CRB Checks

This policy explains your rights as a customer of the crbchecks.co.uk. These rights are set out by the Data Protection Act 1998 (the Act). The policy explains why we require your personal data. It will cover what we do with your data and what you can expect from us in return. It will also explain how to obtain a copy of any personal data we may hold about you.

The policy will not replace the Data Protection Act. It will show how the CRB will comply with the Act when processing your personal data.

This policy is aimed at users of the Disclosure service and sets out their rights when using this service.

Your rights and how we protect them

crbchecks.co.uk is committed to compliance with the Act. We hold a legal duty to do so. We will take every precaution to protect your data. The following principles will apply when we process your personal data:

• Your data is only processed with your knowledge;
• Only data that we actually need is collected and processed;
• Your data is only seen by those who need it to do their jobs;
• Your data is retained only for as long as it is required;
• Your data is accurate and is only used for the intended purpose;
• Decisions affecting you are made on the basis of reliable and up to date data;
• Your data is protected from unauthorised or accidental disclosure;
• You will be provided with a copy of data we hold on you, on request;
• There will be procedures in place for dealing promptly with any disputes.
• All will apply whether we hold your data on paper or in electronic form.

What personal data we hold

We will only hold your data if you have applied for a Disclosure or to be a Countersignatory.

If you have a police record, we will hold some basic data relating to this. This data is contained in the Police National Computer (PNC) extract that is held by crbchecks.co.uk. The extract is not a full police record. Only basic identifying details such as name and address are held on the extract. The extract is used for securing a match with the PNC when dealing with a Disclosure application.

We will also hold some of your details if you are included in the 'Department of Health' or the 'Department for Education and Skills' lists. The lists are maintained for the protection of children and vulnerable adults. The lists contain the names of those considered unsuitable to work with these groups.

crbchecks.co.uk does not capture or store data about visitors to its website. However, you may choose to give us data such as your name, address or e-mail for enquiries. If this is the case, the data received will be kept only for the time taken to process your enquiry.

Responsibility for your personal data

crbchecks.co.uk is the 'Data Controller' of your data. This means that we hold full responsibility for the safety of your data.

Any organisation that works on behalf of crbchecks.co.uk is referred to as our 'Data Processor'. We can assure that our 'Data Processors' comply with the Act. This is to the same high standard as the CRB.

Organisations that are involved with the Disclosure service

Your data will only be seen by those whose jobs require them to do so.  In practice, this means CRB staff conducting the various checks that are necessary for the issue of Disclosures.  Data may also be passed to organisations and ‘Data Sources’ involved in the Disclosure Service.  These are:

• Capita Plc –the CRB partner in the Disclosure service.  Involved in procedures processing your data
• Police Forces in England, Wales and Northern Ireland, the Isle of Man and the Channel Islands – searches will be made on the PNC and data may be passed to local police forces in the area where you live, or have previously lived. The data will be used to update any personal data the police currently hold about you 
• Department of Health/Department for Children, Schools and Families (DH/DCSF) – data may be passed to the relevant department if your job involves working with children or vulnerable adults in relation to the lists held
• Scottish Criminal Record Office (SCRO) – if you have spent any time living in Scotland, your details may be referred
• Customer satisfaction surveys – the CRB may conduct customer satisfaction surveys and may employ a specialised organisation to conduct the survey on their behalf.  The data used will be restricted to name and address
• United Kingdom Central Authority - for information exchange with other EU countries in accordance with the decision made by the council of The European Union.

Any member of staff that has access to your data will be thoroughly checked by a governmental security unit.  All our staff are data protection trained and are aware of their responsibilities under the Act.

The CRB conduct regular compliance checks on all CRB departments and systems.  All checks are to the standard set out by the Information Commissioners Office.  In addition continual security checks on their IT systems are undertaken.

Reasons for requesting personal data

The data contained in a Disclosure is often sensitive. It may be that it contains details of offences or convictions. For this reason we must be sure of the identity of an applicant. We have a duty to make certain that any data disclosed is both accurate and relevant.

It is important that we conduct a complete and accurate check of each applicant. Your data is requested for the sole reason that it is necessary to the Disclosure process.

What data is necessary for a Disclosure application?

The form asks only for data that is necessary. The 'Additional Information' section should only be completed if consent is to be given for the check with the commercial source.

If you are using a referee you must make sure that you obtain consent before entering their details on the form. Referees should be made aware that crbchecks.co.uk might need to pass their details to a commercial company should we require their help in verifying your identity. If they object to this, you must select another referee.

Why does the CRB require personal details of Countersignatories?

A key part in the Disclosure process is that played by a Countersignatory. We must make sure that they do not have a background that would make them unsuitable to receive your data. The data requested will allow us to check identity and carry out an Enhanced Disclosure check.

Our retention periods

crbchecks.co.uk has a formal retention policy in place. We will hold your data for 3 years after your application. This is to allow for repeat applications, complaints and disputes. After this time, the data we hold about you will be reduced to basic details as follows:

• Name;
• Date of birth;
• Postcode;
• National insurance number;
• Gender.

Plus;

• Type of Disclosure issued;
• Issue date and reference number.

These details will be held in our archives for 10 years. Data is usually archived after 6 months. Archives are not readily accessible. If your Disclosure shows convictions, we will retain this data for 10 years before storing it in our archives. It is important that we keep a record of the Disclosures we have issued and to whom.

If you are a Countersignatory, your details will be kept for the life of your registration with the CRB, plus 3 years. After this time, the following details will be kept in the CRB archives for 10 years:

As above, plus;

• The reference number of each Disclosure that you have countersigned.

Storage of data

Your data is held in secure computer files, which have restricted access. We have approved measures in place to stop unlawful access and disclosure.

Individual rights

The Act states that data should only be processed in accordance with the rights of an individual. These rights include:

• To know what data we hold about you and
• To ask us to amend any data if incorrect.

The right to subject access of personal data

You are entitled to be told if an organisation holds any data about you and if so to be given a copy. The data must be provided in a clear form. This right is the 'right to subject access'. You are entitled to be told what your data is used for and if it is disclosed to others.

Exemptions to the right to subject access

You are entitled to see any data that we hold about you, with some specific exceptions as set out in the Act. For example, we are allowed to refuse requests where providing data would be likely to prejudice:

• The prevention or detection of crime, or
• The privacy rights of a third party.

How to apply for subject access

You should contact us to request a copy of the data we hold. The fee is £10.00. Requests can be made either in writing or by e-mail - address given below.

We must be sure that we are releasing information to the right person. You will be asked to supply information to prove your identity.

If you want 'subject access' for a copy of your police record, but have never applied for a Disclosure, it will be highly unlikely that any data will be held. We will be willing to give you details for your local police force where a request can be made.

We will be happy to help you complete the request. The Citizens Advice Bureau may also be able to help.

Transfer outside the European Economic Area

If you have recently lived in the Channel Islands or the Isle of Man, it is likely that your data will be passed to police forces in the that area. If your data needs to be transferred there or anywhere else, we will make sure that an adequate level of protection is in place.

Notification of changes

If we decide to change our privacy policy, we will post those changes on our web site.

Contact details

Further information and advice can be obtained from:

The Office of the Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
www.ico.gov.uk/

For your nearest Citizens Advice Bureau, contact:

www.nacab.org.uk