Data Protection for DBS Checks

How confidential is the information that appears in all levels of Disclosure and Barring Service’s (DBS) checks?

You can’t be blamed for being concerned that the information on these data sensitive certificates is kept as confidential as possible.

Even a basic DBS check, also known as a CRB check is going to flag up any unspent convictions and cautions you have received going back as far as seven years, depending on the offence.

While you can apply for a basic DBS check yourself, standard and enhanced clearances can only be requested by a screening service or organisation that is recognised by the DBS.

Data protection is taken very seriously in the UK and anyone with access to your personal information has to comply to strict data protection laws and this includes criminal records.

Confidentiality is a legal requirement

A reputable employer should know the importance of confidentiality not only because it builds trust with their employees but also because confidentiality is a legal requirement.

They are compelled to follow the UK’s strict data protection (DPA) rules, which is now governed by the GDPR (General Data Protection Regulation).

The rules dictate that the data should be:

• collected only for “specified, explicit and legitimate” purposes;
• “fairly and lawfully” used;
• used only where it is “adequate, relevant and limited” to what is necessary;
• kept for “no longer than is necessary”;
• processed in such a way that it “ensures appropriate security” of the data.

The cost of breaching DBS check data rules

The GDPRA doesn’t take breaches of confidentiality lightly and companies or organisation could face fines of up to £18M.

Disclosure and Barring Service Code of Practice

Besides these data protection rules being in place, there are stringent rules on how data on DBS checks should be used.

The Disclosure and Barring Service has taken the place of the Criminal Record Bureau to oversee basic, standard and enhanced checks. It is a non-departmental public body under the Home Office’s banner.

It has its own code of practice and this includes:

• That all criminal record information is used fairly and appropriately and that all information gleaned from a standard or enhanced DBS check must abide by this code.
• That all organisations registered with the Disclosure and Barring Service must have a written policy on how to handle this information securely. These organisations should also ensure that bodies or individuals on whose behalf they countersign applications have written policies in place.

Company and organisation policy statements

The DBS takes confidentiality so seriously it has gone to the trouble of drawing up a template policy statement for companies or organisations to use.

If an organisation is going to apply for a standard or enhanced DBS check on you, then it should:

• Comply by DBS code of practice and data protection laws
• Store DBS data provided to them securely
• Only pass this data on to those who are authorised to receive it
• Keep the data for only as long as it is necessary. The guideline here is six months
• Removes and disposes of this information securely after the six months is up

It is clear that your personal data is respected by the Disclosure Barring Service and that it has put strict rules in place for their registered organisations and companies to follow.

DBS checks need your consent

Standard and enhanced CRB checks require the consent of the person who will be subject to the CRB check and the “registered person” who is requesting it. The registered person is usually the prospective employer or organisation and they must be registered as an authorised body, in order to be able to apply for CRB checks.