10 years of the DBS: Can you check an applicant’s criminal record?
This month the Disclosure and Barring Service (DBS) marked its ten-year anniversary of helping make recruitment safer. The DBS processes and issues checks of job applicants’ criminal records, along with maintaining records of people who aren’t permitted to work with certain vulnerable groups. Since December 2012, the DBS has processed more than 52 million basic, standard and enhanced checks.
Here’s a refresher on how to check an applicant’s criminal record when you’re running a recruitment process.
Yes. You can ask an applicant to get a basic DBS check (providing limited information about any unspent convictions) for any role, or apply for it yourself with the consent of the applicant.
You can only apply for a more thorough criminal record check (a standard or enhanced DBS check) for specific types of role. You may be required to carry out a standard or enhanced DBS check either if you are recruiting someone to a regulated profession (eg law) or because of the nature of the job in question (eg if it involves working with children or vulnerable adults). You can use the DBS website to find out what type of check is right for your employee.
How do I check whether a job applicant has a criminal record?
If you need to carry out a criminal record check and are allowed to do so, you can request a basic check from the DBS online here. It costs £18 and shows any convictions that aren’t ‘spent’ (eg some types of cautions will disappear after 3 months). It usually takes up to 14 days to receive the certificate.
To apply for a basic DBS check, your employee will need to provide their:
- addresses for the last 5 years and the dates they lived there
- National Insurance number
- driving licence
If you need a standard or enhanced check, follow the steps set out on the DBS website here.
Note that it’s a criminal offence to try to circumvent the DBS by requiring a job applicant to make a subject access request for their own criminal records. Your business could face hefty fines if you try to do this.
What data protection obligations do I have when handling data about criminal records?
You have specific data protection obligations when requesting and handling criminal records data about an individual:
- If you are going to collect information about criminal convictions, you should consider carrying out a data protection impact assessment (DPIA) before you start (see Data protection impact assessments for how to carry one out). A DPIA is mandatory if you will be collecting information about criminal convictions on a large scale.
- You should have a written policy document detailing how you ensure your compliance with data protection law, and explaining your approach to retaining and erasing the data about individuals’ criminal records, including how long you will keep it; see Staff recruitment privacy notice.
- the name and contact details of your business;
- what the criminal records data consists of, who it is about, why you need it and whether you got it with the consent of the applicant or because you are legally required to by the nature of the role;
- how long you will keep the data;
- a brief description of the measures you take to ensure data security;
- if you will share the data with anyone, and if so, who and where they are based if they are outside the UK, together with details of the safeguards you have to ensure that the data is kept securely by them; and
- You must be prepared to provide a copy of these records about your use of the criminal records information to the ICO on request.
You should record the results of the DBS check (ie whether it is satisfactory or unsatisfactory, rather than the detail of any convictions), but delete all other information about criminal convictions collected in the course of the recruitment process once it has been verified through the DBS check. You must only keep more detailed information in very exceptional circumstances where it is clearly relevant to your ongoing employment of the individual in question.