Digital Background – DBS Standard and Enhanced Criminal Checks from £4-£7 Admin Fee – Free Sign Up

DBS Checks: Tips for Employers: Best practices for managing DBS checks, including storage and disposal of information


For employers, managing DBS (Disclosure and Barring Service) checks is a crucial responsibility.  

It’s not just about requesting checks; it’s also about handling sensitive personal information with care and ensuring compliance with all relevant legislation.  

This blog post aims to provide employers with practical tips and best practices for managing DBS checks effectively, focusing particularly on the secure storage and responsible disposal of sensitive information. 

 

Understand Your Legal Obligations  

Before anything else, it’s crucial to understand the legal framework surrounding DBS checks.  

This includes: 

  • The Police Act 1997: This is the primary legislation that governs criminal record checks. Specifically, Sections 112 to 125 of the Act outline the framework for DBS checks and the responsibilities of registered bodies. You can find the full act at https://www.legislation.gov.uk/ukpga/1997/50/contents 
  • The Rehabilitation of Offenders Act 1974: This act defines what “spent” convictions are and how they should be treated, and details when they may or may not be disclosed on certain levels of check. You can find the full act at https://www.legislation.gov.uk/ukpga/1974/53 
  • The Safeguarding Vulnerable Groups Act 2006: This act outlines the requirements for working with vulnerable groups, including the types of roles that require an Enhanced DBS check and checks of the Barred Lists. You can find the full act at https://www.legislation.gov.uk/ukpga/2006/47/contents 
  • The Protection of Freedoms Act 2012: This act outlines the rules regarding the disclosure of certain spent convictions and the rules regarding the disclosure of ‘protected’ convictions. It also created the DBS Update Service. You can find the full act at https://www.legislation.gov.uk/ukpga/2012/9/part/2 
  • Data Protection Legislation (UK GDPR and the Data Protection Act 2018): This legislation, particularly Article 5 of the UK GDPR and the Data Protection Act 2018 (specifically Schedule 1, Part 1), outlines the requirements for handling personal data, including DBS check results. You can review the UK GDPR on the Information Commissioner’s Office (ICO) website: https://ico.org.uk/ 

  

Familiarising yourself with these acts and their specific sections will ensure your practices are compliant and effective. 

  

Determine the Correct Level of Check 

It’s vital to request the correct level of DBS check for each role.  

This will be dependent on the following factors: 

  • Level of Responsibility: Higher levels of responsibility or authority, particularly positions of trust, typically require a higher level of check. For example, a CEO or senior manager may need a Standard check, while a volunteer may only need a Basic check. 
  • Contact with Vulnerable Groups: Roles that involve regular, close, or unsupervised contact with children or vulnerable adults usually legally require Enhanced DBS checks with Barred List checks. For example, teachers, social workers, and healthcare professionals. 
  • Industry Guidelines: Different sectors have specific legal guidance on DBS checks. For instance, the Care Quality Commission (CQC) provides guidance for health and social care providers, while the Department for Education (DfE) outlines requirements for schools. Always consult these sector-specific guidelines. 
  • Seek Guidance if Unsure: If you are unsure about the level of check required for a particular role, seek guidance from the DBS directly or a qualified professional. Always err on the side of caution, as it is better to over-check than under-check. 

  

Develop a Clear Policy 

Create a comprehensive policy that outlines your procedures for requesting, processing, storing, and disposing of DBS check information.  

This policy should include: 

  • The process for requesting checks: This should include a step-by-step procedure, such as:
      1. Identify the role requiring a check.
      2. Determine the correct level of check.
      3. Complete the necessary application forms.
      4. Verify the identity of the applicant.
      5. Submit the application to the DBS.
  • Handling DBS information: Detail how the DBS certificate will be received, reviewed, and actioned. 
  • Data security: Detail the physical and digital security measures you will put in place to protect the information. For example, passwords must be regularly changed, and you should implement multi-factor authentication where possible. 
  • Data retention: Specify how long the information will be held for, and the process of disposal when it is no longer required. 
  • Staff training: Include details of how staff will be trained so that all policies and procedures are adhered to. All staff involved in processing DBS checks should be trained annually so that they remain up to date. 
  • Regular review: The policy should be reviewed and updated at least annually to ensure it reflects the most recent legislative changes. 

  

Identification Verification 

Proper identification verification is a critical part of the DBS check process.  

It is essential to confirm the applicant’s identity before a check is submitted to the DBS.  

You should: 

  • Use Original Documents: Always use original identification documents; photocopies should not be accepted unless they are certified by a qualified person. 
  • Use a Checklist: Use the DBS’s guidance on acceptable identification documents and create a checklist to ensure all required documents have been provided. 
  • Compare Documents: Compare the photographs and names on the documents with the applicant in person, or via a live video call if this is necessary. 
  • Record Verification: Record the verification process, noting all documents seen and who verified them, and the date and time that the verification was carried out. 
  • Keep Records Secure: Maintain records of the verification process, and store them securely, in accordance with data protection principles, as they are also considered sensitive data. 

  

Secure Storage of Information 

DBS check results are sensitive personal information that must be stored securely.  

This includes: 

  • Physical storage:
      • Original documents and printed certificates should be stored in locked, fireproof cabinets, in a room with limited access.
      • Keep a clear log of who has access to the cabinets and when, and audit it regularly.
      • Keep physical files separate from other records, especially any financial or operational records.
  • Digital storage:
      • If data is stored digitally, it should be in a secure database with strong access controls and encryption using industry-standard protocols.
      • Ensure access is granted only to authorised personnel using strong passwords or multi-factor authentication.
      • Regularly back up digital data to a secure offsite location, with encrypted backups.
      • Implement an access control list and monitor who accesses the digital files, with regular audits of access.
  • Avoid unnecessary copying: Only keep essential copies, and avoid duplicating information unless absolutely necessary. This reduces the risk of data breaches. 

  

Responsible Disposal of Information 

DBS information should only be retained for as long as it is necessary for the purpose that it was collected, usually just until it has served its purpose.  

When it is no longer required, it should be disposed of securely and in a timely manner.  

This includes: 

  • Physical Disposal:
      • Paper documents should be shredded using a cross-cut shredder (compliant with DIN 66399 security level P-4 or higher) to ensure that they cannot be reconstructed.
      • Dispose of paper records as soon as they are no longer required.
      • Ensure the disposal is carried out by a trained member of staff.
  • Digital Disposal:
      • Electronic data should be deleted securely using data wiping software (such as DBAN or Blancco) that is designed to remove data permanently, overwriting the data multiple times.
      • Ensure data is deleted as soon as it is no longer required.
      • Ensure all traces are removed, including any backups or stored data copies.
  • Retention Schedules: Implement a clear retention schedule outlining how long you will keep records (as defined by Data Protection legislation) and when you will dispose of them. For example, you might keep DBS check results for six months after an individual’s employment ends. 
  • Document Disposal: Document all disposals that have been carried out, including the dates and the method used. This will ensure an audit trail is available in the event of any legal or data breach claim. 

  

Data Protection Compliance 

All DBS check information must be processed in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring: 

  • Data Minimisation: You should only collect the data that is strictly necessary for processing the DBS check. Do not ask for information that you do not need, and only keep the minimum data that you require. 
  • Purpose Limitation: You can only process data for the specific purpose for which it was collected. You cannot, for example, use DBS data for any purpose other than assessing suitability for the role for which the data was obtained. 
  • Storage Limitation: You must only store data for as long as it is necessary, and then dispose of it securely as soon as it has served its purpose. 
  • Transparency: You must be transparent with applicants and employees about what data you are collecting, how you intend to use it, and how it is being stored. You should provide a clear privacy notice. 
  • Security Measures: Implement appropriate and up-to-date security measures to ensure the confidentiality and integrity of the data. This includes encryption, access controls, staff training, and regular system checks. 
  • Right to Access, Rectify and Erase: Ensure that you comply with individual rights under Data Protection law, including the right to request access to their data, rectify any inaccuracies, and request erasure of their data when it is no longer required. 

  

Staff Training 

Ensure all staff members who are involved in the DBS check process are adequately trained on the relevant legislation, policies, and procedures.  

Training should be specific to their role, and should be practical rather than purely theory-based. Training should cover: 

  • Data protection: Ensuring all staff understand their obligations regarding GDPR and data protection, and how these impact on the DBS processes. 
  • DBS check process: All staff should understand how to request the correct level of check, how to handle the certificates, and how to dispose of them. Training should include practical exercises to demonstrate competency. 
  • Confidentiality: Staff should be aware of the need for confidentiality and should treat sensitive information responsibly. Ensure that the data is only shared with those who have a specific need to see it. 
  • Regular updates: Training should be repeated at least annually, and whenever there is a change in legislation or procedures, to ensure that staff are fully aware and compliant with all current regulations.  

  

Accessing Standard and Enhanced Checks 

It’s crucial to understand that Standard and Enhanced DBS checks cannot be accessed directly by employers.  

Instead, these checks must be requested through an umbrella organisation that is registered with the DBS.  

Digital Background is one such organisation, with extensive experience in managing DBS checks.  

We are skilled in guiding you through the process, ensuring that you are requesting the correct level of check and complying with all legal requirements.  

Partnering with a reliable umbrella body like Digital Background can simplify the DBS process and give you peace of mind. 

  

Regular Audits 

Conduct regular audits of your DBS check processes, at least annually, to ensure ongoing compliance with your policies and with the law.  

These audits should be conducted by a person who is not usually involved with the DBS check processes, to ensure that the audit is fair and unbiased.  

This will help to identify any weaknesses or areas for improvement and ensure that you are operating in a safe and compliant way.  

Record the findings of the audit and take any necessary action required. 

  

Conclusion 

Managing DBS checks responsibly is a critical task for employers, and something that should be taken seriously.  

By following these best practices, you can ensure that your organisation is compliant with the law, and is also maintaining a safe environment for all staff, clients, and vulnerable groups.  

Prioritise data security, implement clear policies and procedures, and provide thorough staff training to safeguard your organisation and the individuals you serve.  

Partnering with an experienced umbrella organisation, such as Digital Background, for Standard and Enhanced checks, can greatly simplify the process and help you to remain compliant with relevant legislation. 

 

While every effort has been made to ensure the accuracy of the information in this blog post, it is intended for general guidance only and should not be taken as legal advice.  

For specific legal advice relevant to your situation, please consult with a qualified legal professional.