DBS Record Keeping: Staying GDPR Compliant

Holding on to data longer than required is a breach of the General Data Protection Regulation (GDPR) and can result in suspension from DBS, fines and reputational damage.

The Revised Code of Practice for Disclosure and Barring Service for Registered Persons outlines the storage, handling, use, retention and disposal of DBS certificates and certificate information.

Are You Compliant With Data Processing Laws?

Organisations must be able to demonstrate their compliance under the General Data Protection Regulation (GDPR), Data Protection Act 2018 and other relevant legislation relating to the safe handling, use, storage, retention, and disposal of personal data. DBS registered organisations must ensure they have clear written policies regarding personal data in line with GDPR and DBS legislation. This means you must be able to provide individuals with all the information you hold on them upon request, and ensure that employees with access to the personal data are properly trained.

What Information Can Be Kept On File and for How Long?

You are entitled to keep the certificate number on file to confirm you have completed appropriate checks, but you are not permitted to keep a physical copy of the certificate. Certificate information and relevant data should not be kept on file for longer than necessary; your organisation should be able to justify the reason for keeping the data at any given time.

Exceptions to the Rules

Organisations which are inspected by the Care Quality Commission (CQC), Ofsted or the Care and Social Services Inspectorate for Wales (CSSIW) may be legally entitled to retain the certificates for the purposes of inspection.

In addition, organisations that require retention of certificates to demonstrate ‘safer recruitment’ practice for the purpose of safeguarding audits may be legally entitled to retain the certificate. This practice will need to be compliant with the Data Protection Act, Human Rights Act, General Data Protection Regulation (GDPR), and incorporated within the individual organisation’s policy on the correct handling and safekeeping of DBS certificate information.

What Happens if the Code Is Breached?

Failure to comply with the Code of Practice can result in the suspension or cancellation of registration. Further failure to comply with the legislative process and timescales of the Data Protection Act may also result in enforcement action from the Information Commissioner’s Office (ICO), potentially resulting in fines and public penalisation.

Please Note the Following Which Is of High Importance:

The DBS logo is protected by Crown copyright; copying and use of the DBS logo is not permitted without prior approval of the DBS.

Full guidance on handling DBS certificate information can be found here.

For any further information on the contents of this blog or other security-related queries, please contact [email protected].
