Criminal Records Checks and data protection law

Criminal Records Checks In Employment Contexts: Old And New Obligations Under Data Protection Law

Access and evaluation of the criminal history and records of individuals can provide valuable information about their characteristics, attitudes and suitability for a particular position. It can be employed as an assessment tool and a preventive measure to protect the company, colleagues, clients and society at large from antisocial and unlawful behaviours. Nonetheless, criminal records checks can be significantly intrusive, excessive and disproportionate depending on the position and application phase. In this article, we discuss the employers’ common practice to request personal information about criminal records and activities from their current and potential employees. Our approach is from a data protection perspective – not from an anti-discriminatory point of view – and analyses under which conditions an employer could ask an employee or applicant to provide their criminal records.

Under the old UK Data Protection Act 1998 (DPA98), personal information about the commission or alleged commission of any offence and any relevant proceedings fell under the category of sensitive data. As Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR) replaced the old DPA98 and replaced the term ‘sensitive data’ with the new ‘special categories of personal data’ (Article 9 GDPR), criminal convictions and offences were given their own regime, fully autonomous from the Article 9 regime.

According to Article 10 GDPR ‘processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.’ This means that data controllers, such as employers and recruiters, could conduct criminal records checks only if they identify, justify and document a lawful basis under Article 6 (simple data) and apply the required safeguards under national law.

Therefore, although personal data relating to criminal convictions and offences (criminal data) is not treated as sensitive data under the new legislation, it enjoys a second layer of safeguards and restrictions, which will be presented in this article. Additionally, this data category is broader than the previous one since it also includes related security measures.

National law provisions

The focus of this article is on the UK legislation and it also provides some insights from the Irish legislation. As far as the UK is concerned, regarding spent convictions, individuals are not required to disclose information about convictions that have lapsed unless otherwise provided under the Rehabilitation of Offenders Act 1974 (ROA). This means that employers should not take into consideration spent convictions and request relevant personal information in the first place. On the contrary, regarding unspent convictions, employers could check criminal records only for particular positions. For roles covered by the ROA, an employer can carry out a basic criminal record check. A basic certificate can only be applied for by the individual concerned. If the data processing is not relevant to the provided positions under the above Act, then individuals could share their personal information only on a voluntary basis. Individuals could also agree to basic checks or provide the employers with their consent to obtain it on their behalf through a responsible organisation.

For roles exempt from the ROA, an employer could carry out a standard or enhanced criminal record check. The Disclosure and Barring Service (DBS) is responsible for issuing official criminal record checks. Organisations based in Northern Ireland can obtain a disclosure from Access NI and organisations in Scotland can obtain a disclosure from Disclosure Scotland.

Criminal Records Checks and data protection law, national law provisions

Identifying the appropriate lawful basis

The new Data Protection Act 2018 (DPA18) repealed the Data Protection Act 1998 and complements the GDPR. Section 184(6) DPA18 adopts a broad definition of the notion of ‘employment’, encompassing paid employment, voluntary placements and relevant training.

As mentioned above, there is a cumulative requirement for lawfully processing criminal data, i.e. establishing a lawful ground under Article 6 GDPR and applying the national safeguards. With regard to Article 6, data controllers could consider the individuals’ consent and vital interests, contractual basis, legal obligation, legitimate interests, and public task as potentially applicable lawful grounds for processing. Organisations should contact their Data Protection Officers for an ad hoc assessment.

Regarding national safeguards, the DPA18 requires adherence to stringent measures and safeguards for processing criminal data for employment purposes. Indeed, according to section 10(5) DPA18, the processing of personal data relating to criminal convictions and offences or related security measures that is not carried out under the control of official authority is permitted provided that this processing meets a condition in Part 1, 2 or 3 of Schedule 1 of the same Act. In practice, criminal data could be processed for employment purposes under one or more of the following conditions:

Part 1. The data processing is‘necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment.’ In this case, data controllers should conduct a well-grounded necessity test and produce an appropriate policy in place, which should include all the necessary information about this processing.

Part 2. Substantial public interest. Criminal data could be processed for employment reasons if the data controller proves that there is a substantial public interest, as exhaustively specified in Part 2 of Schedule 1 DPA18. For example, this could be the case of using personal information for preventing or detecting unlawful acts and Protecting the public against dishonesty. The requirement for a policy document also applies in this case.

Part 3. Additional conditions. According to Part 3 of Schedule 1 DPA18, criminal data could be processed for employment purposes if:

  1. The employee has consented to this processing. We would discourage data controllers from relying on consent. Consent is not the silver bullet among the provided lawful grounds and it is highly questioned in the employment context. Under the GDPR, it is clearly provided that consent must be freely given, specific, informed and unambiguous. Consent should be also freely withdrawn. Even during the stage of application, interviews and recruitment, applicants are not entirely free to provide, deny or revoke their consent, which could affect the progress of their application and success.
  2. The processing is necessary to protect the vital interests of an individual and the employee cannot physically or legally give consent.
  3. The processing is carried out with appropriate safeguards in the course of the legitimate activities of a foundation, association or another not-for-profit body which has a political, philosophical, religious or trade union aim.
  4. The processing relates to personal data which has been manifestly made public by the employee. This is a very interesting situation where the data controller obtains access to public information about the criminal records of the employee. For example, articles and news reports can reveal such information. Nonetheless, employers should be circumspect about using this information since it is not often the case that this information is manifestly made public by the data subject. Moreover, employers should take into account that this information may be neither accurate nor updated.
  5. The processing is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings), is necessary for the purpose of obtaining legal advice or is otherwise necessary for the purposes of establishing, exercising or defending legal rights.

For the sake of completeness, it is worth mentioning that similar provisions apply under the Irish legislation. Due to space constraints, it suffices to say that information on spent convictions should not be requested as provided under the Criminal Justice (Spent Convictions and Certain Disclosures) Act 2016 and Children Act 2001 for offences committed by minors, except in certain circumstances. This is the case of people working with children or vulnerable adults. The National Vetting Bureau (Children and Vulnerable Persons) Acts 2012-2016 provide that it is obligatory to be vetted by the Garda Síochána National Vetting Bureau.

The main provision under the Irish Data Protection Act 2018 is section 55, according to which ‘without prejudice to the Criminal Justice (Spent Convictions and Certain Disclosures) Act 2016 and subject to compliance with Article 6(1) and to suitable and specific measures being taken to safeguard the fundamental rights and freedoms of the data subject, personal data referred to in Article 10 may be processed when:

(i) the data subject has given explicit consent to the processing for one or more specified purposes except where the law of the European Union or the law of the State prohibits such processing,

(ii) processing is necessary and proportionate for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract,

(iii) processing is:

(I) necessary for the purpose of providing or obtaining legal advice or for the purposes of, or in connection with, legal claims, prospective legal claims, legal proceedings or prospective legal proceedings, or

(II) otherwise necessary for the purposes of establishing, exercising or defending legal rights,

(iv) processing is necessary to prevent injury or other damage to the data subject or another person or loss in respect of, or damage to, property or otherwise to protect the vital interests of the data subject or another person, or

(v) processing is permitted in regulations made under subsection (3) or is otherwise authorised by the law of the State.’

Additional obligations

Organisations should take into consideration that conducting criminal records checks is a high-risk activity and further data protection obligations arise under the GDPR. For example, under Article 37(c) GDPR the controller and the processor are obliged to designate a Data Protection Officer (DPO) and to perform a data protection impact assessment (DPIA) pursuant to article 35(3)(b) GDPR. Organisations should also consult their DPOs regarding the prohibitions on automated individual decision-making ex Article 22 GDPR.

Practical implications and advice

What can be concluded is that carrying out criminal records checks is a complex task and organisations should request assistance from data protection experts. Indeed, in addition to establishing and recording the appropriate lawful ground, it is necessary that any data processing is compliant with the sectoral and national legislation and with data protection law at large. For example, the DPA18 requires data controllers to produce a policy document. Organisations should request the assistance and involvement of their DPOs to ensure compliance with this legal requirement.

Furthermore, conducting criminal records checks can be challenged for being excessive and disproportionate. As the employment practices code issued by the Information Commissioner’s Office notes, employers can request information about an applicant’s criminal convictions only if this information is necessary, relevant and minimal. In this context, this request should be timely and relevant. For example, we would not advise data controllers to request such information in a very preliminary stage, such as in the job application, or even in all short-listed candidates. Similarly, ‘blank’ and routine criminal records checks should be avoided. There must be a concrete and demonstratable reason for asking this information.

Moreover, organisations should update their policies regarding criminal records checks in line with the DPA18 and anticipate any guidance by the ICO. This article also aims to highlight the need for clear, concise, comprehensible and user-friendly privacy notices, where the processing of criminal data is explained in an understandable fashion and all the necessary information is provided to the data subjects. This information should be provided at the time the information is collected. The GDPR provides for the necessary elements of this information and the way this information should be communicated to the individuals in accordance with Articles 12-14, including information on the purpose and lawful basis of the data processing, retention periods, and data subject rights.

Finally, as recruiting and human resources teams engage various stakeholders, it is vital that organisations make sure that access to criminal data is highly restricted to protect data confidentiality and prevent any adverse effects on data subjects.

For more information visit Trilateral Data Protection Officer page and contact our team:

Adam Panagiotopoulos , Data Protection Advisor at Trilateral Research

Adam Panagiotopoulos
Tags: