An update from the safeguarding team about DBS checks following the APCS data breach last year.
Following the APCS data breach last year, we have made the decision to switch the registered body who processes our DBS checks to ThirtyOne:Eight (31:8). We will shortly be implementing this for diocesan checks and inviting parishes to register so DBS checks can be undertaken locally via 31:8.
31:8 is a Christian charity. It is one of the largest umbrella bodies in England and Wales, processing an average of 86,000 checks per year. They are used by over half of other dioceses, and their advisors have an in-depth understanding of DBS issues as well as working knowledge of the Church of England. They have been awarded the national quality standard for ‘outstanding’ helpline provision, and anecdotally we have heard multiple positive experiences from dioceses when seeking help and advice from them.
Data security
You will be aware that cyber-crime is becoming ever-present in our current age (see for example, M&S, Land Rover etc), and no-one can ever completely guarantee against a data breach, however 31:8 have provided us with good reassurance regarding their data security. They are ISO 27001 accredited and their UK based data security is regularly tested and monitored using sophisticated anti-virus and online security programmes. All confidential data is encrypted using an advanced combination of three encryption techniques in addition to regular backups, which prevent unauthorised access.
Throughout the decision-making process, we have consulted with our network of Parish Safeguarding Officers and DBS administrators and are satisfied 31:8 fulfil the key criteria they told us was important. We introduced the proposed switch at our recent PSO Network meeting, and it was received well.
Roll out process
Where there is already one person (usually either the PSO or assigned administrator) responsible for DBS checks across the whole benefice, we propose to set up a benefice account with 31:8 which this person (known as the lead recruiter) will have access to. Where more than one person in a benefice has responsibility for DBS checks, access can be given to all who require it with one person assigned as ‘lead recruiter’ and others ‘additional recruiters’. However, all recruiters will be able to see information about other DBS checks processed within the benefice, including applicant’s personal details and whether their DBS has come back clear or not (although specific disclosure information will not be made available). This could work well if there are already working agreements in place, but if this is undesirable, we can work with the benefice to set up individual parish accounts instead – we will support whichever arrangement works best for you locally.
Once we are ready to switch over to 31:8, PSOs/DBS administrators will receive a bespoke registration form which will need to be signed by the incumbent and then be returned to the safeguarding team to send on to 31:8.
The need for an umbrella body for DBS checks
We recognise that some people questioned the need for a DBS provider altogether, but individual benefices or parishes will not meet the threshold to submit checks directly to the Disclosure and Barring Service and so will always need to go via an umbrella body like APCS or 31:8. Parishes can choose to make their own arrangements if they prefer, but this is likely to result in a greater cost directly to the parish in terms of admin fees (which will otherwise be covered by the Diocese via a bulk discount with 31:8). If the PCC does choose to pursue their own umbrella body, they will need to ensure they exercise due diligence and abide by the relevant legislation and GDPR. The safeguarding team will still need to liaise regularly with these parishes as information will be required for compliance purposes.
Pilot group
Initially, the safeguarding team will work with a pilot group and gather feedback before rolling the system out more widely. We are conscious that Easter is approaching so do not expect the majority to switch until May/June time. We do have some who are keen to trial it as soon as possible though, and if your parish would like to be considered for the pilot, please let us know. Below we have set out a bit more details in some frequently asked questions.
We will be communicating with our safeguarding network further, but please be in touch via dbsadmin@cofe-worcester.org.uk if you have any questions or would like to discuss any issues raised.
Frequently Asked Questions
Why are we the changing umbrella for our DBS checks?
Following the APCS data breach last year, there was a considerable loss of confidence in their service and the levels of customer service after the breach have been poor. We have therefore made the decision to switch the umbrella bodgy for our DBS checks to ThirtyOne:Eight (31:8). We will shortly be implementing this for diocesan checks and are inviting benefices or parishes to register so DBS checks can be undertaken locally.
Who are ThirtyOne:Eight (31:8)?
31:8 is one of the largest umbrella bodies for processing DBS checks in England and Wales, processing an average of 86,000 checks per year. Over half of other dioceses use them and they are part of the Safeguarding Systems Together project connecting DBS, Safeguarding Hubs and Diocesan management systems. They were awarded the national quality standard for ‘outstanding’ helpline provision by the Helplines Partnership and their advisors have an in-depth understanding of DBS issues as well as a good working knowledge of the Church of England
What reassurance can you give about the security of the 31:8 system?
31:8’s data is securely hosted in the UK by Security Watchdog, which means full compliance with UK data protection law. The system works to global best practice standards, and holds an internationally recognised certificate in information security management (ISO 27001 accredited). The system is regularly tested and monitored (including vulnerability and penetration testing). All confidential data is encrypted using an advanced combination of three encryption techniques, in addition to regular backups, which prevent unauthorised access. Security Watchdog’s high‑security data centre operates the latest monitoring and protection systems, including sophisticated anti‑virus and online security programmes.
Sadly, cyber-crime is becoming ever-present in our current age (see for example, M&S, Land Rover etc.) and therefore we can never completely guarantee a third-party will not act with malicious or unlawful intent. However, we feel reassured that 31:8 has all the necessary measures in place to mitigate security risks to the best of their ability.
How will parishes be transferred over to the new system?
We have done some work looking at our current local structures, and identified that in over half of cases, a PSO or assigned DBS administrator oversees DBS checks for the whole benefice. In these instances, they will have access to an account to manage all their DBS checks and will be known as a “lead recruiter”. In other instances, for example where two or more PSOs/admins are working together across the benefice, both can have access with one person being the “lead recruiter” and others being “additional recruiters” (although all recruiters will be able to see data relating to other applicants put through in the benefice). In cases where neither apply, we can work with individual parishes to ensure they have access to an account – we will work with them to determine the best set-up.
What do parishes need to do?
Once we are ready to switch over to 31:8, PSOs/DBS administrators will receive a set-up form which will need to be returned to us to send on to 31:8. Incumbents will need to sign off on this before the form can be returned to us and the account set-up. This will confirm the recruiters for each benefice/parish structure and inform 31:8 who should have access to the DBS system.
What support is being provided for parishes?
We will be providing training and support for PSOs and others in parishes who will be using the new system in addition to support offered by 31:8.
Why do we need to use an external provider for DBS checks?
Because individual benefices or parishes will not meet the threshold to submit checks directly via the Disclosure and Barring Service, they will always need to go via an umbrella body (of which APCS and 31:8 are two).
What if parishes don’t wish to use 31:8?
It is the PCC’s choice whether to make use of the diocesan arrangement with 31:8 or make their own arrangements for DBS checking, albeit at a greater cost directly to the parish in way of administrative burden and administration fees (which otherwise the diocese would cover at a reduced bulk rate via 31:8). If the PCC does choose to pursue their own umbrella body, they will need to ensure they exercise due diligence and abide by the relevant legislation and GDPR, and the safeguarding team will need to be informed so DBS information can be shared with the Diocese to ensure compliance.
Who are the data controllers/processors?
Most PCC’s are already data controllers because they hold people’s data, e.g. names and contact details, in order to keep church records and run church activities. The PCC is also the data controller in relation to DBS applications, as they decide who is eligible for a check and will be responsible for sending the individuals DBS instructions and undertaking the accompanying ID check (usually the PSO or nominated church administrator will be responsible for this on behalf of the PCC, and must be approved by 31:8 in advance).
31:8 will be the data processor, as they will receive the individual’s information via the DBS application, and will countersign this before submitting it to the Disclosure & Barring Service. As part of the application process, each individual DBS applicant will be required to consent to their data being used for the purposes of the DBS check, otherwise the application will not proceed.
