The Disclosure and Barring Service (DBS) was established in December 2012 under Part V of the Protection of Freedoms Act (POFA) 1 to undertake disclosure and barring functions. There are specific legal requirements around these checks. Disclosure functions are set out in Part V of the Police Act 1997 2, which requires Registered Bodies to adhere to this Code of Practice.
Who does this Code apply to?
The Code of Practice applies to all Registered Bodies with the Disclosure and Barring Service (DBS) under section 120 of the Police Act 1997 (Registered Bodies) and recipients of Update Service information under section 116A of the Police Act 1997. This includes those Registered Bodies that provide an umbrella function to non-registered organisations. The Code refers to any information exchanged between DBS and the Registered Body.
The Code of Practice does not apply to other third parties. The DBS will seek to ensure compliance with the Code through the full range of DBS assurance management processes.
All applicants for a DBS check should be made aware of this Code of Practice and provided with a copy on request.
Disclosure Offences: Sections 123 and 124 of the Police Act 1997 3
Although certificates are now provided directly to the applicant, registered bodies will receive personal information related to applications and, where registered bodies are also employers, voluntary sector organisations or licensing authorities, will receive disclosure information when certificates are provided to them by their employees or applicants for posts, including volunteers.
Recipients of disclosure information, through electronic means or via the applicant’s copy of the disclosure, must note that it is an offence to disclose information contained within a DBS Certificate to any person who is not a member, officer or employee of the Registered Body or their client, unless a relevant legal exception applies. Furthermore, it is also an offence to:
- Disclose information to any member, officer or employee where it is not related to that employee’s duties
- Knowingly make a false statement for the purpose of obtaining, or enabling another person to obtain, a Certificate
Revised Code of Practice for Disclosure and Barring Service Registered Persons
Registered Bodies and those in receipt of Update Service information believed to have committed an offence will be liable to prosecution, suspension or de-registration.
What happens if the Code is breached?
The Police Act 1997 (Criminal Records) (Registration) Regulations 2006 4 sets out Conditions of Registration. Regulation 7(h) is for compliance with the Code of Practice issued under section 122 of the Act.
Failure to comply with Conditions of Registration can result in the suspension or cancellation of registration. This follows a set legislative process with clear timescales.
Failure to comply with requirements set out in the Data Protection Act may also result in enforcement action from the Information Commissioner’s Office (ICO).
The Police Act 1997 (Criminal Records) (Registration) Regulations 2006 5 sets out the obligations a Registered Body must meet in order to retain its registration.
Registered Bodies must:
- Provide up-to-date information to the DBS in respect of their registration information and counter signatories in line with current procedures.
- Maintain all accounts, online or otherwise, for all DBS products and delete when no longer required.
- Ensure any electronic system used complies with specifications set out in the above regulations.
Registered Bodies must:
- Submit applications for a DBS product in the format determined by DBS.
- Ensure that applications for a DBS product are completed accurately and that all data fields determined by DBS as mandatory are completed in full.
- Ensure that any application submitted electronically complies with DBS specifications as stipulated in line with current requirements.
- Ensure that, where evidence checkers complete any part of the administration of the application process, sufficient training has been provided to enable the same degree of accuracy required by DBS of the counter signatory.
Registered Bodies must:
- Verify the identity of the applicant prior to the submission of an application for a DBS product by following the current guidelines issued by DBS.6
- Ensure that any person undertaking identity verification checks on their behalf follows the current guidelines issued by DBS.
- Make sure lead or counter signatories do not validate their own applications for any DBS products.
Failure to comply with DPA requirements could result in enforcement action from the ICO.
In line with the Data Protection Act 1998, Registered Bodies and those in receipt of Update Service information must:
- Have a written policy on the secure handling of information provided by DBS, electronically or otherwise, and make it available to individuals at the point of requesting them to complete a DBS application form or asking consent to use their information to access any service DBS provides.
- Handle all information provided to them by DBS, as a consequence of applying for a DBS product, in line with the obligations under GDPR and the Data Protection Act 2018.
- Handle all DBS related information provided to them by their employee or potential employee in line with the obligations under GDPR and the Data Protection Act 2018.
- Ensure that a result received as part of an application submitted electronically is not reproduced in such a way that it implies that it is a certificate issued by DBS.
- Ensure any third parties are aware of the Data Protection Principles and provide them with guidance on secure handling and storage of information. For Data Protection purposes, information passed to a Registered Body by DBS remains the responsibility of the Registered Body even if passed to a third party.
- Ensure business continuity and disaster recovery measures are in place and comply with Data Protection requirements.
- Comply with security requirements under principle 7 of the Data Protection Act.7
Registered Bodies and those in receipt of Update Service information must:
- Have a written policy on the suitability of ex-offenders for employment in relevant positions. This should be available upon request to potential applicants and, in the case of those carrying out an umbrella function, should be made available to their clients. Clients of Registered Bodies should make this policy available to their potential or existing employees.
- Ensure that all applicants for relevant positions or employment are notified in advance of the requirement for a Disclosure.
- Notify all potential applicants of the potential effect of a criminal record history on the recruitment and selection process and any recruitment decision.
- Discuss the content of the Disclosure with the applicant before withdrawing any offer of employment.
Payment of Fees
Registered Bodies must:
- Pay all registration fees in line with time periods set out in current procedures.
- Pay all fees relating to DBS products in line with time periods set out in current procedures.
- Pay all fees related to criminal records check applications submitted after any decision by the DBS to suspend registration or deregister the organisation.
- Correctly apply the Police Act definition of a volunteer to each criminal records check application to assert eligibility that no fee should be charged for that application.
- Publish all fees, in relevant documentation, associated with the processing of criminal records check applications when you do so on behalf of others.
- Notify the DBS in writing of any change to the fees associated with the processing of criminal records check applications when you do so on behalf of others.
Eligibility for DBS checks is set out in the following legislation:
- Standard checks – to be eligible for a standard level DBS certificate, the position must be included in the Rehabilitation of Offenders Act (ROA) 1974 (Exceptions) Order 1975.8
- Enhanced checks – to be eligible for an enhanced level DBS certificate, the position must be included in both the ROA Exceptions Order and in the Police Act 1997 (Criminal Records) regulations.9
- Enhanced checks with children’s and/or adults’ barred list check(s) – to be eligible to request a check of the barred lists, the position must be eligible for an enhanced level DBS certificate and be specifically listed in the Police Act 1997 (Criminal Records) regulations as being eligible to check the appropriate barred list(s).
Registered Bodies must:
- Use all reasonable endeavours to ensure that they only submit criminal records check applications in accordance with the legislative provisions which provide eligibility criteria for relevant positions or employment.
- Ensure that before allowing a DBS check application to be submitted they have assessed the role to be eligible under current legislation, correctly applied the right level of check, and correctly requested the appropriate barring list information.
- Ensure they are legally entitled to request any DBS product being applied for.
Registered Bodies and those in receipt of Update Service Information must co-operate in full and in line with the timescales in current procedures,10 when DBS enquiries are made in relation to:
- Ongoing compliance of Registered Bodies and those in receipt of Update Service information with the obligations under this Code.
- Implementing the suspension or de-registration of a Registered Body where non-compliance is established in line with current procedures.
Each of the obligations of this Code is supplemented by detailed Guidance available on the DBS website at www.gov.uk/dbs. This Guidance will be updated on a continual basis to ensure that it reflects the reality of DBS operations and the needs of Registered Bodies. Significant changes to the Guidance will be notified to Registered Bodies as required.