DBS digital identity verification guidance
Updated 26 June 2025
This guidance sets out how Registered Bodies (RBs) and Responsible Organisations (ROs) can use digital identity verification as part of an application for a DBS check.
A glossary can be found at the end of this guidance document.
Introduction
1.a. This guidance sets out how RBs and ROs can meet their obligations under the DBS Code of Practice (for RBs), and under the Basic check processing standards (for ROs), when an RB or RO uses a digital verification service (DVS) to meet DBS identity verification requirements.
1.b. A digital identity provided by a digital verification service certified against the trust framework and the DBS supplementary code is equivalent to an identity verified using:
- ID checking guidelines for Standard/Enhanced DBS check applications from 22 April 2025 - GOV.UK
- Basic check ID checking guidelines from 22 April 2025 - GOV.UK
1.c. This guidance sets out how to obtain a digital identity verification to prove and verify a person’s identity for processing Basic DBS checks and Standard, Enhanced, or Enhanced with Barred Lists DBS checks. These are the DBS’ identity verification criteria.
1.d. The 2015 update to the code of practice recognises the role of RBs in identity verification and the associated guidance published on GOV.UK. The code of practice states:
“Identity verification - Registered Bodies must:
- verify the identity of the applicant prior to the submission of an application for a DBS product by following the current guidelines issued by DBS
- ensure that any person undertaking identity verification checks on their behalf follows the current guidelines issued by DBS
- make sure Lead or Countersignatories do not validate their own applications for any DBS products”
1.e. The Basic check processing standards recognises the role of ROs in identity verification and the associated guidance published on GOV.UK. The processing standards state:
“Identity verification - Responsible Organisations must:
- verify the identity of the applicant prior to the submission of an application for a basic check by following the current guidelines issued by DBS.
- ensure that any person undertaking identity verification checks on their behalf follows the current guidelines issued by DBS.”
1.f. This guidance makes extensive reference to the UK digital identity and attributes trust framework (the ‘trust framework’) published by the Office for Digital Identities and Attributes (‘OfDIA’), part of the Department for Science, Innovation and Technology (‘DSIT’). The trust framework is a set of rules and standards that show what good digital verification services look like.
1.g. A DVS can be certified against an additional set of rules published by OfDIA known as the supplementary code for Disclosure and Barring Service digital identity checks (‘the supplementary code’) to help demonstrate they meet the DBS identity verification criteria.
1.h. RBs and ROs must use a DVS certified against a current publication of both the trust framework and the supplementary code, and follow all other rules in this guidance, to be considered compliant with the DBS identity verification criteria. A list of digital verification services certified against the trust framework and the supplementary code is available on GOV.UK.
2. Working with a DVS
2.1 Risk assessment
2.1.a This guidance does not replace the RBs’ and ROs’ responsibility to carry out a risk assessment for every transaction. The RB or RO remains liable for undertaking its own due diligence. The identity verification process forms a part of the risk assessment. The use of a certified DVS can simplify the risk assessment process. The risk assessment must identify the level of confidence required (see section 3).
2.1.b An RB or RO can show it has met its obligations in respect of identity verification by using a DVS certified against the trust framework and the supplementary code and demonstrating that it has fulfilled any responsibilities it retains as specified in this guidance.
2.1.c RBs and ROs must ensure the identity has been verified in accordance with the DBS digital identity verification guidance at the time the identity is asserted.
2.2 Trusting a DVS
2.2.a The DBS code of practice and Basic check processing standards support the use of third-party identity providers for identity verification, enabling RBs and ROs to delegate the activity to suitable third parties. RBs and ROs can do this by working only with DVS providers who are certified against a current version of the trust framework and of the supplementary code. This guidance explains any additional responsibilities RBs and ROs still retain.
2.2.b RBs and ROs must be sure that an identity has been verified in accordance with the trust framework, the supplementary code and this guidance at the time the identity is asserted.
2.3 Certification and audit
2.3.a RBs and ROs must use a DVS certified by an approved conformity assessment body (or ‘CAB’) against a current publication of both the trust framework and the supplementary code to conduct digital identity verification as part of their processing of DBS applications. If RBs or ROs undertake digital identity verification using their own processes, they must themselves be so certified.
2.3.b A list of digital verification services certified against the trust framework and the supplementary code is available on GOV.UK.
3. Verifying identities
3.a RBs and ROs must only use DVS certified against the trust framework and the supplementary code as part of DBS checks. The process that a DVS follows may depend on what type of DBS check the identity verification relates to, whether the service is reusable, and whether the RB or RO asks the DVS to verify additional attributes on their behalf, for example to verify address information.
3.1 Levels of confidence
3.1.a There are different methods you can use to prove and verify someone’s identity. Government guidance on proving and verifying someone’s identity is set out in Good Practice Guide 45 (GPG 45). This breaks the process down into 5 steps, describes a way to score each element and provides combinations of scores known as identity profiles. A profile can help achieve four different levels of confidence: low, medium, high or very high.
3.1.b Medium is the minimum level of confidence required for a Basic DBS check. RBs and ROs may choose to verify individuals’ identity to a higher level of confidence.
3.1.c High is the minimum level of confidence required for a Standard, Enhanced, and Enhanced with Barred Lists DBS check.
3.2. Reusable services
3.2.a Your chosen DVS may allow the user to hold and repeatedly assert attributes (information about themselves).
3.2.b To be used as part of a DBS identity check, a holder service must be certified against the rules for holder service providers (HSPs) set out in the trust framework and in the supplementary code.
3.2.c It is recommended that one of the authentication factors used for accessing a holder service is biometric information, as described in guidance on using authenticators to protect an online service.
3.3 Data collection
3.3.a RBs and ROs retain the responsibility to ensure they obtain data from DVS following a digital identity check. See section 5 for further detail on RBs’ and ROs’ responsibilities for data collection.
3.3.b RBs and ROs may decide to ask the DVS to provide more data than they are required to provide according to the supplementary code. If so, it is the RB or RO’s responsibility to ensure the DVS provides this information in line with wider DBS application and identity checking rules and in compliance with wider legislative or regulatory requirements.
3.4 Right to work
3.4.a A DBS check does not provide evidence of a person’s right to work in the UK. You must do a separate check to make sure a job applicant is allowed to work in the UK; this also applies to voluntary roles. Certain DVS may also be used to undertake right to work checks, and many DVS providers are certified against the supplementary code for digital right to work checks for this purpose.
4. Data collection and retention
4.a RBs and ROs retain the responsibility to ensure they obtain data from a DVS about the user following a digital identity check. RBs and ROs will need to check this data against the completed application form to make sure the form is completed accurately with all current identity information.
4.b RBs and ROs will also need to obtain additional information in order to complete the application form.
4.1 Name verification and previous names
4.1.a The applicant’s identity must be verified against the claimed identity’s current ‘official name’. The ‘official name’ must be used for the DBS check and is the name on official documents the applicant may have, such as their passport.
4.1.b RBs and ROs must also ask applicants to declare all previous name changes.
4.1.c Failure to declare all previous names can result in delays caused by conflicted applications that may be withdrawn.
4.2 Current address and five-year address history
4.2.a The applicant’s current address must be verified either as part of the digital identity verification provided by the DVS, or within 90 days of the digital identity verification by providing documentary evidence to the RB or RO from the list of documents set out in the following DBS identity guidelines (dependent on the level of DBS check being requested):
- ID checking guidelines for Standard/Enhanced DBS check applications from 22 April 2025 - GOV.UK
- Basic check ID checking guidelines from 22 April 2025 - GOV.UK
4.2.b The permanent address will be the applicant’s correspondence address and where DBS will send the DBS certificate. Further guidance on addresses can be found in the unusual addresses guide. If the applicant’s current address is verified by the RB or RO using documentary evidence as set out in the DBS Identity Guidelines, then a record should be retained by the RB or RO for DBS audit purposes (specifying evidence checked by, date of check and the documents used).
4.2.c For DBS checks, the applicant must also declare a minimum of 5 years’ address history to the RB or RO. The applicant must make sure they fill in the address part of the form correctly if they have an unusual address, for example if they live abroad, in student accommodation, or in a hostel.
4.2.d Failure to provide a 5 year address history can result in delays caused by conflicted applications that may be withdrawn.
4.3 Data which must be obtained from the DVS
4.3.a For each identity verified by the DVS, the RB or RO must obtain the data in table 1 from the DVS.
Field name | Mandatory / Optional | Sent to DBS |
---|---|---|
Forename | Mandatory | Y |
Middle names | Mandatory if applicable | Y |
Present Surname | Mandatory | Y |
Date Of Birth | Mandatory | Y |
Current Address Verified (Y/N) | Mandatory | N |
Current Address | Mandatory if sourced from DVS | Y |
Date of address check | Mandatory if sourced from the DVS. | N |
Identity Verified (Y/N) | Mandatory | Y |
Evidence Checked By | Mandatory. This must be the DVS’ name as it appears on their trust framework certificate. | Y |
Passport Details | Mandatory if sourced from DVS | Y |
Driving Licence Details | Mandatory if sourced from DVS | Y |
GPG45 profile | Mandatory. This must be the identity profile according to which the identity was created. | N |
GPG44 level | Mandatory if an HSP conducted the DBS identity check | N |
Subject ID | Mandatory | N |
4.4 Additional data to be collected or obtained
4.4.a RBs and ROs retain their responsibility to make sure applications for DBS products are completed accurately and fully as set out in the DBS Code of Practice and Basic Check Processing Standard.
4.4.b e-Bulk enabled RBs and ROs submitting data to DBS will continue to meet the requirements set out in the Business Message Specification (BMS) e-Bulk Interface, which can be found on the E-bulk technical documents GOV.UK page.
4.4.c e-Bulk enabled RBs and ROs could consider asking DVS to provide any data they have obtained to meet the BMS requirements, so they do not have to do this themselves before sending to DBS.
4.4.d RBs and ROs submitting Basic Disclosure will continue to meet the requirements set out in the Web Service specification (WSS), INT022 Submit Disclosure Application.
4.5 Data retention
4.5.a The RB or RO must maintain an audit trail showing details of each application submitted, including the data from the DVS, which must be kept for a minimum of 2 years and made available to the DBS if requested.
5. Illustrative examples
5.1 Working with a DVS providing a one-time service (an Identity Service provider)
An RO that manages Basic DBS checks has chosen to employ the services of a DVS to digitise the identity checking for the DBS check applications it processes.
To meet the requirements set out in this guidance, the RO chooses a DVS that is certified against the trust framework and the DBS supplementary code. The RO integrates the DVS with its application portal, so applicants are directed during their application to prove their identity with the DVS.
The DVS has been certified to conduct an identity check to achieve a medium level of confidence.
When an applicant successfully uses the DVS to prove their identity as part of the RO application process, the RO receives an output report which provides all of the information specified in section 4.3 above.
The RO retains the DVS output report in compliance with section 4.5 above.
5.2 Working with a DVS offering a reusable service (a Holder Service Provider)
An RB that manages Standard and Enhanced DBS checks would like to enable its applicants to prove their identity using digital identities that were created prior to the DBS application being submitted.
To meet the requirements set out in this guidance, the RB chooses to work with a DVS that is certified against the trust framework and the DBS supplementary code.
Because it wants to enable the use of digital identities that were created prior to the DBS check being undertaken, the RB ensures that its chosen digital verification service (DVS) has been certified against the trust framework and DBS supplementary code to perform the role of HSP. And because the RB conducts Standard and Enhanced checks, they will ensure that the DVS only provides identities that were created to a level of confidence of high or very high.
When an applicant successfully uses the DVS to prove their identity as part of the RB application process, the RB receives an output report which provides all of the information specified in section 4.3 above.
The RB retains the DVS output report in compliance with section 4.5 above.
5.3 RB or RO operating as a DVS
An RB which manages Standard and Enhanced DBS checks has chosen to build its own digital identity service to digitise the identity checking for the DBS check applications it processes.
To meet this guidance, the RB will need to undergo certification against the trust framework and the DBS supplementary code.
As it will be acting as the DVS and RB, the RB will need to collect and retain the data specified in section 4.
Glossary
You can refer to the ‘glossary of terms and definitions’ in a current version of the trust framework for definitions of technical terms relating to digital identity.
Disclosure and Barring Service
The Disclosure and Barring Service (DBS) delivers disclosure and barring functions on behalf of government. This includes DBS checks for England, Wales, Jersey, Guernsey, and the Isle of Man, and barring functions for England, Wales, and Northern Ireland. More information about DBS and how we work to make recruitment safer can be found on the DBS website.
Enhanced DBS check/certificate
An Enhanced DBS certificate is a DBS product that shows spent and unspent convictions, cautions plus any information held by local police that is considered relevant to the role being applied for.
Enhanced with Barred Lists DBS check/certificate
An Enhanced with Barred Lists DBS certificate is a DBS product that shows the same as an Enhanced DBS certificate, alongside whether the applicant is on the Adults’ Barred List, Children’s Barred List, or both.
Registered Body
A Registered Body (RB) is an organisation registered with DBS to submit Standard, Enhanced, and Enhanced with Barred Lists DBS checks.
Responsible Organisation
A Responsible Organisation (RO) is an organisation or person registered with DBS to submit Basic DBS checks.
Standard DBS check/certificate
A Standard DBS certificate is a product of DBS that shows spent and unspent convictions, cautions.