ASK MAT – In Jersey, what JFSC-compliant employee checks should be used? Subject Access Request (SAR), Police Certificate, and DBS Checks?

ASK MAT – In Jersey, what JFSC-compliant employee checks should be used? Subject Access Request (SAR), Police Certificate, and DBS Checks?.

MAT SAYS

• JFSC-supervised firms must begin carrying out DBS (criminal record certificate) checks from 31 May 2026, based entirely on official JFSC AML/CTF/CPF Handbook requirements and MONEYVAL/FATF requirements.
• For employee vetting, EMPLOYERS MUST NOT ask for: Subject Access Requests (SARs) or Police Certificates (ACRO)

UNDERSTAND WHY

• To understand how we have arrived here, I have provided a brief update below.
• Also, below I have added a template [draft] HR Policy Clause — Criminal Records Vetting (Jersey)

WHY JFSC FIRMS MUST DO DBS CHECKS FROM 31 MAY 2026

• The JFSC formally deferred the implementation date for the new AML/CFT/CPF Handbook (which includes mandatory enhanced criminal background check requirements) to 31 May 2026.
• This new Handbook introduces criminal record certificate requirements (DBS or foreign equivalent) for Principal Persons (PPs) and Key Persons (KPs) of all supervised persons.

THE JFSC IS STRENGTHENING THE “FIT AND PROPER” TEST FOLLOWING MONEYVAL’S FINDINGS

• In 2022, MONEYVAL found that Jersey firms relied too heavily on self-declarations and occasional database checks rather than obtaining criminal record certificates, creating a vulnerability in screening beneficial owners, controllers, and key function holders.
• The JFSC’s presentation makes this explicit:
• MONEYVAL stated that relying only on self-declarations and database checks is a vulnerability.
• Recommendation: Enhance criminal background checks at market entry and when roles change.
• Therefore, the JFSC introduced new rules to close this weakness and align with FATF standards.
• To create consistency across all sectors and firms
• The JFSC states that one aim of the new regime is to ensure:
• “a more consistent approach across all firms and sectors as to the systems they have in place to check the criminal history of PPs/KPs.”  
• Historically, some sectors performed background checks; others did not. The new regime standardises this.

PROPORTIONATE, RISK-BASED BUT MANDATORY CHECKS

• The JFSC’s new requirements are designed to be:
• Proportionate
• Cost-efficient
• Not harmful to Jersey’s competitiveness  
• Thus, the JFSC adopted:
• Basic DBS as the standard level (or foreign equivalent)
• No longer requiring a blanket 3-year refresh cycle (industry feedback)
• Requirement that firms regularly assess whether PPs/KPs remain fit and proper on a risk-based basis  
• From 31 May 2026, the rules will come into force for appointments and trigger events. From the effective date:

• New PP/KP appointments:
  DBS checks become mandatory immediately for all new applications, role changes, and specific trigger events.
• Existing PP/KP population:

Summary in Plain English

1. JFSC-supervised firms must carry out DBS checks from 31 May 2026 because:
1. The updated AML/CFT/CPF Handbook comes into force on that date.
2. MONEYVAL found Jersey’s old approach (self-declarations) insufficient.
3. The JFSC must meet FATF expectations for screening senior individuals.
4. The new rules ensure consistent, risk-based vetting across all sectors.
5. DBS checks become mandatory for all new PP/KP appointments from that date.
6. Firms must demonstrate reasonable steps that existing PPs/KPs remain fit and proper.

When conducting pre-employment or ongoing employment vetting in Jersey, employers

• Must not ask for: Subject Access Requests (SARs) or Police Certificates (ACRO)
• Must only undertake a basic Disclosure (Disclosure and Protection Scotland) OR  DBS Checks (UK) — only for exempt roles

Subject Access Requests (SARs)

1. Employers cannot ask a candidate or employee to obtain a SAR from the police as part of recruitment, screening, or ongoing vetting.
2. This is expressly prohibited:
1. It is called an “enforced subject access request.”
2. It is illegal under the Data Protection (Jersey) Law 2018.
3. A SAR reveals all police‑held information, including Parish Hall sanctions, which employers are not entitled to see except under very specific legal frameworks.

 Police Certificates (ACRO)

1. Police Certificates (used for visas, emigration, and residency overseas) are not intended for employment vetting and must not be used as a substitute for criminal record checks in Jersey.
2. Police Certificates are for:
1. Visa applications
2. Emigration
3. Citizenship/residency abroad
3. They are not an employment vetting tool, and there is no lawful framework in Jersey that allows employers to require one.

What employers can legally use in Jersey

1. Basic Disclosure (Disclosure and Protection Scotland)
   1. Employers may request that a candidate obtain a Basic Disclosure Certificate showing unspent convictions only.
2. DBS Checks (UK) — only for exempt roles
   1. For roles listed under the Rehabilitation of Offenders (Exceptions) (Jersey) Regulations 2002, employers may request:
3. Standard DBS (spent + unspent convictions)
4. Enhanced DBS (includes standard plus relevant police intelligence for children/vulnerable adult roles)
   1. These apply mainly to:
5. Financial services roles excluded from ROO
6. Regulated professions

• Roles with children or vulnerable adults

Comparison Table: SAR vs Police Certificate vs DBS

Below is a side-by-side comparison table of the three key police-related disclosure types relevant to Jersey: Subject Access Request (SAR), Police Certificate, and DBS Checks.

HR Policy Clause — Criminal Records Vetting (Jersey)

1. Purpose
   To set a lawful, fair, and consistent approach to criminal records vetting for roles within our Jersey operations, in line with the Data Protection (Jersey) Law 2018, the Rehabilitation of Offenders regime, and official guidance on police disclosures.
2. Scope
   This policy applies to all candidates and employees for Jersey roles, including permanent, fixed-term, temporary, and agency staff.
3. Principles
   1. No Enforced Subject Access (SARs): We must not require a candidate or employee to obtain a Subject Access Request (SAR) from the police for employment vetting. Enforced SARs are illegal under the Data Protection (Jersey) Law 2018.
   2. Police Certificates Not for Employment: We do not request Police Certificates (ACRO) for employment vetting; these are intended for visa/emigration purposes, not recruitment.
   3. Use the Minimum Lawful Check:
      • For most roles, we request a Basic Disclosure (Disclosure and Protection Scotland), which shows unspent convictions only.
      • For roles exempt under Jersey’s Rehabilitation of Offenders (Exceptions) regulations, we may request Standard or Enhanced DBS checks via a registered body, in line with role-specific eligibility.
   4. Data Protection & Proportionality: Any vetting must be necessary, proportionate, and relevant to the role, and processed in accordance with the Data Protection (Jersey) Law 2018 (lawfulness, fairness, transparency, data minimisation, storage limitation, and security).  
   5. Transparency: Candidates will be informed in advance about the level of check, the legal basis, and how results will be used and retained.  
4. Process
   1. Role assessment: Hiring managers classify the role (Non-exempt vs. Exempt) before advertising. HR confirms the lawful check level.
   2. Candidate notice & consent: Provide vetting information and obtain consent where appropriate, ensuring no SAR/Police Certificate is requested.  
   3.  Collection:
      • Basic Disclosure: Candidate applies via Disclosure and Shares the certificate with HR.
      • DBS (Standard/Enhanced): Initiated through a registered body for eligible exempt roles only.
   4. Assessment & Decisions: Consider only information relevant to the role; document the rationale.
   5. Retention: Keep results only as long as necessary for the hiring decision, then securely delete in line with retention schedules.
5. Prohibited Practices
   • Requiring or accepting SARs as part of recruitment or employment vetting.
   • Requiring Police Certificates for employment purposes.
6. Escalation
   Questions on eligibility or data protection must be escalated to HR Compliance or the Data Protection Officer.

Notes

• SARs are never acceptable for employment vetting (illegal enforced access).
• Police Certificates (ACRO) are for visas/emigration, not recruitment.  
• Apply data minimisation and purpose limitation under the Data Protection (Jersey) Law 2018 throughout.

Sources

Government of Jersey — Personal Criminal Records Checks (SAR vs DBS, Basic Disclosure, no enforced SARs)

Official page: Government of Jersey — Personal criminal records checks
https://www.gov.je/crimejustice/criminalrecordschecks/pages/personalcriminalchecks.aspx [gov.je]

This page covers:

• What a Subject Access Request (SAR) includes.
• Explanation that enforced SARs are illegal under DPJL 2018.
• When employers can require Basic Disclosure (Disclosure and Protection Scotland).
• When a role is exempt and may require DBS levels (Standard/Enhanced).

Additional general page:

• Criminal records checks (overview)
  https://www.gov.je/CrimeJustice/CriminalRecordsChecks/Pages/index.aspx [gov.je]

States of Jersey Police — Personal Information Access & Police Disclosure Routes

States of Jersey Police — Personal information access

• https://www.jersey.police.je/s/accessing-information/personal-information-access

Covers: [jersey.police.je]

• SAR (local systems + PNC via ACRO).
• Basic Police Disclosure.
• DBS information (for organisations only).
• Police Certificates (for visas/emigration).

States of Jersey Police — Accessing information hub

• https://www.jersey.police.je/s/accessing-information

Provides: [jersey.police.je]

• FOI
• Data protection info
• Child protection disclosure routes
• SAR rights

GOV.UK / ACRO — Police Certificates for Visas & Emigration (Not for Employment Vetting)

ACRO — Police Certificates (Official)

• https://acro.police.uk/s/acro-services/police-certificates

Key details: Police Certificates are for visas, emigration, residency abroad and cannot be used for UK/Channel Islands employment. [acro.police.uk]

GOV.UK — Get a copy of your police records (SAR information)

• https://www.gov.uk/copy-of-police-records [gov.uk]

Police Certificates — Police.uk explanation

• https://www.police.uk/advice/advice-and-information/p-c/police-certificates/ [police.uk]

PSNI — Emigration and Visa Disclosures (reiterates ACRO’s role for visa/emigration certificates)

• https://www.psni.police.uk/request/information-about-yourself/emigration-and-visa-disclosures [psni.police.uk]

Data Protection (Jersey) Law 2018 — Duties, Principles & Rights

Official consolidated law — DPJL 2018

• https://www.jerseylaw.je/laws/current/PDFs/L_3_2018.pdf [jerseylaw.je]

Jersey Office of the Information Commissioner (JOIC) — Duties of a Data Controller

• https://jerseyoic.org/guidance/data-protection/data-controller-processor-duties/your-duties-and-responsibilities-as-a-data-controller [jerseyoic.org]

Government of Jersey — Data Protection laws overview

• https://www.gov.je/Government/dataprotection/pages/dataprotectionlaws.aspx [gov.je]

JOIC Guidance — Duties of Data Controllers (PDF)

• https://www.jerseybusiness.je/media/dogobaea/joic-06a-duties-of-data-controllers_5.pdf [jerseybusiness.je]

Sources –

• [jerseyfsc.org]
• [jcoa.co.uk]= JFSC SLIDE PACK
• [comsuregroup.com]
• [gov.je]
• [jersey.police.je]