
All you need to know about the DBS Code of Practice

If you receive DBS check information for a current or prospective employee, you have a legal duty to handle it in line with the DBS Code of Practice. This code sets out the way to manage, store, and share sensitive criminal record information. 

In this guide, our employment law experts explain what the DBS Code of Practice involves, including your responsibilities as an employer and how to use a DBS consent code correctly.

What is the DBS code of practice?

The DBS Code of Practice 2015 is essentially a set of rules and guidelines issued by the Disclosure and Barring Service (DBS). Its main purpose is to make sure that organisations that use DBS checks, and those who receive information from the DBS, handle sensitive personal information responsibly, fairly, and in accordance with the law.

Think of it as a user manual and a set of ethical principles all rolled into one for anyone interacting with the DBS checking system.

What does the DBS code of practice state? 

Let’s run through some of the most significant points from the DBS code of practice, so you can make sure your organisation is handling DBS data correctly. 

Written policy

You must have a written policy that outlines how you securely handle the information provided by the DBS. This should be accessible to anybody you’re asking to complete a DBS application form, so it’s a good idea to upload it electronically. By having a policy in place, you make sure that you’ve got all the processes and procedures set out to handle this sensitive information and stay in line with the Data Protection Act 1998.

Disclosing information to irrelevant individuals

When you receive information from the DBS about an employee, you shouldn’t “disclose information to any member, officer or employee where it’s not related to that employee’s duties”. 

The only reason this changes is if a relevant legal exception applies. Don’t go around risking a penalty. Keep this information between you and only the people who need to know. 

Holding data no longer than necessary

Once the DBS check is complete and you’ve made a decision on whether you’re going to hire someone, you shouldn’t keep their DBS certificate information for longer than six months. This is a data handling procedure set out in the DBS code of practice that makes sure companies don’t keep hold of information any longer than needed.

The DBS Code of Practice is a vital framework that underpins the entire DBS checking process, aiming to balance the need for safeguarding with the rights and privacy of individuals. It makes sure that organisations using DBS checks do so ethically, legally, and effectively.

Who does the code of practice apply to? 

The DBS itself clearly states who the Code of Practice applies to. According to the official document:

“The Code of Practice applies to all Registered Bodies with the Disclosure and Barring Service (DBS) under section 120 of the Police Act 1997 (Registered Bodies) and recipients of Update Service information under section 116a of the Police Act 1997. This includes those Registered Bodies that provide an umbrella function to non registered organisations. The Code refers to any information exchanged between DBS and the Registered Body.”

In simpler terms, this means the Code of Practice 2015 is the rulebook for:

  • Organisations registered with the DBS (Registered Bodies): These are the companies, charities, and other entities that are officially signed up with the DBS to request criminal record checks. The Code sets out how they must operate when asking for and handling DBS information.
  • Those using the DBS update service: This includes both individuals who subscribe to the service to keep their DBS certificates up to date and organisations that check the status of these certificates online, with consent.
  • Umbrella bodies: Even if an organisation acts as a go-between (an “umbrella function”) for other non-registered organisations needing DBS checks, they still fall under the Code of Practice.

Essentially, if you’re an organisation directly registered with the DBS or you’re using the DBS Update Service, then the Code of Practice is relevant to you. It governs how any information is shared between your organisation (or you, if you’re an individual using the Update Service) and the DBS.

The DBS code of practice obligations 

The DBS Code of Practice sets out a number of important responsibilities for employers and organisations using the update service. These are all about protecting vulnerable groups and making sure sensitive personal data is handled fairly and properly.

Let’s take a closer look at each of the eight core obligations and what they mean in practice:

1. Registration details

To start, you need to keep your registration details with the DBS accurate and up to date. That might sound obvious, but it’s important for keeping things running smoothly and making sure only legitimate organisations carry out checks.

Here’s what’s involved:

  • You must provide correct information when you register, including your candidate’s name, address, contact info and the types of check you’re requesting. 
  • If anything changes, like your address or who the candidate’s Nominated Contact is, you’ll need to let the DBS know straight away.
  • You also need to be clear about the kinds of roles you’re requesting checks for (e.g. a nurse, a school teacher, a lawyer) and why, so the DBS can make sure you’re using the system correctly.

Having the right, up-to-date registration details allows the DBS to communicate effectively with you or your candidate, provide important updates, and make sure that you’re requesting checks for appropriate purposes. It also helps with compliance monitoring and addressing any queries or issues that may arise.

2. Application process

There’s a proper way to request DBS checks, and following the right steps helps make the process fair, efficient and legally sound.

That means:

  • Only apply for a DBS check if you’re legally entitled to request one for that role.
  • Make sure the applicant knows what’s happening and has given their informed consent.
  • Complete the forms accurately – errors and missing information cause delays.
  • Give the applicant clear information about the process and what to expect.
  • Submit the application through the correct DBS channels.

Following the application process correctly will protect you and the candidate, and help to keep the process smooth, avoid any unnecessary delays, and get you the results quicker!

3. Identity verification

Checking someone’s identity is a key part of the DBS process. It makes sure the check is being carried out on the right person and helps prevent fraud.

Here’s what that involves:

  • You must follow the DBS’s identity checking guidelines carefully, including checking documents from different categories (like passports, bills, or bank statements).
  • The applicant’s documents should be checked in person, where possible, and the photos compared visually to the individual.
  • You should also keep a record of which documents you checked, in line with DBS guidance.

Strong ID checks help maintain the integrity of the whole system and keep everyone safer.

4. Data handling

DBS checks involve highly sensitive personal information, and how you handle that information really matters. If you mishandle any of the candidate’s data, it could have severe consequences for your business and for how you deal with the DBS going forward.

What you need to do:

  • Store DBS certificates and related data securely, whether physical or digital.
  • Only allow access to those who genuinely need to see the information for recruitment purposes.
  • Use the information appropriately and only for the reason it was requested.
  • Don’t keep it longer than necessary, usually no more than six months after a hiring decision.
  • Once it’s no longer needed, dispose of it securely (like shredding paper copies or permanently deleting digital files).
  • And of course, follow all relevant data protection laws, including GDPR.

Handling data responsibly protects your applicants, builds trust, and keeps you on the right side of the law.

5. Suitability policy

Having a clear policy on how you deal with criminal record information helps make sure people are treated fairly, especially those with past convictions.

What does that mean in practice?

  • You should have a written policy on the recruitment of people with criminal records, and be ready to share it with applicants if asked.
  • When considering disclosures, look at the full picture, things like how serious the offence was, how long ago it happened, the person’s age at the time, and whether it’s relevant to the role.
  • Avoid blanket bans; each case should be considered individually.
  • Give applicants the chance to explain the context or share any mitigating circumstances.
  • Focus on what matters: the potential risk in the context of the job role.

It’s all about balancing safeguarding with fair opportunity. Having a clear, thoughtful policy makes that easier.

6. Payment of fees

This one’s pretty straightforward. If you’re requesting DBS checks, you’re also responsible for paying the correct fees! That is, unless someone else (like the applicant) is covering the cost.

You should:

  • Understand the current DBS fee structure (it varies depending on the type of check). We clearly outline all our DBS checking services.
  • Use the accepted payment methods.
  • Be clear about who’s paying, and if you do charge the applicant, be upfront and transparent about it.

Paying the right fees on time helps avoid any unnecessary delays.

7. Eligibility

You should only request DBS checks for roles that are legally eligible, and for the correct level of check.

To make sure you’re on the right track:

  • Get to know the relevant legislation and DBS guidance, like the Safeguarding Vulnerable Groups Act 2006.
  • Match the level of check (Basic, Standard, or Enhanced) to the responsibilities of the role.
  • If the role involves regulated activity, make sure you request the right workforce type. To learn more about the different workforce types, take a look at our blog: What does a DBS workforce type mean?
  • Be prepared to justify why a check is needed.

Getting this right is crucial — it protects applicants’ rights and makes sure your safeguarding processes are legally sound.

Want to learn more about which DBS check you need? Take a look at our guide on the different types of DBS checks.

8. Compliance requests

From time to time, the DBS might ask for information or carry out an audit to make sure you’re complying with the Code of Practice.

When that happens, you need to:

  • Respond promptly and honestly to any DBS enquiries.
  • Cooperate fully with audits and compliance checks.
  • Be ready to provide documentation if asked, whether it’s related to your application process, data handling, or policies.
  • Take steps to resolve any issues that are flagged.

Compliance checks help the DBS keep the system fair and safe, and your cooperation plays a big part in that.

What happens if the code of practice is breached? 

It’s really important to follow the rules in the DBS Code of Practice. Not doing so can have serious consequences for your organisation and the people you work with. Here’s a breakdown of what could happen:

  • Fines and penalties: If sensitive DBS information isn’t handled or stored properly, you could face enforcement action. That might include fines or other penalties.
  • Data protection breaches: The Information Commissioner’s Office (ICO) can step in if you break data protection laws while failing to follow the code. That could lead to further legal action and financial penalties.
  • Reputational damage: Mishandling personal information or failing to safeguard vulnerable people can harm your organisation’s reputation. Once trust is lost, it’s hard to win back.
  • Action from the DBS: If you’re not meeting your responsibilities, the DBS can take direct action. This might involve:
      • Increased checks and audits: Expect more frequent and thorough inspections from the DBS.
      • Conditions on your registration: The DBS might place specific requirements on how you operate.
      • Suspension of your registration: You could be temporarily stopped from requesting DBS checks.
      • Cancellation of your registration: In serious cases, your ability to request DBS checks could be permanently revoked.
  • Undermining safeguarding: Breaching the Code can compromise the very reason DBS checks exist – to protect vulnerable groups. 
  • Loss of trust in the DBS system: When organisations don’t follow the rules, it can make people lose faith in the entire DBS checking process.

In short, sticking to the DBS Code of Practice isn’t just about avoiding penalties; it’s about handling sensitive information responsibly, protecting individuals, and maintaining your organisation’s good standing.

What is a DBS consent code? 

A DBS consent code is a unique code that an employee/applicant can share with you to let you view their certificate online. The DBS share code for employers only means that you can view the person’s certificate — it must not be printed.

DBS checks with uCheck 

For a stress-free and smooth experience, get your employee’s DBS checks with uCheck! We provide numerous levels of DBS checks, including Basic, Standard and Enhanced. And with our simple pay-as-you-go billing, you only pay for what you need.

With uCheck, you get:

  • Rapid turnaround – 24/48 hours on average
  • Trust and confidence – we’re trusted by over 30,000 happy customers
  • A secure, Home Office approved system

Please don’t hesitate to get in touch with us if you’ve got any more questions – we’re more than happy to help.

Our blogs are advisory in nature and reflect uCheck Limited’s current thinking about best and common practice in the subjects discussed.

The information contained in our blogs has been provided for information purposes only. This information does not constitute legal, professional, or commercial advice. Whilst every care has been taken to ensure that the content is up to date, useful and accurate, uCheck gives no guarantees, undertakings, or warranties in this regard, or for any loss or damage arising directly or indirectly in connection with reliance on the use of such information.
