How employers should handle certificate information

This section will explain what employers should do when they receive information on a criminal record check.

Using disclosed information to make a recruitment decision

What is the DBS code of practice?

The DBS code of practice is published under Section 122 of the Police Act 1997. It aims to ensure that criminal record information is used fairly and applicants are protected from unfair discrimination due to non-relevant convictions. Anybody who receives standard or enhanced certificate information must abide by the code of practice, this includes Registered Bodies, Umbrella Bodies, recruiters and any others receiving the information.

What does the code of practice require of Registered Bodies?

The DBS code of practice requires that Registered Bodies must: –

1. Have a written policy on the secure handling of information which, in the case of Umbrella Bodies, should be made available to their clients. A sample policy produced by the DBS is available online
2. Store DBS certificate information securely
3. Retain DBS certificate information, its content or any representation of the same in any format for no longer than is necessary and for a maximum of six months following the recruitment decision unless a dispute is raised or, in exceptional circumstances, where DBS agreement is secured
4. Ensure that no reproductions of the DBS certificate or its content are made, including photocopies or scanned images, unless with the prior agreement of the DBS or as a result of a stipulated requirement relating to the e-channel service
5. Only share DBS certificate information with relevant persons in the course of their specific duties relevant to recruitment and vetting processes
6. Dispose of DBS certificate information in a secure manner
7. Ensure that they comply with DBS guidance on the portability of DBS certificates and their contents.

What does the code of practice require of others?

In making use of DBS checks, any organisation subject to the code of practice must: –

1. Ensure that all applicants for relevant positions or employment are notified in advance of the requirement for a DBS check
2. Notify all potential applicants of the potential effect of a criminal record history on the recruitment and selection process and any recruitment decision
3. Discuss the content of the DBS certificate with the applicant before withdrawing any offer of employment
4. Provide a copy of the DBS code of practice to the applicant upon request.

Written policies on people with a criminal record

DBS guidance states that organisations using criminal record checks should not have a complete ban on people with criminal records. The DBS requires organisations which use checks to have a policy on the recruitment of ex-offenders. Organisations are expected to only use the information on a DBS certificate in the context of such a policy.

Many organisations achieve this by simply using the example policy provided by the DBS. However, some have positive and detailed policies towards people with criminal records. To find out more about how an organisation may use the information disclosed, ask to see a copy of their policy. If you do this before apply, you may want to do this anonymously.

You may find the organisation uses vague language such as “We judge each case on its merits”. To get a clearer picture about how they will treat you, try to ask them some specific questions about your particular type of convictions and/or the particular areas of the company that interest you.

Handling and storing disclosed information

Information on a certificate

Organisations that wish to use a standard or enhanced check must comply with the DBS code of practice The code seeks to ensure that sensitive personal information is handled and stored appropriately and is kept for only as long as necessary. In particular, it is an offence for Registered Bodies to: –

1. Disclose information contained within a certificate to any person who is not a member, officer or employee of the Registered Body or, in the case of Umbrella Bodies, their client unless a relevant legal exception applies;
2. Disclose information to any member, officer or employee where it is not related to that employee’s duties;
3. Knowingly make a false statement for the purpose of obtaining, or enabling another person to obtain a certificate.

Persons guilty of such offences are liable to deregistration, a fine or imprisonment unless a relevant exception applies as outlined in DBS Guidance.

Self-disclosure

The DBS does not impose any rules on how organisations should handle information that you choose to disclose yourself.

However, all organisations have to follow the Data Protection Act 1998. As criminal record data is regarded as sensitive personal data under this legislation, they should have processes in place to ensure it is kept safe.

If you are worried about how an organisation will retain the information that you disclose, you should ask them for a copy of their data protection policy.