For most businesses, handling an employee’s confidential data can present a number of challenges. If you operate in sectors such as education and social care, you may be more familiar with the guidelines surrounding DBS data, but for all businesses it is important to educate your team so you can be confident you will not have to face any of the legal implications of a data leak.
Here, Michelle Mellor, Managing Director at Personnel Checks, gives her top advice on how companies should handle confidential information in the best way possible.
First and foremost, in line with the DBS code of practice, businesses need a formal written policy on the secure handling of any information provided (electronically or otherwise).
Companies would usually request DBS checks for successful job applicants, at which point they must make the details of this policy available to the applicant in question.
The employer must handle all information provided to them by DBS in line with their obligations under the Data Protection Act 1998.
Businesses that receive DBS information can keep a record of:
A business cannot reproduce a DBS certificate or related information in such a way that it implies that it is a certificate issued by DBS.
Disclosure information should never be kept on an applicant's personnel file and should be kept separately and securely, in a lockable, non-portable storage container with access strictly controlled and limited to those who are entitled to see it as part of their duties.
Once a recruitment (or other relevant) decision has been made, organisations should not keep disclosure information for any longer than is absolutely necessary. This is generally for a period of up to six months to allow for the consideration and resolution of any disputes or complaints.
Organisations should ensure that the information is destroyed via secure means, i.e. by shredding, pulping or burning.
Employee files should be kept in a secure, locked cabinet, and access should be restricted to trusted individuals. In line with regulations, DBS reports should be securely destroyed after six months.
The DBS code of practice states that employers must ensure that all applicants for relevant positions are notified in advance of the requirement for a disclosure.
Employers should also notify all applicants of the potential effect of a criminal record history on the recruitment and selection process and any recruitment decision. The content of the disclosure should be discussed with the applicant before withdrawing any offer of employment.
As outlined in the Recruitment of Ex-Offenders Act 1974:
“All employers must treat Disclosure and Barring Service (DBS) check applicants who have a criminal record fairly and not discriminate automatically because of a conviction or other information revealed.”
A leak of any applicant’s personal information should mean disciplinary action against the employee responsible. This could even lead to the termination of that employee’s contract.
It is an employer’s responsibility to ensure all staff understand their responsibility when handling confidential data (e.g. through employee handbooks) and the consequences they should expect if they breach guidelines.
Before any disciplinary action can begin, however, a full and proper investigation should take place to determine whether formal procedures are necessary.
Breach of confidentiality is (in most cases) gross misconduct, and the company in question must make a decision based on the severity of the breach.
If you’d like more advice on how to deal with DBS information in your business, give our expert team a call on 01254 355688 or send us an email at email@example.com.