It’s been over a decade since the UK introduced its current system of criminal records checking. These checks used to be called CRB, or criminal records bureau checks. The body is now the DBS, or Disclosure or Barring Service. Whatever the name, the idea is the same. The DBS and the CRB before it work to keep unsuitable people away from the most vulnerable in society. DBS checks are run on a wide range of people, from sports coaches to people providing personal care. If an employer has asked for a criminal records check you’re not alone; hundreds of thousands of people go through the checking system each year. But what happens to all of this criminal record data which is floating around? Some of it can be very sensitive. Employers have a legal duty however to be doing what they can to keep our data secure.
Data Protection, GDPR and DBS Checks
As soon as you start discussing storing data, it can get very technical, very quickly. Unless you are employed processing data on behalf of an organisation, you don’t really need to understand every clause in the law. All you need to know is the basics. Just remember the key points – data has to be kept securely, it has to be relevant, and employers have to get rid of it in a timely manner. So how does this apply to DBS checks? Let’s look at each point in turn.
- Security – the law says that anyone processing personal data has to keep it securely. Personal data in terms of DBS is the application forms, any copies of documents you’ve given as proof of ID, certificates and so on. There’s no legal definition of “securely”. For a small business it might mean in a locked drawer, with the key in the office manager’s pocket. In a computerised system, it might mean in a password predicted area of a server, with only key personnel having the password. This sort of data should never be left lying around on desks.
- Relevant – the DBS process is the same for everyone. Everyone fills out the form, provides their identity documents and then receives their certificate in the post. There isn’t really any scope for employers to add to this by asking for more details or information. If they are, it’s probably reasonable to question why.
- Keeping it – the law says that employers really shouldn’t be keeping any information longer than is necessary. So in terms of DBS checks, most operate a tickbox system. They will ask you to bring the original certificate when it arrives in the post. Someone will then make a note that they have seen and checked the original certificate. They should then return the original certificate to you. How you store it at home is your business.
Most larger companies are up to speed on their responsibilities regarding keeping your confidentiality. If there is anything you know will be disclosed on a certificate, ask questions about how the employer will protect your data.