Policy paper

Research Privacy Policy

Updated 19 September 2024

1. About us

1.1 The Disclosure & Barring Service (DBS) helps employers make safer recruitment decisions and prevent unsuitable people from working with multiple groups, including children.

1.2 We carry out research to evaluate and improve services across the business.

1.3 DBS is a non-departmental public body (NDPB) of the Home Office. DBS is the data controller of information which is collected. We are responsible for how the data is processed and the safety and security of the data we hold.

1.4 This is our Research Privacy Policy. It tells you how we will use and protect any information we have collected from you. Your information is collected on a consent basis for the purposes of research.

2. Opting-in to be involved in research

2.1 If you would like to be involved in DBS research projects, you will need to provide us with your consent. This is done by completing our ‘consent to contact for future research’ form. You will be asked to provide your name, email address, and telephone number along with your preferred method of contact. You will also be asked to choose from a list of statements, and choose any that are relevant to you. This is to help us identify what DBS services you have accessed, and to ensure that any research projects you are invited to participate in are relevant to you.

2.2 If you have given us your consent to contact you regarding further research, we will keep your details on a secure database that will only be accessed by members of the Research and Horizon Scanning team. Further information about this can be found in section 5.

3. What data we collect from you

When inviting you to take part

3.1 We will send you an invitation to be involved in a research project, using your preferred method of contact if possible. When this is not possible, we will attempt to contact you using another method of contact if this has been provided.

3.2 The personal data we collect from you could include your name, age, gender, ethnicity, disability, details of any condition that can affect your ability to use a computer, job title, email address, phone number, or other socioeconomic indicators. This data will be collected separately for each research project.

3.3 We may collect additional information, based on the specific topic being researched. For example, if we’re conducting research on a specific DBS service, we may want to know whether you’ve used this service in the past.

4.1 We will use your data because you have consented for us to do so for a specific piece of research. Where this is undertaken, the appropriate consent will be obtained in advance.

4.2 As your data is being used on a consent basis, you have the right to withdraw this consent at any time. Your request to withdraw your consent should be made via email to [email protected] or in writing to:

DBS Research and Horizon Scanning
Stephenson House
Alderman Best Way
Darlington
DL1 4WB
United Kingdom

5. Your data

Who is the data controller?

5.1 A data controller decides the purpose and way in which any personal data is processed.

5.2 DBS is the data controller of information held by us for the purposes of the Data Protection Act 2018 and UK GDPR. We are responsible for the safety and security of the data we hold.

Who are the data processors?

5.3 A data processor is anyone (other than an employee of a data controller) who processes that data on behalf of the controller.

5.4 The Research and Horizon Scanning team within DBS have some suppliers who process data on behalf of the team, as defined in section 7. We make sure that our data processors comply with all relevant requirements under data protection legislation. This is a requirement defined in our contractual arrangements with them.

Why we need your data

5.5 We need information about you, when inviting you to take part, to ensure that you meet the criteria for the piece of research we’re carrying out, and to ensure that we are including a wide range of people.

5.6 We need to collect data during the research session to ensure that we have an accurate record of what happened and what was said. This is important, because we then analyse this information and use it to draw conclusions about what we should do next.

Data collection

5.7 Data collection can be in the form of feedback, surveys, focus groups, audio recordings, written notes, and/or other research methods.

What we do with your data

5.8 We will not:

  • sell or rent any of your data to third parties
  • share your data with third parties for marketing purposes

5.9 We will share your data if we’re required to do so by law, for example by court order, or to prevent fraud or other crime. We will also share your data in the event of a serious safeguarding concern, for example, if we are concerned about the welfare of a child or vulnerable adult.

5.10 We will anonymise all data before it is published in any reports or presentations internally and externally.

5.11 Only DBS researchers will have access to the full original recordings, although we may share short audio or video clips with other colleagues within DBS and other government departments. We will only do this if we have your express permission to do so.

How long we keep your data

5.12 We will hold the data, record of consent, and your name for a maximum period of 3 years. We will delete all your personal data. Any anonymised reports or publications will be retained.

5.13 We will contact you after this point to review your consent to ensure that it is still relevant for DBS to contact you.

How we protect your data

5.14 We are committed to protecting your data. We have systems and processes to prevent unauthorised access or disclosure of your data, for example, we protect your data by storing it in an access-restricted secure file structure.

5.15 Regular compliance checks are undertaken on all DBS departments and systems. In addition to this, continual security checks are undertaken on our IT systems.

6. Your rights

6.1 We are committed to protecting your rights under the Data Protection Act 2018 and UK GDPR.

Your right to access your personal data held by DBS

6.2 You have the right to request a copy of the information we hold about you. This is known as a subject access request. Further information on this process and how to apply can be found in our subject access request guidance.

Your right to request information held is accurate and how to update it

6.3 If you think the information held by us is incorrect, you have the right to request that it is corrected.

6.4 If you believe that any of the information we hold on you is incorrect, please contact the DBS Research team via email at [email protected].

Your right to request erasure of your personal data

6.5 In certain circumstances, you have a right to have personal data held about you erased. At DBS we will only do this if certain criteria are met. There are some circumstances where this cannot be done therefore we advise you to seek independent advice before submitting an application to us.

6.6 Any requests for information to be erased will be considered on a case-by-case basis.

6.7 There are some specific circumstances where the right to erasure does not apply and we may refuse your request.

Your right to prevent DBS from processing information which is likely to cause you damage or distress

6.8 You have the right to request restriction of processing where it has been established that one of the following applies:

  • the accuracy of personal data is contested, during the period of rectification
  • where processing is unlawful
  • where an individual has requested it is retained to enable them to establish, exercise, or defend legal claims
  • pending verification of the outcome of the right to object
  • where processing has been restricted

6.9 DBS customers can request restriction of processing for any of the above reasons until these are resolved. Should you wish to restrict processing you will need to contact DBS Research team via email at [email protected].

Your right to receive an electronic copy of any information you have consented to be supplied to us – also known as data portability

6.10 You have the right, where this is technically feasible, to electronically receive any personal data you have provided to DBS to process, on a consent basis.

6.11 All requests for portability will be considered on a case-by-case basis.

Your rights relating to automated decisions being made about you

6.12 No automated decisions are being made about you with regards to the personal data you provide us for research purposes.

You have the right to make a complaint to DBS and the Information Commissioner’s Office (ICO)

6.13 If you wish to make a complaint to us regarding the way in which we have processed your personal data, you can make a complaint to the Data Protection Officer via the contact details in section 7 of this privacy policy.

6.14 If you then remain dissatisfied with the response received, you have the right to lodge a complaint to the ICO at the following address:

The Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

7. Questions and complaints

7.1 If you have questions about research that you’ve been invited to participate in, please contact the DBS Research team via email at [email protected].

7.2 The data controller for your personal data is DBS. If you think that your personal data has been misused or mishandled, please contact our Data Protection Officer. They can be contacted via email at [email protected], or in writing to:

DBS Data Protection Officer
Disclosure and Barring Service
PO Box 165
Liverpool
L69 3JD

Organisations that are involved in the DBS research process

8.1 Data may be passed to other organisations and data sources involved with research as a data processor of DBS. This includes:

  • SmartSurvey - SmartSurvey provide software that allows DBS to create and distribute surveys to customers
  • the Cabinet Office - the Cabinet Office are responsible for ‘GOV.UK Notify’ which is a service that may be used to assist with contacting customers regarding future research