1.1 By accepting these terms, you are agreeing to the following statements, as set out in line with the DBS guidelines and UK GDPR legislation on how we manage your data and results.
2.1 All GDPR personal data is stored within the UK. It will be stored within the UK for the duration of this contract, including any additional countries to which data may be transferred throughout the life of this contract (such as overseas checks coming from other countries into the UK). Our Data Retention systems fully comply with the Data Protection Act and all requirements of the Disclosure and Barring Service, Disclosure Scotland and the Ministry of Justice. Our systems are subject to annual penetration tests, as per the MoJ requirement.
2.2 The information held on the Council’s databases for performance of the said service is registered under the UK GDPR and the Organisation undertakes to maintain the confidentiality of data to which it has authorised access under the terms of this Agreement and the Organisation hereby indemnifies the Council against loss, destruction or unauthorised disclosure of data by itself, its servants or agents within the meaning of the GDPR.
3.1 Operations and data are held within the UK only.
4.1 Multiple checks submitted and processed through with data being collected by means of a web-responsive app which facilitates data entry and document upload for the purpose of DBS check processing and assessment.
4.2 For DBS checks, data is stored on servers for 6 months. After 6 months all personal data is removed, other than name, DOB, reference number, disclosure date of issue, disclosure number and the data transferred to archive storage to allow for auditing and retrospective review. This archiving meets the secure data storage requirements of the Disclosure and Barring Service and fully meets all Data Protection and ISO 27001 security parameters.
5.1 The Processing will be for the purposes of digitally capturing personal information from candidates to relay to the DBS to conduct a DBS check. The information gathered is held on secure servers and then submitted to the DBS using a secure encrypted link. Once the check is completed, the DBS returns the result via the same digital encrypted link and updates the system. Only registered users and the candidate can see the data held within the application.
6.1 The Personal Data will include:
Name(s), email addresses, postal address, ID information, digital signature
7.1 The Data Subjects will include:
Customers, Employees/contractors, Employees of other organisations.
8.1 Any Personal Data of Data Subjects shall be retained by the Provider only for as long as is necessary for the performance of the Services and/or in compliance with the management information retention provisions (if applicable) set out in this Agreement. All Personal Data shall be either destroyed or returned to the Authority on termination of the Services.
8.2 DBS check information (application and hardcopy or PDF DBS outcome, including any attachments) is intended only for the named recipient(s). It contains privileged information and should not be read, copied or otherwise used by any other person. If DBS check information is received by any person other than the named recipient, that person should contact the sender immediately.
9.1 It is the responsibility of the Organisation and individual user to ensure that their username and password are not passed to any other individual to access the eDBS system. Where a user no longer requires access, the Organisation is responsible for letting the Council know as soon as possible to ensure they are de-activated immediately.
9.2 Once a recruitment (or other relevant) decision has been made, eDBS Services must be notified to allow us to adhere to the DBS code of practice. We do not keep Certificate information for any longer than is necessary. This is generally for a period of up to six months, to allow for the consideration and resolution of any disputes or complaints. If, in exceptional circumstances, it is considered necessary to keep Certificate information for longer than six months, we will consult the DBS about this and will give full consideration to the Data Protection and Human Rights of the individual before doing so. Throughout this time, the usual conditions regarding the safe storage and strictly controlled access will prevail. Disposal of electronic information will be by secure data destruction to security levels equivalent to HMG Infosec No. 5.
9.3 In accordance with section 124 of the Police Act 1997, Certificate information is only passed to those who are authorised to receive it in the course of their duties. We maintain a record of all those to whom Certificates or Certificate information has been revealed and it is a criminal offence to pass this information to anyone who is not entitled to receive it.
9.4 Certificate information is only used for the specific purpose for which it was requested and for which the applicant’s full consent has been given.
9.5 All data is stored in encrypted form and access is only by password-authenticated users. The online systems used to store information are located in a secure facility which undergoes regular security penetration testing and security audits to meet DBS security requirements. Information management processes are compliant with ISO 27001. User accounts have access only to the information needed for processing purposes for their specific role.