Editorial & Advertiser disclosure

Global Banking & Finance Review® is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.

Home > Business > STEP BY STEP: HOW BUSINESSES SHOULD KEEP EMPLOYEE’S DATA AS PRIVATE AS POSSIBLE

STEP BY STEP: HOW BUSINESSES SHOULD KEEP EMPLOYEE’S DATA AS PRIVATE AS POSSIBLE

Published by Gbaf News

Posted on September 12, 2017

7 min read

Last updated: January 21, 2026

Shisha tobacco culture growth and global impact on cafes and social gatherings - Global Banking & Finance Review — An illustration depicting the rise of shisha tobacco culture and its influence on social gatherings, cafes, and restaurants, highlighting its global market growth as discussed in the FMI study.

For most businesses, handling an employee’s confidential data can present a number of challenges.

It is important to educate the team on the importance of handling data to ensure confidence to not have to face any of the legal implications of a data leak.

Here, Michelle Mellor, Managing Director at Personnel Checks, gives her top advice on how companies should handle confidential information in the best way possible.

How should a business keep DBS data private?

First and foremost, in line with the DBS code of practice, businesses need a formal written policy on the secure handling of any information provided.

Companies would usually request DBS checks for successful job applicants, at which point they must make the details of this policy available to the applicant in question.

The employer must handle all information provided to them by DBS in line with the obligations under Data Protection Act 1998.

What can a business do with DBS data?

To keep a record, businesses that receive DBS information can look:

The date of issue of a disclosure
The name of the subject
The type of disclosure requested
The position for which the disclosure was requested
The unique reference number of the disclosure
The details of the recruitment decision taken

What can’t a business do with DBS data?

A business cannot reproduce a DBS certificate or related information in such a way that it infers that it is a certificate issued by DBS.

Disclosure information should never be kept on an applicant’s personnel file and should be kept separately and securely, in a lockable, non-portable storage container with access strictly controlled and limited to those who are entitled to see it as part of their duties.

How long are companies allowed to keep hold of DBS data?

Once a recruitment decision has been made, organisations should not keep disclosure information for any longer than is absolutely necessary. This is generally for a period of up to six months to allow for the consideration and resolution of any disputes or complaints.

How should they dispose of it?

Organisations should ensure that the information is destroyed via secure means, i.e. by shredding, pulping or burning.

Employee files should be kept in a secure, locked cabinet, and access should be restricted to trusted individuals. In line with regulations, DBS reports should be securely destroyed after six months.

What are employers legally allowed to do if they find criminal information on a DBS check?

The DBS code of practice states that employers must ensure that all applicants for relevant positions are notified in advance of the requirement for a disclosure.

Employers should also notify all applicants of the potential effect of a criminal record history on the recruitment and selection process and any recruitment decision. The content of the disclosure should be discussed with the applicant before withdrawing any offer of employment.

As outlined in the Recruitment of Ex-Offenders Act 1974:

“All employers must treat Disclosure and Barring Service (DBS) check applicants who have a criminal record fairly and not discriminate automatically because of a conviction or other information revealed.”

What should a company do with an employee who leaks DBS data?

A leak of any applicant’s personal information should mean disciplinary action against the employee responsible. This could even lead to the termination of that employee’s contract.

It is an employer’s responsibility to ensure all staff understand their responsibility when handling confidential data and the consequences they should expect if they breach guidelines.

Before any disciplinary action can begin, however, a full and proper investigation should take place to determine whether formal procedures are necessary.

Breach of confidentiality is gross misconduct, and the company in question must make a decision based on the severity of the breach.

For most businesses, handling an employee’s confidential data can present a number of challenges.

It is important to educate the team on the importance of handling data to ensure confidence to not have to face any of the legal implications of a data leak.

Here, Michelle Mellor, Managing Director at Personnel Checks, gives her top advice on how companies should handle confidential information in the best way possible.

How should a business keep DBS data private?

First and foremost, in line with the DBS code of practice, businesses need a formal written policy on the secure handling of any information provided.

Companies would usually request DBS checks for successful job applicants, at which point they must make the details of this policy available to the applicant in question.

The employer must handle all information provided to them by DBS in line with the obligations under Data Protection Act 1998.

What can a business do with DBS data?

To keep a record, businesses that receive DBS information can look:

The date of issue of a disclosure
The name of the subject
The type of disclosure requested
The position for which the disclosure was requested
The unique reference number of the disclosure
The details of the recruitment decision taken

What can’t a business do with DBS data?

A business cannot reproduce a DBS certificate or related information in such a way that it infers that it is a certificate issued by DBS.

Disclosure information should never be kept on an applicant’s personnel file and should be kept separately and securely, in a lockable, non-portable storage container with access strictly controlled and limited to those who are entitled to see it as part of their duties.

How long are companies allowed to keep hold of DBS data?

Once a recruitment decision has been made, organisations should not keep disclosure information for any longer than is absolutely necessary. This is generally for a period of up to six months to allow for the consideration and resolution of any disputes or complaints.

How should they dispose of it?

Organisations should ensure that the information is destroyed via secure means, i.e. by shredding, pulping or burning.

Employee files should be kept in a secure, locked cabinet, and access should be restricted to trusted individuals. In line with regulations, DBS reports should be securely destroyed after six months.

What are employers legally allowed to do if they find criminal information on a DBS check?

The DBS code of practice states that employers must ensure that all applicants for relevant positions are notified in advance of the requirement for a disclosure.

Employers should also notify all applicants of the potential effect of a criminal record history on the recruitment and selection process and any recruitment decision. The content of the disclosure should be discussed with the applicant before withdrawing any offer of employment.

As outlined in the Recruitment of Ex-Offenders Act 1974:

“All employers must treat Disclosure and Barring Service (DBS) check applicants who have a criminal record fairly and not discriminate automatically because of a conviction or other information revealed.”

What should a company do with an employee who leaks DBS data?

A leak of any applicant’s personal information should mean disciplinary action against the employee responsible. This could even lead to the termination of that employee’s contract.

It is an employer’s responsibility to ensure all staff understand their responsibility when handling confidential data and the consequences they should expect if they breach guidelines.

Before any disciplinary action can begin, however, a full and proper investigation should take place to determine whether formal procedures are necessary.

Breach of confidentiality is gross misconduct, and the company in question must make a decision based on the severity of the breach.