Processing Special Category and Criminal Data Policy
Updated 19 September 2024
1. 1. Introduction
1.1 This policy document has been produced by the Disclosure & Barring Service (DBS) with regard to our obligations under the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018 (“DPA 2018”). It should be read alongside the DBS Privacy Policies.
1.2 GDPR does not allow the processing of special categories of personal data unless it is for substantial public interest.
1.3 Personal data about criminal offences and convictions are dealt with separately in GDPR. The DPA also provides for the processing of criminal data where legislation is in place. DBS Staff must have regard to this policy.
1.4 Processing of special category and criminal conviction data inc cautions has been conferred on DBS under provisions of The Safeguarding Vulnerable Groups Act 2006 (SVGA) / Safeguarding Vulnerable Groups (Northern Ireland) Order 2007 (SVGO), the Protection of Freedoms Act (PoFA) 2012 on 1 December 2012 and within Part V of the Police Act 1997.
2. 2. Purpose
2.1 The purpose of this policy is to tell you the:
- DBS purposes which are in place to align with the GDPR and DPA data protection principles when relying on substantial public interest conditions
- retention and erasure policies about the processing of data
3. 3. Compliance with data protection principles
3.1 3.1 ‘lawfulness, fairness and transparency’
3.1.1 The lawfulness of DBS processing is derived from its official functions as outlined at 1.4. Transparency, and detailed information about how DBS uses your personal data, including special category and criminal data, is published in the DBS Privacy Policies on GOV.UK.
DBS forms and other methods of collecting information from data subjects and organisations make it clear what data must be provided, and the reason why it is needed.
3.2 3.2 ‘purpose limitation’
3.2.1 DBS only processes personal data when permitted to do so by law. Personal data is collected for explicit and legitimate purposes such as for issuing Disclosure Certificates and consideration of inclusion in the DBS Barred List(s). Any use of DBS data for a non-DBS function is required to have a specific lawful basis and it must be compatible with data protection obligations; the processing must therefore be proportionate and necessary.
3.3 3.3 ‘data minimisation’
3.3.1 Each DBS service has a bespoke application/referral form or digital service to ensure it only collects the information necessary to determine entitlement or deliver services. Additionally, DBS internal guidance, training and policies require staff to use only the minimum amount of data required to enable specific tasks to be completed. Where processing is for research and analysis purposes, wherever possible this is done using anonymised or de-identified data sets.
3.4 3.4 ‘accuracy’
3.4.1 Providing complete and accurate information is required when applying for a DBS check or accessing DBS services. You are requested to notify DBS of relevant changes in your circumstances, such as changes of address. Where permitted by law, and when it is reasonable and proportionate to do so, DBS may check this information with other organisations – for example local authorities or sponsors.
3.4.2 If a change is reported by you to one service or part of DBS, whenever possible this is also used to update other services, both to improve accuracy and avoid you having to report the same information multiple times.
3.5 3.5 ‘Storage limitation’
3.5.1 DBS operate a Data Retention Policy to ensure that data is not held for longer than necessary. Customers are advised at the outcome of the barring consideration how long the data will be retained by the DBS. However, at present, there is a restriction on the destruction of information due to the ongoing Independent Inquiry into Child Sexual Abuse. The DBS are currently reassessing the retention requirements considering this.
3.6 3.6 ‘integrity and confidentiality’
3.6.1 DBS has a range of security standards and policies based on industry best practice and government requirements to protect information from relevant threats. We apply these standards whether DBS data is being processed by our own staff, or by a processor on our behalf.
3.6.2 All staff handling DBS information are security cleared and required to complete annual training on the importance of security, and how to handle information appropriately.
3.6.3 In addition to having security guidance and policies embedded throughout DBS business, DBS works with the Home Office to ensure that our information is protected from risks of accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.