HR staff are required to undertake three-yearly risk assessments in respect of existing staff that have previously needed a DBS check. The DBS Govt Guidance is specific as to what data is kept for a DBS check. The HR staff want to keep records of offences and detailed information about their risk assessment, as they believe this will be useful for the next assessment 3 years hence. The level of information IMHO is both excessive and exceeds retention advice by the UK Gov. of 6 months. HR have allegedly been told by the ICO help line that it's OK to keep the data as they have Schedule 1 and Article 6 bases. HR feel that the ICO advice overrules the UK Gov Guidance on DBS data. Advice please.
Chris Roberts
I regularly deal with DBS data in our client base. My view is that the organisation only needs to hold the DBS Pass or Fail status of the prospective/current staff member. There are a number of very good services in the UK that help HR teams gain the information they need without having to process significant personal data. If I were an HR team I’d want to reduce my risk – what’s really behind their wanting to keep all this detail is perhaps the key to understanding the situation and resolving it appropriately?
Smurf333
Thanks for the response Chris. The key for wanting to keep the data is that they don’t want to replicate information they have already requested 3 years previously, and the added inconvenience of dealing with staff questioning why they need it again. Ways of decreasing their workload around DBS involve reducing the number of positions that require a DBS check, which from a risk management perspective may not be serving the interests of the organisation and its customers. I have in the interim received advice from the ICO that is in line with my views, and conveyed this to our HR department.