GDPR & DBS Data: How Employers Must Store, Use, and Delete Sensitive Records

When it comes to DBS checks, employers handle some of the most sensitive personal data available — including criminal record information. Under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, UK employers have strict responsibilities to ensure this data is stored, used, and deleted correctly. Mishandling such information can lead to legal penalties and damage to trust.

This article explains how employers can remain compliant when dealing with GDPR & DBS Data, ensuring fair treatment and lawful processing.

Understanding the Link Between GDPR and DBS Data

The Disclosure and Barring Service (DBS) provides criminal record information to help employers make safer recruitment decisions. However, because DBS certificates contain personal and sometimes sensitive details, they fall under special category data in GDPR terms.

Employers must therefore:

  • Process DBS data lawfully and fairly.

  • Store it securely and confidentially.

  • Keep it only for as long as necessary.

Every stage of handling DBS data — from receiving results to storage and disposal — must comply with the GDPR principles of data minimisation, accuracy, and integrity.

How Employers Should Store DBS Information

Once a DBS certificate is received, employers should store it securely and restrict access only to authorised staff involved in recruitment or safeguarding. Best practices include:

  • Keeping DBS certificates in locked cabinets or encrypted digital storage.

  • Ensuring limited access controls — only HR or compliance officers should handle them.

  • Avoiding unauthorised copying or scanning unless absolutely necessary.

Employers should never store DBS data indefinitely. The DBS Code of Practice advises that a copy or note of a DBS certificate should be kept no longer than six months, unless there is a valid legal reason to retain it for longer.

Using DBS Data Responsibly

DBS information should only be used for the specific purpose it was obtained — usually for assessing suitability for employment or voluntary work.

Employers must never use DBS data for unrelated activities, marketing, or internal profiling. Additionally, decisions based on DBS results should always be proportionate and fair, taking into account the nature of the role and any spent convictions under the Rehabilitation of Offenders Act 1974.

Transparency is essential. Candidates should be informed about:

  • Why their data is being collected.

  • How it will be used.

  • How long it will be retained.

Deleting and Disposing of DBS Data

When DBS data is no longer needed, it must be securely destroyed to prevent unauthorised access or misuse. Employers should:

  • Use cross-cut shredders for paper copies.

  • Employ secure digital deletion tools for electronic files.

  • Record the deletion date and method for audit purposes.

Under GDPR, individuals have the right to request deletion of their personal data, which employers must comply with unless there is a legal obligation to retain it.

Why GDPR Compliance Matters

Failure to comply with GDPR & DBS Data rules can result in substantial fines from the Information Commissioner’s Office (ICO) and reputational harm. More importantly, maintaining compliance shows a commitment to safeguarding and respect for employee privacy.

For more information or to start a DBS check process, visit CRBDirect.org.uk.

FAQs

1. Can employers keep copies of DBS certificates?
Employers can keep a copy for up to six months but should destroy it once the retention period expires unless there’s a justified reason to retain it longer.

2. Is consent required to process DBS data?
Yes. Employers must inform candidates and obtain consent before processing their DBS information.

3. How should digital DBS data be stored?
It should be stored in encrypted formats with restricted access and proper cybersecurity measures.

4. What happens if DBS data is breached?
A data breach involving DBS information must be reported to the ICO within 72 hours and to the affected individuals if there’s a high risk to their rights.

Properly handling GDPR & DBS Data is not just a legal requirement — it’s a sign of professionalism and trustworthiness in any UK organisation.