Handling Disclosure and Barring Service (DBS) information is a key responsibility for UK employers, particularly those operating in regulated sectors. While conducting DBS checks is essential for safer recruitment, it is equally important to understand how long this sensitive information should be retained. This best practice guide explains how long employers should retain DBS information and the rules and best practices for managing DBS data responsibly.

Understanding DBS Information

DBS information includes details contained in a DBS certificate, such as criminal record disclosures, cautions, convictions, and barring list information. Because this data is highly sensitive, it must be handled in line with strict data protection requirements.

Employers must ensure that DBS information is stored securely, accessed only by authorised personnel, and not kept longer than necessary.

Legal Framework for Data Retention

DBS data retention is governed by UK data protection laws, including the UK GDPR and the Data Protection Act 2018. These regulations require organisations to follow the principle of data minimisation, meaning personal data should only be retained for as long as it is necessary for its intended purpose.

Additionally, the DBS Code of Practice provides specific guidance on how employers should handle and retain DBS information.

Recommended Retention Period

According to DBS guidelines, employers should not keep a copy of a DBS certificate for longer than six months after making a recruitment decision. This period allows time to resolve disputes or queries related to the recruitment process.

After six months, the certificate should be securely destroyed. However, employers are allowed to keep a record of certain non-sensitive information, such as:

  • The applicant’s name
  • The date of the DBS check
  • The type of check carried out
  • The certificate reference number
  • The recruitment decision

This limited information can be retained for audit and compliance purposes without breaching data protection rules.

Risks of Retaining DBS Information Too Long

Failing to follow proper retention guidelines can expose employers to legal and reputational risks. Keeping DBS data longer than necessary may result in:

  • Breaches of data protection laws
  • Regulatory penalties or fines
  • Loss of trust from employees and applicants
  • Increased risk of data misuse or unauthorised access

Employers must ensure that their data retention policies are clear, compliant, and regularly reviewed.

Secure Storage and Disposal

During the retention period, DBS information must be stored securely, whether in physical or digital form. Access should be restricted to authorised staff only.

When the retention period ends, documents must be disposed of securely. This may involve:

  • Shredding physical copies
  • Permanently deleting digital files
  • Ensuring no recoverable data remains

Secure handling of DBS information is a key part of safeguarding both individuals and organisational compliance.

Implementing a Clear DBS Policy

To ensure compliance, organisations should create a clear DBS data retention policy. This policy should outline:

  • How DBS information is stored
  • Who has access to it
  • How long it is retained
  • How it is securely destroyed

Using professional services such as https://clearcheck.co.uk/ can help employers manage DBS checks efficiently while maintaining compliance with data protection standards.

FAQ

How long can employers keep a DBS certificate?

Employers should not keep a DBS certificate for longer than six months after a recruitment decision.

Can employers keep any DBS information after six months?

Yes, they can retain basic details such as the certificate number and date, but not the full certificate.

Why is DBS data retention limited?

DBS information is sensitive personal data, and UK law requires it to be kept only as long as necessary.

What happens if DBS data is kept too long?

Employers may face legal consequences, including fines and breaches of data protection regulations.

How should DBS information be disposed of?

It should be securely destroyed, such as shredding paper copies or permanently deleting digital records.

Conclusion

Understanding how long employers should retain DBS information is essential for maintaining compliance with UK data protection laws. By following the recommended six-month retention period and adopting secure handling practices, employers can protect sensitive information and reduce legal risks.

A clear, well-managed DBS policy not only ensures compliance but also builds trust with employees and supports responsible recruitment practices.