{"id":8393,"date":"2025-10-28T19:40:43","date_gmt":"2025-10-28T19:40:43","guid":{"rendered":"https:\/\/crbdirect.org.uk\/?p=8393"},"modified":"2025-10-28T19:40:43","modified_gmt":"2025-10-28T19:40:43","slug":"gdpr-dbs-data","status":"publish","type":"post","link":"https:\/\/crbdirect.org.uk\/gdpr-dbs-data\/","title":{"rendered":"GDPR &amp; DBS Data: How Employers Must Store, Use, and Delete Sensitive Records"},"content":{"rendered":"<article class=\"text-token-text-primary w-full focus:outline-none [--shadow-height:45px] has-data-writing-block:pointer-events-none has-data-writing-block:-mt-(--shadow-height) has-data-writing-block:pt-(--shadow-height) [&amp;:has([data-writing-block])&gt;*]:pointer-events-auto scroll-mt-[calc(var(--header-height)+min(200px,max(70px,20svh)))]\" dir=\"auto\" data-turn-id=\"26bbd3c9-e9ea-48b5-9df3-d11ca95e407b\" data-testid=\"conversation-turn-731\" data-scroll-anchor=\"true\" data-turn=\"assistant\">\n<div class=\"text-base my-auto mx-auto pb-10 [--thread-content-margin:--spacing(4)] thread-sm:[--thread-content-margin:--spacing(6)] thread-lg:[--thread-content-margin:--spacing(16)] px-(--thread-content-margin)\">\n<div class=\"[--thread-content-max-width:40rem] thread-lg:[--thread-content-max-width:48rem] mx-auto max-w-(--thread-content-max-width) flex-1 group\/turn-messages focus-visible:outline-hidden relative flex w-full min-w-0 flex-col agent-turn\">\n<div class=\"flex max-w-full flex-col grow\">\n<div class=\"min-h-8 text-message relative flex w-full flex-col items-end gap-2 text-start break-words whitespace-normal [.text-message+&amp;]:mt-1\" dir=\"auto\" data-message-author-role=\"assistant\" data-message-id=\"b48a5f49-ae92-4b52-9e25-1d91638cfd1e\" data-message-model-slug=\"gpt-5\">\n<div class=\"flex w-full flex-col gap-1 empty:hidden first:pt-[1px]\">\n<div class=\"markdown prose dark:prose-invert w-full break-words light markdown-new-styling\">\n<p data-start=\"270\" data-end=\"687\">When it comes to <strong data-start=\"287\" data-end=\"301\">DBS checks<\/strong>, employers handle some of the most sensitive personal data available \u2014 including criminal record information. Under the <strong data-start=\"422\" data-end=\"467\">General Data Protection Regulation (GDPR)<\/strong> and the <strong data-start=\"476\" data-end=\"504\">Data Protection Act 2018<\/strong>, UK employers have strict responsibilities to ensure this data is stored, used, and deleted correctly. Mishandling such information can lead to legal penalties and damage to trust.<\/p>\n<p data-start=\"689\" data-end=\"833\">This article explains how employers can remain compliant when dealing with <strong data-start=\"764\" data-end=\"783\">GDPR &amp; DBS Data<\/strong>, ensuring fair treatment and lawful processing.Understanding the Link Between GDPR and DBS Data<\/p>\n<p data-start=\"895\" data-end=\"1171\">The <strong data-start=\"899\" data-end=\"939\">Disclosure and Barring Service (DBS)<\/strong> provides criminal record information to help employers make safer recruitment decisions. However, because DBS certificates contain personal and sometimes sensitive details, they fall under <strong data-start=\"1129\" data-end=\"1154\">special category data<\/strong> in GDPR terms.<\/p>\n<p data-start=\"1173\" data-end=\"1200\">Employers must therefore:<\/p>\n<ul data-start=\"1201\" data-end=\"1339\">\n<li data-start=\"1201\" data-end=\"1246\">\n<p data-start=\"1203\" data-end=\"1246\">Process DBS data <strong data-start=\"1220\" data-end=\"1243\">lawfully and fairly<\/strong>.<\/p>\n<\/li>\n<li data-start=\"1247\" data-end=\"1292\">\n<p data-start=\"1249\" data-end=\"1292\">Store it <strong data-start=\"1258\" data-end=\"1289\">securely and confidentially<\/strong>.<\/p>\n<\/li>\n<li data-start=\"1293\" data-end=\"1339\">\n<p data-start=\"1295\" data-end=\"1339\">Keep it <strong data-start=\"1303\" data-end=\"1336\">only for as long as necessary<\/strong>.<\/p>\n<\/li>\n<\/ul>\n<p data-start=\"1341\" data-end=\"1514\">Every stage of handling DBS data \u2014 from receiving results to storage and disposal \u2014 must comply with the GDPR principles of <strong data-start=\"1465\" data-end=\"1511\">data minimisation, accuracy, and integrity<\/strong>.<\/p>\n<h2 data-start=\"1521\" data-end=\"1568\">How Employers Should Store DBS Information<\/h2>\n<p data-start=\"1570\" data-end=\"1756\">Once a DBS certificate is received, employers should <strong data-start=\"1623\" data-end=\"1644\">store it securely<\/strong> and restrict access only to authorised staff involved in recruitment or safeguarding. Best practices include:<\/p>\n<ul data-start=\"1758\" data-end=\"2008\">\n<li data-start=\"1758\" data-end=\"1839\">\n<p data-start=\"1760\" data-end=\"1839\">Keeping DBS certificates in <strong data-start=\"1788\" data-end=\"1836\">locked cabinets or encrypted digital storage<\/strong>.<\/p>\n<\/li>\n<li data-start=\"1840\" data-end=\"1933\">\n<p data-start=\"1842\" data-end=\"1933\">Ensuring <strong data-start=\"1851\" data-end=\"1878\">limited access controls<\/strong> \u2014 only HR or compliance officers should handle them.<\/p>\n<\/li>\n<li data-start=\"1934\" data-end=\"2008\">\n<p data-start=\"1936\" data-end=\"2008\">Avoiding unauthorised copying or scanning unless absolutely necessary.<\/p>\n<\/li>\n<\/ul>\n<p data-start=\"2010\" data-end=\"2249\">Employers should never store DBS data indefinitely. The <strong data-start=\"2066\" data-end=\"2090\">DBS Code of Practice<\/strong> advises that a copy or note of a DBS certificate should be kept <strong data-start=\"2155\" data-end=\"2184\">no longer than six months<\/strong>, unless there is a valid legal reason to retain it for longer.<\/p>\n<h2 data-start=\"2256\" data-end=\"2287\">Using DBS Data Responsibly<\/h2>\n<p data-start=\"2289\" data-end=\"2437\">DBS information should only be used for the specific purpose it was obtained \u2014 usually for assessing suitability for employment or voluntary work.<\/p>\n<p data-start=\"2439\" data-end=\"2745\">Employers must never use DBS data for unrelated activities, marketing, or internal profiling. Additionally, decisions based on DBS results should always be <strong data-start=\"2595\" data-end=\"2621\">proportionate and fair<\/strong>, taking into account the nature of the role and any spent convictions under the <strong data-start=\"2702\" data-end=\"2742\">Rehabilitation of Offenders Act 1974<\/strong>.<\/p>\n<p data-start=\"2747\" data-end=\"2812\">Transparency is essential. <strong>Candidates should be informed about:<\/strong><\/p>\n<ul data-start=\"2813\" data-end=\"2910\">\n<li data-start=\"2813\" data-end=\"2851\">\n<p data-start=\"2815\" data-end=\"2851\">Why their data is being collected.<\/p>\n<\/li>\n<li data-start=\"2852\" data-end=\"2876\">\n<p data-start=\"2854\" data-end=\"2876\">How it will be used.<\/p>\n<\/li>\n<li data-start=\"2877\" data-end=\"2910\">\n<p data-start=\"2879\" data-end=\"2910\">How long it will be retained.<\/p>\n<\/li>\n<\/ul>\n<h2 data-start=\"2917\" data-end=\"2956\">Deleting and Disposing of DBS Data<\/h2>\n<p data-start=\"2958\" data-end=\"3088\">When DBS data is no longer needed, it must be <strong data-start=\"3004\" data-end=\"3026\">securely destroyed<\/strong> to prevent unauthorised access or misuse. Employers should:<\/p>\n<ul data-start=\"3090\" data-end=\"3266\">\n<li data-start=\"3090\" data-end=\"3139\">\n<p data-start=\"3092\" data-end=\"3139\">Use <strong data-start=\"3096\" data-end=\"3119\">cross-cut shredders<\/strong> for paper copies.<\/p>\n<\/li>\n<li data-start=\"3140\" data-end=\"3206\">\n<p data-start=\"3142\" data-end=\"3206\">Employ <strong data-start=\"3149\" data-end=\"3182\">secure digital deletion tools<\/strong> for electronic files.<\/p>\n<\/li>\n<li data-start=\"3207\" data-end=\"3266\">\n<p data-start=\"3209\" data-end=\"3266\">Record the deletion date and method for audit purposes.<\/p>\n<\/li>\n<\/ul>\n<p data-start=\"3268\" data-end=\"3438\">Under GDPR, individuals have the <strong data-start=\"3301\" data-end=\"3330\">right to request deletion<\/strong> of their personal data, which employers must comply with unless there is a legal obligation to retain it.<\/p>\n<h2 data-start=\"3445\" data-end=\"3477\">Why <a href=\"https:\/\/crbdirect.org.uk\/gdpr-and-the-dbs-check-process\/https:\/\/crbdirect.org.uk\/gdpr-and-the-dbs-check-process\/\">GDPR<\/a> Compliance Matters<\/h2>\n<p data-start=\"3479\" data-end=\"3747\">Failure to comply with <strong data-start=\"3502\" data-end=\"3521\">GDPR &amp; DBS Data<\/strong> rules can result in substantial fines from the <strong data-start=\"3569\" data-end=\"3612\">Information Commissioner\u2019s Office (ICO)<\/strong> and reputational harm. More importantly, maintaining compliance shows a commitment to safeguarding and respect for employee privacy.<\/p>\n<p data-start=\"3749\" data-end=\"3857\">For more information or to start a DBS check process, visit <a class=\"decorated-link\" href=\"https:\/\/crbdirect.org.uk\/\" target=\"_new\" rel=\"noopener\" data-start=\"3809\" data-end=\"3854\">CRBDirect.org.uk<\/a>.<\/p>\n<h2 data-start=\"3864\" data-end=\"3873\">FAQs<\/h2>\n<p data-start=\"3875\" data-end=\"4090\"><strong data-start=\"3875\" data-end=\"3928\">1. Can employers keep copies of <a href=\"https:\/\/crbdirect.org.uk\/dbs-certificates-are-changing-appearance\/\">DBS certificates<\/a>?<\/strong><br data-start=\"3928\" data-end=\"3931\" \/>Employers can keep a copy for up to six months but should destroy it once the retention period expires unless there\u2019s a justified reason to retain it longer.<\/p>\n<p data-start=\"4092\" data-end=\"4241\"><strong data-start=\"4092\" data-end=\"4139\">2. Is consent required to process DBS data?<\/strong><br data-start=\"4139\" data-end=\"4142\" \/>Yes. Employers must inform candidates and obtain consent before processing their DBS information.<\/p>\n<p data-start=\"4243\" data-end=\"4391\"><strong data-start=\"4243\" data-end=\"4288\">3. How should digital DBS data be stored?<\/strong><br data-start=\"4288\" data-end=\"4291\" \/>It should be stored in encrypted formats with restricted access and proper cybersecurity measures.<\/p>\n<p data-start=\"4393\" data-end=\"4601\"><strong data-start=\"4393\" data-end=\"4437\">4. What happens if DBS data is breached?<\/strong><br data-start=\"4437\" data-end=\"4440\" \/>A data breach involving DBS information must be reported to the <strong data-start=\"4504\" data-end=\"4511\">ICO<\/strong> within 72 hours and to the affected individuals if there\u2019s a high risk to their rights.<\/p>\n<p data-start=\"4608\" data-end=\"4754\" data-is-last-node=\"\" data-is-only-node=\"\">Properly handling <strong data-start=\"4626\" data-end=\"4645\">GDPR &amp; DBS Data<\/strong> is not just a legal requirement \u2014 it\u2019s a sign of professionalism and trustworthiness in any UK organisation.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/article>\n","protected":false},"excerpt":{"rendered":"<p>When it comes to DBS checks, employers handle some of the most sensitive personal data available \u2014 including criminal record information. Under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, UK employers have strict responsibilities to ensure this data is stored, used, and deleted correctly. Mishandling such information can lead to legal penalties and damage to&nbsp;<a href=\"https:\/\/crbdirect.org.uk\/gdpr-dbs-data\/\" class=\"read-more\">Continue Reading<\/a><\/p>\n","protected":false},"author":8,"featured_media":8394,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[34],"tags":[79,78],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v19.8 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>GDPR &amp; DBS Data: How Employers Must Store, Use, and Delete Sensitive Records<\/title>\n<meta name=\"description\" content=\"Learn how UK employers handle GDPR &amp; DBS Data \u2014 storing, using, and deleting sensitive records securely and lawfully.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/crbdirect.org.uk\/gdpr-dbs-data\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"GDPR &amp; DBS Data: How Employers Must Store, Use, and Delete Sensitive Records\" \/>\n<meta property=\"og:description\" content=\"Learn how UK employers handle GDPR &amp; DBS Data \u2014 storing, using, and deleting sensitive records securely and lawfully.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/crbdirect.org.uk\/gdpr-dbs-data\/\" \/>\n<meta property=\"og:site_name\" content=\"CRB Direct\" \/>\n<meta property=\"article:published_time\" content=\"2025-10-28T19:40:43+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/crbdirect.org.uk\/wp-content\/uploads\/2025\/10\/GDPR-DBS-Data.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1000\" \/>\n\t<meta property=\"og:image:height\" content=\"667\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Kazi\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Kazi\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/crbdirect.org.uk\/gdpr-dbs-data\/\",\"url\":\"https:\/\/crbdirect.org.uk\/gdpr-dbs-data\/\",\"name\":\"GDPR &amp; DBS Data: How Employers Must Store, Use, and Delete Sensitive Records\",\"isPartOf\":{\"@id\":\"https:\/\/crbdirect.org.uk\/#website\"},\"datePublished\":\"2025-10-28T19:40:43+00:00\",\"dateModified\":\"2025-10-28T19:40:43+00:00\",\"author\":{\"@id\":\"https:\/\/crbdirect.org.uk\/#\/schema\/person\/527698d8fcc16e87eb8d0041b1f8effc\"},\"description\":\"Learn how UK employers handle GDPR & DBS Data \u2014 storing, using, and deleting sensitive records securely and lawfully.\",\"breadcrumb\":{\"@id\":\"https:\/\/crbdirect.org.uk\/gdpr-dbs-data\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/crbdirect.org.uk\/gdpr-dbs-data\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/crbdirect.org.uk\/gdpr-dbs-data\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/crbdirect.org.uk\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"GDPR &amp; DBS Data: How Employers Must Store, Use, and Delete Sensitive Records\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/crbdirect.org.uk\/#website\",\"url\":\"https:\/\/crbdirect.org.uk\/\",\"name\":\"CRB Direct\",\"description\":\"\",\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/crbdirect.org.uk\/#\/schema\/person\/527698d8fcc16e87eb8d0041b1f8effc\",\"name\":\"Kazi\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/crbdirect.org.uk\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/6d7460bd48ea0065e5c9bad997ef21ab?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/6d7460bd48ea0065e5c9bad997ef21ab?s=96&d=mm&r=g\",\"caption\":\"Kazi\"},\"url\":\"https:\/\/crbdirect.org.uk\/author\/kazi\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"GDPR &amp; DBS Data: How Employers Must Store, Use, and Delete Sensitive Records","description":"Learn how UK employers handle GDPR & DBS Data \u2014 storing, using, and deleting sensitive records securely and lawfully.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/crbdirect.org.uk\/gdpr-dbs-data\/","og_locale":"en_US","og_type":"article","og_title":"GDPR &amp; DBS Data: How Employers Must Store, Use, and Delete Sensitive Records","og_description":"Learn how UK employers handle GDPR & DBS Data \u2014 storing, using, and deleting sensitive records securely and lawfully.","og_url":"https:\/\/crbdirect.org.uk\/gdpr-dbs-data\/","og_site_name":"CRB Direct","article_published_time":"2025-10-28T19:40:43+00:00","og_image":[{"width":1000,"height":667,"url":"https:\/\/crbdirect.org.uk\/wp-content\/uploads\/2025\/10\/GDPR-DBS-Data.jpg","type":"image\/jpeg"}],"author":"Kazi","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Kazi","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/crbdirect.org.uk\/gdpr-dbs-data\/","url":"https:\/\/crbdirect.org.uk\/gdpr-dbs-data\/","name":"GDPR &amp; DBS Data: How Employers Must Store, Use, and Delete Sensitive Records","isPartOf":{"@id":"https:\/\/crbdirect.org.uk\/#website"},"datePublished":"2025-10-28T19:40:43+00:00","dateModified":"2025-10-28T19:40:43+00:00","author":{"@id":"https:\/\/crbdirect.org.uk\/#\/schema\/person\/527698d8fcc16e87eb8d0041b1f8effc"},"description":"Learn how UK employers handle GDPR & DBS Data \u2014 storing, using, and deleting sensitive records securely and lawfully.","breadcrumb":{"@id":"https:\/\/crbdirect.org.uk\/gdpr-dbs-data\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/crbdirect.org.uk\/gdpr-dbs-data\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/crbdirect.org.uk\/gdpr-dbs-data\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/crbdirect.org.uk\/"},{"@type":"ListItem","position":2,"name":"GDPR &amp; DBS Data: How Employers Must Store, Use, and Delete Sensitive Records"}]},{"@type":"WebSite","@id":"https:\/\/crbdirect.org.uk\/#website","url":"https:\/\/crbdirect.org.uk\/","name":"CRB Direct","description":"","inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/crbdirect.org.uk\/#\/schema\/person\/527698d8fcc16e87eb8d0041b1f8effc","name":"Kazi","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/crbdirect.org.uk\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/6d7460bd48ea0065e5c9bad997ef21ab?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/6d7460bd48ea0065e5c9bad997ef21ab?s=96&d=mm&r=g","caption":"Kazi"},"url":"https:\/\/crbdirect.org.uk\/author\/kazi\/"}]}},"_links":{"self":[{"href":"https:\/\/crbdirect.org.uk\/wp-json\/wp\/v2\/posts\/8393"}],"collection":[{"href":"https:\/\/crbdirect.org.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/crbdirect.org.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/crbdirect.org.uk\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/crbdirect.org.uk\/wp-json\/wp\/v2\/comments?post=8393"}],"version-history":[{"count":3,"href":"https:\/\/crbdirect.org.uk\/wp-json\/wp\/v2\/posts\/8393\/revisions"}],"predecessor-version":[{"id":8397,"href":"https:\/\/crbdirect.org.uk\/wp-json\/wp\/v2\/posts\/8393\/revisions\/8397"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/crbdirect.org.uk\/wp-json\/wp\/v2\/media\/8394"}],"wp:attachment":[{"href":"https:\/\/crbdirect.org.uk\/wp-json\/wp\/v2\/media?parent=8393"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/crbdirect.org.uk\/wp-json\/wp\/v2\/categories?post=8393"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/crbdirect.org.uk\/wp-json\/wp\/v2\/tags?post=8393"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}