Disclosure and Barring Service (DBS) services - Disclosures
Atlantic Data's Disclosures service allows organisations to process, administer and manage criminal record checks for staff, volunteers and other workers, by providing an online solution which connects to the Disclosure and Barring Service via its eBulk service.
Disclosures also provides a comprehensive suite of management information tools to assist organisations.
- Comprehensive, online criminal record check system
- Secure user access
- Electronic record of applicant's identity check
- Internal user and applicant dashboard to track DBS applications
- Comprehensive management reports covering the entire process
- Administrator functions and user-management
- Flexible charging arrangements, including online billing
- Bespoke options available
- Comprehensive validation to ensure completeness and accuracy of DBS applications
- Fast turnaround between submission and final result
- Quick and easy processing of DBS criminal record applications
- Reduced costs as compared to paper DBS applications
- Convenience - online access from any internet-enabled device
- Consistent application of DBS rules
- Correct level of check, correct workforce
- Guidance provided regarding DBS and legislative rules
- Additional employee background checks on request
- Enhanced security
- Reduce unnecessary and inefficient paper applications
- Disclosure Scotland and DBS services available
£6.80 per transaction
0333 320 7300
|Software add-on or extension||No|
|Cloud deployment model||Private cloud|
|Service constraints||The service is accessible via any internet-enabled device. Organisations must establish a legal entitlement to carry out standard or enhanced level criminal records checks. Any organisation can carry out basic level criminal records checks.|
|System requirements||Service is accessible via any internet-enabled PC or device|
|Email or online ticketing support||Email or online ticketing|
|Support response times||
Questions can be submitted via telephone, email or a built-in secure messaging facility.
An initial response to e-mails and messages is provided within 1 working day. If the matter cannot be dealt with on the first contact, a priority approach is adopted whereby the most critical of technical issues are dealt with as a high priority.
The Disclosures system boasts an uptime in excess of 99%, so technical issues resulting in a total lack of service are rare. The majority of queries relate to DBS processes such as correct level of check, or whether a role meets the DBS standards.
|User can manage status and priority of support tickets||Yes|
|Online ticketing support accessibility||WCAG 2.1 AA or EN 301 549|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||No|
Support for users of the Disclosures system is via a helpdesk and/or client relationship management team. Both of these support services are available 9am to 5pm. Each of these teams offers a level of technical support and is able to resolve the vast majority of technical issues. Specialist technical support is available via a priority-based ticketing system, which the helpdesk support advisers and relationship management team have access to.
Key customers and customised accounts qualify for a dedicated account manager as primary contact for support. These customers are provided a unique email address for contact purposes.
Support is included in annual account maintenance fees.
|Support available to third parties||No|
Onboarding and offboarding
Getting started with Disclosures is very straightforward. Disclosures and Disclosures Manager are very intuitive systems to use. Formal training is rarely required. However, the systems contain a Quick Start Guide and video tutorials. The Quick Start Guide is an online training module which talks users through the key functions of the system upon registration. Video tutorials provide more in-depth training on how to use key functionality within the system.
Inline help is available throughout the Disclosures system. So, for example, if a user is initiating a new application the system provides 'more information' boxes or pop-up help text to guide the user seamlessly through the process.
|End-of-contract data extraction||This can be achieved in a number of ways. Certain Disclosures systems contain reports which allow users to extract data at the end of the contract. Otherwise this can be managed by Atlantic Data on behalf of its customers.|
There are not usually any additional costs at the end of the contract. If the customer wishes to extract data in a format which is not directly available in the user interface of the system, this may incur an additional charge, which would be agreed on an ad-hoc basis.
If a customer would like Atlantic Data to consult or liaise with a new supplier at the end of the contract period, its reasonable costs of doing so would be agreed with the customer.
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||Certain versions of Disclosures work on mobile devices with no difference in functionality.|
|Accessibility standards||WCAG 2.1 AA or EN 301 549|
|Accessibility testing||One of Atlantic Data's key clients is a well-known disability charity, providing support and services to blind and partially sighted people across the UK, through the provision of guide dogs, mobility and other rehabilitation services. This national charity provided vital assistance to ensure Disclosures' WCAG 2.1 AA compliance, including by testing against assistive technologies, such as JAWS Screen Reader and Zoom Text Screen Magnification software.|
|What users can and can't do using the API||
Certain versions of Disclosures offer an API. The API allows users to carry out the following functions from an integrated 3rd party system:-
- initiate a DBS application
- receive status updates
- receive result information
- cancel applications
Atlantic Data is also able to deliver alternative integration solutions, using most technical methods - SFTPS, SQL access and SOAP.
|API documentation formats|
|API sandbox or test environment||Yes|
|Description of customisation||
Certain versions of Disclosures have the ability to be configured to suit the customers' requirements. Customisable aspects include:
- bespoke job roles specific to the organisation's requirements
- combinations and levels of DBS checks to suit the customer's needs
- users configured within a structure of departments, branches and divisions to reflect the customer's own corporate structure, or physical network of offices.
- an application/information flow which suits the customer's own business processes
- outsourced I.D. check options
- corporate branding
- integration with customers' own/third party systems
|Independence of resources||Atlantic Data processes in excess of 300,000 DBS applications each year. It maintains enough capacity to easily exceed this at peak times. Atlantic Data's Disclosures service is configured to handle approximately 100,000 concurrent sessions - i.e. simultaneous users and DBS applicants using the service at any given time.|
|Service usage metrics||Yes|
|Metrics types||Disclosures has a suite of management reports which allow users to track applications, as well as obtain useful MI regarding the organisation's Disclosure applications.|
|Supplier type||Not a reseller|
|Staff security clearance||Other security clearance|
|Government security clearance||Up to Developed Vetting (DV)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||United Kingdom|
|User control over data storage and processing locations||No|
|Datacentre security standards||Complies with a recognised standard (for example CSA CCM version 3.0)|
|Penetration testing frequency||At least once a year|
|Penetration testing approach||‘IT Health Check’ performed by a CHECK service provider|
|Protecting data at rest||
|Data sanitisation process||Yes|
|Data sanitisation type||
|Equipment disposal approach||Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001|
Data importing and exporting
|Data export approach||
The export of data can be achieved in a number of ways. Firstly, the reporting suite within Disclosures allows reports to be exported, typically in Excel format.
Bespoke versions of Disclosures contain a customised export facility with fields of data specifically agreed with the customer.
Otherwise this can be managed by Atlantic Data on behalf of its customers.
|Data export formats||CSV|
|Data import formats||CSV|
|Data protection between buyer and supplier networks||
|Data protection within supplier network||TLS (version 1.2 or above)|
Availability and resilience
|Guaranteed availability||Atlantic Data makes a service level commitment to its clients which guarantees that its online and support services will be available to users between 9am and 5pm. In practice, though, the online aspects of the Disclosures system are available 24 hours a day 7 days a week. Disclosures users benefit from a system which boasts in excess of 99% uptime.|
|Approach to resilience||
As an ISO 27001-certified organisation for IT security management systems, Atlantic Data implements robust measures to ensure resilience. Such measures include SLAs, disaster recovery and business continuity planning, and historic performance demonstrates an uptime in excess of 99%.
Further information about the resilience of Atlantic Data's systems is available on request.
Atlantic Data maintains a log management policy. As part of this policy authorised systems administrators review the audit trail logs on a daily basis. The logs are captured and stored in a centralised log analyser, which proactively triggers alerts on any suspicious activity or authentication failures. A root cause analysis process addresses any security incidents that occur and appropriate corrective action is taken to correct and prevent any future occurrence.
Where necessary, outages are reported to affected customers via a combination of system messages, public dashboard, email alerts and personal client relationship contact.
Identity and authentication
|User authentication needed||Yes|
|Access restrictions in management interfaces and support channels||
Atlantic Data maintains an access control policy, which details the segregation of duties and ensures the confidentiality and integrity of data by restricting access only to authorised personnel.
User access is granted only after a formal authorisation process. Most Disclosures systems adopt a role-based access principle. All access is provided by creating unique user credentials which helps in audit trails.
The service is configured with multiple levels of privileges based on the roles, which ensures the confidentiality of the data by segregation of duties.
Support services are provided by utilising registered user passwords.
|Access restriction testing frequency||At least once a year|
|Management access authentication||
Audit information for users
|Access to user activity audit information||Users have access to real-time audit information|
|How long user audit data is stored for||At least 12 months|
|Access to supplier activity audit information||Users have access to real-time audit information|
|How long supplier audit data is stored for||At least 12 months|
|How long system logs are stored for||At least 12 months|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||British Standards Institution|
|ISO/IEC 27001 accreditation date||01/02/2019 (01/02/2007 was the original accreditation)|
|What the ISO/IEC 27001 doesn’t cover||The certification covers business process outsourcing services, software development and support, client administration, customer support, DBS umbrella body services, compliance with UK data protection legislation, eBulk services, hosting and web services, support functions such as legal, IT, administration and facilities.|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Who accredited the PCI DSS certification||Self-certificated|
|PCI DSS accreditation date||3 April 2019|
|What the PCI DSS doesn’t cover||Current Attestation is for PCI level 4|
|Other security certifications||Yes|
|Any other security certifications||ISO 27001|
|Named board-level person responsible for service security||Yes|
|Security governance certified||Yes|
|Security governance standards||ISO/IEC 27001|
|Information security policies and processes||
Atlantic Data is ISO 27001-certified. Some of the security measures in place are as follows:-
clear desk and clear screen policy, restricted physical access within the premises to authorised personnel, shred/disposal of sensitive data policies, password policy, physical and environmental controls (e.g. biometric access doors and RFID), encryption of data in transit and at rest, firewall policy, visitor management processes and an annual IT health check.
In addition to the above, Atlantic Data has an internal security forum, with representation at board level, to review regular updates on security on a periodic basis and monitor compliance with policies and process.
Compliance with policies and processes is also ensured through rigorous training, internal and external audits.
|Configuration and change management standard||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Configuration and change management approach||
Changes to Atlantic Data's Disclosures systems invariably stem from one of three main sources: 1. changes initiated by a change in process by the DBS; 2. changes requested by the client; 3. changes/modifications/upgrades to the system initiated by Atlantic Data.
In any of these cases, Atlantic Data follows a strict change management process as part of its ISO controls. This includes robust tracking and monitoring of all change requests. Before being deployed to a live environment, any changes are tested in a staging environment for QA and assessed for risks, such as any potential impact on security.
|Vulnerability management type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Vulnerability management approach||
Atlantic Data has an Internal Security Forum which regularly reviews updates on security. All systems and the environments they are hosted on are regularly reviewed. Independent IT health checks are conducted and appropriate fixes are applied. The workstation environment is also patched regularly to address vulnerabilities.
The IT perimeter is secured using the EAL4+-compliant UTM which acts as the IPS system. The production systems are configured using iptables, firewall, TCP wrappers and application firewalls. All these systems report to a centralised log analyser, which records an audit trail of any incident and triggers alerts on suspicious activity to authorised personnel.
|Protective monitoring type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Protective monitoring approach||Atlantic Data carries out protective monitoring via a centralised log analyser. This allows authorised systems administrators to review logs on a daily basis. The analyser proactively triggers alerts on any suspicious activity or authentication failures. A root cause analysis process ensures that in the event of any security incidents appropriate and timely corrective action is taken to correct that instance and prevent any future occurrence. Incidents are addressed immediately.|
|Incident management type||Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402|
|Incident management approach||
Atlantic Data's disaster recovery plan and business continuity plans define the processes necessary for the effective restoration/recovery of critical functions. The plans detail strategies for business recovery, plans in the event of communication failure, testing, key employee contact lists, and vendors' emergency contacts. The RTO for IT infrastructure, data and client support is 24 hours.
A back-up site is isolated from Atlantic Data's primary location on a TIER 4 datacentre with the same level of security controls and resilience as the primary. The DR site is a mirror of the production set up and capable of the shortest of RPO.
|Approach to secure software development best practice||Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)|
Public sector networks
|Connection to public sector networks||Yes|
|Other public sector networks||The Disclosure and Barring Service's e-Bulk network|
|Price||£6.80 per transaction|
|Discount for educational organisations||No|
|Free trial available||No|