It has at all times been the intention that, in terms of data protection, security and other aspects, the arrangements for processing data should entail no material increase to the risk of misuse of data. Consequently, before agreement was given for any data to be processed in India, the site was visited by senior officials from the Criminal Records Bureau (CRB), who were fully satisfied that this was the case. The main CRB contract, (signed in August 2000) requires that the CRB's private sector partner, Capita, and any sub-contractor of Capita must comply with the Data Protection Act 1998; and that Capita may not enter into a sub-contracting arrangement without the permission of the CRB.
The CRB undertakes a wide range of checks and audits on all systems and processes to satisfy the security expectations of the Data Protection Act 1998. In addition to daily routine auditing of CRB systems, the CRB undertakes yearly security accreditation and BS7799 compliance and has undergone a full data protection adequacy audit. Where processing is conducted by a data processor overseas, the same security standards are applied. Additionally, all staff members both within the CRB agency and within organisations processing data on behalf of the CRB agency receive regular data protection and security training.