GDPR bitesize: Criminal convictions data

United Kingdom

Many employers routinely vet prospective staff for any criminal history, either by checks conducted through the Disclosure and Barring Service or by asking an individual to disclose information relating to criminal convictions and offences directly. This practice continues to be challenged by social justice charities such as Nacro and Unlock and the campaign Ban the box, on the basis that it not only breaches data protection principles but also penalises those from disadvantaged backgrounds. The Information Commissioner’s Office (“ICO”) recently worked closely with Unlock on its guidance for employers on data protection and criminal records data. This highlights the difficulties that many employers will have in justifying obtaining criminal records information. It also includes a critique of real-life examples of employers’ practices which do not comply with data protection requirements.

The emphasis on demonstrating compliance, combined with the significantly higher penalties for breach under the GDPR, means that an employer should be ready to justify why obtaining criminal records information is necessary to its recruitment decision and ongoing employment relationship rather than simply being desirable.

If an employer is required by law to carry out a criminal record check, for example, where an individual is to work with children or vulnerable adults, then the lawful basis for processing will be that it is necessary for compliance with a legal obligation.  Where there is no specific legal requirement to check an individual’s background, but an employer nevertheless wishes to do so, it will need to identify another legal basis.  This could be that gathering such information is necessary for the purposes of the employer’s legitimate interests, but this would be subject to a “legitimate interests assessment” under which it would need to demonstrate that its interests in obtaining and otherwise processing such personal data are not overridden by the rights and freedoms of the individual.

An employer will also need to demonstrate that a relevant DPA condition on processing criminal records information is satisfied. Broadly, given concerns around the validity of consent in an employer/employee relationship, the conditions most relevant to processing criminal records information in an employment context are:

  • where it is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on an employer or the individual; or
  • the “substantial public interest” conditions.  These are complex, however, with an employer having to satisfy a number of different requirements before being able to rely safely on them.  Until more guidance is available from the ICO, our view is that these are likely only to apply in very specific circumstances.

In addition to the above, relevant information around criminal records processing will need to be given to an individual by way of a data privacy notice, and an employer should also have in place appropriate policies setting out how it complies with the data protection principles and requirements relating to retention and destruction of personal data. Criminal records information should be obtained only in relation to the successful candidate, with an opportunity being given to them to explain any criminal history that checks reveal. An employer should subsequently retain a record only of whether or not the results of any checks were satisfactory and ensure this is destroyed in line with its retention policies.