The importance of your HR team understanding DBS and GDPR compliance
The Disclosure and Barring Service (DBS) handles all criminal records checks within England, Wales, the Channel Islands and the Isle of Man. Companies looking to carry out criminal records checks for staff, volunteers or students use the service to obtain a DBS certificate which states that the applicant has DBS clearance.
There are three levels of check: Standard, covering spent and unspent convictions, reprimands, cautions and final warnings; Enhanced, which is the same as Standard with the addition of any relevant information held by the local police; and Enhanced with Barred, which lists the same information as Enhanced with the addition of whether or not someone has been barred from working with certain vulnerable groups of people.
All organisations that use the DBS are bound by the DBS Code of Practice, but because DBS checks require the handling of sensitive data, GDPR compliance is also essential.
GDPR governs the access, management and storage of data and protects individuals from their data falling into the wrong hands or being used inappropriately. Under GDPR all data must:
be used fairly and lawfully
be collected and used only for clearly explained, legitimate and necessary purposes
be kept accurate and up to date
be retained only for as long as it is needed
be kept and processed securely
The DBS Code of Practice is similar, with some crossover with GDPR. It covers the appropriate and secure storage and management of data, which must:
be used and kept only for the purpose it was requested for
be kept only for the length of time required (usually up to 6 months)
be securely disposed of
The DBS Code of Practice also requires that all companies using the service have a written policy on the recruitment of ex-offenders. All applicants must be notified of how a criminal record history might affect their application, and applicants must be made aware of the policy and the requirements for DBS checks.
Non-compliance with either the GDPR or the DBS Code of Practice can have serious repercussions. Failing to adhere to GDPR can result in a fine of up to €20 million or 4% of annual turnover. DBS non-compliance can result in suspension or cancellation of registration.
Given the hectic nature of HR departments, and the frequent need to onboard new staff members quickly, it is essential that all staff have a full understanding of compliance with both GDPR and the DBS Code of Practice.