Disclosure and Barring Service (DBS) Recruitment and On-boarding Privacy Notice
Published 19 September 2024
1. Who does this Privacy Notice apply to?
This Privacy Notice applies to individuals applying for a job at DBS. The privacy notice covers personal data collected during the recruitment, security clearance and on-boarding process.
This privacy notice explains why we need your personal data, where we get the personal data from, what we will do with your data, who we share it with and what you can expect from us. It also explains how to exercise various rights in relation to the personal data we may hold about you (see section Your rights and how we protect them, below).
There are further DBS privacy policies that act as notices which cover other statutory functions undertaken by DBS. They can be accessed on DBS Privacy Policies (GOV.UK).
2. Who is DBS?
DBS was established under the Protection of Freedoms Act 2012 (PoFA) on 1 December 2012 and undertakes a number of functions which can be reviewed on our website. DBS is responsible for:
- DBS checks: processing requests for, and issuing, DBS checks for England, Wales, the Channel Islands and the Isle of Man. Further information on DBS checks can be found in DBS Checks: detailed guidance (GOV.UK).
- Barred Lists: making considered decisions regarding whether an individual should be barred from engaging in regulated activity with children, adults or both, in England, Wales and Northern Ireland, and maintaining these Barred Lists. Further information on barring referrals can be found on Barring referrals (GOV.UK).
The Disclosure functions of DBS are contained within Part V of the Police Act 1997; (PA). The Barring functions of DBS are underpinned by the Safeguarding Vulnerable Groups Act 2006 (SVGA) and the Safeguarding Vulnerable Groups (Northern Ireland) Order 2007 (SVGO).
3. What is personal data?
DBS use the definition of ‘personal data’ as described by United Kingdom General Data Protection Regulation (UK GDPR) (Regulation (EU) 2016/679).
UK GDPR underpins the UK Data Protection Act 2018; (UK DPA 2018)
-
Personal data is information that is unique to you as an individual. This information can help identify who you are either directly or indirectly.
-
Special category data is data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
The Information Commissioner’s office (ICO) provides further detailed guidance on what is personal data on their website.
4. Who is the Data Controller?
A data controller decides the purposes, and the manner, in which any personal data is processed. They have responsibility for the safety and security of the personal data held.
Cabinet Office (Civil Service HR) and DBS are joint data controllers for the personal data held within a submitted application. DBS is the ‘data controller’ of personal data held by DBS for the purposes of the UK GDPR and the UK DPA. A data controller determines the purposes for which, and the manner in which, any personal data is to be processed (alone, jointly or in common with others).
-
DBS is the data controller of information held by us for the purposes of Data Protection legislation. DBS has responsibility for the safety and security of all the data we hold.
-
Cabinet Office (Civil Service HR) is the data controller for account details, and for any applications that have started but not yet submitted by you as a candidate. More information can be found in the Civil Service Jobs Privacy Notice.
5. What is the purpose for processing your personal data?
In relation to applying for a job at DBS, DBS collects information to:
-
carry out the recruitment process to fill a vacant role
-
carry out pre-employment checks including references, right to work and eligibility
-
process a Basic DBS check which checks for a criminal record. A Basic DBS check informs DBS of any unspent convictions and conditional cautions. This check is then used as part of the security clearance process
-
process an application for security clearance. Security clearance is required before you can start employment at DBS
-
ensure we have the relevant occupational health guidance for you to commence employment with us. Our Occupational Health provider will undertake a health questionnaire with you to establish whether you are fit for work and to make necessary arrangements, if required, for the implementation of reasonable adjustments in the workplace due to a disability
-
create and monitor a merit list for future positions. Merit lists are used to collate a list of candidates who have been successful in reaching the benchmark of an assessment but have not scored highly enough to take up an immediate vacancy. Merit lists last for six or twelve months and candidates can therefore be contacted to be offered similar vacancies should they arise in the future
-
set you up as an employee on the DBS self-service electronic system (Metis) during the recruitment process
-
undertake payroll and pension administration
-
provide access to IT systems
-
carry out equal opportunities monitoring
-
to gain feedback through smart survey tools on your candidate experience, if you choose to do so.
-
undertake any other purpose where we are legally permitted to do so or where you have given your consent
DBS also has a legal obligation under the Equality Act 2010, to have due regard to the need to eliminate unlawful discrimination, advance equality of opportunity and foster good relations between people who share a protected characteristic and those that do not. This is known as the Public Sector Equality Duty. DBS will process data about racial or ethnic origin, sexual orientation, disability, religious belief, or other protected characteristic (known as Special Category Data) where you have volunteered this data for the purpose of monitoring and upholding this duty and DBS equal opportunities policies. For example, collating diversity monitoring information.
You do not have to provide this information as part of the recruitment process unless you choose to do so.
You will not be identifiable in the reporting of this information.
6. What Data is collected?
The following information will be compiled in relation to your application and the subsequent recruitment, security clearance and on-boarding process. The information collected will depend upon the stage your application progresses to and whether you are successful and offered employment at DBS. More information can be found in the Civil Service Jobs Privacy Notice.
Application information is held within a web-based recruitment system, with restricted access for recruiters and vacancy holders.
-
Name
-
Title
-
National Insurance Number
-
Date of birth
-
Gender
-
Marital Status
-
Address
-
Telephone Number
-
Email Address
-
Disability information/reasonable adjustments required
-
Employment history
-
Civil service or NPDB (Non-Public Departmental Body) status
-
Eligibility and immigration status
-
Reference details
-
Public sector pension history
-
Health declaration information
-
Application responses
-
Evidence of identity and right to work in the UK (passport, utility bills or other documentation)
-
Qualification history
-
Workplace discipline warnings if applicable
-
Interview scores and notes from interview panel
-
Online test results
-
Sift scores
-
Equality, Inclusion and Diversity information
7. Where is your data collected from?
The personal data will be collected from:
-
You – as part of your application
-
The referees you provide to us – as part of your application
-
DBS - for the purposes of performing a Basic DBS check
8. What is the Lawful Basis for processing?
Each process DBS undertakes in relation to your personal data must be on an appropriate lawful basis. There are six lawful bases under the UK GDPR which can apply to all personal data. These are consent, performance of a contract, compliance with a legal obligation, necessary to protect the vital interests of a person, necessary for performance of a task in the public interest or for the purpose of legitimate interests.
DBS and Civil Service Jobs will process your personal data as joint controllers during the recruitment, pre-employment and security clearance processes using the following lawful basis:
-
Contractual: it is necessary for the performance of a contract to which you are a party - an employment contract. This relates to information that we need to recruit and employ you.
-
Contractual: it is necessary in order to take steps at your request prior to entering into a contract for employment. This relates to information that we collect as part of the application and selection process.
-
Legal obligation: it is necessary to comply with a legal obligation placed on us as the data controller - we are required to report on equality of opportunity; and onboarding processes have specific requirements.
-
Public task: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. In this case, Civil Service Jobs facilitates recruitment of high-quality candidates to roles across government departments, agencies and other public bodies. It provides recruitment tools and processes that support Civil Service recruitment strategy, and we also monitor the effectiveness of recruitment processes.
-
Consent: for the digital right to work checks, personnel checks, work history checks, and participation in user research interviews we rely on your consent.
Sensitive personal data is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
The legal basis for processing your sensitive personal data is:
-
it is necessary for reasons of substantial public interest for the exercise of a function of the Crown, a Minister of the Crown, or a government department; the exercise of a function conferred on a person by an enactment; the exercise of a function of either House of Parliament; or the administration of justice; and an appropriate policy document is in place. Civil Service Jobs facilitates recruitment of high-quality candidates to roles across government departments, agencies and other public bodies. It provides recruitment tools and processes that support Civil Service recruitment strategy.
-
it is necessary for the purposes of performing or exercising our obligations or rights as the controller, or your obligations or rights as the data subject, under employment law, social security law or the law relating to social protection. External recruitment is required to follow the Civil Service Commission Recruitment Principles. Personal data is processed to ensure that these requirements are met. We are required under the Equality Act 2010 to make appropriate reasonable adjustments for candidates with a disability.
-
processing is of a specific category of personal data and it is necessary for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people specified (in paragraph 8(2) of Part 2 of Schedule 1 to the Data Protection Act 2018) in relation to that category with a view to enabling such equality to be promoted or maintained; and it is not carried out for the purposes of measures or decisions with respect to a particular data subject; and you have not declined consent; and you have not given notice that you do not wish your data to be processed for these purposes; and the processing is not likely to cause substantial damage or substantial distress to an individual. Diversity and inclusion data is used anonymously: ethnicity, religion, community background (Northern Ireland vacancies only), and sexual orientation.
-
it is necessary for archiving purposes, scientific or historical research purposes or statistical purposes, and it is in the public interest. Analysis of applications and recruitment outcomes (including online tests), impact on protected groups, timescales for recruitment, and other research may be carried out.
-
for the provision of a digital route for carrying out Right to Work checks, the legal basis for providing a digital version of your face and identity documents, is because you explicitly consent.
-
for user research activities such as surveys, interviews or workshops, the legal basis is because you explicitly consent.
The processing by DBS of personal data relating to criminal convictions and offences or related security measures is not carried out under official authority, but is authorised because it meets the following condition:
- it is necessary for reasons of substantial public interest. This is ensuring that individuals with access to official information and assets will meet the required standards of propriety.
DBS has a legal obligation under The Police Act Part V Section 112 to process information supplied to it under this section, for the purpose of producing a Basic DBS certificate. DBS would be unable to progress with the pre-employment checks without your basic DBS certificate. We process a Basic DBS certificate as part of pre-employment checks. Our recruitment partner, Government Recruitment Services (GRS) will submit your check to DBS to be processed. Further information can be found in Civil Service Jobs Privacy Notice and DBS Basic level Privacy Policy.
DBS also have a legal obligation under the Equality Act 2010, to have due regard to the need to eliminate unlawful discrimination, advance equality of opportunity and foster good relations between people who share a protected characteristic and those that do not. This is known as the Public Sector Equality Duty. DBS will process data about racial or ethnic origin, sexual orientation, disability, religious belief, or other protected character where you have volunteered this data for the purpose of monitoring and upholding this duty. For example, collating diversity monitoring information.
You do not have to provide this information as part of the recruitment process unless you choose to do so. You will not be identifiable in the reporting of this information.
9. How do we protect your data?
If we ask you for personal data, we will:
-
ensure only appropriate DBS personnel have access to the information contained in your job application.
-
store and process your personal data securely.
-
only keep your personal data for as long as we need to.
-
ensure there are procedures in place for dealing promptly with any disputes or complaints. See the Complaints procedure and information on how to report a problem about a criminal record check or barring decision on GOV.UK. Should you have any concerns with the recruitment or subsequent security clearance process, please contact the HR Services Team via email on [email protected].
-
follow our security protocols which include our secure paper and computer systems having restricted access. Where your data is held in paper format, we have secure storage and processes for managing this.
-
have approved measures in place to stop unlawful access and disclosure. Application information is held within a web-based recruitment system, with restricted access for recruiters and vacancy holders. We utilise Cabinet Office IT systems which are subject to formal accreditation in line with HMG policy. They also align with the security required within DPA 2018/GDPR to protect against unauthorised or unlawful processing.
-
ensure all our staff, suppliers and contractors are security vetted by the Home Office security unit prior to taking up employment and due diligence on third party contractors is undertaken prior to entering into a contract. All staff are data protection trained and are aware of their responsibilities.
In return, we ask you to:
-
give us accurate information
-
tell us as soon as possible if there are any changes to your details, such as a new address
This helps us to keep your personal data reliable, up to date and secure. This will apply whether we hold your data on paper or in electronic form.
10. Who does DBS share data with?
DBS will only share personal data where it has a lawful basis to do so with the following third parties and for the purpose of entering a contract of employment with you. Data may also be shared where you have provided your consent for the sharing to take place.
-
Government Recruitment Services (GRS) – our recruitment partner, undertakes recruitment processes on our behalf. More information can be found in the Civil Service Jobs Privacy Notice.
-
The technical supplier for the recruitment system (VX) used by DBS.
-
Cabinet Office IT Infrastructure partners – the data is stored within the Cabinet Office IT infrastructure and may be shared with their data processors who provide email, document management and storage services.
-
DBS Disclosure Service – to undertake a Basic DBS check to then be used as part of the security clearance process. Please follow the links below for further details on the Basic Check Privacy Policies and information regarding how DBS will carry out the check and who your data may be shared with for the purposes of producing a certificate - Basic DBS check Privacy Policy on GOV.UK
-
Home Office Security – DBS is a sponsored body of the Home Office and Home Office Security will determine whether an individual will be granted security clearance which is a requirement to take employment with the Home Office/DBS.
-
Our Occupational Health service provider, who will conduct a health questionnaire with you and may advise on any potential reasonable adjustments if required.
-
Shared Services Connected Limited (SSCL) – provider who administers several HR Services on behalf of DBS such as facilitating payroll.
-
Civil Service Pension provider – who undertakes pension administration on behalf of DBS
-
DBS Security Team – to record decisions and monitor security clearances details including level of vetting and expiry dates
-
Capita – a supplier of recruitment testing and resourcing agency services to DBS
-
Civil Service Resourcing – supplier of the online platform for Civil Service Jobs which DBS use in recruitment administration including applications, feedback, notifications and offers to candidates
-
DBS Facilities – for the administration and reporting of health and safety obligations, and sourcing equipment for colleagues who require reasonable adjustments and/or equipment to support flexible working.
-
Government Internal Audit Agency (GIAA) – department who undertake audit and advisory engagements to help government departments to improve how they deliver their public service
-
National Audit Office (NAO) – department who may review payroll information as part of an annual or interim audit.
We do not share data with organisations who provide an online test platform which the recruitment system is integrated with.
11. Retention of data
Full and proper records of all recruitment campaigns (including interview notes, scoring sheets etc.) are kept for 2 years to show that DBS has conducted the process in accordance with the Recruitment Principles. External campaigns are subject to regular audit by the Civil Service Commission.
Civil Service recruitment is conducted via Civil Service Jobs and our recruitment partner, Government Recruitment Services (GRS). They will retain application records and associated files (including CVs, letters, ID emails, criminal history certificates, security clearance forms and ID, comments and feedback) on their systems for 2 years after the application is moved to a completed status. Further information can be found: Civil Service Jobs Privacy Notice.
12. Transfer of data outside the United Kingdom
If your data needs to be transferred outside of the UK, DBS will ensure that an adequate level of protection is in place. For further information on the safeguards employed to protect your personal data when it is transferred outside of the UK, please contact us using the details provided.
As part of the processing of applications, personal data may be stored on the Cabinet Office IT infrastructure and shared with data processors who provide email, document and storage management services and may be transferred and stored securely outside of the European Economic Area. Where that is the case, it will be subject to equivalent legal protection through the use of Model Contract Clauses.
The data held within the recruitment system is held within the United Kingdom.
13. Your rights and how we protect them.
We are committed to protecting your rights under GDPR.
To exercise one of the rights set out below please follow the links provided to the relevant forms or contact us on the information given at the end of this notice. We have 1 month to respond to a request unless it is particularly complicated, in which case we will inform you as to the additional time required. We may need you to confirm exactly what information you want to receive or action so we can accurately fulfil your request.
We may also need to request information to confirm your identity when making a request. You are not required to pay a fee when making a request unless your request is excessive or unfounded. We will let you know of any reasonable charges before completing any request.
The different rights you have in relation to your personal data are set out below, however individuals’ rights to (i) erasure and (ii) data portability do not apply if we are processing your personal data on the basis of public task.
14. Your right to access your personal data held by DBS
You have the right to request a copy of the information DBS hold about you which is known as a Subject Access Request (SAR). On receipt of a valid SAR application we will tell you whether we hold any data about you and provide you with a copy. Note that there is some information we may not be able to provide or that we need to provide in a redacted form to preserve the rights and privacy of other individuals.
Further information on this process and how to apply can be found in the appendix or you can use our contact details provided below.
You can find the appendix in a separate Word document attachment.
15. Your right to request information held is accurate and how to update it
If you think that the personal data held by us is incorrect, you have the right to request it is corrected.
As a candidate, you can manually update a number of personal details online on the Civil Service Jobs portal where you applied such as name and contact details.
If you believe any of the personal data we hold on you is incorrect please contact [email protected]. We will do everything we can to make sure that your concerns are addressed as quickly as possible and that amendments are made where they can be.
If the personal data is incorrect from a third party, we will send your request for correction to that party for their consideration.
16. Your right to request erasure of your personal data – also known as your ‘right to be forgotten’.
In certain circumstances you have the right to have personal data held about you erased. See Deletion of Data for more information. We will only do this if certain criteria are met. There are some circumstances where this cannot be undertaken (such as where the processing activity is done on the lawful basis of undertaking a task in the public interest).
Any requests for personal data to be destroyed will be considered on a case-by-case basis.
If you do not agree with our decision regarding erasure of your personal data, you should seek independent advice in this regard.
17. Your right to restrict processing.
You have the right to request restriction of processing where it has been established that one of the following applies:
-
accuracy of personal data is contested and during the period of rectification processing is unlawful
-
an individual has requested it is retained to enable them to establish, exercise or defend a legal claim; or
-
pending verification of the outcome of the right to object on the basis of legitimate interests.
You can request restriction of processing for any of the above reasons until these are resolved. Should you wish to restrict processing you will need to contact us using the contact details provided below.
18. Objecting to some forms of processing of your data
You have the right to object to processing of your personal data where this is undertaken on the basis of (1) the performance of a task carried out in the public interests or (2) on the basis of DBS’ legitimate interests. It should be noted that this is unlikely to apply to Personal Data supplied under the SVGA or the SVGO.
All such requests will be considered on a case-by-case basis. Please contact us the using the contact details provided below if you wish to exercise this right or find out further information.
19. Your right to receive an electronic copy of any information you have consented to be supplied to us – also known as data portability.
You have the right, where it is technically feasible to receive electronically any personal data you have provided to DBS if you wish. This will enable you to give this to another organisation. It should be noted that this is unlikely to apply to personal data supplied on the basis of performance of a public task however all requests for portability will be considered on a case-by-case basis. Please contact us on the details provided below for further information.
20. Your rights relating to automated decisions being made about you
You have the right to object to automated processing of your personal data.
As part of the pre-employment checks process, you will be required to obtain a Basic DBS certificate. The Basic DBS check process is generally an automated process however if the system identifies that ‘potentially’ there is police information held about you by a police force then some manual processing may be required.
You have the right to object to any automated decision making. It should be noted that you would need to inform us of this on submission of your application as the certificate can be issued quite quickly. Please contact the DBS helpline on 03000 200 190.
The HR department does not undertake any other automated decision making or profiling activities in relation to the recruitment process.
21. How do I complain?
If you wish to make a complaint to us regarding the way in which we have processed your personal data you can make a complaint to the Data Protection Officer via the contact details set out below.
Via email at [email protected] or in writing to:
DBS Data Protection Officer
Disclosure and Barring Service
PO Box 165
Liverpool
L69 3JD
If you remain dissatisfied with the response received, you have the right to lodge a complaint to the Supervisory Authority. The Supervisory Authority for the UK is:
The Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
To exercise your rights or request further information on anything set out in this Privacy Notice, please contact [email protected].
To fill in the Subject Access Request form, please refer to the Word file attachment.
22. Notification of changes
If we decide to change our Privacy Notice, we will add a new version to DBS Privacy Policies (GOV.UK).