Records Management – Policy for the handling and use of DBS certificate information

Responsibilities

2. Responsibilities

All managers, handlers and recipients of DBS certificate information are responsible for protecting and ensuring the security of the information to which they have access. Counter-signatories are responsible for ensuring the safe and confidential storage of all disclosure information received.

University Officers, Heads of Departments and Section Heads are responsible for ensuring that all DBS and certificate information in their area is managed in conformance with this policy.

Information users who act in breach of this policy, or who do not act to implement it, may be subject to disciplinary procedures or other appropriate sanctions.

Any breach of information security or violation of this policy must be reported to the Chair of the Information Security Board who will take appropriate action and inform the relevant authorities.

Oversight

3. Oversight

The Information Security Board, chaired by the Director of IT Services, will monitor the effectiveness of this policy and carry out regular reviews.

Policy

4. Policy

4.1 General principles

As an organisation using the DBS checking service to help assess the suitability of applicants for positions of trust, the University of York complies fully with the Code of Practice regarding the correct handling, use, storage, retention and disposal of certificates and certificate information.

It also complies fully with its obligations under the UK General Data Protection Regulation (UK GDPR), Data Protection Act 2018 and other relevant legislation pertaining to the safe handling, use, storage, retention and disposal of certificate information and maintains this written policy on these matters.

4.2 Storage and access

Any hard copy certificates and certificate information (when held) should be kept securely, in lockable, non-portable, storage containers with access strictly controlled and limited to those who are entitled to see it as part of their duties.

4.3 Handling

In accordance with section 124 of the Police Act 1997, certificate information is only passed to those who are authorised to receive it in the course of their duties. We maintain a record of all those to whom certificates or certificate information has been revealed and it is a criminal offence to pass this information to anyone who is not entitled to receive it.

University departments or services which are inspected by Ofsted or the Care Quality Commission may be legally entitled to retain the certificate for the purposes of inspection.

Where a department is required to retain certificates in order to demonstrate ‘safer recruitment’ practice for the purpose of safeguarding audits, they may be legally entitled to retain the certificate. This practice must be compliant with the Data Protection Act, Human Rights Act, General Data Protection Regulation (UK GDPR), and incorporated within this policy. 

4.4 Usage

Certificate information is only used for the specific purpose for which it was requested and for which the applicant’s full consent has been given.

4.5 Retention

Once a recruitment (or other relevant) decision has been made, we do not keep certificate information for any longer than is necessary. This retention will allow for the consideration and resolution of any disputes or complaints, or be for the purpose of completing safeguarding audits. 

Throughout this time, the usual conditions regarding safe storage and strictly controlled access will prevail. Further details regarding retention periods for recruitment and safeguarding can be found in our corporate record retention schedule.

4.6 Disposal

Once the retention period has elapsed, we will ensure that any DBS certificate information is immediately destroyed by secure means, for example by deleting an electronic file from the 

server, shredding, pulping or burning. While awaiting destruction, certificate information will not be kept in any insecure receptacle (e.g. waste bin, confidential waste sack, or digital recycle’ or ‘trash’ folder).

We will not keep any photocopy or other image of the certificate or any copy or representation of the contents of a certificate. However, notwithstanding the above, we may keep a record of the date of issue of a certificate, the name of the subject, the type of certificate requested, the position for which the certificate was requested, the unique reference number of the certificates and the details of the recruitment decision taken.

4.7 Acting as an umbrella body

Before acting as an umbrella body (an umbrella body being a registered body which countersigns applications and receives certificate information on behalf of other employers or recruiting organisations), we will take all reasonable steps to satisfy ourselves that they will handle, use, store, retain and dispose of certificate information in full compliance with the code of practice and in full accordance with this policy.

We will also ensure that any body or individual, at whose request applications for DBS certificates are countersigned, has such a written policy and, if necessary, will provide a model policy for that body or individual to use or adapt for this purpose.

Implementation

5. Policy implementation and related documents

• DBS Code of Practice for registered persons and other recipients of disclosure information through the DBS checking service
• DBS privacy notices
• Information and Records Management Policy and retention and disposal guidance
• Data Protection Policy
• Information Classification and Handling Scheme
• Information Security Policy

Document history

Document history

Review

Review cycle: Three yearly

Date of next review: November 2026