You can’t fail to have noticed that there’s been a change in the law around data protection with the introduction of GDPR in May 2018. This is the reason why you’ve been getting all of those emails asking you to agree to continue receiving marketing material, and why you are asked to agree to cookies every time you visit a new website. GDPR is a way of protecting us from having our data shared without our consent, and there are implications for all sorts of organisations which store personal information such as our names, addresses and phone numbers. There isn’t much data which is more sensitive than the information shown on a DBS form, which as well as having our name, date of birth and address, may well have information about crimes we have committed in the past. So, what should employers do to keep this information safe?

 

Who Keeps the Certificates?

When your DBS certificate is issued, it’s sent to your home address. This is the case whether you are in England and Wales and apply through the Disclosure and Barring Service (DBS), Protecting Vulnerable Groups (PVG) in Scotland, or Access NI in Northern Ireland. It’s your property, and yours to keep. You might be asked to show it to your employer once it arrives, but they should give it back to you. As it’s your property, there are no restrictions about how you store your own information. Stick it in a drawer, put it in a cupboard, pin it on the noticeboard – your choice.

 

Employer Information

When it comes to employers though, more care has to be taken over how they keep the information recorded on the DBS certificate. Every employer does something different and the information they will record will depend on the organisation and the type of role. In some cases, someone from the employer may just sign to say that they have seen your DBS and that it’s either clean, or that there is nothing on the form which raises concern. If employers are recording other information such as the number of the DBS certificate, then more care has to be taken.

The new GDPR legislation requires that employers keep personal information under lock and key, or otherwise restricted. In an old-fashioned business still using paper records, this means keeping the DBS information in a locked filing cabinet drawer and making sure only a few people have access to the key. In a digital system, folders and files which contain personal data of people working in the business should be restricted too. Companies may use passwords, encryption or other measures to prevent the data being accessed. Password-protecting the information is just one of the measures companies should take though – there is no point in password-protecting and restricting access if there’s a culture of sharing login IDs and passwords are an open secret. Companies must also make sure that only the people who need to have access to the information contained on a DBS can get into the system to see it.