DBS: Wessex LMC and Client Agreement
Please read these Terms & Conditions carefully.
Terms and Conditions
The Criminal Records Bureau (from 1st December 2012 working with the Independent Safeguarding Authority as the Disclosure and Barring Service) recommends that each Umbrella Body develops a written agreement between themselves and their clients. Therefore, the purpose of this agreement is to set out the expectations and responsibilities of both the Wessex LMC and Cantium Business Solutions Limited (Cantium) in providing the DBS service, and the clients in utilising the DBS service.
For the purposes of this document, the Umbrella Body refers to the Wessex Local Medical Committees Limited (LMC), and the client refers to any organisation (usually a General Practice) that is utilising the service offered by the LMC.
There are set standards required by the DBS, where it is necessary for both the LMC and the client to confirm that they are meeting their obligations as outlined in this agreement.
The agreement includes information on the following areas:
- An overview of the interaction between the parties (the LMC, Cantium, the client, and the applicant). The applicant is the member of staff for whom the practice wants a DBS check.
- What disclosure information the umbrella body is to share with the organisation to whom it is providing the Disclosure service
- The role each party plays, if any, in the recruitment decision and the obligation to comply with the LMC’s policy on the recruitment of ex-offenders
- What arrangements are kept in place by both parties for handling disclosure information and observing the Code of Practice including, for example, a policy on the storage and retention of disclosure information
- Where the responsibility lies for verifying the identity of an applicant
- Security of transmission arrangements for sharing disclosure information between the parties
- Service levels between the parties
- What charges will be made for providing the service
- Payment and invoicing arrangements
- Conditions regarding withdrawal of the service
An Overview of the Process
Key: Umbrella Body = Wessex LMCs and Wessex LMCs’ partner, Cantium (online e-bulk system provider)
UB Client = Umbrella Body Client i.e. a General Practice
Applicant = Member of the Practice
Sharing of Disclosure Information between Parties
- DBS Disclosure Information is returned from the DBS to the EmploymentCheck system via XML files sent over SFTP.
- This data is securely loaded into the EmploymentCheck database to allow users to view the data on the front end.
- Automated email templates can be configured to notify managers when Disclosure Results are returned.
- For email notifications, TLS 1.2 is used as standard.
- The process of loading in Disclosure Result files is automated and runs nightly.
- The sharing of Disclosure Information is handled in line with the DBS Interchange Agreement and DBS Code of Practice.
The Recruitment Decision and the Recruitment of Ex-Offenders
- Any decision pertaining to the recruitment of a new or existing employee who requires a DBS check is the sole responsibility of the client.
- The LMC cannot advise on an applicant’s suitability for recruitment purposes.
- Once the applicant has received the disclosure from DBS, the practice must then request sight of the certificate and decide on employment.
- It is a requirement of the DBS Code of Practice that all registered bodies and their clients must treat disclosure applicants who have a criminal record fairly and not discriminate because of a conviction or other information revealed. The Code of Practice also obliges registered bodies and their clients to have a written policy on the recruitment of ex-offenders, a copy of which can be given to applicants at the outset of the recruitment process. The DBS has produced a sample policy statement on their website, which can be used or adapted for this purpose: https://www.gov.uk/government/organisations/disclosure-and-barring-service
- The LMC confirms that it has met the criteria as required by the DBS, in that it has a policy on the recruitment of ex-offenders. Clients agree that they will adopt and comply with the LMC’s policy, or create a suitable similar policy of their own which meets the standards set by the DBS.
- Therefore, the recruitment decision and the responsibilities of that decision rest with the client and not the LMC. In such circumstances, no liability should lie against the LMC if a claim were subsequently made on the basis that the employing organisation had acted unfairly against the applicant.
Storage and Retention of Disclosure Information
- It is a requirement of the DBS Code of Practice that all registered bodies must have a written policy on the correct handling and safekeeping of disclosure information. It also obliges registered bodies to ensure that the client on whose behalf they are countersigning disclosure applications has a written policy.
- The LMC confirms that it has met the criteria as set by the DBS, in that it has a policy on the safe storage and handling of disclosure information. Clients agree that they will adopt and comply with the LMC’s policy, or create a suitable similar policy of their own which meets the standards set out by the DBS.
- Once the Practice has had sight of the DBS certificate, the practice should record:
  - The date of issue of the check.
  - The name of the subject.
  - The date of birth of the subject.
  - The type of check requested.
  - Whether the children’s and/or adults barred list was checked and the outcome.
  - The position for which the check was requested.
  - The unique reference number of the check.
  - The details of the employment decision taken.
Verification of Applicant Identity
- Verification must be undertaken by a member of senior management employed by the client, such as a partner in the organisation, or senior manager/deputy senior manager. This individual will be referred to as the ‘client representative’.
- It is the responsibility of the client and the LMC to ensure that the identity of the person on whom the DBS check is required has been verified and validated according to DBS guidance.
- However, the actual process of ID verification and validation will be undertaken by the client to whom the LMC is providing the service.
- Therefore, the client must agree to conduct the preliminary verification, and the LMC agrees to provide secondary verification to ensure the form has been completed correctly.
- The client representative must view the original documentation required by the DBS, according to the List of Approved Documents (Group 1, Group 2a and Group 2b), and then enter details onto the online system. Full details can be found at https://www.gov.uk/government/organisations/disclosure-and-barring-service. The client representative must not accept photocopies of documents from applicants.
- The LMC will be responsible for ‘countersigning’ the application form (via the online system) on behalf of the client confirming that there is a legal entitlement to the check, the information provided is true and accurate, and that the client has not knowingly made a false declaration.
Security of Transmission Arrangements for Sharing Disclosure Information between the Parties
Data is transferred between the Cantium EmploymentCheck system and the DBS as XML files sent via SFTP.
The data transmission is encrypted using an AES-256 algorithm to ensure message integrity, and pre-shared integrity keys installed on both the EmploymentCheck and DBS servers are used to ensure the secure transfer of data between the two parties.
For email notifications, TLS 1.2 is used as standard.
When data is processed and transmitted to the DBS, the EmploymentCheck system complies with, and where possible exceeds, all DBS approved cryptographic requirements to ensure secure transmission of data between itself and the authorities.
Access to data on the system is tightly controlled and only authorised personnel have access to the minimum data/information required to perform their designated tasks. The database itself is password protected to prevent any unauthorised access.
Service Levels between the Parties
- The LMC, via Cantium, will endeavour to process all online applications within a 24-hour timescale.
- https://www.gov.uk/government/organisations/disclosure-and-barring-service Please note that the LMC cannot be held responsible for the time taken by the DBS to process the form and has no control of this process.
Charges for DBS processing costs will be as follows:
Volunteer: £10.00 (no change)
Please be advised that any DBS applications that are initiated but not completed will no longer be eligible for a refund. Therefore, when initiating and paying for a DBS check for either a new employee or an existing member of staff, please ensure that it is required.
Payment and Invoicing Arrangements
- All payments should be made online when initiating a DBS application. Please see the DBS section of the LMC website for further details: Create & Submit an Application.
- This involves an online payment from the client representative/applicant to the LMC. Payments should not be made directly to the DBS.
- Wessex LMCs will not raise or send invoices for this service.
- Payment must be made before the LMC can begin processing a completed application; a completed application will not be submitted to the DBS until payment is received.
- It is at the discretion of the client to determine if the client or the applicant should pay the appropriate fee.
Conditions regarding withdrawal of Service
- Compliance with the DBS Code of Practice is a condition of this service. Failure to do so will result in withdrawal of the service to the client. The LMC cannot act for organisations that appear unable to adhere to the DBS Code of Practice.
- Compliance includes adopting or creating policies on storage and retention of disclosure information, and the recruitment of ex-offenders. Failure to adhere to a policy on this will result in the withdrawal of the service to the client.
Portability – Accepting a previously issued DBS Check
Ultimately it is for the employer to determine whether to accept a previously issued criminal record check.
However, you should consider the following before making a decision:
- The applicant’s criminal record or other relevant information may have changed since its issue.
- The decision made by a Chief Police Officer to disclose information on a DBS certificate was made based on the position for which the criminal record check was originally applied for. You cannot assume that no other intelligence would be disclosed for a different position.
- The information revealed was based on the identity of the applicant, which was validated by another registered body, at the time that the original check was requested. Therefore, you should ensure that the identity details on the certificate match those of the applicant.
- If you are contacted by another organisation about a previously issued criminal record check, any information disclosed can only be passed to individuals who need to see it as part of the recruitment decision.
- You can only confirm whether or not the information provided is the same as on your copy of the DBS certificate.
Online Update Service
From 2013 any applicant who applies for a DBS check can choose to join this service for £13 pa. To join, view https://www.gov.uk/dbs-update-service and enter your unique identifier number plus personal ID details. The benefits of this are:
- the applicant can see their certificate
- the certificate can be taken from one employer to the next (e.g. for bank staff)
- the applicant can give employers permission to check their certificate
Existing DBS Checks – How long is a criminal record check valid for?
There is no official expiry date for a criminal record check. Any information revealed on a certificate will be held by police at the time the check was issued.
- You should check the date of issue on the certificate to decide whether to request a new one. In certain employment sectors a criminal record check may be required periodically.
- It is particularly important to check the DBS status of an employee if they change positions within your organisation, e.g. from a receptionist to a phlebotomist.
- You can keep a criminal record check – or other related information – for no longer than six months, to allow for consideration and resolution of any disputes or complaints after a recruitment or suitability decision is made. If it is considered necessary to keep the certificate information for longer, you should consult the DBS.
- The information contained in this document is aligned with the recommendations of the DBS.
- Please refer for more information to https://www.gov.uk/government/organisations/disclosure-and-barring-service
In providing the DBS application support service Wessex LMC is operating as a data processor for the practices taking up the service. The Practices are the data controllers. Wessex LMC also contract with Cantium Solutions Ltd (HR Connect) to provide the online application service. In using this service the Practice is accepting this agreement to act as a data processing agreement between the Practice (as controller) and Wessex LMC (as the processor) with Cantium Solutions Ltd (as a sub-processor). The Disclosure and Barring Service (DBS) is a separate controller in receipt of the data transferred to them and is not part of this processing agreement.
Subject matter of the processing – Provision of service to support practices, practice staff and potential employees in submitting DBS checks related to employment.
Duration of the processing – for individual applications the processing will cease when the certificate has been issued. Wessex LMC will hold details of practice contacts who have utilised the service on the expectation that they will continue to use the service for future applications. Practices with no intent to use the service again can request their contact details are deleted. Wessex LMC will periodically check and remove practice contact details where the service has not been used for a significant period.
Nature and purpose of the processing – To support effective and efficient DBS checks in support of employment purposes for staff working in general practice. To realise economies of scale and to ensure consistent quality of checks.
Data subjects – Employees and prospective employees of the general practice controller. Staff contact details for managing the service.
Wessex LMC will only process the required data on the instruction of the practice and will not process the data for any other purpose unless required to do so by law, in which case Wessex LMC will inform the controller prior to such processing, unless the law prohibits such informing on grounds of important public interest.
No data shall be transferred outside of the UK for this processing.
Wessex LMC shall ensure all staff processing data for this service are subject to an employment contract clause that commits them to maintaining the confidentiality of data that they are required to process.
Wessex LMC will take all reasonable measures, taking account of the cost of implementation, nature, scope, context and purposes of processing to implement appropriate technical and organisational measures to ensure a level of security for the data, commensurate with the risk. This shall include:
- All transmission of data via electronic means shall be encrypted to industry standards.
- Storage of data in any form will be kept to a minimum in terms of both volume and storage period.
- Access to data by staff will be limited to just those staff who work in support of the service provision.
- Ensuring the security & availability of the relevant electronic data systems to a level commensurate with the risk related to the personal data processed, including regular assessment of the effectiveness of technical and organisational control measures.
Wessex LMCs will not engage any other processor without informing and seeking authorisation from the controller. For this service, if Wessex LMCs do need to engage another processor, then all controllers who have utilised the service will be informed. If they choose to continue to use the service for further applications, they will be deemed to have agreed to the use of the other processor. If a controller does not wish to agree, then they can choose to have their contact details removed and not utilise the service.
Wessex LMC will assist the controller with any request they receive with regard to the rights of the data subject(s).
In the case of any suspected, alleged or potential data breach, Wessex LMCs will support any controller potentially affected, to investigate, assess, take appropriate remedial action and report any confirmed data breach.
Any controller subject to this agreement who undertakes an assessment of the data protection impacts of this processing will be supported by Wessex LMCs to complete such assessment by provision of any information reasonably necessary to do so.
Wessex LMCs commits at the choice of the controller to delete or return any personal data at the end of the service, unless Wessex LMCs is required to keep such data for any specified period by any legal requirement.
At the request of and cost to the controller, Wessex LMCs commit to demonstrating compliance and contributing to any audits related to the personal data subject to this agreement as reasonably required by the controller.
Where Wessex LMCs engage any other processor for this service, they commit to engaging processors who are subject to the same obligations as set out in this agreement. Where any such processor fails to fulfil such obligations then Wessex LMCs shall remain fully liable to the controller for the performance of the other processor’s obligations.