There are many employers who deal with processing DBS certificates for their staff members every day. Large employers like the NHS, which employs hundreds of thousands of staff who need to be DBS checks has set procedures for storing the information on a DBS certificate and making sure only the people who need to see it can access the information. Smaller employers sometimes struggle to know exactly what their obligations are in terms of data storage, and with new laws coming in early 2018 which will add even more to the employer’s burden, it’s important to know what happens to the information on a DBS, whether you’re an employee or employer.
Code of Practice
Back in 2012 the government recognised that there was confusion around keeping information on DBS certificates and issued a comprehensive code of practice. There are several elements to the code of practice, none of which should prove too difficult for an employer to comply with.
- Written policy – employers are advised to have a formal written policy regarding how they handle and store DBS information. There is a template policy on the DBS website which employers can print and this will suit most organisations. Companies with more unusual requirements can write their own policies.
- Secure storage – employers have to make sure they are storing DBS information securely. This usually means under lock and key in case of paper documents, or encrypted and restricted by password access for computer records. Care should be taken not to leave certificates or information lying on desks or in filing trays.
- Keep information for no longer than is necessary – employers shouldn’t be keeping DBS information for longer than necessary. The general rule is to keep any DBS information for 6 months after the recruitment decision, then destroy it.
- No copies – it is against the code of practice to photocopy or scan information contained on a DBS certificate unless the DBS has agreed to this in advance.
- Restrict distribution – only people who need to be involved in the decision to recruit a candidate or not should have access to any of the information included on a DBS form.
- Disposal – once DBS information has served its purpose, it should be disposed of securely. For larger companies, this will mean sending it offsite with the rest of the sensitive information to be pulped. Smaller employers can ensure secure disposal by running documents through a shredder rather than just putting them in the recycling bin.
DBS information and the Data Protection Act
All employers will hold a vast amount on information on their employees, and all of this information is governed by the Data Protection Act. DBS information might be more sensitive than other types of information held by your employer, but all information has to be kept safely and securely. Legislation about protecting data is changing, and as of 2018, the penalties for not abiding by the rules will be even more severe. If you’re not sure that your employer is taking care of your data, raise your concerns and if you’re still not happy, speak to the Data Protection Commissioner’s office.