DBS is the new CRB
Eugene Farrell
Andrew Kinder
4 September 2013
Disclosure and Barring Service
(DBS)
• The Disclosure and Barring Service (DBS) helps employers
make safer recruitment decisions and prevent unsuitable
people from working with vulnerable groups, including
children. It replaces the Criminal Records Bureau (CRB) and
Independent Safeguarding Authority (ISA).
• DBS are responsible for:
• processing requests for criminal records checks
• deciding whether it is appropriate for a person to be placed
on or removed from a barred list
• placing or removing people from the DBS children’s barred
list and adults’ barred list for England, Wales and Northern
Ireland
Barring
• There are 2 main ways cases come to DBS:
• Autobars - there are 2 types of automatic barring cases where a person
has been cautioned or convicted for a ‘relevant offence’:
• automatic barring without representations offences will result in the
person being placed in a barred list(s) by the DBS irrespective of whether
they work in regulated activity
• automatic barring with representations offences may, subject to the
consideration of representations and whether the DBS believes that the
person has worked in regulated activity, is working in regulated activity or
may in future work in regulated activity, this may also result in the person
being placed on a DBS barred list(s)
• referrals from an organisation that has a legal duty or power to make
referrals to DBS: typically there is a duty, in certain circumstances, on
employers to make a referral to the DBS when they have dismissed or
removed an employee from working in regulated activity, following harm
to a child or vulnerable adult or where there is a risk of harm
Types of check
•
•
•
•
•
•
•
•
•
Types of check
Organisations who are entitled to use the DBS checking service can ask successful
job applicants to apply for one of the following types of check depending on the
job role:
standard check - details of an individual’s convictions, cautions, reprimands or
warnings recorded on police central records and includes both ‘spent’ and
‘unspent’ convictions
enhanced check - the same details as a standard check, together with any
information held locally by police forces that it is reasonably considered might be
relevant to the post applied for
enhanced with a barred list check:
child barred list information is only available for those individuals engaged in
regulated activity with children and a small number of posts as listed in the Police
Act regulations, for example prospective adoptive parents
adult barred list is only available for those individuals engaged in regulated activity
with adults and a small number of posts as listed in the Police Act regulations
child and adult barred list is only available for those individuals engaged in
regulated activity with both vulnerable groups including children and a small
number of posts as listed in the Police Act regulations
adult first - an individual can be checked against the DBS adult barred list while
waiting for the full criminal record check to be completed
Process
• Stage 1 - application form received and validated
• The application form is checked for errors or omissions. Within 24
hours of receipt the form is either scanned onto the DBS computer
system or returned for correction to the countersignatory.
• Stage 2 - Police National Computer searched
• Stage 3 - children and adults lists searched, where applicable
• Stage 4 - records held by the police searched
• Enhanced checks are sent by secure, electronic means to the police
for an additional check of local records before the information is
sent back to the DBS.
• Stage 5 - DBS certificate printed
• All the information to be disclosed is printed under highly secure
procedures and sent to the applicant.
Employers
•
•
•
•
These are the basic steps for a DBS check:
Get the application form from DBS or your umbrella body.
Ask the candidate to fill in the application form.
Send the application form to your umbrella body or DBS. If
your organisation is registered with DBS the
countersignatory has to sign the form.
• DBS will send to the certificate to the applicant. The
employer will have to ask the applicant to see the
certificate.
• If the applicant has subscribed to the DBS update service
the employer can check their certificate online.
• Best to apply for the update service at the same time.
Certificate
• Once the check is completed, the DBS will send a certificate listing
the results to the applicant. The employer will have to ask the
applicant to see the certificate.
• Security features
• Certificates have security features to prove they’re genuine:
• a ‘crown seal’ watermark repeated down the right hand side, visible
both on the surface and when holding it up to the light
• a background design featuring the word ‘Disclosure’, which appears
in a wave-like pattern across both sides of the certificate; the
pattern’s colour alternates between blue and green on the reverse
of the certificate
• ink and paper that change colour when wet
• Certificates printed by the DBS have these security features, but
ones sent by email don’t.
DBS Update service
• When you join, you’ll get an online account that lets you:
• take your certificate from one job to the next
• give employers permission to check your certificate online, and see who
has checked it
• add or remove a certificate
• Cost £13 per year
• Employers and other organisations
• Employers and other organisations can check someone’s DBS certificate
status online and get a result straight away.
• There’s no registration process or fee for employers to check a certificate
online, but employers:
• must be legally entitled to carry out a check
• have the worker’s permission
• Cost £0 for employer
Protection of Freedoms Act
2012
Regulated activity
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Parts 1 and 3 of Schedule 4 to the Safeguarding Vulnerable Groups Act 2006 (regulated activity relating to children and the
period condition) are amended as follows.
(2)In paragraph 1(1)(b) (frequency and period condition for regulated activity), at the beginning, insert “except in the case of
activities falling within sub-paragraph (1A),”.
(3)After paragraph 1(1) insert—
“(1A)The following activities fall within this sub-paragraph—
(a)relevant personal care, and
(b)health care provided by, or under the direction or supervision of, a health care professional.
Children
(1C)In this Part of this Schedule —
“health care” includes all forms of health care provided for children, whether relating to physical or mental health and also
includes palliative care for children and procedures that are similar to forms of medical or surgical care but are not provided
for children in connection with a medical condition,
“health care professional” means a person who is a member of a profession regulated by a body mentioned in section 25(3)
of the National Health Service Reform and Health Care Professions Act 2002.
Organisations need to consider whether an individual meets the following conditions:
Do they meet the definition of the activity?
Do they need to consider the DFE supervision statutory guidance?
Do they meet the relevant frequency or intensively condition?
Frequently or intensively means carried out by the same person frequently (once a week or more often), or on 4 or
more days in a 30 day period (or in some cases overnight between 2am and 6am, where there is opportunity for face-toface contact).
Where they are not carrying out an activity but their work takes place in a specified establishment do they meet the
frequency or intensively condition and have opportunity for contact with children while carrying out their duties?
Additionally where they are not carrying out an activity but their work takes place in a specified establishment is their
work to provide occasional or temporary services?
Adults
•
•
•
•
•
•
•
There are now only six types of activity which can be classed as regulated activity
relating to adults
healthcare for adults provided by, or under the direction or supervision of a
regulated health care professional
personal care for adults involving hand-on physical assistance with washing and
dressing, eating, drinking and toileting; prompting and supervising an adult with
any of these tasks because of their age, illness or disability; or teaching someone
to do one of these tasks
social work - provision by a social care worker of social work which is required in
connection with any health services or social services
assistance with an adult’s cash, bills or shopping because of their age, illness or
disability arranged via a third party
assisting in the conduct of an adult’s own affairs under a formal appointment
conveying adults for reasons of age, illness or disability to, from, or between
places, where they receive healthcare, personal care or social work arranged via a
third party
Data Protection Act
DPA Pt 1
•
•
•
•
•
•
•
•
Personal data shall be processed fairly and lawfully and, in particular, shall not be processed
unless—E+W+S+N.I.
(a)at least one of the conditions in Schedule 2 is met, and
(b)in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
2- Personal data shall be obtained only for one or more specified and lawful purposes, and shall not
be further processed in any manner incompatible with that purpose or those purposes.E+W+S+N.I.
3- Personal data shall be adequate, relevant and not excessive in relation to the purpose or
purposes for which they are processed.E+W+S+N.I.
4- Personal data shall be accurate and, where necessary, kept up to date.E+W+S+N.I.
5- Personal data processed for any purpose or purposes shall not be kept for longer than is
necessary for that purpose or those purposes.E+W+S+N.I.
6- Personal data shall be processed in accordance with the rights of data subjects under this
Act.E+W+S+N.I.
7- Appropriate technical and organisational measures shall be taken against unauthorised or
unlawful processing of personal data and against accidental loss or destruction of, or damage to,
personal data.E+W+S+N.I.
8- Personal data shall not be transferred to a country or territory outside the European Economic
Area unless that country or territory ensures an adequate level of protection for the rights and
freedoms of data subjects in relation to the processing of personal data.
Schedule 2
• 1- The data subject has given his consent to
the processing.E+W+S+N.I.
• 2 -The processing is necessary—E+W+S+N.I.
(a)for the performance of a contract to which
the data subject is a party, or
(b)for the taking of steps at the request of the
data subject with a view to entering into a
contract.
Schedule 3
• The data subject has given his explicit consent to the processing of the
personal data.E+W+S+N.I.
• 2(1)The processing is necessary for the purposes of exercising or
performing any right or obligation which is conferred or imposed by law
on the data controller in connection with employment.E+W+S+N.I.
• The processing—E+W+S+N.I.
• (a)is carried out in the course of its legitimate activities by any body or
association which—
(i)is not established or conducted for profit, and
(ii)exists for political, philosophical, religious or trade-union purposes,
• (b)is carried out with appropriate safeguards for the rights and freedoms
of data subjects,
• (c)relates only to individuals who either are members of the body or
association or have regular contact with it in connection with its purposes,
and
Scenarios
Loss of information
• If, despite the security measures you take to protect the personal
data you hold, a breach of security occurs, it is important to deal
with the breach effectively. The breach may arise from a theft, a
deliberate attack on your systems, the unauthorised use of personal
data by a member of staff, accidental loss, or equipment failure.
However the breach occurs, you must respond to and manage the
incident appropriately. You will need a strategy for dealing with the
breach, including:
• a recovery plan, including damage limitation;
• assessing the risks associated with the breach;
• informing the appropriate people and organisations that the breach
has occurred; and
• reviewing your response and updating your information security.
Security
•
•
•
•
•
•
•
•
•
Computer security
Install a firewall and virus-checking on your computers.
Make sure that your operating system is set up to receive automatic updates.
Protect your computer by downloading the latest patches or security updates, which should cover
vulnerabilities.
Only allow your staff access to the information they need to do their job and don’t let them share
passwords.
Encrypt any personal information held electronically that would cause damage or distress if it were
lost or stolen.
Take regular back-ups of the information on your computer system and keep them in a separate
place so that if you lose your computers, you don’t lose the information.
Securely remove all personal information before disposing of old computers (by using technology or
destroying the hard disk).
Consider installing an anti-spyware tool. Spyware is the generic name given to programs that are
designed to secretly monitor your activities on your computer. Spyware can be unwittingly installed
within other file and program downloads, and their use is often malicious. They can capture
passwords, banking credentials and credit card details, then relay them back to fraudsters. Antispyware helps to monitor and protect your computer from spyware threats, and it is often free to
use and update.
E mail security
•
•
•
•
•
•
Email security
Consider whether the content of the email should be encrypted or password
protected. Your IT or security team should be able to assist you with encryption.
When you start to type in the name of the recipient, some email software will
suggest similar addresses you have used before. If you have previously emailed
several people whose name or address starts the same way - eg “Dave” - the autocomplete function may bring up several “Daves”. Make sure you choose the right
address before you click send.
If you want to send an email to a recipient without revealing their address to other
recipients, make sure you use blind carbon copy (bcc), not carbon copy (cc). When
you use cc every recipient of the message will be able to see the address it was
sent to.
Be careful when using a group email address. Check who is in the group and make
sure you really want to send your message to everyone.
If you send a sensitive email from a secure server to an insecure recipient, security
will be threatened. You may need to check that the recipient’s arrangements are
secure enough before sending your message.
ICO Registation
• The Data Protection Act 1998 requires every
data controller (eg organisation, sole trader)
who is processing personal information to
register with the ICO, unless they are exempt.