Privacy Notice: Identity and Financial Verification Checks and Criminal Offence Checks
Introduction
Name of Organisation: Cherwell District Council
- Address: 39 Castle Quay, Banbury, OX16 5FD
- Telephone: 01295 227001
- Name of Data Protection Officer (DPO): Shiraz Sheikh
- E-mail: informationgovernance@cherwell-dc.gov.uk
This Privacy Notice
This privacy notice must be read in conjunction with the Cherwell District Council Corporate Privacy Notice and other applicable policies and procedures.
When appropriate, we will provide a ‘just in time’ notice to cover any additional processing activities not mentioned in this document.
We regularly review this privacy notice, with the most recent update made in June 2026.
What is the purpose of processing your data
Cherwell District Council is committed to protecting your privacy and safeguarding your personal information. This Privacy Policy explains how we collect, use, disclose and protect information obtained during identity verification, financial verification, criminal offence checks, fraud prevention, and regulatory compliance activities.
We process personal information to:
- Verify your identity
- Verify financial information
- Prevent fraud, money laundering and financial crime
- Carry out Disclosure and Barring Service (DBS) checks were required
- Comply with legal and regulatory obligations, including Know Your Customer (KYC) and Anti-Money Laundering (AML) requirements
- Assess eligibility for products or services
We process your personal data in accordance with applicable data protection laws and the lawful bases set out in this notice.
The provision of certain personal data is primarily contractual and, in some circumstances, required to meet legal and regulatory obligations.
What are the consequences of not providing personal data?
If you choose not to provide the personal data:
- We may be unable to enter into a contract with you.
- We may be unable to fulfil orders, supply goods, or provide services.
- We may be unable to conduct necessary verification, compliance, or fraud prevention checks; and
- As a result, our services may be delayed, restricted, or declined.
What type of information do we have
Dependent upon the activity or service you have chosen, the range of personal information processed about you will vary. We may process the following:
Identity Information
We currently collect and process the following information:
- Full name
- Date of birth
- Address
- Contact details
- Government-issued identification documents (passport, driver’s licence, etc)
- Biometric data (e.g. facial image for verification)
- Proof of address
Financial Information
- Bank account details
- Payment information
- Income verification
- Transaction history
- Credit data (where permitted)
Technical Information
We may collect:
- IP address
- Device identifiers
- Browser type
- Log data
- Location data (where permitted)
Criminal Offence Data
- Convictions, cautions, reprimands and warnings
- DBS disclosure information
How do we obtain your data
Most of the personal information we process is provided to us directly by you when you engage with our services.
We may also receive data from other sources in the following circumstances:
- Identity verification providers (e.g. TrustID)
- Credit reference agencies (e.g. Creditsafe, TransUnion)
- The Disclosure and Barring Service (DBS) via approved processors
- Public records and registers
Who we share your personal information with?
We may share your personal data with:
- Identity and verification providers (e.g. TrustID)
- Credit reference agencies (e.g. Creditsafe, TransUnion)
- DBS processing providers (e.g. uCheck Limited)
- Law enforcement and regulatory bodies
- Other public authorities where required
- Approved contractors acting on our behalf
What is our lawful basis for processing your information?
General Processing - Article 6
Under the General Data Protection Regulation (GDPR), the lawful bases we rely on for processing this information are:
Article 6(1)(c) – Legal obligation (AML, fraud prevention, safeguarding)
Article 6(1)(f) – Legitimate interests (fraud prevention, governance, service delivery)
A Legitimate Interests Assessment has been conducted.
Special Category Data – Article 9
Where we process special category (sensitive) personal data, we rely on one or more of the following conditions under Article 9 of UK GDPR:
Article 9(2)(g) – Substantial public interest (e.g. safeguarding, fraud prevention)
Article 9(2)(a) – Explicit consent (where biometric data is processed)
Article 10 – Criminal Offence Data
We process criminal offence data in accordance with the Data Protection Act 2018 and applicable legislation.
This is supported by Schedule 1, Part 2 (6) of the Data Protection Act 2018 and legal framework, such as:
The Money Laundering Regulations 2017: Require councils to perform thorough Customer Due Diligence (CDD) and Know Your Customer (KYC) checks to prevent financial crime and verify the origin of funds when processing certain high-risk transactions (such as housing funds or major contracts).
Fraud Act 2006: Underpins the authority of local councils to perform due diligence and financial verification to protect public funds from fraud, misrepresentation, and economic crime.
DBS Code of Practice.
Third Party Services
Our verification services utilise third-party providers (processors). These providers process information according to their own privacy policies and applicable legal requirements.
Creditsafe
We obtain information via Creditsafe, which uses TransUnion data.
- Creditsafe Business Solutions Limited (FCA FRN: 742313)
- TransUnion International UK Limited (FCA FRN: 805757)
Data includes identity, credit commitments, payment history, and public records.
Further information about how Creditsafe and TransUnion process your personal data can be found in their respective privacy notices:
- Creditsafe Privacy / Transparency Notice (customers and suppliers)
- TransUnion CRAIN (Credit Reference Agency Information Notice)
- TransUnion Bureau Privacy Notice
TrustID
We use TrustID to verify identity using document checks, biometrics, and trusted data sources.
Data may include:
- Name, date of birth, and address
- Identity document data
- Facial biometric data
TrustID may use sub-processors including:
- uCheck Limited (DBS and identity services)
- Matrix Security Watchdog Limited (background screening)
These sub-processors act under TrustID’s instructions and are subject to contractual and data protection obligations to safeguard your personal data.
Further information about how TrustID and its sub-processors process your personal data can be found in its privacy notice:
Disclosure and Barring Service (DBS) Checks
Where required, we carry out DBS checks for safeguarding, recruitment, licensing, and regulatory purposes. This may include processing:
- Criminal convictions
- Cautions and warnings
- Enhanced disclosure information
We use this data to:
- Assess suitability for roles or services
- Protect vulnerable individuals
- Prevent fraud
- Meet legal obligations
DBS checks are conducted via providers such as uCheck Limited.
DBS handling principles:
- Used only for stated purposes
- Access restricted to authorised staff
- Retained only as necessary
- Securely destroyed after use
Each third-party provider processes personal data on our behalf in accordance with contractual agreements and applicable data protection laws.
They are required to retain personal data only for as long as necessary to fulfil the purposes for which it was collected and to securely delete or return it thereafter.
Details of transfers to any third countries or internal organisations
Your data is primarily processed within the UK and European Economic Area (EEA).
Where personal data is transferred outside of these areas, we ensure appropriate safeguards are in place, such as:
- UK adequacy regulations; or
- Standard Contractual Clauses (SCCs).
Your rights in relation to this processing
To find out about your rights under data protection law, you can go to the Information Commissioner's Office website.
You can also find information about your rights in our Corporate Privacy Notice.
If you have any questions about this privacy notice, want to exercise your rights, or if you have a complaint about how your information has been used, please contact us:
- on email: informationgovernance@cherwell-dc.gov.uk
- or write to: Data Protection Officer, Cherwell District Council, 39 Castle Quay, Banbury, OX16 5FD
Other relevant transparency information
For more information about how we use your data, including your privacy rights and the complaints process, please see our corporate privacy notice.