Why Is Confidentiality So Important?
The DBS is the most effective way yet devised to keep dangerous individuals away from society’s most vulnerable citizens. There are several types of DBS check, each providing a different level of protection for a different type of work: from the Basic DBS Check, which looks only for unspent convictions, to the comprehensive Enhanced DBS Check with Barred List, which applies to anyone who seeks to engage in regulated activity with children or vulnerable adults. It is in everyone’s interest that employers have access to information about whether a candidate is suitable for certain positions. But there are also laws governing how that information can and must be handled. Why is confidentiality so important? That’s what we’re here to discuss.
The GDPR as it Applies to Employers
Large corporations tend to have legal departments that keep everyone up to date on current law as it pertains to their business operation. Small and mid-sized companies, however, are often on their own. But a lack of legal resources is not an acceptable excuse for ignorance of the rules when it comes to confidentiality and handling sensitive information.
The rules regarding the handling of personal information are laid out in the General Data Protection Regulation that came into effect in 2018. This EU initiative replaced the UK’s Data Protection Act of 1998. The UK will likely be exiting the EU shortly, but as of this writing, the GDPR is still in effect and will remain so until and unless a new act of Parliament says otherwise.
The GDPR was intended to create limits on how organisations can collect and use personal data. And that includes criminal records. The penalties for failing to comply with GDPR regulations are steep. Ignoring them could result in a fine of up to £17 million. According to GDPR guidelines, the following principles must be adhered to when handling personal information:
- Data minimisation
- Purpose limitations
- Storage limitations
- Confidentiality and integrity
Violating any of these principles can result in the aforementioned fine, with the size of the penalty depending on the severity of the violation. But GDPR compliance is not the only thing companies need to be mindful of when handling personal information about criminal records. The DBS has its own code of practice that must be honoured when dealing with information about a person’s criminal history. That code states that organisations must:
- Store any received information in a secure manner
- Comply with all relevant data protection laws (i.e. the GDPR)
- Never pass DBS data to those not specifically authorised to see it
- Not keep information on hand longer than necessary
- Ensure the data they have is accurate
- Always process DBS information in a secure manner
Failure to comply with the DBS code of practice may result in an intrusive investigation as well as substantial fines.
How to Ensure Confidentiality and Data Protection
Both the DBS code of practice and the EU’s GDPR require that information gleaned during DBS checks be stored in a secure manner and kept confidential. But many smaller companies, in particular, are unsure exactly how to go about doing this. The following pointers should help.
- Keeping it Secure – There is a fundamental problem with data security: there is no legal definition of what constitutes ‘secure’. Only security violations are explicitly defined. For instance, leaving Barred List information in the break room at work where anyone could see it is a clear violation of confidentiality. But how you prevent that from happening is up to you. The DBS itself suggests you use ‘lockable, non-portable, storage containers’, so you might decide to use the company safe. But if people not authorised to see the DBS information have access to that safe, then that too is a violation of confidentiality. So the important question to ask when deciding where to store sensitive information is “Who has access?”
- Holding onto the Information – When it comes to retaining confidential DBS information, the law is once again unclear. You are generally warned not to hold onto the information any longer than necessary, but again, there is no precise legal definition of ‘longer than necessary’. The DBS suggests disposing of such data once a hiring decision has been made. Confidentiality must also be taken into account during the disposal process: a DBS certificate cannot simply be tossed in the waste bin next to your desk to be collected by the cleaners. Typically, it must be shredded or burned. Making copies of a DBS certificate is also prohibited, but if a copy is somehow made, it must also be shredded or burned.
DBS checks contain information of a highly personal and, in some cases, incriminating nature. As such, both the DBS and the GDPR impose strict guidelines governing data protection and handling. Make sure your company is always in compliance with both the GDPR and the DBS code of practice.