Policy paper

Subject Access Request Privacy Policy

Updated 5 July 2018

© Crown copyright 2018

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/subject-access-request-privacy-policy/subject-access-privacy-policy

1. About us

1.1 The Disclosure and Barring Service (DBS) helps employers make safer recruitment decisions and prevent unsuitable people from working with vulnerable groups, including children.

2. About this policy

2.1 The Data Protect Act 2018 (DPA) and General Data Protection Regulation (GDPR) allow you to make a request to DBS for copies of all personal information we hold about you. This is known as a Subject Access Request.

2.2 This Privacy Policy applies to all individuals who make a subject access request to DBS, unless otherwise stated.

2.3 The policy tells you what your rights are as an individual when requesting a copy of all the information that DBS holds under DPA/GDPR Article 15, why we need to verify your identity, what we will do with it and what you can expect from us.

2.4 It also tells you how to get a copy of any personal information we may hold about you. This is called, as mentioned above, a Subject Access Request. There are further DBS privacy policies which cover our statutory functions undertaken by DBS. They can be accessed here.

3. How will we use the personal information supplied to us?

3.1 We will verify your identity to process a subject access request in order to:

  • search our systems and clerical records to identify any information we may hold about you
  • prepare the information to be sent to you - this will be information already held; we will not reprocess your information to create any new records or products

4. Why would DBS hold my personal information?

4.1 The most common reasons that we will hold your information is if you have:

  • previously used or are using a DBS service to obtain a DBS certificate
  • been referred to DBS by an employer or regulatory body, that leads to DBS considering you for inclusion in the children’s and/or adults’ Barred Lists
  • been included as a named victim or witness in a barring referral (you will need to tell us the name of the individual referred)
  • been cautioned or convicted for a relevant automatic barring offence that leads to DBS considering you for inclusion in one or both lists
  • previously applied or are in the process of applying to be a Lead Countersignatory or Countersignatory of an organisation registered with DBS to process standard and enhanced applications
  • previously applied or are in the process of applying to be an accountable officer within a responsible organisation set up to submit basic applications
  • are or have been an employee of DBS, the Criminal Records Bureau or Independent Safeguarding Authority
  • been involved in carrying out finance related functions for organisations who use our service
  • been involved in delivering services via a contract

This is not a limited set of circumstances and we will search all our systems and records to check for information for all subject access requests.

5. Who is the data controller?

5.1 DBS is the data controller of information held by DBS for the purposes of DPA/GDPR. A data controller determines the purposes for which, and the manner in which, any personal data is to be processed (either alone or jointly or in common with others).

5.2 We have the responsibility for the safety and security of all the data we hold.

6. Who are the data processors?

6.1 Any supplier that works on behalf of DBS is one of our data processors. A data processor is any organisation that processes data on behalf of DBS. We make sure that our data processors comply with all relevant requirements under data protection legislation. This is defined in the contractual arrangements we have with them.

7. Contacting the Data Protection Officer

7.1 The DBS Data Protection Officer can be contacted via email at dbsdataprotection@dbs.gov.uk or in writing to:

DBS Data Protection Officer
Disclosure and Barring Service
PO Box 165
Liverpool
L69 3JD

8. What can you expect from us?

8.1 We aim to provide you with a copy of the information we hold about you within one calendar month of receiving a valid request.

8.2 In rare circumstances where we cannot meet that deadline, we will contact you within that calendar month to tell you the reasons why and give you a realistic date of when we will provide the information. This should be no longer than 3 months from the original date of a valid application.

8.3 We will send you a copy of all the information we hold on you. Any third-party information will be redacted unless we have consent from the third party to provide it.

8.4 We reserve the right to charge an administrative fee and will inform you of this. Further information about when a fee may be payable can be found here.

8.5 Where possible, we will provide your information electronically if you wish. Please tell us if you want the information electronically.

9. What can you do if you think the information DBS holds is inaccurate?

9.1 If you are dissatisfied with the way your subject access request has been processed raise a concern with the DBS Data Protection Officer using the contact details in Section 7.

9.2 If you believe that data contained in your subject access information is incorrect, please complete the form that was in your subject access package and return it to DBS.

9.3 If you believe that information contained on the printout of your disclosure-related information is incorrect, you should raise a dispute rather than a concern. Please see guidance on raising a dispute here.

9.4 Where the barring referral information was provided to DBS by another party, you should contact them direct. You should ask them to consider the request to correct the information e.g. if your request relates to an employer statement, strategy minutes or the PNC.

10. Who will we share your subject access request information with?

10.1 We will only share your information with a third party if you write to us and give your consent for us to provide it to someone else.

11. Where is my subject access information stored?

11.1 Your information is held in secure paper and computer files, which have restricted access. Where your information is held in paper format we have secure on site storage and processes for this. All our IT systems are subject to formal accreditation in line with His Majesty’s Government (HMG) policy. They also align with the security required within DPA/GDPR to protect against unauthorised and/or unlawful processing.

12. How long will DBS retain my subject access information?

12.1 We operate a Data Retention Policy to ensure that information is not held for longer than necessary.

13. Our staff and systems

13.1 All our staff, suppliers and contractors are security vetted by the Home Office security unit before taking up employment. All staff are data protection trained and are aware of their data protection responsibilities. This is refreshed on an annual basis. We conduct regular compliance checks on all DBS departments and systems and continual security checks on our IT systems are undertaken.

14. You have the right to make a complaint to DBS and the ICO

14.1 If you wish to make a complaint to DBS about the way in which we have processed your personal information you can make a complaint to the Data Protection Officer via the contact details in Section 7.

14.2 If you remain dissatisfied with the response received, you have the right to lodge a complaint to the ICO at the following address:

The Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

https://ico.org.uk/

15. Notification of changes

15.1 If we decide to change our privacy policy, we will add a new version to our website.

Back to top