asked Her Majesty's Government:
Whether it is still the case that the data from a Criminal Records Bureau application form which are input in India are name, date of birth and addresses for the past five years; and
Whether any information from any source other than the application form is input in India on behalf of the Criminal Records Bureau; what information other than name, date of birth or address is input in India; whether any other information is accessed from India; whether any other overseas location is involved in data access or data input for the Criminal Records Bureau system; and whether the Government or the bureau have plans to increase the extent of work done overseas; and
Whether any personal information other than name, date of birth and address is input overseas into the Criminal Records Bureau system; and whether overseas personnel have access to any other personal information such as bank details; and
Whether the application form for a Criminal Records Bureau check now carries an instruction that the section on bank details must be left blank; and
How many unprocessed Criminal Records Bureau applications are on forms which asked for bank details to be completed; and how forms already processed which contain bank details are being stored.
Work—consisting solely of manually inputting all personal information contained on Criminal Records Bureau (CRB) disclosure application forms (including the mandatory details such as the applicant's name, date of birth, current and previous addresses during the past five years, position applied for, the organisation concerned and details of the documents used as evidence of an applicant's identification, such as passport, driving licence and birth certificate)—is undertaken at a site in India.
The data transferred are those contained on the disclosure application form. The form is scanned, encrypted and then transferred via a secure link to a site in India. On receipt of the scanned image, the data are entered onto a system compatible with those used by the CRB to process disclosure applications. On completion the data are again encrypted and transferred back to the UK via the secure link. The data are retained in India only for the duration of time taken to input. Thereafter, the data are destroyed. The overseas personnel involved in the data input are fully trained in data security and privacy and abide by a strict code of conduct.
The form is set out in Schedule 2 to the Police Act 1997 (Criminal Records) Regulations 2002. No other overseas location is involved in data access or data input for the CRB. There are no plans to increase or extend the work carried out overseas.
Although pending redesign and reprinting, the current disclosure application form includes a section in which applicants were originally invited to show certain other personal information, including their bank details, for the purpose of assisting in verifying the applicant's identity. It was decided in December 2002 that this section should no longer be used and customers were informed in January 2003. The section was formally revoked by the Police Act (Criminal Records) (Amendment No. 2) Regulations 2003 with effect from February 2003.
It is the responsibility of a registered body to verify the applicant's identity using guidelines issued by the CRB. All registered bodies have been informed that applicants no longer need to supply bank details. They have been made aware via both the disclosure website and the customer newsletter. Applicants themselves are made aware via the application guidance notes, which clearly state that there is no longer a requirement to supply bank details.