Despite the UK having left the EU at the end of 2020, we are still sticking to many of the GDPR rules which cover data protection across Europe. Data protection laws are strict in terms of criminal records, so whether you’re a business owner or a DBS applicant, it’s important to understand what you need to do in terms of confidentiality.
For a Business Owner
Confidentiality is a key aspect of building trust between an employer and their workers. If your organisation will be receiving DBS certificates, having robust processes to keep the information safe and secure will let your employees know that you’re taking confidentiality seriously. Under the GDPR rules, you are also legally obliged to put some thought into the confidentiality of your employee data.
GDPR is complex but there are six main principles which you have to think about when obtaining and storing data, including criminal records information. These are that data must be:
- Used lawfully and fairly.
- Only collected for a specific, legitimate purpose.
- Only used for limited and relevant purposes.
- Disposed of when no longer needed.
- Kept up to date and kept accurate.
- Processed in a way which keeps it secure.
There are hefty fines for companies which don’t abide by GDPR rules, so it’s worth checking that your procedures comply.
DBS Code of Practice
As well as the overall rules about data, there are specific rules about DBS data. All the detail is set out in the 1997 Police Act, should you wish to read it. The DBS has, however, distilled the larger code of practice down into the basic elements which should form your policy for storing DBS checks. They advise things like secure storage for DBS information, only using the information for the purpose it was requested for in the first place, only keeping it for six months, and disposing of it safely.
Employers are also advised to come up with a written policy on employing ex-offenders. There is a sample policy on the DBS website which employers can use and adapt rather than writing their own from scratch. As a minimum, in order to comply with the Code of Conduct for DBS checks, employers should:
- Tell applicants in advance that the position under consideration requires a DBS check.
- Tell applicants about how a criminal record might affect their chances of getting the position.
- Talk to applicants about information included on any disclosure certificate before withdrawing the offer of employment.
What it Means in Practice
This might all seem a lot for an employer to take on, but it needn’t be too tricky. Employers should think about including information about DBS checking on job adverts, and should restrict access to the information to a limited number of people. DBS information held online should be password protected, and paper copies should be stored in a locked cupboard. It should be kept for the minimum time and shredded or disposed of securely when you come to get rid of it.