Policy paper

Registered Body Compliance Policy

Published 3 April 2019

1. Introduction

The Disclosure and Barring Service (DBS) was established in December 2012 under Part V of the Protection of Freedoms Act (POFA) to undertake disclosure and barring functions. DBS is responsible for ensuring Registered Bodies (RBs) are compliant with the DBS Code of Practice for Registered Persons (COP), issued under section 122 of the Police Act 1997, and the Conditions attached to Registration (COR) as set out in the Police Act 1997 (Criminal Records) (Registration) Regulations 2006.

Additionally, RBs that submit checks electronically to DBS via an eBulk system must comply with the eBulk Interchange Agreement and ensure that eBulk systems are built in line with the eBulk Business Message Specification (BMS).

The purpose of the RB compliance programme is to ensure that the RB network delivers its responsibilities, as failure to achieve this could compromise the integrity of the service. The compliance programme also provides assurance to DBS, the Home Office and other stakeholders of the standard of the RB network.

Where requirements are not being met, the compliance programme will identify this and ensure that appropriate action is taken and improvements are made.

The Police Act 1997 (Criminal Records) (Registration) Regulations 2006 sets out Conditions of Registration. Regulation 7(h) requires compliance with the Code of Practice issued under section 122 of the Police Act. Failure to comply with the Conditions of Registration can result in the suspension or cancellation of registration.

The purpose of this policy is to outline DBS’ current compliance procedures.

2. Scope

This policy applies to all organisations (RBs) registered with DBS under section 120 of the Police Act 1997. This includes RBs that provide an umbrella function to non-registered organisations.

3. How DBS monitors compliance

DBS has produced a compliance standards document. This outlines all the requirements which RBs must meet. The compliance standards document links each requirement to the relevant section of the COR, COP, Interchange Agreement and BMS. The compliance standards document includes the questions that DBS will ask as part of the compliance programme; however, DBS is not limited to these questions.

DBS also uses internal evidence to identify compliance issues. This includes application data, police force conflicts, disputes and customer complaints.

There are three key stages to the DBS compliance process:

3.1 Self-assessment questionnaire

This is a short questionnaire which is completed by RBs to provide an initial indication of their level of compliance.

This helps RBs assess themselves against the compliance requirements in preparation for the full compliance questionnaire. It is also used to identify RBs with any high-risk compliance issues that may impact on safeguarding, so that they can be selected for a full compliance questionnaire.

RBs have 10 working days to return this.

3.2 Full compliance questionnaire

This is a more detailed questionnaire which is completed by RBs. This questionnaire defines their procedures and processes against the following 8 key areas of compliance:

  • Registration details
  • Eligibility
  • Identity verification
  • Application process
  • Policies
  • eBulk system (where relevant)
  • Payment of fees
  • Volumes

RBs have 10 working days to return this questionnaire.

A DBS compliance manager will review the full compliance questionnaire and assess each compliance section as either “appears to be compliant” or “appears to be non-compliant”. A determination of appearing to be non-compliant will be made in an area if any of the questions elicit an unsatisfactory response based upon the requirements in the compliance standards document. This assessment will then be referred to a senior compliance manager to confirm the assessment undertaken.

The senior compliance manager will then decide if an inspection is required based on the following considerations:

  • high risk issues identified which impact on safeguarding
  • volumes of applications submitted
  • random sample of remaining RBs

If a compliance inspection is not required, a feedback report will be provided to the RB. This will include any requirements the RB is obliged to undertake. If the RB fails to do this within the timescales given, they may be referred for a compliance inspection.

3.3 Compliance inspection

If an RB is selected for a compliance inspection, this takes place at the premises of the RB and includes:

  • an introductory meeting with the lead signatory
  • a review of the full compliance questionnaire
  • a walkthrough of RB processes and eBulk system (where relevant)
  • feedback on findings

The inspection must take place within 28 days of formal notice being given of the inspection.

Following the inspection, a compliance inspection report will be issued to the RB. Each compliance area will be assessed individually and an overall RB compliance assessment will be given.

RBs must co-operate in full, in line with the timescales given for both the full compliance questionnaire and the compliance inspection. Failure to do so could lead to suspension or cancellation of the RB.

4. Compliance assessment

4.1 Compliance assessment - full compliance questionnaire

Individual key compliance area assessment

Each of the 8 key areas of compliance will be assessed as either:

  • Appears to be compliant
  • Appears to be non-compliant

Overall RB compliance assessment

An overall RB compliance assessment is given. The possible outcomes are:

  • Appears to be non-compliant: If non-compliance is identified in the Identity Verification area and/or the Application Process area, the overall assessment will be “appears to be non-compliant”. This is because these areas present the risk of inaccurate or incomplete information being provided to DBS, and information not being disclosed on a DBS certificate. This could result in a safeguarding risk.
  • Appears to be partially compliant: If non-compliance is identified in one or more of the other key compliance areas, the overall assessment will be “appears to be partially compliant”. This is because requirements have been identified for the RB; however, a safeguarding risk has not been identified.
  • Appears to be compliant: If all areas are assessed as compliant, the overall assessment will be “appears to be compliant”. There are no requirements identified for the RB and DBS has not identified any safeguarding risks; however, there may be recommendations which the RB could choose to implement.

The assessment of “appears to be” compliant or non-compliant, for individual areas and overall assessment, is based on an evaluation of responses to the compliance questionnaire.

The term “appears to be” is used as the assessment is based on the questionnaire only. An on-site inspection of the systems, policies and procedures has not taken place; consequently, it is not possible to definitively state that an RB is “compliant” or “non-compliant”.

4.2 Compliance assessment following compliance inspection

Individual key compliance area assessment

Each of the 8 key areas of compliance will be assessed as either:

  • Compliant
  • Non-compliant

Overall RB compliance assessment

An overall RB compliance assessment is given. The possible outcomes are:

  • Non-compliant: If non-compliance is identified in the Identity Verification area and/or the Application Process area, the overall assessment will be “non-compliant”. This is because these areas present the risk of inaccurate or incomplete information being provided to DBS and information not being disclosed on a DBS certificate. This could result in a safeguarding risk.
  • Partially compliant: If non-compliance is identified in one or more of the other key compliance areas, then the overall assessment will be “partially compliant”. This is because requirements have been identified for the RB; however, a safeguarding risk has not been identified.
  • Compliant: If all areas are assessed as compliant, the overall assessment will be “compliant”. There are no requirements identified for the RB and we have not identified any safeguarding risks; however, there may be recommendations which the RB could choose to implement.

The assessment of compliant or non-compliant, for individual areas and overall assessment, is based on an evaluation of responses to the compliance questionnaire and the information/evidence obtained from the inspection.

4.3 Requirements and recommendations

As part of the assessment of the 8 key areas, an RB may be required to undertake certain actions. DBS may also make “recommendations”. DBS’ conclusions will fall into the following categories:

  • Requirements in the Identity Verification and Application Process area(s): Requirements recorded against these areas are high priority requirements and must be in place within 4 weeks of the feedback report or inspection report being issued. However, DBS reserves the right to request immediate action if the risk identified is deemed to warrant this.
  • Requirements in all other key compliance areas: Requirements recorded against these areas are lower priority requirements and must be in place within 8 weeks of the feedback report or inspection report being issued.
  • Recommendations: DBS may provide recommendations to improve RB processes or systems, based on best practice. There are no timeframes attached to these and the RB is not obliged to introduce them.

DBS will request that requirements are implemented for any key area that is assessed as non-compliant.

5. Post-compliance assessment support

The Relationship Management Team is available to support RBs that need to implement requirements identified by the compliance process, in the timeframes given.

6. Suspension or cancellation of an RB’s registration

If a non-compliant RB does not demonstrate that they are putting measures in place to meet their obligations, they may have their registration suspended until these are put in place.

An RB must have undergone a compliance inspection before a suspension can be considered.

The decision to suspend will take into consideration:

  • the risk impact of the non-compliance
  • the effort made by the RB to comply
  • the likelihood of the RB reaching compliance within a timeframe appropriate to the level of risk

An RB’s registration will be cancelled if the requirements cannot be met or if, following the expiration of 6 months from the date of suspension, an RB has not reached a compliant state.

DBS must adhere to the following:

  • DBS must send written notice of its intention to suspend or cancel an RB’s registration
  • The written notice must give the reasons for its intention to suspend/cancel and must inform an RB that they can make representations within 21 days of the letter being served on them
  • If no representations are received, an RB’s registration can be suspended or cancelled after 21 days from the date the letter was served on them
  • If, following representations being made, the decision is made to suspend or cancel an RB’s registration, any suspension or cancellation will not take effect until 6 weeks after a letter is served, informing them of the decision

Please note, RBs may also be suspended or cancelled when issues are identified outside of the compliance process, as described in this Policy. These reasons include:

  • Non-payment of fees
  • Failure to meet volume thresholds
  • Fraud

7. Reviews and representations

7.1 Review of DBS compliance assessment

An RB has the right to request a review of the compliance assessment made by DBS.

If an RB wishes to request a review they should email rbmanagement@dbs.gov.uk and provide the reasons why they feel the assessment should be reviewed.

A request for a review must be made within 28 days of receiving the feedback form or the inspection report being issued.

7.2 Review of suspension/cancellation of RB’s registration

An RB also has the right to ask for a review of the decision to suspend or cancel its registration.

If an RB wishes to request a review they should email rbmanagement@dbs.gov.uk and request a review form. This must be submitted within 28 days of receiving the written notice of suspension or cancellation.

Once an RB’s registration with DBS has been cancelled it cannot be reinstated. A new registration application would need to be submitted and considered in line with the DBS registration process.

An RB may wish to seek their own independent legal advice in this regard.

8. Contact points

For further information about the compliance process please email rbmanagement@dbs.gov.uk or contact our call centre on 0300 0200 190.