Atlantic Data

Disclosures DBS - Disclosure and Barring Service (DBS) services

Atlantic Data's Disclosures service allows organistions to process, administer and manage criminal record checks for staff, volunteers and other workers, by providing an online solution which connects to the Disclosure and Barring Service via its eBulk service.

Disclosures also provides a comprehensive suite of management information tools to assist organistions.


  • Comprehensive, online criminal record check system
  • Secure user access
  • Electronic record of applicant's identity check
  • Internal user and applicant dashboard to track DBS applications
  • Comprehensive management reports covering the entire process
  • Administrator functions and user-management
  • Flexible charging arrangements, including online billing
  • Bespoke options available
  • Comprehensive validation to ensure completeness and accuracy of DBS applications
  • Fast turnaround between submission and final result


  • Quick and easy processing of DBS criminal record applications
  • Reduced costs as compared to paper DBS applications
  • Convenience - online access from any internet-enabled device
  • Consistent application of DBS rules
  • Correct level of check, correct workforce
  • Guidance provided regarding DBS and legislative rules
  • Additional employee background checks on request
  • Enhanced security
  • Reduce unnecessary and inefficient paper applications
  • Disclosure Scotland and DBS services available


£6.80 per transaction

Service documents


G-Cloud 11

Service ID

3 3 0 3 4 1 5 8 3 9 7 6 7 8 7


Atlantic Data

Client Services team

0333 320 7300

Service scope

Software add-on or extension
Cloud deployment model
Private cloud
Service constraints
The service is accessible via any internet-enabled device. Organisations must establish a legal entitlement to carry out standard or enhanced level criminal records checks. Any organisation can carry out basic level criminal records checks.
System requirements
Service is accessible via any internet-enabled PC or device

User support

Email or online ticketing support
Email or online ticketing
Support response times
Questions can be submitted via telephone, email or a built-in secure messaging facility.

An initial response to e-mails and messages is provided within 1 working day. If the matter cannot be dealt with on the first contact, a priority approach is adopted whereby the most critical of technical issues are dealt with as a high priority.

The Disclosures system boasts an uptime in excess of 99%, so technical issues resulting in a total lack of service are rare. The majority of queries relate to DBS processes such as correct level of check, or whether a role meets the DBS standards.
User can manage status and priority of support tickets
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Support levels
Support for users of the Disclosures system is via a helpdesk and/or client relationship management team. Both of these support services are available 9am to 5pm. Each of these teams offer a level of technical support and are able to resolve the vast majority of technical issues. Specialist technical support is available via a priority-based ticketing system, which the helpdesk support advisers and relationship management team have access to.

Key customers and customised accounts qualify for a dedicated account manager as primary contact for support. These customers are provided a unique email address for contact purposes.

Support is included in annual account maintenence fees.
Support available to third parties

Onboarding and offboarding

Getting started
Getting started with Disclosures is very straight forward. Disclosures and Disclosures Manager are very intuitive systems to use. Formal training is rarely required. However the systems contain a Quick Start Guide and video tutorials. The Quick Start Guide is an online training module which talks users through the key functions of the system upon registration. Video tutorials provide more in-depth training on how to use key functionality within the system.

Inline help is available throughout the Disclosures system. So, for example, if a user is initiating a new application the system provides 'more information' boxes or pop-up help text to guide the user seamlessly through the process.
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
This can be acheived in a number of ways. Certain Disclosures systems contain reports which allows users to extract data at the end of the contract. Otherwise this can be managed by Atlantic Data on behalf of its customers.
End-of-contract process
There are not usually any additional costs at the end of the contract. If the customer wishes to extract data in a format which is not directly available in the user interface of the system, this may incur an additional charge, which would be agreed on an ad-hoc basis.

If a customer would like Atlantic Data to consult or liaise with a new supplier at the end of the contract period, its reasonable costs of doing so would be agreed with the customer.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
Certain versions of Disclosures work on mobile devices with no difference in functionality.
Service interface
Description of service interface
Disclosures is accesible over the internet. Each authorised user is provided with a system-generated username and password. Depending on their role within the organisation, users are presented with a number of actions within their remit - i.e. to initiate a DBS check, to carry out an I.D. check, to authorise/cancel an existing check, or to access management information and reports relevant to their area of the business.
Accessibility standards
WCAG 2.1 AA or EN 301 549
Accessibility testing
One of Atlantic Data's key clients is a well-known disability charity, providing support and services to blind and partially sighted people across the UK, through the provision of guide dogs, mobility and other rehabilitation services. This national charity provided vital assistance to ensure Disclosures' WCAG2.1AA compliance, and by testing against assistive technologies, such as JAWS Screen Reader and Zoom Text Screen Magnification software.
What users can and can't do using the API
Certain versions of Disclosures offer an API. The API allows users to carry out the following functions from an integrated 3rd party system:-
- initiate a DBS application
- receive status updates
- receive result information
- cancellation applications

Atlantic Data is also able to deliver alternative integration solutions, using most technical methods - SFTPS, SQL access and SOAP.
API documentation
API documentation formats
API sandbox or test environment
Customisation available
Description of customisation
Certain versions of Disclosures have the ability to be configured to suit the customers' requirements. Customisable aspects include:
- bespoke job roles specific to the organisations requirements
- combinations and levels of DBS checks to suit the customer's needs
- users configured within a structure of departments, branches and divisions to reflect the customer's own corporate structure, or physical network of offices.
- an application/information flow which suits the customer's own business processes
- outsourced I.D. check options
- corporate branding
- integration with customers' own/third party systems


Independence of resources
Atlantic Data processes in excess of 300,000 DBS applications each year. It maintains enough capacity to easily exceed this at peak times. Atlantic Data's Disclosures service are configured to handle approximately 100,000 concurrent sessions - i.e. simultaneous users and DBS applicants using the service at any given time.


Service usage metrics
Metrics types
Disclosures has a suite of management reports which allow users to track applications, as well as obtain useful MI regarding the organisations Disclosure applications.
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
The export of data can be achieved in a number of ways. Firstly, the reporting suite within Disclosures allows reports to be exported, typically in Excel format.
Bespoke versions of Disclosures contain a customised export facility with fields of data specifically agreed with the customer.

Otherwise this can be managed by Atlantic Data on behalf of its customers.
Data export formats
Data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
Atlantic Data makes a service level commitment to its clients which guarantees that its online and support services will be available to users between 9am and 5pm. In practice, though, the online aspects of the Disclosures system are available 24 hours a day 7 days a week. Disclosures users benefit from a system which boasts in excess of 99% uptime.
Approach to resilience
As an ISO 27001-certified organisation for IT security management systems, Atlantic Data implements robust measures to ensure resilience. Such meansures include SLAs, disaster recovery and business continuity planning, and historic performance demonstrates an uptime in excess of 99%.

Further information about the resilience of Atlantic Data's systems are availabale on request.
Outage reporting
Atlantic Data maintains a log management policy. As part of this policy authorised systems administrators review the audit trail logs on a daily basis. The logs are captured and stored in a centralised log analyser, which proactively triggers alerts on any suspicious activity or authentication failures. A root cause analysis process addresses any security incidents that occur and appropriate corrective action is taken to correct and prevent any future occurrence.

Where necessary, outages are reported to affected customers via a combination of system messages, public dashboard, email alerts and personal client relationship contact.

Identity and authentication

User authentication needed
User authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels
Atlantic Data maintains an access control policy, which details the segregation of duties and ensures the confidentiality and integrity of data by restricting access only to authorised personnel.

User access is granted only after a formal authorisation process. Most Disclosures systems adopt a role-based access principle. All access is provided by creating unique user credentials which helps in audit trails.
The service is configured with multiple levels of privileges based on the roles, which ensures the confidentiality of the data by segregation of duties.

Support services are provided by utilising registered user passwords.
Access restriction testing frequency
At least once a year
Management access authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
British Standards Institution
ISO/IEC 27001 accreditation date
01/02/2019 (01/02/2007 was the orginal accreditation)
What the ISO/IEC 27001 doesn’t cover
The certification covers business process outsourcing services, software development and support, client administration, customer support, DBS umbrella body services, compliance with UK data protection legislation, eBulk services, hosting and web services, support functions such as legal, IT, administration and facilities.
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Who accredited the PCI DSS certification
PCI DSS accreditation date
3 April 2019
What the PCI DSS doesn’t cover
Current Attestation is for PCI level 4
Other security certifications
Any other security certifications
ISO 27001

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
Atlantic Data is ISO 27001-certified. Some of the security measures in place are as follows:-
clear desk and clear screen policy, restricted physical access within the premises to authorised personnel, shred/disposal of sensitive data policies, password policy, physical and environmental controls (e.g. biometric access doors and RFID), encryption of data in transit and at rest, firewall policy, visitor management processes and an annual IT health check.

In addtion to the above, Atlantic Data has an internal security forum, with representation at board level, to review regular updates on security on a periodic basis and monitor compliance with policies and process.

Compliance with policies and processes is also ensured through rigorous training, internal and external audits.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
Changes to Atlantic Data's Disclosures systems invariably stem from one of three main sources 1. Changes initiated by a change in process by the DBS; 2. changes requested by the client; 3. changes/modifications/upgrades to the system initiated by Atlantic Data.

In any of these cases, Atlantic Data follows a strict change management process as part of its ISO controls. This includes robust tracking and monitoring of all change requests. Before being deployed to a live environment, any changes are tested in a staging environment for QA and assessed for risks, such as any potential impact on security.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
Atlantic Data has an Internal Security Forum which regularly reviews updates on security. All systems and the environments they are hosted on are regularly reviewed. Independent IT health checks are conducted and appropriate fixes are applied. The workstation environment is also patched regularly to address vulnerabilities.

The IT perimeter is secured using the EAL4+-compliant UTM which acts as the IPS system. The production systems are configured using iptables, firewall, TCP wrappers and application firewalls. All these systems report to a centralised log analyser, which records an audit trail of any incident and triggers alerts on suspicious activity to authorised personnel.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
Atlantic Data carries out protective monitoring via a centralised log analyser. This allows authorised systems administrators to review logs on a daily basis. The analyser proactively triggers alerts on any suspicious activity or authentication failures. A root cause analysis process ensures that in the event of any security incidents appropriate and timely corrective action is taken to correct that instances and prevent any future occurrence. Incidents are address immediately.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Atlantic Data's disaster recovery plan and business continuity plans define the processes necessary for the effective restoration/recovery of critical functions. The plans detail strategies for business recovery, plans in the event of communication failure, testing, key employee contact lists, and vendors' emergency contacts. The RTO for IT infrastructure, data and client support is 24 hours.

A back-up site is isolated from Atlantic Data's primary location on a TIER 4 datacentre with the same level of security controls and resilience as the primary. The DR site is a mirror of the production set up and capable of the shortest of RPO.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
Connected networks
Other public sector networks
The Disclosures and Barring Service's e-Bulk network


£6.80 per transaction
Discount for educational organisations
Free trial available

Service documents

Return to top ↑