If your organisation receives criminal record information as part of your recruitment process, you have a duty to handle it responsibly.
The Disclosure and Barring Service (DBS) Code of Practice exists to make sure organisations use DBS check results fairly, store information securely, and only share it with people who genuinely need to see it.
In 2023-24 alone, the DBS issued almost 7.4 million DBS certificates across England and Wales. With that volume, it’s essential that employers have clear, compliant processes for requesting checks, reviewing outcomes, and managing sensitive data.
What is the DBS, and what does it stand for?
DBS stands for the Disclosure and Barring Service, the government body responsible for processing criminal record checks in England and Wales.
In certain roles, the DBS also supports safeguarding by checking whether someone is barred from working with children and/or vulnerable adults. Employers use the result to make safer recruitment decisions and to ensure that the right level of screening is carried out for the role.
You might still hear people refer to ‘CRB Checks’. This is because the DBS replaced the Criminal Records Bureau (CRB) and the Independent Safeguarding Authority (ISA) back in 2012, bringing those services together under one system.
What is the DBS Code of Practice?
A DBS check is a criminal record check that helps employers make safe, informed recruitment decisions. A DBS check reveals any relevant details about an applicant’s criminal history; depending on the level of check, this could show anything from unspent convictions to police-issued warnings. For certain roles, depending on the nature of the offence, this may mean someone is barred from working in regulated activity.
The DBS Code of Practice is the rulebook for how organisations must manage the process around checks, not just the application itself.
In plain terms, it sets expectations for:
- Requesting the right level of check for every role
- Verifying identity correctly
- Treating applicants fairly, especially those with convictions
- Handling certificate information securely (including retention and disposal)
Who does the DBS Code of Practice apply to?
The Code of Practice applies to organisations that are Registered Bodies with DBS, and to recipients of DBS Update Service Information (when they check certificate status with the individual’s consent).
It covers:
- Registered Bodies (organisations that can request DBS checks directly with the DBS)
- Umbrella Bodies (organisations that fall under the ‘Registered Bodies’ category and can submit checks on behalf of other non-registered organisations)
- Employers using the Update Service to check whether a certificate is still current (with permission)
What does the DBS Code of Practice require?
There are a few key requirements employers should know when it comes to the Code of Practice.
- Registration details
If you’re a Registered Body (or working through an umbrella company), the Code expects your registration details to be kept accurate and up to date. This helps the DBS verify that checks are being requested legitimately and means the right people can be contacted if there are questions about an application, compliance, or safeguarding.
This means keeping things like your organisation’s details, nominated contacts, and relevant account information current, and updating the DBS if anything changes.
- Application process
The Code requires organisations to follow the correct DBS application process and only to request checks where they’re legally entitled to do so. This is partly about safeguarding, but it’s also about fairness and preventing the misuse of DBS systems.
A compliant application process typically includes making sure:
- The candidate understands that a DBS check is being requested and why
- The correct level of check is selected for the role
- The application is completed accurately to avoid delays
- Identity verification is carried out in line with DBS guidance
Getting the application stage right helps protect the candidate and your organisation. It also helps reduce the risk of checks being held up by avoidable errors.
- Written policy
You should have a clear, written policy explaining how you handle DBS information. This should be available to applicants so they understand what you’ll do with any information they disclose and how it will be protected.
As part of this, make sure your policy reflects current data protection expectations (including UK GDPR and the Data Protection Act 2018), rather than older, outdated references.
- Use and disclosure on a strict need-to-know basis
DBS information must only be used for the purpose it was requested — typically for checking if someone is suitable for a specific role. You should never share it internally unless the person receiving the information has a legitimate role-related reason to see it.
A simple rule of thumb: if someone doesn’t need the information to make the recruitment or safeguarding decision, they shouldn’t have access to it.
- Secure storage, controlled access and safe disposal
DBS certificate information is sensitive and should be handled as such. That means:
- Secure storage (whether physical or digital)
- Restricting access to only those who need it
- Secure disposal when it’s no longer needed
- Don’t keep certificate information longer than necessary
One of the most common compliance issues comes from keeping DBS certificate data for too long.
Government guidance makes it clear that certificate information should be destroyed after a suitable period has passed, usually no longer than six months.
This period is intended to give enough time to resolve any disputes or complaints, not to create a long-term archive.
- Identity verification must follow DBS guidance
Identity checking is a core safeguard. The Code expects you to follow DBS identity guidance to make sure the application relates to the correct person and to reduce fraud risk.
Where possible, identity documents should be verified properly and recorded in line with guidance, without storing more personal data than you actually need.
- A fair, consistent suitability policy
You should have a written policy on recruiting people with criminal records and apply it consistently.
Good suitability decisions consider a variety of contextual factors, including:
- Relevance of the information to the role
- Seriousness of the offence
- How long ago it occurred
- Whether the role involves a regulated activity or increased safeguarding risk
Avoid blanket bans, such as not hiring anyone who has been involved in a certain offence. The Code is designed to balance safeguarding with fair opportunities.
- Eligibility and the correct level of check
You must only request a DBS check where the role is eligible, and only at the correct level. Misusing the DBS system, for example by requesting an Enhanced check where a Basic check would be enough, can put your organisation at compliance risk.
You can learn about the different levels of DBS checks here.
- Fees
If you’re requesting DBS checks, the Code expects you to handle the fees appropriately. This includes paying the correct fee for the level of check being requested and being transparent about who’s paying.
Where candidates are asked to contribute towards the cost (where permitted), it’s best practice to be upfront and clear to avoid surprises, and make sure the arrangement is fair and consistent across applicants.
- Cooperation with compliance checks and audits
The DBS can request evidence of compliance, so you should be prepared to provide any supporting documentation they ask for. Think about your policies, audit trails, and evidence of your processes, and be sure to respond to the DBS promptly.
What happens if the Code of Practice is breached?
Breaching the DBS Code of Practice can create some big risks for your business, legally, operationally, and reputationally.
Some of the consequences can include:
- Data protection breaches: These occur if sensitive criminal record data is mishandled. The Information Commissioner’s Office (ICO) can also step in if you break data protection laws while failing to follow the Code. That could lead to further legal action and financial penalties of up to £17.5 million or 4% of an organisation’s annual turnover (whichever is higher).
- DBS action against your organisation’s ability to process checks: This may include increased compliance requests, and changes, suspension, or cancellation of your registration arrangements. In the most serious cases, your ability to request DBS checks could be permanently revoked.
- Loss of trust with candidates, clients, regulators, and the wider public, particularly in safeguarding-focused sectors
The simplest protection is consistency: a clear policy, controlled access, secure storage, and a defined retention and disposal process go a long way.
What is a DBS consent code?
A DBS consent code is used to confirm that an applicant has given permission for an organisation to check their certificate status, for example, via the DBS Update Service.
Consent-based access is not a free pass to download, print, or distribute sensitive information, so the same need-to-know and secure-handling principles still apply.
Get DBS checks with uCheck
If you want to simplify compliance while keeping hiring moving, we bring the key pieces together.
- Over 80,000 organisations trust uCheck to handle their pre-employment screening
- We complete over 1,000,000 DBS checks each year
- Most of our checks are completed within 48 hours – and our Enhanced DBS checks are typically returned up to 40% faster than national averages
- Our easy-to-use HR platform streamlines the entire process, allowing you to request and track multiple checks in one central place
- Our UK-based client support team is on hand via live chat or phone
Reduce admin and support your team today with our online DBS checks.
