Hi Dot

Puzzled if it’s the case as to why copies of visitors’ actual DBS checks need to be seen at all. Volunteers associated with the school who are in regular unsupervised contact with children, yes, but many / most visitors won’t be - obviously all visitors need to be risk-assessed re safeguarding, but even those who might possibly or conceivably come into unsupervised contact will usually have been DBS checked by the organisation they represent and all your school needs or indeed all you r school should normally get is official confirmation from suchlike organisation that this has been done. Obviously such confirmations themselves should be scrutinised for possible risk, but that’s all.

In reply to David:

Thanks for your reply David.

We do check the DBS for safeguarding reasons. We often get written confirmation from the visiting organisation that the DBS has been undertaken (the date it was done and the DBS number) and that the DBS was clear. We have many visitors from multi-agencies who do have lone access to our students and obviously for safeguarding reasons we need to be confident in our processes. If a DBS wasn't clear we would need to see the certificate as what may not be considered a risk to one organisation may be a risk to another.
My question is is there a need to keep the actual documentation once the data has been input onto the SCR.

In reply to Dot:

Obviously there isn’t any need, Dot, because as mentioned before there was no need normally / routinely to see the *actual / detailed* DBS results from these multiagency visitors - the organisations these visitors come from usually aren’t required to release the detailed results, only confirmation of a satisfactory check. Indeed, for reasons of data protection, they may be unwilling to release such very sensitive personal data.

Hi Dot

I'm no expert, but I thought that once the content had been checked you weren't supposed to keep more than the number.

In reply to Elizabeth Divver:

Neither am I an expert in all this, but if I was in charge of an organisation that sent our employees to visit establishments that required enhanced DBS checks, I wouldn't normally release any details of anything the check revealed to these establishments other than the number and confirmation that it was clear for such purposes. I do think to do so routinely would amount to a failure properly / lawfully to control sensitive personal data.

I'm all for effective safeguarding, but for keeping it proportionate to the risks as well.

In reply to Elizabeth Divver:

Thanks Elizabeth. We don't keep the certificate on the personnel file for our own employees which is what prompted me to consider the paperwork we're currently holding for visitors.

In reply to David:

Thanks David

I think you'll find that you are not entitled to keep copies of any DBS certificate longer than it takes to process - whether for permanent staff or visitors. So once the document has been checked and there are no concerns, simply recording on the SCR the number and the date it was seen/person checking should be all that's required.
www.gov.uk/.../dbs-check-requests-guidance-for-employers

In reply to Nina Waters:

Thanks Nina. Yes the paperwork we're holding are those containing the DBS details. Where the certificate has been provided we've not kept copies. I should have been a bit clearer and said the paperwork we're keeping relates to DBS details and not the certificate.

In reply to Dot:

I would re-visit DBS guidance and look at ‘Regulated Activity’ and check your visitors are genuinely involved in regulated activity because you may be requesting information that you do not require.

It’s not only the issue with retention of the data you have but also given the introduction of our friend GDPR it will be the justification behind why you are asking for it that you will need to be clear on.

In reply to Dot:

Hi Dot. Copies of DBS forms (for anyone) should not be kept for longer than is necessary to complete the task they are required for such as a recruitment process. I believe the maximum length of time they should be kept is 6 months. So, in short. Don't keep copies. :) hope that helps?

In reply to Nina Waters:

I am very interested in this post since I am in the process of developing a really robust policy in line with the most up to date DBS Code for an organisation.  I provide a lot of management and consultancy work in social care and  health where employees/workers are subject to rigorous DBS checks. There is one thing that I wish to smooth out in my future work relating to procedure and the retention of documents concerning DBS certificate numbers. 

This query has come up for me since hard copy DBS processes are outdated.  Most smaller organisations use an umbrella body to administrate the process on line nowadays.  Whether the checks finally come in positive and negative, there is an email that arrives in from the umbrella body to advise 'None Recorded' or to otherwise say something similar to 'refer to the DBS Cert.' where there is a positive report.  The latter is then subject to a risk assessment and is escalated. 

However, for all outcomes generally, the 'DBS ready' alert email eventually arrives.  This email is retained and sometimes held on a separate DBS file in alphabetical order by name for future reference.  Since filing a DBS certificate or a copy of it on the staff file is something that would be in breach of the DBS Code. 

There is a lawful reason for filing key data on DBS.  This is so that organisations may keep on top of what staff require an updated DBS.  However, the date of the email alert will differ to the date on the actual DBS certificate since the certificate will have been issued before this date.  This surely will mean that the person in the organisation that is authorised to know this level of information must see a copy of the certificate so that the correct date of issue can be checked and key data written down such as name linked to the expiry date in 3 years time.   In some organisations that I work with this practice definitely does not take place. 

If the certificate is seen and key details recorded, the email alerts can then be destroyed within six months and an on-going list of certificate numbers and the name to who they have been issued with expiry dates can be kept for lawful reasons only.  

Please advise whether or not it is mandatory to see the hard copy since I have not seen this written anywhere in the Code.   If not, what do you recommend.   There is a mixed bag of issues with the DBS code and in light of GDPR Regulations that came in May I see that this is an area that needs to be cleared up in my own mind to provide the correct advice.

In reply to David:

Hi David Please reply to my reply to Elizabeth's post on this.