As individuals we all have a right to privacy and this includes details about spent convictions. However a range of exemptions exist that allow employers to obtain details of spent convictions and other information. It is important to note that asking a job seeker or staff member for this information or submitting request for a Disclosure and Barring Service (DBS) certificate, without a specific exemptions that allows your organisation to collect this information, is an offence.

If you are permitted to ask about spent convictions and "barring" you are then required to abide by the DBS Code of Practice in relation to the way in which you store, share and use this information.

Secure storage, handling, use, retention and disposal of Disclosure and Barring Service (DBS) certificates and certificate information

The DBS code of practice requires that all registered bodies must have a written policy on the correct handling and safekeeping of DBS certificate information.

It also obliges registered bodies to ensure that a body or individual, on whose behalf they are countersigning applications, has a written policy.

To help you meet this requirement, the DBS has produced the following sample policy statement which can be used or adapted for this purpose.

Does your organisation have an appropriate policy? When did you last read it and are you abiding by it? If you do not know the answer to any of these questions please speak urgently to your line manager for guidance.

DBS have produced a sample policy statement so your own organisation's policy will probably look something like the following.

Mishandling of information disclosed on a DBS certificate can result in both criminal and civil offences being committed and ignorance of the legislation is not a defence.

Sample Policy Statement

General principles

As an organisation using the Disclosure and Barring Service (DBS) checking service to help assess the suitability of applicants for positions of trust, [Organisation Name] complies fully with the Code of Practice regarding the correct handling, use, storage, retention and disposal of certificates and certificate information. It also complies fully with its obligations under the Data Protection Act 1998 and other relevant legislation pertaining to the safe handling, use, storage, retention and disposal of certificate information and has a written policy on these matters, which is available to those who wish to see it on request.

Storage and access

Certificate information should be kept securely, in lockable, non-portable, storage containers with access strictly controlled and limited to those who are entitled to see it as part of their duties.


In accordance with section 124 of the Police Act 1997, certificate information is only passed to those who are authorised to receive it in the course of their duties. We maintain a record of all those to whom certificates or certificate information has been revealed and it is a criminal offence to pass this information to anyone who is not entitled to receive it.

To note: those registered care homes which are inspected by the Care Quality Commission (CQC), those organisations which are inspected by Ofsted and those establishments which are inspected by the Care and Social Services Inspectorate for Wales (CSSIW ) may retain the certificate until the next inspection. Once the inspection has taken place the certificate should be destroyed in accordance with the Code of Practice.


Certificate information is only used for the specific purpose for which it was requested and for which the applicant’s full consent has been given.


Once a recruitment (or other relevant) decision has been made, we do not keep certificate information for any longer than is necessary. This is generally for a period of up to six months, to allow for the consideration and resolution of any disputes or complaints. If, in very exceptional circumstances, it is considered necessary to keep certificate information for longer than six months, we will consult the DBS about this and will give full consideration to the Data Protection and Human Rights of the individual before doing so. Throughout this time, the usual conditions regarding the safe storage and strictly controlled access will prevail.


Once the retention period has elapsed, we will ensure that any DBS certificate information is immediately destroyed by secure means, i.e. by shredding, pulping or burning. While awaiting destruction, certificate information will not be kept in any insecure receptacle (e.g. waste bin or confidential waste sack). We will not keep any photocopy or other image of the certificate or any copy or representation of the contents of a certificate. However, not withstanding the above, we may keep a record of the date of issue of a certificate, the name of the subject, the type of certificate requested, the position for which the certificate was requested, the unique reference number of the certificates and the details of the recruitment decision taken.

Source Code of Practice

Request a consultation

Please fill out the form and a member of our team will get back to you.