Records Management – Policy for the handling and use of DBS certificate information

Related pages

This policy explains that all handlers and recipients of certificate information from the Disclosure and Barring Service (DBS) must protect and ensure the security of the information they have access to, and must use it only for the purpose it was given for and abide by the DBS Code of Practice.

The policy applies to all employees, including those who receive, handle or manage certificate information.


1. Policy

1.1 The University of York uses the Disclosure and Barring Service (DBS) checking service to help assess the suitability of applicants for positions of trust. It will comply fully with the DBS Code of Practice regarding the correct handling, use, storage, retention and disposal of certificates and certificate information.

1.2 It will comply fully with its obligations under the Data Protection Act 1998 and other relevant legislation pertaining to the safe handling, use, storage, retention and disposal of certificate information.

1.3 It will keep certificate information securely, in lockable, non-portable, storage containers. Access will be strictly controlled and limited to those who are entitled to see it as part of their duties.

1.4 In accordance with section 124 of the Police Act 1997, certificate information will only be passed to those who are authorised to receive it in the course of their duties. The University will maintain records of all those to whom certificates or certificate information has been revealed. It is a criminal offence to pass this information to anyone who is not entitled to receive it.

1.5 Certificate information will only be used for the specific purpose for which it was requested and for which the applicant’s full consent has been given.

1.6 Once a recruitment (or other relevant) decision has been made, the University will not keep certificate information for any longer than is necessary. This is generally for a period of up to six months, to allow for the consideration and resolution of any disputes or complaints. If, in very exceptional circumstances, it is considered necessary to keep certificate information for longer than six months, the University will consult the DBS about this and will give full consideration to the Data Protection and Human Rights of the individual before doing so. Throughout this time, the usual conditions regarding the safe storage and strictly controlled access will prevail.

1.7 Once the retention period has elapsed, any DBS certificate information will be destroyed immediately by secure means (i.e. by shredding, pulping or burning). While awaiting destruction, certificate information will not be kept in any insecure receptacle (e.g. waste bin or confidential waste sack). The University will not keep any photocopy or other image of the certificate or any copy or representation of the contents of a certificate. However, notwithstanding the above, the University may keep a record of the date of issue of a certificate, the name of the subject, the type of certificate requested, the position for which the certificate was requested, the unique reference number of the certificates and the details of the recruitment decision taken.



2. Scope

2.1 This policy applies to all University staff who handle, or are responsible for the handling of, DBS certificate information.

2.2 This policy covers all DBS certificates and certificate information held by the University.



3. Oversight

3.1 The Information Security Board, chaired by the Director of Information, will monitor the effectiveness of this policy and carry out regular reviews.


4. Responsibilities

4.1 All managers, handlers and recipients of DBS certificate information are responsible for protecting and ensuring the security of the information to which they have access.

4.2 University Officers, Heads of Departments and Section Heads are responsible for ensuring that all DBS and certificate information in their area is managed in conformance with this policy.

4.3 Information users who act in breach of this policy, or who do not act to implement it, may be subject to disciplinary procedures or other appropriate sanctions.

4.4 Any breach of information security or violation of this policy must be reported to the Director of Information who will take appropriate action and inform the relevant authorities.

Document history

Document history

 09 April 2015 Approved by Information Policy Executive
21 August 2015 Approved by Information Security Board


Review cycle: Three yearly

Date of next review: August 2018