Undertaking DBS (Disclosure & Barring Service) checks on staff and volunteers can be an important measure to ensure safeguards are in place to protect everyone concerned. In order to undertake such a check, personal data must be processed and therefore your data protection policy will apply. However, a DBS check constitutes the processing of criminal records whether or not there are ‘none recorded’. Criminal records are a special category of data and the UK GDPR Article 10 says that the processing of such information is not permitted under normal everyday circumstances, so you’ll need some additional measure to lawfully process the check.
Firstly, it’s important to choose the right lawful basis. it could be a legal obligation, if this is the case you’ll need to identify the law that requires it. It probably won’t be consent as the individual must be given a genuine choice to say no, this is difficult to justify in the employment setting. Therefore, it is likely that the lawful basis will be legitimate interest (UK GDPR Art.6(f). Because criminal records are a special category of data you will also need a UK GDPR Art.9 condition to accompany it. There are ten to choose from. Once this has been established, most of the Art.9 conditions require you to identify a law upon which to rely. It is likely these will be found in the Data Protection Act 2018. Finally, most of those laws require you to have an Appropriate Policy Document (APD) in place. This document supports the use of the exemptions referenced here and should be made available to the ICO should they wish to inspect it. The exemptions are very powerful, they can remove your obligations to uphold certain data subject information rights such as the right to be informed.
If you are undertaking DBS checks and have not implemented the procedures discussed here, you are probably infringing the legislation, we urge you to take action without delay. If you need support please get in touch on 0330 111 0013 or firstname.lastname@example.org