If you wish to dispute information contained on a completed certificate you can raise a dispute by contacting us on 03000 200 190.

Third parties can also dispute a DBS certificate if they have all the necessary certificate information:

  • the applicant’s name
  • the applicant’s date of birth
  • the certificate number
  • the issue date
  • the applicant’s address

Where this is the case the applicant will be notified by the DBS that a third party has raised a dispute.

Read our guidance on GOV.UK for more information about disputes.

12.1.4. Your right to request erasure of your personal data

In certain circumstances you have a right to have personal data held about you erased. At the DBS we will only do this if certain criteria are met. There are some circumstances where this cannot be done therefore we advise you to seek independent advice before submitting an application to us.

Any requests for information to be erased will be considered on a case-by-case basis.

There are some specific circumstances where the right to erasure does not apply and we may refuse your request.

12.1.5. Your right to prevent DBS from processing information which is likely to cause you damage or distress

You have the right to request restriction of processing where it has been established that one of the following applies:

  • the accuracy of personal data is contested, during the period of rectification
  • where processing is unlawful
  • where an individual has requested it is retained to enable them to establish, exercise or defend legal claims
  • pending verification of the outcome of the right to object
  • where processing has been restricted

DBS customers can request restriction of processing for any of the above reasons until these are resolved. Should you wish to restrict processing you will need to call the DBS helpline on 03000 200 190. Any requests to stop processing will be considered on a case-by-case basis.

12.1.6. Right to receive an electronic copy of any information you have consented to be supplied to us - known as data portability

You have the right, where this is technically feasible, to electronically receive any personal data you have provided to DBS to process, on a consent basis.

Please note that basic, standard and enhanced certificates are processed under our legal obligation, under Part V of the Police Act 1997, and barring information is processed under the Safeguarding and Vulnerable Groups Act 2006. Therefore, this information falls outside of the right to data portability.

All requests for portability will be considered on a case-by-case basis.

12.1.7. You have the right to object to the processing of your information

Should you wish for the DBS to stop processing your application you will need to withdraw the application. However DBS will continue to hold the information in line with our retention requirements.

12.1.8. You have rights relating to automated decisions being made about you

Our disclosure process is generally automated. However, if the system identifies that there is potentially police information held about you, this is then sent to the relevant police force for consideration as to whether that information should be disclosed on your certificate. This is not an automated process and involves the judgment of the Chief Officer.

You have the right to object to any automated decision making. It should be noted that you would need to inform us of this on submission of your application as the certificate can be issued quite quickly. Please contact the DBS helpline on 03000 200 190.

Barring service

The only automated decision process currently undertaken when a person is considered for barring by DBS takes place when the person has been cautioned or convicted for an autobar offence and there exists no rights to make representations before inclusion. On notification of inclusion on a barred list you will be informed if your decision has been made by automated means and you will be provided with the opportunity to request a manual review of this decision. DBS do not currently undertake any profiling activities.

12.1.9. You have the right to make a complaint to the DBS and the Information Commissioner’s Office (ICO)

If you wish to make a complaint to us regarding the way in which we have processed your personal data you can make a complaint to the Data Protection Officer via the contact details in Section 6.1.

If you then remain dissatisfied with the response received, you have the right to lodge a complaint to the ICO at the following address:

The Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

https://ico.org.uk

13. Restrictions

13.1. There are restrictions to the rights of individuals and these are:

  • National Security
  • Defence Public Security
  • Crime & Taxation

14. Transfer outside the European Economic Area

14.1. If you have spent time in the Channel Islands or the Isle of Man, it is likely that your data will be passed to police forces in that area. If any of your data has to be transferred outside of the UK, the DBS will ensure that an adequate level of protection is put in place.

15. Our staff and systems

15.1. All our staff, suppliers and contractors are security vetted by the Home Office Security Unit prior to taking up employment. All staff are data protection trained and are aware of their data protection responsibilities. This training is refreshed on an annual basis.

15.2. We conduct regular compliance checks on all DBS departments and systems. All checks are to the standard set out by the Information Commissioner’s Office. In addition, continual security checks are carried out on our IT systems.

16. Notification of changes

16.1. If we decide to change our Privacy Policy, we will add a new version to our website.