Disclosure and Barring Service – Consent Privacy Policy

1.0      Purpose

• This policy outlines when the DBS will rely upon your consent as the legal basis for processing your data. It tells you when your consent will be obtained. This enables the DBS to be in line with the requirements of the General Data Protection Regulation (GDPR).

2.0     Overview

2.1       Consent is one of the grounds for lawfully processing personal data under the current Data Protection Act 1998 and will remain so under GDPR.

2.2       Under GDPR, the concept of consent is being strengthened, with some new rules, requiring organisations to provide more transparency.

2.3       It states your consent must be freely given, specific and informed. Consent must be ‘unambiguous’ and given ‘by a statement or clear affirmative action.’

2.4       GDPR introduces a number of other changes:

• unbundled – consent should be set out separately from the acceptance of other terms and conditions requests
• active opt in – organisations must use un-ticked boxes or similar. Pre-ticked boxes or the requirements to opt out will generally be invalid
• granular – separate consent should be sought for different types of processing
• named – each party relying on the consent needs to be clearly identified. The ICO’s view is that ‘even precisely defined categories of third party organisations’ will not be sufficient.
• documented – organisations need to keep records showing what an individual was told, what they consented to and when/how consent was given
• easy to withdraw – it must be as easy to withdraw consent as it is to give it. Individuals need to be told that they have the right to withdraw consent and how to do this
• no imbalance – organisations cannot rely upon consent where there is an imbalance in the relationship so the individual doesn’t have genuine choice. Consent may be particularly difficult for public authorities and employers

3.0      Processing

3.1       The barring arm of the DBS processes the majority of personal data as defined in GDPR Article 6 (1) under the legislative provisions in Safeguarding Vulnerable Groups Act 2006 (SVGA) / Safeguarding Vulnerable Groups (Northern Ireland) Order 2007 (SVGO).

The majority of disclosure processing is under:

• Part V of the Police Act 1997 and
• Part 5 of the Protection of Freedoms Act 2012.

3.2       For employees the majority of processing is under employment contract i.e. pay.

3.3       However there are some circumstances in which your personal data is processed on a consent basis. Where this is required, because there is no other lawful basis that applies, your consent will be asked for.

3.4       GDPR provides the definitions of consent in that it should be:

• freely given i.e. there is no negative effect on an individual if they decide not to give consent – they have a real choice
• specific, clear and concise
• separate from any other terms and conditions i.e. separate to signing up to using a portal service
• given by a clear and affirmative action i.e. no pre-ticked boxes, no implied consent

3.5       Your consent will not be deemed as freely given if data is required for performance of a contract or there is an imbalance between the data subject and the controller. This is particularly difficult for public authorities and employers.

3.6       Where your consent is given, the DBS must keep clear records to demonstrate this. In the following circumstances the DBS will have your written consent on file that can be used as evidence.

3.7       In conditions for processing for specific purposes based on your consent where there is no other legislative basis to process, the DBS as data controller is required to demonstrate (prove) that they have consent from the individual.

3.8       The provision of your consent must:

• be unambiguous
• be granular for distinct processing or circumstances
• involve a clear affirmative action
• involve no pre-ticked opt in boxes
• be demonstrable by the DBS

3.9       Where your consent is used as the basis for processing it must also be as easy for you to withdraw consent as it was to give. You should be informed at the time consent is given how you can withdraw consent.

3.10     The areas where consent is used by DBS are:

• Third party consent
• Email Consent Disclaimer
• Basic check applications
• E-result (via Registered Bodies and Responsible Organisations)
• Medical consent
• Fingerprints as part of the PNC matching and disputes processes

3.11      Where your consent is being used for processing, you need to be fully informed of the process.  Due to the sensitive and personal nature of the information processed within the DBS, you will be:

• informed of the process for consent
• informed of any risks to the confidentiality of the information
• informed of any risks to the security of the information that may
  occur due to consent i.e. sharing with third parties
• asked if you wish to place any restrictions or a time period on the consent you are giving for processing
• informed of your rights
• advised how to withdraw consent

4.0     Third party consent

4.1       If/when you tell the DBS that you wish for someone to act on your behalf when dealing with DBS, the DBS will take the following steps to obtain and record your consent:

• Issue the DBS Third Party consent form. This form has been developed to include all necessary information and identifies the risks to you in providing consent for others to receive your information or give information on your behalf
• Following receipt of the signed consent form, an acknowledgement letter will be sent to you. It will confirm receipt of consent and the date from which the consent is being applied (date of receipt of consent). It will also confirm to whom the information will be issued
• A letter will also be sent to your nominated person (third party) or organisation to advise them that they have been nominated by you to receive correspondence from the DBS. It will also advised them to contact the DBS, should they have any issues with this nomination

4.2      The DBS will review third party consent on an annual basis, from when consent was given, if the case is not concluded within one year. When a barring case is concluded, the validity of consent for third parties automatically lapses and the nominated individual or organisation are informed of this.

4.3      It is also possible for you, with your DBS online account, to give consent for a third party to view your information i.e. disclosure certificate, barring notification online. You can navigate to this once logged on.

The person you are giving access to must also have a DBS online account.

Equally, if you wish to withdraw consent you can do this online too.

5.0     Email Consent Disclaimer

5.1       The DBS recognises that in line with digitalisation, an increasing number of you wish to correspond with us electronically. Our first step will be to signpost you to your DBS online account. This service is secure and government-approved.

5.2       You can now access various DBS services through your online account, including sharing information with us and requesting information from us. You must log on to access these services.

5.3       Further disclosure and barring services will be added to this online service in the future e.g. the ability to apply for and track DBS applications, accessing digital certificates etc.

5.4      The DBS’ policy is that personal, sensitive information should only be issued electronically if it is being issued to a secure email address.  Depending on the nature of the information being disclosed, a decision would need to be made as to whether the information should be issued by post.

Post is double-bagged and sent directly to a home address via Special Delivery or recorded delivery. This is to ensure adequate protection against loss, destruction or damage of the contents.

5.5       There may be circumstances when you request that information is not issued to you via post for several reasons e.g. you do not have a permanent address, or you request that the information is issued by email.

5.6       In these circumstances we request that you give consent via the Email Disclaimer Form for the information to be issued electronically. This form must be completed and recorded on file before any information is able to be issued by email.

6.0     Basic certificate consent

6.1       When you apply for a basic DBS check the request is based purely on your consent. Some basic checks are processed very quickly, and as a result of this, there may not be enough time for you to withdraw consent. We would therefore advise that should you not wish to give your consent, you do not request a basic disclosure check.

This may have implications from the employer regarding their recruitment process so we would advise that you discuss this with the employer.

6.2       It should also be noted that candidates applying to work at the DBS are required to submit an application for a basic DBS check.

7.0     e-Result Consent

7.1       When you apply for a disclosure certificate through a Responsible Organisation (RO) or Registered Body (RB), you will be given the option to have the result sent directly to the RO or RB – this will require your consent.

8.0     Medical Consent

8.1       DBS may at times, need to process health information for you. Health data is covered as one of seven special categories defined within GDPR.

8.2       Where this information is needed by the DBS, explicit consent must be held before any requests for your health information are made.

• 3 Where consent for health data, i.e. access to your medical records, is being requested you will be fully informed about why the DBS is requesting this information. Reasons may include: to aid the DBS in making an assessment to the risk posed to other individuals based on a specialist risk assessment to aid with any occupational health requirements to enable you to consider giving freely informed consent

8.4      Health information for DBS employees will be processed under employment contracts for the provision of sickness benefits and adherence to Sickness Absence Management Policy and Procedure.

Access to employees’ medical records will only be given with the employees’ consent.

9.0     Adult lacks capacity

9.1       There are no specific provisions within GDPR regarding an individual’s capacity to consent. Generally it can be assumed that adults have the capacity to consent unless the DBS has reason to believe otherwise.

9.2       An individual who lacks capacity is not able to give consent, informed or otherwise. The DBS are unable to ascertain whether capacity is an issue and we are reliant upon you or your representative to inform us if this is the case.

9.3       In the majority of these cases where capacity may be an issue, there will often be:

• a legal representative i.e. solicitor
  a Power of Attorney (POA)
  a Social Worker acting as an advocate

9.4      We would need a certified copy of the POA to be attached to the applicant’s record and/or barring case. This will then be used for any further communication regarding your case.

9.5       In barring cases where it is identified that an individual potentially lacks capacity, the cases will be referred to the Information Governance & Security Manager and Legal team for advice on how to proceed. Full consideration will be given as to who can make decisions on behalf of the individual and who is able to give consent.

10.0    Children’s consent

10.1      GDPR has a specific provision on children’s consent for

• ‘information society service’ i.e. services requested and delivered via the Internet
• those who require further protection due to their awareness
• comprehension regarding data protection, risks and potential consequences

10.2     There are no envisaged circumstances in which DBS will be required to obtain the consent of children – DBS only considers adults who are, have been, or may in the future engage in Regulated Activity, under our statutory function.

10.3     Applicants must be aged 16 or over to apply for any type of DBS check and are therefore not considered a child under GDPR.

10.4     Should children’s data and/or consent be required, these instances will be referred to the Information Governance & Security Manager for advice prior to any action being taken. They will consider age and verification measures, and make reasonable efforts to both identify and verify the holder of parental responsibility. They will also advise staff how to proceed.

11.0    Surveys/Feedback

11.1      The DBS may from time to time request completion of surveys or feedback from customers, stakeholders and employees.  Where this is undertaken the appropriate consent will be obtained in advance.

12.0    Right to withdraw consent

12.1      In circumstances where consent has been used to process your data, you have the right to withdraw consent at any time.

12.2     The process of withdrawing consent must be as easy as the process of giving consent. The DBS requires written consent in the circumstances detailed above, and will request the withdrawal of consent to also be in writing. If you inform us that you would like consent to be withdrawn over the telephone, an immediate suspension will be put in place to the consent held on file, and you will then be asked to request this withdrawal in writing.

12.3     It should also be noted that the DBS are under a duty (SVGA Sch 3 Prt 3 Para 13 (1)) to consider all information within our possession. Where this applies, you will be clearly informed of this duty before you give consent to processing i.e. attendance for a specialist risk assessment.

13.0    Individual Rights

13.1      Where consent has been used as the basis for processing data, this generally provides stronger rights for you under GDPR. In particular, under the following rights:

• Right to erasure – also known as the right to be forgotten
• Right to restriction of processing
• Right to lodge a complaint with a supervisory authority
• Right to an effective judicial remedy against a controller or processor

13.2     When you notify DBS that you wish to exercise any of these rights, all cases will be referred to the Information Governance Team for consideration.

14.0    Use of images i.e. CCTV, photos etc

14.1     CCTV, photos and images may be provided to the DBS under the requirements placed on employers and Regulatory Bodies etc. under SVGA/SVGO. These images are classed as personal data as individuals could be identified through their use, however DBS does not require consent in order to process the information. This is because they are being processed on a lawful basis under SVGA/SVGO.

14.2     DBS disclosure disputes and matching processes also occasionally require/obtain a copy of a photograph as part of the fingerprint elimination process. Consent is obtained by the fingerprint team alongside a photograph, if required, in order to proceed with the fingerprint process where a dispute has been raised.

14.3     This information is also covered by various legislation and guidance:

• Surveillance Camera Code of Practice
• Freedom of Information Act 2000
• Protection of Freedoms Act 2012
• Human Rights Act 1998 Article 8
• Surveillance Camera Commissioner and the ICO guidance

14.4     Those providing information to the DBS should have considered all relevant legislation before providing the information under SVGA/SVGO.

14.5     There are two circumstances in which the DBS may share this information further, however your consent is not required as this will be shared under SVGA/SVGO or GDPR, for example:

• Right of access by the data subject
• ‘minded to bar’ bundle

14.6     In the event that the information is to be shared or disclosed further, it is highly likely that due to the format of the information (images, CCTV etc.) it will include images of third parties that could be used to identify individuals. Consideration should be given to obscuring images i.e. pixellation, redaction or a transcript provided etc.

14.7     Where the request is under ‘right of access’ previously known as a subject access request, all third party data should be redacted, pixellated, obscured or a transcript provided etc.

15.0    Incorrect Handling

15.1      Incorrect handling of consent or incorrect processing of data based on consent could leave the DBS at risk of:

• reputational damage
• penalties
• the right to an effective judicial remedy against a controller or processor
• the right to compensation and liability

16.0    Validity of Consent

16.1      In all cases where consent has been used as the condition for processing, this should:

• be reviewed on an annual basis
• automatically lapse on conclusion of the case/enquiry

When consent lapses at the end of a case or enquiry, the individual should be made aware of this.

17.0    Reference List

17.1      Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

17.2      ICO GDPR consent guidance consultation document

17.3     Safeguarding Vulnerable Groups Act 2006 / Safeguarding Vulnerable Groups (Northern Ireland) Order 2007