Ensuring Integrity and Confidentiality With DBS Check Data
DBS checks are a popular way for employers and organisations to check the background of staff and potential employees.
Enhanced DBS checks are mainly used for jobs that involve working with children and vulnerable adults, such as teaching, hospital staff, care workers, etc.
Basic or standard DBS checks are used to vet people for jobs that involve a certain degree of responsibility such as cashiers, financial staff, transport drivers, etc.
With so many employers asking for DBS certificates, a question that often arises is how to protect people’s privacy when searching through their criminal background. This article will examine this issue and explain why privacy and confidentiality are important factors to consider when carrying out DBS checks.
The Impact Of GDPR On Employment & DBS Checks
General Data Protection Regulation (GDPR) legislation, which came into force in the EU and UK in 2018, has changed the way businesses and organisations handle data and personal information. GDPR states that data must be handled transparently, with limitations on purpose, and that businesses must be fully accountable for data handling and privacy.
For small to medium-sized businesses this has caused some challenges, as they do not have the legal resources at their disposal that large companies and corporations do. It is highly important that businesses pay attention to GDPR rules: if they do not follow them, they face potentially large fines, up to the value of £17 million.
But there are some simple things that small to medium-sized enterprises can do to comply with GDPR and handle sensitive data with care and attention.
The main area that businesses need to pay attention to is how they collect and use private and personal data, including the application details and results of criminal record checks.
Here are the main principles to follow to ensure compliance with GDPR:
- Transparent practices
- Minimising collection and use of data
- Limiting the purpose of data use
- Limiting the amount of private data storage
- Ensuring data accuracy, integrity, and confidentiality
Non-compliance with these principles can result in a fine. The amount of the fine depends on how seriously the business or organisation ignores or avoids the principles.
The misuse of DBS criminal record data and information is likely to incur larger fines, as it would constitute a more severe violation of the GDPR principles.
The DBS Code Of Practice
As well as GDPR regulation and principles, employers also need to be mindful of the DBS code of practice. The Disclosure and Barring Service (DBS) has defined a code of practice that sets out how businesses, organisations, and individuals must handle criminal record information and data.
Here is a brief outline of the DBS code of practice:
- Personal and private data that is revealed through a DBS check should be stored securely
- Data protection laws, such as GDPR, should be adhered to
- Do not share DBS data with any unauthorised person or body
- Do not hold data for longer than needed
- Ensure the veracity and integrity of data
- Collect, process, and handle DBS data securely
Non-compliance with the DBS code of practice can trigger an investigation, with the potential of penalty fines.
How To Ensure Confidentiality & Integrity
Data protection regulation and the DBS code of practice are there to ensure two main things – integrity and confidentiality. But how do you actually go about achieving this? Obviously you need to store data securely so that nobody who is not authorised can access it.
The best place to start is to define what “secure” actually means. Breaches of security are fairly easy to describe. For instance, leaving a folder containing confidential information about someone’s criminal record on a train is a clear security violation. The definition of “secure” may therefore be considered the opposite of this, i.e. having procedures, processes, and steps in place to prevent this kind of thing from happening. So, for the example above, instead of carrying a printed paper file, a secure process may state that files must be transported digitally, as an encrypted file on a password-protected device.
The other important thing to decide is exactly who can gain access to that information. The business or organisation needs to decide who is authorised to see the data and whether they are trustworthy enough to do so.
Personal data should only be stored for a set timeframe. Organisations should not hold onto DBS information and data for any longer than is absolutely necessary. This could mean that, in the case of recruiting new staff, DBS data is disposed of once the decision has been made and the position is filled.
Finally, confidentiality must also be considered when data is being disposed of. If you print the DBS certificate, you must ensure that it is shredded or destroyed. Computer data files should also be wiped without a trace using specialist software.
Make Sure Your DBS Check Processes Are Robust
To summarise, when you’re dealing with confidential data such as the information revealed on a DBS certificate, you must comply with GDPR and the DBS code of practice. Failure to do so can result in hefty fines.
If you need any more advice on following the guidelines, or you have any other questions about DBS checks in general, get in touch today.