2. Recruitment procedures and policy development
Review the security, expiry, and data management of criminal conviction information
Implement best practices for handling sensitive data, such as conviction disclosures (including DBS certificates), and ensure compliance with relevant regulations. Develop strategies for limiting access to this data, separating it from HR files, handling over-disclosures, and deleting data when convictions become spent.
What does success look like?
Improved security and data management practices
Compliance with relevant data protection regulations
Strategies for handling sensitive conviction data
Appropriate data expiry practices
How would Offploy do it?
Review the company Data Protection/GDPR policy to ensure that it is fit for purpose to handle sensitive information around disclosures received during recruiting. Information about convictions is particularly sensitive as its unplanned release could have significant consequences for the company and the individual. Such information must be stored securely and have very limited distribution.
Destroy disclosure information received from unsuccessful applicants following conclusion of the recruitment process. There is no requirement to hold such information once the time allowed for any appeal to be submitted has elapsed, and it must be destroyed completely, possibly by burning or use of a cross-cut shredder.
Ensure disclosure information received from successful applicants is stored securely and separately from routine HR records. You may decide to hold such information for a period of time, dependent on the individual, the role or the offence. However, it must be held in a separate and secure system and must not be available with the rest of the routine HR files. Some companies use a coded mark on a folder to indicate that there is a further confidential element to the files held, which may be viewed by a limited number of staff in specified circumstances.
Arrange for periodic review of disclosures received from successful candidates to decide whether they should be retained, returned or destroyed. When a conviction becomes “spent” in law, you will need to consider destroying or returning the disclosure, as you will have no right to hold onto the information unless it is for a “regulated” role, e.g. schools, hospitals, etc. Destruction is one option in such circumstances, but you could offer to return a hard-copy disclosure to the employee so that they have the evidence that they did legally disclose when asked.
Examples in Practice
The Information Commissioner's Office has specific advice here: