Care Check Privacy Notice
Register Your Organisation
Start Your DBS Application
Manage Your DBS Checks
Privacy Notice
1. Introduction
Care Check LTD (“we”, “us”, “our”) is committed to protecting your privacy and the security of your personal data. We take care to protect the privacy of all individuals who engage with our services and website, whether we are providing a service to you directly, in cases where you have been directed to us by the organisation for which you work, or have otherwise contacted us through email or phone.
We have developed this privacy notice to inform you of the data we collect, what we do with it and what we do to keep it secure, as well as the rights and choices you have over your personal data.
Throughout this document we refer to Data Protection Legislation, which means the Data Protection Act 2018 (DPA 2018), United Kingdom General Data Protection Regulation (UK GDPR), the Privacy and Electronic Communications (EC Directive) Regulations 2003 and any legislation implemented in connection with the aforementioned legislation. This includes any replacement legislation coming into effect from time to time.
2. Our role
Care Check is the controller for the personal information we process as identified in this privacy notice. This means that we determine the purpose and means for which we process your data.
We are registered with the Information Commissioner’s Office (the ICO) with registration number Z330403X.
Where your organisation has instructed Care Check to carry out a check on you on their behalf, we will be a data processor and your organisation will be the data controller. This means that we will only process your data upon the instructions of your organisation and in accordance with our Terms of Service. You should refer to your organisation’s privacy notice for full details on how your data is processed and note that no other sections of this notice apply to these services.
We are also a Registered Organisation with the Disclosure and Barring Service (“DBS”) and Disclosure Scotland (“DS”), which means that we must comply with the DBS Code of Practice and have a fair processing notice, in addition to this privacy notice, which also applies to our processing relating to DBS checks.
We have appointed The DPO Centre Ltd as our Data Protection Officer (DPO) to help us monitor internal compliance, inform, and advise on data protection obligations, and act as a point of contact for data subjects and the ICO. For further details on how you can contact us or our DPO, please see the contact us section below.
3. The data we collect and when
We only collect personal data that we know we will genuinely use and in accordance with Data Protection Legislation and the DBS code of practice, where applicable. The type of personal data that we will collect on depends on the nature of the relationship that we have with you. We may collect the following:
- Biographical Data: Title, name, middle name(s), surname, DOB, place of birth, nationality at birth, current nationality, other names, gender.
- Contact Data: Job title and employer name, email address, phone number(s).
- ID Data: Passport or driving licence details, including scans, photos, and numbers, national insurance number, proof of address documentation, ID reports and a recent photo or “selfie”.
- Online Data: Cookies and IP addresses. For more information, please see our cookie banner and 4.5.
- Communications Data: Your communication preferences, subscriptions, feedback and any records of interactions with you. This may include call recordings.
- Payment Data: Information such as bank account and payment card details.
- Transaction Data: Information about payments to and from you and other details of products and services you have purchased from us.
- Criminal Offence Data: The results of your DBS check, and any information associated with it, as well as your response to our question on whether you have any unspent convictions.
- Other Check Data: Address history (5 years), country of application, DBS profile number, purpose of check (if employment selected – position applied for, name of sector, employer name).
In most instances, you are under no statutory or contractual requirement or obligation to provide us with your personal information; however, we will often require elements of the information above in order to provide our services to you in an efficient and effective manner.
4. How we use your information
4.1 Collection
In most instances we collect personal data directly from you, for example from online forms that you complete on our website, or any information you provide by email or by phone.
For some of our services, we will receive information from third parties, such as DBS or Disclosure Scotland, for example, with the results of your DBS check.
Should you need access to our client portal to manage DBS checks on behalf of the organisation for which you work, your organisation may provide us with basic information in order to add you to their account.
Further data may be collected as you interact with our website and/or systems.
4.2 Lawful basis
We only process, store or transfer your personal information when we have a legal basis for doing so. The lawful bases we may rely on to process the information identified in this notice are as follows:
- Legitimate Interest: processing is necessary for the purposes of our legitimate interests (i.e., our business interests), except where such interests are overridden by your interests or fundamental rights and freedoms.
- Consent: You have given consent to the processing of your personal data for one or more specific purposes. You may withdraw this consent at any time, either through the channel in which you provided your consent, or by getting in touch via the contact us section below.
- Legal obligation: processing is necessary for compliance with our legal obligations.
- Contractual Obligation: processing is necessary to deliver a contractual service to you or for us to do something at your request before entering into a contract with you
4.3 Purpose
We may use your data to:
| Processing activity | Type of Data | Lawful basis |
| Contact you, following your enquiry, reply to any questions, suggestions, issues, or complaints you have contacted us about, or to otherwise send you service messages. | Contact Data; Communications Data | Legitimate Interest (to promptly reply to your enquiries and to keep you informed of key updates to our services) |
| Meet our high security standards in managing your personal data, our systems and our website. | All Data Items | Legitimate Interest (to ensure that the privacy and security of your data is maintained at all times) |
| Provide an individual DBS or Disclosure Scotland Check (this includes any processing necessary to support you in completion of the check, hosting the data and providing results) | Biographical Data; Contact Data; ID Data; Criminal Offence Data; Other Check Data | Contractual Obligation (contract entered into with an individual when you request a check)
Consent/Explicit Consent Please note: Consent is also required by DBS for processing applications but this is separate from privacy consent) |
| Verify your identity, either manually or digitally | ID Data | Legitimate Interest (to ensure those subject to checks are who they say they are)
Contractual Obligation (where a requirement as part of a service we provide) |
| Process any purchases you make. This may include managing payments, fees and charges; collecting and recovering money owed to us | Contact Data; Transaction Data; Finance Data | Legitimate Interest (to process payments owed by your employer) or Contractual Obligation (to receive payment for our services from individuals) |
| Send you marketing communications where you have signed up to our newsletter or otherwise consented to receiving such material. You will be given the opportunity to opt-out in every communication. | Contact Data; Communications Data | Consent
Legitimate Interest (to promote our products and services in a B2B capacity) |
| Ask you to leave a review or take a survey relating to our services | Contact Data; Communications Data | Legitimate Interest (to monitor the quality of, and to help improve, our services) |
| Generate marketing/analytics from our website using cookies. | Online Data | Consent |
| Comply with applicable laws, lawful requests, and legal process, where appropriate/necessary. | The data items processed will depend on the request, but in any such situations, Care Check will only provide the minimal data necessary to comply | Legal Obligation |
| Comply with regulatory monitoring and reporting obligations, where appropriate/necessary. |
4.4 De-identified data
In addition, we may create anonymous, aggregated, or de-identified data from your personal information and other individuals whose personal information we collect. We do this by excluding information that makes the data personally identifiable to you.
4.5 Cookies
Care Check uses cookies to distinguish you from other users of our website. This helps to provide you with a good experience when you browse our website and also allows us to improve our site. You can set your cookie preference when you first visit our site via our cookie banner, which also provides you with information on the cookies we use. You can review and change your settings at any time by clicking the cookie icon in the bottom-left corner of our website. Alternatively you can contact us using the details in our notice and we will action this ourselves.
Care Check uses Google Analytics for tracking and reporting website traffic. This information can be used to gain insight into our website visitors and therefore improve the way our website works. You can find Google’s Privacy Policy here: https://policies.google.com/privacy?hl=en&gl=uk. You can prevent Google Analytics cookies being used by opting out via our cookie banner or via our Cookie Policy. Alternatively, you can opt-out through browser/mobile settings, or use the following browser add-on to opt-out of Google Analytics online: https://tools.google.com/dlpage/gaoptout.
Please note that third parties (including, for example, advertising networks and providers of external services like web traffic analysis services) may also use cookies, over which we have no control. These cookies are likely to be analytical/performance cookies or targeting cookies.
5. Data Sharing
5.1 Who we may share your data with
We may share your personal data with trusted third-party organisations, subject to written agreements, as follows:
| Recipient | Purpose | Location |
| Matrix | Provides the eBulk solution, our secure IT system used to process and host all data related to checks. | UK |
| DBS | The DBS provide the processing of all levels of DBS checks, all information collected within the DBS application form is shared with them. | UK |
| Disclosure Scotland | Disclosure Scotland provide the processing of Basic level checks for applicants living within Scotland. | UK |
| Campaign Monitor | We use Campaign Monitor to send out bulk mailers relating to system updates, legislation changes ID rules, and system downtime. The only information held within Campaign Monitors system is registered clients email addresses. | EEA |
| Opayo | We use Opayo for the processing of Payment Data. We have a separate policy for this supplier that can be found within our guidance pages. | UK |
| Intuit | Processing Contact Data to send out invoices, statements and reminders. | UK |
| Trust ID | Conduct digital identity verification and authentication solutions using ID Data. | UK |
| Bamboo | Used for call recording purposes and therefore processes Communication Data | UK |
| Cloud 9.0 | IT support, any data access incidental. | UK |
In addition to the table above, we may share your data with
- Professional advisors, such as lawyers bankers, auditors and insurers, where necessary in the course of the professional services that they render to us.
- Government or law enforcement officials or private parties as required by law and disclose and use such information as we believe necessary or appropriate.
- Cookie and Analytics Providers. See 4.5 and our cookie banner for more detail.
5.2 International transfers of information
The large majority of Care Check’s processing takes place in the UK, with most of the third parties Care Check engages with also UK based. However, should Care Check, or any third party Care Check shares data with need to transfer your personal information from the UK (or EEA) to countries not deemed by the ICO to provide an adequate level of personal information protection, the transfer will be based on safeguards that allow us (or them) to conduct the transfer in accordance with the data protection legislation, such as the specific contracts approved by the ICO providing adequate protection of personal information.
6. How we keep you updated on our services
As identified in 4.3 above, we may contact you for several purposes.
We may send you service messages that provide you with information that we legitimately have cause to send you as a user of our products and services or in order to help us improve our products and services (feedback requests, market research, etc.). Such messages will not contain promotional material.
For business contacts, we may separately send you information regarding our products and services where we believe such messages are relevant and will be of interest to you/the organisation for which you work in a business capacity. In such instances, we will contact you if you have provided your consent or if we believe we have a legitimate interest in doing so. Each email communication will have an option to object to the processing, if you wish to amend your marketing preferences, you can do so by following the link in the email and updating your preferences or by calling us on the number displayed on our website.
7. Your rights over your information
You have a number of rights over how we manage your personal information. If you would like to exercise any of these rights, please contact our Data Privacy Team using the contact details in this notice. We may ask you for information to confirm your identity when responding to any such requests. We will typically respond to your requests within one month from the confirmation of your identity, unless we require additional time and are entitled to this as per Data Protection Legislation.
Under certain circumstances, by law you have the right to:
7.1 Be informed about our collection and use of personal data
You have the right to be informed about the collection and use of your personal data. We ensure we do this through this privacy notice and by providing you other relevant information when you first engage with us. Our notices are regularly reviewed and updated to ensure these are accurate and reflect our data processing activities.
7.2 Right to access your personal information
You have the right to access the personal information that we hold about you in many circumstances, by making a request. This is referred to as a ‘Data Subject Access Request’. If we agree that we are obliged to provide personal information to you (or someone else on your behalf), we will typically provide it to you or them free of charge and aim to do so within one month from when your identity has been confirmed.
7.3 Right to rectify your personal information
If any of the personal information we hold about you is inaccurate, incomplete, or out of date, you may ask us to correct it.
Please note, when it comes to individual DBS checks, upon submitting an application, we are no longer able to correct any information you have included on that application without withdrawing the application itself and then resubmitting it. This may incur a fee.
7.4 Right to object or restrict our processing of your data
You have the right to object to us processing your personal information for particular purposes or have its processing restricted in certain circumstances.
7.5 Right to erasure
You have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.
7.6 Right to portability
The right to portability gives you the right to receive personal data you have provided to a controller in a structured, commonly used, and machine-readable format. It also gives them you the right to request that a controller transmits this data directly to another controller.
This right is unlikely to apply to Care Check’s use of your data, but if you would like to discuss this right, please contact us as set out below.
7.7 Right to withdraw consent
Should we be relying on consent for the processing of your personal data, you have the right to withdraw such consent at any time.
7.8 Right in relation to automated decision making
Should we use your personal data for the purposes of automated decision-making and our automated decisions have a legal (or similarly significant) effect on you, you have the right to challenge those decisions and to request human intervention, express your own point of view and obtain an explanation of the decision from us.
7.9 For more information about your privacy rights
The Information Commissioner’s Office (ICO) regulates data protection and privacy matters in the UK. They make a lot of information accessible to consumers on their website and they ensure that the registered details of all data controllers such as ourselves are available publicly. You can access them here https://ico.org.uk/for-the-public.
You can make a complaint to the ICO at any time about the way we use your information. However, we hope that you would consider raising any issue or complaint you have with us first. Your satisfaction is extremely important to us, and we will always do our very best to solve any problems you may have.
8. How long we keep your information for
We will retain your personal information in order to provide you with a high-quality service, in accordance with Data Protection Legislation and for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means.
In some circumstances we may anonymise your personal information (so that it can no longer be associated with you).
For individual DBS checks, your data will be deleted after 6 months. We will retain an archived record of the check with minimal Contact/Biographical Data for 3 years, for record-keeping and customer service purposes.
9. Security
Data security is of great importance to us and to protect your data we have put in place suitable physical, electronic, and managerial procedures to safeguard and secure your collected data.
We take security measures to protect your information including:
- Limiting access to our buildings to those that we have determined are entitled to be there (by use of passes, key card access and other related technologies).
- Implementing access controls to our information technology.
- We use appropriate procedures and technical security measures (including pseudonymisation, strict encryption and archiving techniques) to safeguard your information across all our computer systems, networks, websites, mobile apps, offices, and stores.
- All information held within the eBulk system is encrypted on transfer and held in an ISO 27001 certified data centre.
- We only share your data with service providers that can provide sufficient guarantees that they will process your data securely and in accordance with Data Protection Legislation.
10. Changes to Our Privacy Notice
We may change this privacy notice from time to time (for example, if the law changes). We recommend that you check this notice regularly to keep up-to-date.
11. How to contact us
If you would like to exercise one of your rights as set out above, or you have a question or a complaint about this notice, the way your personal information is processed, you can contact us or our DPO by one of the following means:
By email: privacy@carecheck.co.uk By post: Care Check Ltd, 1st Floor Orchard House, Crab Apple Way, Evesham, WR11 1GP
By phone: 0333 777 8575
Thank you for taking the time to read our privacy notice.
This notice was last updated July 2024.