Privacy Notice: Identity, Financial and Criminal Offence Checks

Privacy Notice: Identity and Financial Verification Checks and Criminal Offence Checks

Introduction

Name of Organisation: Cherwell District Council 

This Privacy Notice

This privacy notice must be read in conjunction with the Cherwell District Council Corporate Privacy Notice and other applicable policies and procedures.

When appropriate, we will provide a ‘just in time’ notice to cover any additional processing activities not mentioned in this document.

We regularly review this privacy notice, with the most recent update made in June 2026.

What is the purpose of processing your data

Cherwell District Council is committed to protecting your privacy and safeguarding your personal information. This Privacy Policy explains how we collect, use, disclose and protect information obtained during identity verification, financial verification, criminal offence checks, fraud prevention, and regulatory compliance activities.

We process personal information to:

  • Verify your identity
  • Verify financial information
  • Prevent fraud, money laundering and financial crime
  • Carry out Disclosure and Barring Service (DBS) checks were required
  • Comply with legal and regulatory obligations, including Know Your Customer (KYC) and Anti-Money Laundering (AML) requirements
  • Assess eligibility for products or services

We process your personal data in accordance with applicable data protection laws and the lawful bases set out in this notice.

The provision of certain personal data is primarily contractual and, in some circumstances, required to meet legal and regulatory obligations.

What are the consequences of not providing personal data? 

If you choose not to provide the personal data: 

  • We may be unable to enter into a contract with you. 
  • We may be unable to fulfil orders, supply goods, or provide services. 
  • We may be unable to conduct necessary verification, compliance, or fraud prevention checks; and 
  • As a result, our services may be delayed, restricted, or declined. 

What type of information do we have

Dependent upon the activity or service you have chosen, the range of personal information processed about you will vary. We may process the following:

Identity Information

We currently collect and process the following information:

  • Full name
  • Date of birth
  • Address
  • Contact details
  • Government-issued identification documents (passport, driver’s licence, etc)
  • Biometric data (e.g. facial image for verification)
  • Proof of address

Financial Information

  • Bank account details
  • Payment information
  • Income verification
  • Transaction history
  • Credit data (where permitted)

Technical Information

We may collect:

  • IP address
  • Device identifiers
  • Browser type
  • Log data
  • Location data (where permitted)

Criminal Offence Data

  • Convictions, cautions, reprimands and warnings
  • DBS disclosure information

How do we obtain your data

Most of the personal information we process is provided to us directly by you when you engage with our services.

We may also receive data from other sources in the following circumstances:

  • Identity verification providers (e.g. TrustID)
  • Credit reference agencies (e.g. Creditsafe, TransUnion)
  • The Disclosure and Barring Service (DBS) via approved processors
  • Public records and registers

Who we share your personal information with?

We may share your personal data with:

  • Identity and verification providers (e.g. TrustID)
  • Credit reference agencies (e.g. Creditsafe, TransUnion)
  • DBS processing providers (e.g. uCheck Limited)
  • Law enforcement and regulatory bodies
  • Other public authorities where required
  • Approved contractors acting on our behalf

What is our lawful basis for processing your information?

General Processing - Article 6

Under the General Data Protection Regulation (GDPR), the lawful bases we rely on for processing this information are:

Article 6(1)(c) – Legal obligation (AML, fraud prevention, safeguarding)

Article 6(1)(f) – Legitimate interests (fraud prevention, governance, service delivery)

A Legitimate Interests Assessment has been conducted.

Special Category Data – Article 9

Where we process special category (sensitive) personal data, we rely on one or more of the following conditions under Article 9 of UK GDPR:

Article 9(2)(g) – Substantial public interest (e.g. safeguarding, fraud prevention)

Article 9(2)(a) – Explicit consent (where biometric data is processed)

Article 10 – Criminal Offence Data

We process criminal offence data in accordance with the Data Protection Act 2018 and applicable legislation.

This is supported by Schedule 1, Part 2 (6) of the Data Protection Act 2018 and legal framework, such as:

The Money Laundering Regulations 2017: Require councils to perform thorough Customer Due Diligence (CDD) and Know Your Customer (KYC) checks to prevent financial crime and verify the origin of funds when processing certain high-risk transactions (such as housing funds or major contracts).

Fraud Act 2006: Underpins the authority of local councils to perform due diligence and financial verification to protect public funds from fraud, misrepresentation, and economic crime.

DBS Code of Practice.

Third Party Services

Our verification services utilise third-party providers (processors). These providers process information according to their own privacy policies and applicable legal requirements.

Creditsafe

We obtain information via Creditsafe, which uses TransUnion data.

  • Creditsafe Business Solutions Limited (FCA FRN: 742313)
  • TransUnion International UK Limited (FCA FRN: 805757)

Data includes identity, credit commitments, payment history, and public records.

Further information about how Creditsafe and TransUnion process your personal data can be found in their respective privacy notices:

TrustID

We use TrustID to verify identity using document checks, biometrics, and trusted data sources.

Data may include:

  • Name, date of birth, and address
  • Identity document data
  • Facial biometric data

TrustID may use sub-processors including:

  • uCheck Limited (DBS and identity services)
  • Matrix Security Watchdog Limited (background screening)

These sub-processors act under TrustID’s instructions and are subject to contractual and data protection obligations to safeguard your personal data.

Further information about how TrustID and its sub-processors process your personal data can be found in its privacy notice:

Disclosure and Barring Service (DBS) Checks

Where required, we carry out DBS checks for safeguarding, recruitment, licensing, and regulatory purposes. This may include processing:

  • Criminal convictions
  • Cautions and warnings
  • Enhanced disclosure information

We use this data to:

  • Assess suitability for roles or services
  • Protect vulnerable individuals
  • Prevent fraud
  • Meet legal obligations

DBS checks are conducted via providers such as uCheck Limited.

DBS handling principles:

  • Used only for stated purposes
  • Access restricted to authorised staff
  • Retained only as necessary
  • Securely destroyed after use

Each third-party provider processes personal data on our behalf in accordance with contractual agreements and applicable data protection laws.

They are required to retain personal data only for as long as necessary to fulfil the purposes for which it was collected and to securely delete or return it thereafter.

Details of transfers to any third countries or internal organisations

Your data is primarily processed within the UK and European Economic Area (EEA).

Where personal data is transferred outside of these areas, we ensure appropriate safeguards are in place, such as:

  • UK adequacy regulations; or
  • Standard Contractual Clauses (SCCs).

Your rights in relation to this processing

To find out about your rights under data protection law, you can go to the Information Commissioner's Office website.

You can also find information about your rights in our Corporate Privacy Notice.

If you have any questions about this privacy notice, want to exercise your rights, or if you have a complaint about how your information has been used, please contact us:

Other relevant transparency information

For more information about how we use your data, including your privacy rights and the complaints process, please see our corporate privacy notice.