1. Table of contents

Secure handling, use, storage, retention and destruction of disclosure information


The Code of Practice ("the Code") is published by Scottish Ministers under section 122 of Part V of The Police Act 1997 (“the 1997 Act”). The Code sets out obligations for registered bodies, counter signatories and other recipients of disclosure information issued under the 1997 Act and the Protection of Vulnerable Groups (Scotland) Act 2007 (“the 2007 Act”).

General Principles

We comply with the Code and the 1997 and 2007 Acts regarding the handling, holding, storage, destruction and retention of disclosure information provided by Disclosure Scotland. We comply with Data Protection Legislation as defined by the Data Protection Act 2018 We will provide a copy of this policy to anyone who requests to see it.


We will use disclosure information only for the purpose for which it was requested and provided. Disclosure information will not be used or disclosed in a manner incompatible with that purpose. We will not share disclosure information with a third party unless the subject has given their written consent and has been made aware of the purpose of the sharing.


We recognise that, under section 1241 of the 1997 Act and sections 66 and 67 of the 2007 Act, it is a criminal offence to disclose disclosure information to any unauthorised person. Disclosure information is only shared with those authorised to see it in the course of their duties. We will not disclose information provided under subsection 113B(5)2 of the 1997 Act, namely information which is not included in the certificate, to the subject.

Access and Storage

We do not keep disclosure information on an individual's personnel file. It is kept securely, in lockable, non-portable storage containers. Access to storage units is strictly controlled and is limited to authorised named individuals, who are entitled to see such information in the course of their duties. We keep membership and certificate numbers on electronic personal files.


To comply with Data Protection Legislation, we do not keep disclosure information for longer than necessary. For the 1997 Act, this will be the date the relevant decision has been taken, allowing for the resolution of any disputes or complaints. For the 2007 Act, this will be the date an individual ceases to do regulated work for this organisation. We will not retain any paper or electronic image of the disclosure information. We will, however, record the date of issue, the individual's name, the disclosure type and the purpose for which it was requested, the unique reference number of the disclosure and details of our decision. The same conditions relating to secure storage and access apply irrespective of the period of retention.


We will ensure that disclosure information is destroyed in a secure manner i.e. by shredding, pulping or burning. We will ensure that disclosure information which is awaiting destruction will not be kept in any insecure receptacle (such as a waste bin or unlocked desk/cabinet).

The Serious Organised Crime and Police Act 2005 (“the 2005 Act”) schedule 14, paragraph 12 amended section 124

2 Subsection 163(2) of the 2005 Act inserted subsection 113B into the 1997 Act. *Subsection 113B(5) of the 2005 Act replaces subsection 115(8) of the 1997 Act.*