Policy paper

Update Service Privacy Policy

Updated 5 July 2018

1. 1. About us

1.1. The Disclosure and Barring Service (DBS) helps employers make safer recruitment decisions and prevent unsuitable people from working with vulnerable groups, including children.

1.2. Every year we issue around four million DBS certificates. We also manage both the children’s and adults’ Barred Lists.

1.3. We search police records and, in relevant cases, Barred List information and then issue a DBS certificate to you.

1.4. Please see the Update Service guide for applicants for more information.

1.5. The Update Service is not available for applicants who have a basic DBS check. It is only available for standard and enhanced checks.

2. 2. What is it I need to know?

2.1. This is the Update Service Privacy Policy, which tells you how we will use and protect any information we hold about you as part your Update Service subscription.

2.2. This Policy also explains why we need your personal data, what we will do with it and what you can expect from us. It details what your rights are as an Update Service subscriber in accordance with the Data Protection Act (DPA) 2018 and General Data Protection Regulation (GDPR), collectively known as Data Protection (DP) Legislation. It should be noted from January 2021 the UK becomes a third country with regard to GDPR as the UK is no longer a member of the European Union.

This Policy also explains how to get a copy of any personal data we may hold about you, known as a Subject Access Request.

2.3. We do have other Privacy Policies that cover our other statutory functions. They can be accessed here.

3. 3. How will we use the personal information supplied to us?

3.1. We at the DBS collect your personal information to:

  • allow you to register for the Update Service
  • process payments when appropriate
  • carry out searching of data sources
  • consider whether your name should be included on one or both of the barred lists

3.2. Your information may also be used for testing purposes. Testing is undertaken to ensure that our systems function as per specified requirements. If it is not practical to disguise your data or use dummy data then we will test our system using your data.

This testing will only take place in environments that are secured to the same level as our live system.

Please note, we may use previous applications you have submitted to assist in the checking process.

4. 4. Who is the data controller?

4.1. A data controller decides the purpose, and the manner, in which any personal data is processed.

4.2. DBS is the data controller of information held by us for the purposes of GDPR. We have the responsibility for the safety and security of all the data we hold.

5. 5. Who are the data processors?

5.1. A data processor is anyone (other than an employee of a data controller) who processes that data on behalf of the controller.

5.2. At DBS, we have a range of suppliers who process data on behalf of DBS as defined in section 9. We make sure that our data processors comply with all relevant requirements under data protection legislation. This is defined in our contractual arrangements with them.

6. 6. Contacting the Data Protection Officer

6.1. The DBS Data Protection Officer, can be contacted via email at dbsdataprotection@dbs.gov.uk or in writing to:

DBS Data Protection Officer
Disclosure and Barring Service
PO Box 165
Liverpool
L69 3JD

7.1. Disclosure functions of the DBS are contained within Part V of the Police Act 1997. DBS is required to produce an up-to-date certificate on request.

7.2. In addition to the above, we may share information with third parties for other purposes, where we are legally permitted to do so.

8. 8. Why would DBS hold my personal data?

8.1. We will only hold your data if you have:

  • previously used or are using the disclosure service
  • been referred to DBS for consideration under the Safeguarding Vulnerable Groups Act 2006 (SVGA)/Safeguarding Vulnerable Groups (Northern Ireland) Order 2007
  • been cautioned or convicted for a relevant (automatic barring) offence that leads to DBS considering you for inclusion in one or both lists

We will periodically check local police intelligence. If information about relevant offences is released by the police, DBS will consider whether you should be included in one or both lists.

8.2. When we ask you for personal information, we will:

  • make sure you know why we need this information
  • only ask for information that we need
  • ensure only those appropriate have access to it
  • store your information securely
  • only keep it for as long as we need to – see Retention Policy
  • not make it available for commercial use (such as marketing) without your permission
  • ensure you are provided with a copy of data we hold on you, on request – this is called a Subject Access Request
  • ensure there are procedures in place for dealing promptly with any disputes or complaints

Please note: We will share information with ‘relevant authorities’ such as the police, government departments etc. under UK Data Protection Act Prevention and Detection of Crime (Sch2, Part 1 Paragraph 2).

We will also share information under UK Data Protection Act (Sch2 Part 2 Paragraph 5 (2)) where disclosures are required by law or made in connection with legal proceedings.

8.3. In return, we will ask you to:

  • give us accurate information
  • tell us as soon as possible if there are any changes to your details, such as a new address

8.4. This helps us to keep your information reliable, up-to-date and secure. It will apply whether we hold your data on paper or in electronic form.

9. 9. Organisations that are involved in the Update Service

9.1. Your personal information will be passed to organisations involved with DBS where it is legally permitted to do so, in order to operate the Update Service. This includes:

  • third parties who have your permission to check if anything has changed on your certificate
  • Canadian Global Information (CGI): CGI supply technology services to DBS. They support the IT infrastructure that allows us to process DBS checks and barring referrals
  • Hinduja Global Solutions UK (HGS): HGS supply contact centre and back office services to DBS. They provide frontline customer support to our service users
  • SPS (Swiss Post Solutions): SPS is a global full-service provider of physical and digital document management
  • The Big Word: the organisation authorised to translate DBS certificates into Braille (if required), with your consent
  • Police forces in England, Wales, Scotland, Northern Ireland, the Isle of Man, and the Channel Islands – searches will be made on the PNC and data may be passed to local police forces. The data will be used to update any personal data the police currently hold about you
  • ACRO Criminal Records Office - manages criminal record information and improves the exchange of criminal records and biometric information
  • Other data sources such as British Transport Police, the Service Police and the Ministry of Defence Police - searches are made using an internal database, and where a match occurs the information will be shared to ensure that the record match is you
  • Disclosure Scotland – if you have spent any time in Scotland, your details may be referred to Disclosure Scotland
  • Garda - if information held by Police Service Northern Ireland (PSNI) indicates some information exists in the Republic of Ireland your details may be referred to Garda
  • Access Northern Ireland – if you have spent any time in Northern Ireland your details may be referred to Access Northern Ireland
  • United Kingdom Central Authority - for exchange of criminal records with other EU countries
  • The Child Exploitation Online Protection Centre (CEOP) who are National Crime Agency (NCA) Command
  • National Identity Services (NIS) – assisting in the uploading of old criminal records from Micro Fiche to the Police National Computer (PNC)

10. 10. Where is my data stored?

10.1. Your information is held in secure paper and computer files. These have restricted access. Where your data is held in paper format we have secure storage and processes for this. In some cases, we may use secure offsite storage.

We have approved measures in place to stop unlawful access and disclosure. All our IT systems are subject to formal accreditation in line with His Majesty’s Government (HMG) policy. They also comply with the security required within GDPR to make sure that personal data is processed in a manner that ensures that appropriate security of the data including protection against unauthorised or unlawful processing.

11. 11. How long will DBS hold my information?

11.1. We operate a Data Retention Policy to ensure that data is not held for longer than necessary. However, at present, your information may be held beyond the specified retention periods and placed out of operational use where there is the potential for it to fall under the remit of Independent Inquiries.

11.2. Any data we identity that could be called on by the inquiry will be retained until completion of the inquiry. At this point the information will be securely destroyed as soon as is practicable.

12. 12. What are my rights? How will DBS protect them?

12.1. We are committed to protecting your rights under DPA/GDPR.

12.1 12.1.1. Your right to be informed

This document provides you with information in relation to how your data is processed as an Update Service subscriber. This ensures that we are transparent with you regarding what we will do with the information you supply to us as part of your Update Service subscription.

12.2 12.1.2. Your right to access to your personal data held by DBS - known as a Subject Access Request

You have the right to request a copy of the information we hold about you.

On receipt of a valid application we will tell you whether we hold any data about you and provide you with a copy. Further information on how to apply can be found here.

12.3 12.1.3. Your right to request information held is accurate. Can I update it?

Your personal details must match those on your application form, or the DBS certificate that you are using to join the Update Service.

If you think that the information held by us at the DBS is incorrect, you have the right to ask for it to be corrected. If you challenge the accuracy of data that was provided to us by a third party we will send your request for correction to that party for their consideration.

It is your duty to ensure that the information you have submitted on your Update Service subscription application is accurate.

Once subscribed to the Update Service you can make the following changes:

  • correspondence address
  • mobile telephone number
  • email address

If you change your name, a new DBS check will be required and within this application, previous names should match the subscription information already submitted.

Applicants can also add or remove certificates within their Update Service subscription account.

12.4 12.1.4. Your right to request erasure of your personal data

In certain circumstances, you have a right to have personal data held about you erased. At the DBS, we will only do this if certain criteria are met. There are some circumstances where this cannot be done so we advise you to seek independent advice before submitting an application to us.

Any requests for information to be destroyed will be considered on a case-by-case basis.

There are some specific circumstances where the right to erasure does not apply and we may refuse your request.

12.5 12.1.5. Your right to prevent DBS from processing your information which is likely to cause you damage/distress

You have the right to request restriction of processing where it has been established that one of the following applies:

  • during the period of rectification if accuracy of personal data is contested
  • processing is unlawful
  • an individual has requested it is retained to enable them to establish, exercise or defend legal claims
  • pending verification of the outcome of the Right to object
  • where processing has been restricted

DBS customers can request restriction of processing for any of the above reasons until these are resolved. Should you wish to restrict processing you will need to call the DBS helpline on 03000 200 190.

Any requests to stop processing will be considered on a case-by-case basis.

12.6 12.1.6. Right to receive an electronic copy of any information you have consented to be supplied to us - known as data portability

You have the right, where this is technically feasible, to electronically receive any personal data you have provided to the DBS to process, on a consent basis.

Please note that basic, standard and enhanced certificates are processed under our legal obligation, under Part V of the Police Act 1997, and barring information is processed under the Safeguarding and Vulnerable Groups Act 2006. Therefore this information falls outside of the right to data portability.

All requests for portability will be considered on a case-by-case basis.

12.7 12.1.7. You have the right to object to processing of your information

Should you wish to end your Update Service subscription, you can do this by logging into your Update Service account, and selecting the “Cancel subscription” button within the “Applications and Certificates” screen.

12.8 12.1.8. You have rights relating to automated decisions being made about you

The Update Service does not involve automated decisions.

DBS do not currently undertake any profiling activities.

12.9 12.1.9. You have the right to make a complaint to DBS and the Information Commissioner’s Office (ICO)

If you wish to make a complaint to us regarding the way in which we have processed your personal data you can make a complaint to the Data Protection officer via the contact details in Section 6.1.

If you then remain dissatisfied with the response received, you have the right to lodge a complaint to the ICO at the following address:

The Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

https://ico.org.uk/

13. 13. Transfer outside the European Economic Area

13.1. If you have spent time in the Channel Islands or the Isle of Man, it is likely that your data will be passed to police forces in that area. If any of your data has to be transferred outside of the UK, DBS will ensure that an adequate level of protection is put in place.

14. 14. Our staff and systems

14.1. All our staff, suppliers and contractors are security vetted by the Home Office security unit prior to taking up employment. All staff are data protection trained and are aware of their data protection responsibilities and this is refreshed on an annual basis. We conduct regular compliance checks on all DBS departments and systems. All checks are to the standard set out by the Information Commissioner’s Office. In addition, continual security checks are undertaken on our IT systems.

15. 15. Notification of changes

15.1. If we decide to change our privacy policy, we will add a new version to our website.