DBS Checks and GDPR
Alan Kitto
A number of companies have contacted us recently to clarify when Disclosure and Barring Service (DBS) checks can be carried by employers on their employees and when they can't.
The Safeguarding of Vulnerable Groups Act 2006 mandates that in certain circumstances employers are required to carry out a DBS check on their employees, including, but not limited to where they are working in the healthcare industry or in a hospital, caring for or working with children (under the age of 18) or working in a school or working with the elderly, ill or disabled adults.
It is worthy of note that not all employees working in one of these locations must have DBS check, it depends on what their role entails.
In addition to the above, employees in the following specific occupations should have DBS checks carried out by their employer; financial or legal professionals, those working the court, prison or probation service, a vet or someone employed by the RSPCA who is responsible for the human killing of animals, traffic wardens and immigration workers.
Those employees who are not required to have a DBS check undertaken by their employer by the Safeguarding of Vulnerable Groups Act 2006, should not be subjected to a employer DBS check.
Employers can find out whether they should or should not carry out a DBS check on their employees, and if they should, the specific checks that should be undertaken, by using the DBS tool on the gov.uk website: https://www.gov.uk/find-out-dbs-check.
It should be noted however that where an organisation is contracted to provide outsourced services into a place of work that would require employees to be DBS checked, they may be contractually obliged to carry out a DBS check their employee(s) even if the role(s) being carried out wouldn't normally require an employer DBS check to be carried out.
Under the General Data Protection Regulation (GDPR) personal data relating to criminal convictions and offences can only be processed:
- Under the control of official authority (i.e. a Government body); or
- When it is authorised by law providing for appropriate safeguards for the rights and freedoms of data subjects (i.e. the Safeguarding Vulnerable Groups Act 2006).
On the face of it, this means that it would be unlawful for employers to carry out criminal records checks as a matter of course, unless it relates to a role for which checks are authorised by law, for example roles involving work with vulnerable adults or children where a Disclosure and Barring Service check is required.
However, the Data Protection Act 2018, which supplements the GDPR, authorises the use of criminal records checks by organisations other than those vested with official authority (the GDPR includes a derogation to allow such legislation). The Act allows employers to process criminal convictions data where necessary for the purposes of performing or exercising employment law obligations or rights.
To carry out such processing, an employer would have to have in place a policy that explains its procedures for securing compliance with the principles of the GDPR in relation to the processing of the criminal records data, and that explains its policies on erasure and retention of the data.
The Act also authorises processing criminal records data in other circumstances, including where the subject has given his or her consent. This would allow employers to ask an employee to carry out a DBS check on themselves and share the details with the employer. The normal rules of consent however will apply, in that it must be freely given and be capable of being withdrawn or withheld without penalty.
For more information, please give is a call