UK Data Privacy, DBS Checks & Your Rights

Data privacy in the UK has two very different halves. Your data-protection rights under the UK GDPR are the same across all four nations, but criminal-record checks run on three separate systems, one each for England and Wales, Scotland, and Northern Ireland. This hub maps both and links every guide.
Two halves: UK-wide data rights, per-nation record checks
The single most important thing to get right is which half of this cluster you are in. Data protection (what organisations can do with your personal information, and the rights you have over it) is a reserved, UK-wide matter: the UK GDPR, the Data Protection Act 2018, and the ICO apply identically whether you live in Cardiff, Glasgow or Belfast. Criminal-record disclosure (the checks an employer runs before you start a job) is devolved and genuinely different in each nation, with three separate agencies, three sets of products, and certificates that are not transferable between them. Reading the wrong nation's guidance is the most common mistake, so each check has its own page below.
Your data-protection rights (UK-wide)
Under the UK GDPR, you have rights over the personal data organisations hold about you. The most used is the subject access request, your right to a free copy of your data within one month, and you can build the letter with our free subject access request generator or follow the template guide. You can also ask an organisation to delete your data under the right to be forgotten. If something goes wrong, you can complain to the ICO, and in limited cases claim data breach compensation through the courts.

The Data (Use and Access) Act 2025 reshaped several of these rights during 2026, and the freshest points are flagged on each page.
Criminal-record checks (per-nation)
Which check you need depends on where you will work and the role. Our criminal record check guide helps you choose, and each system has its own page:

- England and Wales: the DBS check (Disclosure and Barring Service), with Basic, Standard, Enhanced, and Enhanced-with-barred-list levels.
- Scotland: Disclosure Scotland and the PVG scheme, reformed by the Disclosure (Scotland) Act 2020 into Level 1 and Level 2 disclosures.
- Northern Ireland: the AccessNI check, with Basic, Standard and Enhanced levels.
Whether an old conviction has to be disclosed depends on the spent convictions rules, which have been reformed at different times in each nation.
Surveillance, recording and the core moat
Data-protection law also reaches into everyday recording. Home CCTV and doorbell cameras that capture beyond your own boundary bring you within the UK GDPR, as the Ring-doorbell case Fairhurst v Woodard showed. And the common question of whether it is illegal to record someone turns on the same distinction between recording for your own use and processing other people's data.

This hub is general legal information about the law in the United Kingdom, not legal advice. Data protection is UK-wide, but criminal-record checks and spent-conviction rules differ between England and Wales, Scotland, and Northern Ireland, and the law is changing under the Data (Use and Access) Act 2025. For your own situation, check the current guidance on the ICO website, GOV.UK, mygov.scot or nidirect, or take advice. Part of our guide to United Kingdom law.
Frequently Asked Questions
Is data protection law the same across the UK?
Yes. The UK GDPR and the Data Protection Act 2018 are reserved, UK-wide law regulated by the ICO, so your data-protection rights are the same in England, Wales, Scotland and Northern Ireland. What differs by nation is criminal-record disclosure, which uses three separate systems.
What is the difference between a DBS check, Disclosure Scotland and AccessNI?
They are the three UK criminal-record-check systems. The DBS covers England and Wales, Disclosure Scotland (with the PVG scheme) covers Scotland, and AccessNI covers Northern Ireland. They have different levels, fees and rules, and a certificate from one is not automatically accepted in another.
How do I get a copy of the data a company holds about me?
Make a subject access request under Article 15 of the UK GDPR. It is free in most cases and the organisation must respond within one month. You can send a simple letter or use our free subject access request generator, and complain to the ICO if they refuse or ignore you.
Can I claim compensation for a data breach in the UK?
You can claim through the courts for financial loss or distress caused by a breach of data-protection law, but not from the ICO. Following Lloyd v Google, there is no automatic payout for mere loss of control of data, so genuine claims need evidence of real damage or distress.
Is it illegal to record someone in the UK?
There is no general law against recording your own conversations or calls for personal use, even without the other person's consent. It can become unlawful if you share or process other people's data in breach of the UK GDPR, if it is done in a workplace without notice, or if it amounts to harassment.
Sources and References
- ICO: Guide to the UK GDPR(ico.org.uk).gov
- GOV.UK: Disclosure and Barring Service (DBS) checks(gov.uk).gov
- mygov.scot: Disclosure Scotland and the levels of disclosure(mygov.scot).gov
- nidirect: Types of AccessNI check(nidirect.gov.uk).gov
- legislation.gov.uk: Data (Use and Access) Act 2025(legislation.gov.uk).gov
- ICO: Your right of access (subject access requests)(ico.org.uk).gov