In the UK, Disclosure and Barring Service (DBS) checks are a crucial part of the recruitment process for roles involving children, vulnerable adults, or positions of trust. However, once a DBS certificate is received, it contains highly sensitive personal information. It is essential that employers know how to handle this data securely and lawfully.
Why DBS Information Is Sensitive
DBS certificates may contain details about a candidate’s criminal record, including convictions, cautions, warnings, or reprimands. Enhanced checks might also include police intelligence. Mishandling this information can lead to breaches of privacy, discrimination claims, and legal penalties.
The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 treat this information as special category data — meaning it requires extra care.
Best Practices for Employers
1. Limit Access
Only those directly involved in the recruitment process should have access to DBS check information. Avoid sharing it with unrelated departments or staff members. Assign a responsible person or team who understands data protection responsibilities.
2. Secure Storage
Store DBS information securely — whether physical or digital. Paper documents should be kept in locked cabinets, while digital copies must be encrypted and password-protected. Access logs can also help monitor who views the data.
3. Retain Only What’s Necessary
According to DBS guidance, employers should not keep copies of DBS certificates for more than six months. After this period, the certificate should be securely destroyed. However, a record of the check date, reference number, and decision made can be retained for audit or safeguarding purposes.
4. Do Not Use the Data for Unrelated Purposes
Information disclosed in a DBS check must only be used to assess a candidate's suitability for the specific role applied for. Using it for other purposes — such as general performance evaluation or non-related roles — is a breach of data protection rules.
5. Inform the Applicant
Candidates should be made aware of how their data will be handled before the check is carried out. Employers must explain how long the data will be kept, who will have access, and the reasons for processing it.
6. Provide a Fair Assessment
If a DBS certificate contains disclosures, employers should give the applicant a chance to explain the circumstances. A risk assessment should be conducted to determine whether the offence affects the individual's ability to do the job.
Legal and Ethical Responsibilities
Employers must register with the Information Commissioner's Office (ICO) and comply with the Code of Practice issued by the DBS. Failing to handle sensitive DBS information correctly may result in fines and reputational damage.
Conclusion
Handling DBS check information comes with significant responsibilities. Employers in the UK must store, use, and dispose of this data in accordance with UK GDPR and DBS guidelines. By following best practices and remaining transparent with candidates, organisations can ensure compliance while protecting the privacy and rights of individuals.
For more guidance on DBS checks and compliance, visit CRBDirect.org.uk
