Handling of DBS Certificate Information Policy

IALM

Handling of DBS Certificate Information Policy

1. Purpose

This policy explains the obligations of the Institute for Advanced Learning and Metacognition (IALM) with regard to the secure storage, handling, use, retention and disposal of Disclosure and Barring Service (DBS) certificates and the information they contain.

2. General principles

As an organisation that uses the DBS checking service to help assess the suitability of individuals for positions of trust, IALM complies fully with the DBS Code of Practice in relation to the correct handling, use, storage, retention and disposal of certificates and certificate information.

IALM also complies fully with its obligations under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and other relevant legislation relating to the safe handling, use, storage, retention and disposal of certificate information. This written policy is available to anyone who wishes to see it on request.

3. Scope

This policy applies to everyone involved in requesting, receiving, viewing, handling, storing or disposing of DBS certificate information on behalf of the Institute, including trustees, employees and volunteers. Access to certificate information is restricted to those who are entitled to see it as part of their duties — in practice, the Designated Safeguarding Lead and any nominated individual authorised to verify DBS information.

4. Storage and access

Certificate information is kept securely, with access strictly controlled and limited to those who are entitled to see it as part of their duties. Any paper-based certificate information is held separately from the individual's personnel file, in lockable, non-portable storage. Any electronic certificate information is held on a secure, password-protected system accessible only to authorised individuals. Where DBS certificates are received through an online or e-Bulk system, access is restricted by secure password controls to those authorised to view them.

5. Handling

In accordance with section 124 of the Police Act 1997, certificate information is passed only to those who are authorised to receive it in the course of their duties. The Institute maintains a record of all those to whom certificates, or certificate information, have been revealed. It is a criminal offence to pass this information to anyone who is not entitled to receive it.

6. Usage

Certificate information is used only for the specific purpose for which it was requested, and for which the applicant's full consent has been given.

7. Retention

Once a recruitment or other relevant decision has been made, the Institute does not keep certificate information for any longer than is necessary, giving full consideration to data protection law and the rights of the individual. As a general rule, certificate information is retained for no longer than six months from the date of the decision, to allow for the consideration and resolution of any disputes, complaints or appeals, or for the purpose of a safeguarding audit.

Where any DBS risk-assessment documentation is retained, it is held only for as long as necessary for the same purposes, and any decision to retain it, together with the reason, is recorded. Throughout any retention period, the usual conditions regarding safe storage and strictly controlled access continue to apply.

8. Disposal

Once the retention period has elapsed, the Institute ensures that any DBS certificate information is destroyed by secure means — for example, by shredding, pulping or burning paper records, or by securely deleting electronic files. While awaiting destruction, certificate information is not kept in any insecure receptacle (such as a waste bin or an unsecured confidential-waste sack). Where certificate information is held electronically through an online system, that information is deleted automatically after six months.

The Institute does not keep any photocopy or other image of a certificate, or any copy or representation of its contents. It may, however, keep a record of the date of issue of a certificate, the name of the subject, the type of certificate requested, the position for which it was requested, the certificate's unique reference number, and the details of the recruitment decision taken.

9. Use of a registered or umbrella body

Where the Institute processes DBS checks through a registered or umbrella body, it accepts that the body has a responsibility to help ensure that the Institute complies with the DBS Code of Practice and with this policy, and it undertakes to keep that body informed of any change in its organisation, personnel or practices that could affect this. Should the Institute ever act as an umbrella body itself, it will take all reasonable steps to satisfy itself that any organisation on whose behalf it processes checks handles certificate information in full compliance with the DBS Code of Practice and this policy.

10. Breaches of this policy

Any breach of this policy relating to the handling of DBS certificate information will be taken seriously and may lead to action under the Institute's disciplinary arrangements, as well as, where relevant, referral to the appropriate authorities.

11. Related documents

12. Further information

The DBS Code of Practice is available on the UK Government website at https://www.gov.uk/government/publications/dbs-code-of-practice.

13. Review

This policy will be reviewed by the Board of Trustees at least every two years, or sooner if required by changes in legislation, the DBS Code of Practice, or the Institute's practices.

The Board of Trustees approved this policy on 24th June 2026.

Scroll to Top