As an organisation using the Disclosure and Barring Service (DBS) checking service to help assess the suitability of applicants for positions of trust, Ashfield District Council complies fully with the code of practice regarding the correct handling, use, storage, retention and disposal of certificates and certificate information.
It also complies fully with its obligations under the General Data Protection Regulation (UK GDPR), Data Protection Act 2018 and other relevant legislation relating to the safe handling, use, storage, retention and disposal of certificate information and has a written policy on these matters, which is available to those who wish to see it on request.
It is a criminal offence to disclose information in a certificate to anyone other than an employee (or member) of the Council. There are some very limited exceptions to this rule, which include where the applicant for the certificate consents, or if there is statutory obligation, lawful basis or valid exemption under the DPA 2018 or UK GDPR to provide the information to another person.
What data may be disclosed to us by DBS?
DBS offer different types of check issued under the Police Act 1997:
- personal data including name and address
- a basic check shows unspent convictions and conditional cautions under the terms of the Rehabilitation of Offenders Act 1974
- a standard check shows spent and unspent convictions, cautions, reprimands and final warnings which are not subject to filtering
- an enhanced check shows the same as a standard check plus any information held by local police that the Chief Officer reasonably believes to be relevant and, in the Chief Officer’s opinion, ought to be included in the certificate, relating to the child or adult workforces. Where the application is for any other role, the police will consider the nature of the role in the release of information
- an enhanced check with barred lists shows the same as an enhanced check plus whether the applicant is in the list of people barred from working with children and/or other vulnerable groups
Storage and access
Certificate information is kept securely, in lockable, non-portable, storage containers with access strictly controlled and limited to those who are entitled to see it as part of their duties.
DBS certificates received electronically are stored solely within the e-Bulk system for online viewing. Online access to the DBS certificates is restricted to nominated staff within Ashfield District Council with secure password controls in place.
In accordance with Protection of Freedoms Act (PoFA) 2012 and section 124 of the Police Act 1997, certificate information is only passed to those who are authorised to receive it in the course of their duties. We maintain a record of all those to whom certificates, or certificate information has been revealed and it is a criminal offence to pass this information to anyone who is not entitled to receive it.
In order to process your data lawfully the Council relies on Article 6(1)(a) Consent and 6(1)(e) public task.
In relation to processing criminal offence data, the Council is compliant with the Data Protection Act 2018. Processing is undertaken pursuant to the exercise of a statutory function, is necessary for reasons of substantial public interest and an appropriate policy document is in place.
Organisations which are inspected by the Care Quality Commission (CQC) or Ofsted, and those establishments which are inspected by the Care and Social Services Inspectorate for Wales (CSSIW) may be legally entitled to retain the certificate for the purposes of inspection.
In addition, organisations that require retention of certificates in order to demonstrate ‘safer recruitment’ practice for the purpose of safeguarding audits may be legally entitled to retain the certificate. This practice will need to be compliant with the Data Protection Act, Human Rights Act, UK General Data Protection Regulation (UK GDPR), and incorporated within the individual organisation’s policy on the correct handling and safekeeping of DBS certificate information.
Certificate information is only used for the specific purpose for which it was requested and for which the applicant’s full consent has been given. In addition, there are limited exceptions referred to above where the Council may be able to retain or disclose to third parties where a valid lawful exemption is engaged under the DPA 2018 and/or UK GDPR.
As defined in the data protection law, GDPR Article(s) 12-23, you have the following rights:
- The right to be informed about the collection and use of your personal data. This is outlined above.
- The right to erasure. If at any point within the 21 days after your visit you decide you’d like us to delete the personal data you provided, please advise us and we will delete all information related to you.
- The right to object to us processing your personal data. If you do so, we will delete all the personal data we hold in relation to you.
- The right to rectification. If the information held is in any way incorrect, you can contact the data controller and request that the information be rectified.
In certain circumstances exemptions to these rights may apply. Further information is available on the Information Commissioner’s Office (ICO) website.
Once a decision has been made, we do not keep certificate information for any longer than is necessary. This retention will allow for the consideration and resolution of any disputes or complaints or be for the purpose of completing safeguarding audits.
Throughout this time, the usual conditions regarding the safe storage and strictly controlled access will prevail.
Further details regarding retention periods can be found in our corporate retention schedule which can be requested by contacting firstname.lastname@example.org or, alternatively, on the Council’s Privacy Notice.
Once the retention period has elapsed, we will ensure that any DBS certificate information is immediately destroyed by secure means, for example by deleting an electronic file from the server, shredding, pulping or burning. While awaiting destruction, paper certificate information will not be kept in any insecure receptacle (e.g. waste bin or confidential waste sack).
We will not keep any photocopy or other image of the certificate or any copy or representation of the contents of a certificate. However, notwithstanding the above, we may keep a record of the date of issue of a certificate, the name of the subject, the type of certificate requested, the position for which the certificate was requested, the unique reference number of the certificates and the details of the decision taken.
DBS certificates are not portable other than for those individuals registered with the online DBS update service.
For further information on how Ashfield District Council processes your data generally please refer to the main privacy notice.
Visit GOV.UK - Disclosure and Barring Service's Privacy Policies for further information on the DBS Privacy Policies and how DBS will process your personal data as well as the options available for submitting your application.
The Disclosure and Barring Service Code of Practice can be found on the Government website.
Do you have a complaint?
If you consider that your personal data has been misused or mishandled by us, you can raise this with the data controller. In this instance, the data controller is the Data Protection Officer who can be contacted by:
- email: email@example.com
If you remain dissatisfied you can make a complaint to the Information Commissioner, who is an independent regulator.
The Information Commissioner can be contacted at:
- address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
- telephone: 0303 123 1113
- email: firstname.lastname@example.org
Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.
Review of the Policy
This policy will be reviewed every two years and updated as and when required as a result of changes in the law.