Criminal record checks and the GDPR
We have had a number of clients ask whether the General Data Protection Regulation (GDPR) prohibits them from undertaking routine criminal record checks on their staff.
This is because the GDPR, which came into force on 25 May 2018, contains a general prohibition on processing personal data relating to criminal convictions and offences or “related security measures” except under the control of “official authority” or where the processing is authorised by EU law or the law of an EU Member State providing appropriate safeguards for individuals (Article 10). In this context, “official authority” refers to an organisation performing public functions and exercising powers that have been established by law.
So where does Article 10 of the GDPR leave employers that do not have official authority?
Can you undertake a criminal record check in the first place?
First, it is important to note that the GDPR does not regulate an employer’s ability to carry out criminal record checks per se, but rather an employer’s ability to process personal data relating to criminal convictions and offences obtained as a result of such checks. As such, employers must consider whether they can lawfully undertake a criminal record check in the first place.
Except where an individual is to be employed in a specific role listed in Schedule 1 to the Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975 (which includes doctors, solicitors and those working with under-18s or vulnerable adults), an individual cannot be required to disclose “spent convictions” (i.e. convictions that have lapsed, because the individual is treated as rehabilitated). When it comes to “unspent convictions” (i.e. convictions that have not yet lapsed), the position is more complex.
If an employer wants to know whether an individual has any unspent convictions, they cannot routinely undertake a Disclosure and Barring Service (DBS) check unless the individual is to be employed in one of the specific roles listed in the Schedule referred to above. For any other roles, an employer may only ask a job applicant or employee to:
- voluntarily disclose whether they have any unspent convictions (which clearly has its limitations); or
- agree to obtaining a “basic check” which shows any unspent convictions and conditional cautions (employees can obtain these directly from DBS or give employers consent to obtain it on their behalf through a “responsible organisation” that has been authorised by DBS).
If an individual refuses either of the above, an employer may draw inferences from this; however this may have implications from an employment law perspective, which is outside the scope of this article.
Can you process personal data relating to criminal convictions or offences?
Where an employer wishes to process personal data relating to criminal convictions or offences (which includes the alleged commission of an offence and any related proceedings and sentences), it must have a lawful ground for doing so under Article 6 of the GDPR. The most relevant grounds for employers are:
- where the job applicant or employee has consented to the processing;
- where the processing is necessary to comply with a legal obligation to which the employer is subject (this is more limited than it first appears – perhaps only permitting checks for roles that fall within the Schedule referred to above);
- where the processing is necessary for the employer’s legitimate interests, for example, to ensure the reliability of its staff and protect its reputation (this requires a careful, documented assessment in the form of a “Legitimate Interests Assessment”, to confirm that those interests are not overridden by the interests, fundamental rights and freedoms of the job applicant or employee, including their right to privacy).
Having identified a lawful ground for processing, an employer that does not have “official authority” can only process personal data relating to criminal convictions or offences if it is authorised to do so by EU or Member State law. This is where the Data Protection Act 2018, which also came into force on 25 May 2018, comes in.
The 2018 Act supplements the GDPR and provides that an organisation may process such personal data provided a further condition is met. The most relevant conditions in an employment context are where the:
- processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the employer or the individual in connection with employment; or
- individual has given their consent (though consent does not need to be given twice under Article 6 and this condition).
There is also a narrower condition for foundations, associations and other not-for-profit bodies with a political, philosophical, religious or trade union aim.
Many employers will jump to the conclusion that the first condition applies simply because of the employment context. However, as noted above, this condition turns on an obligation or right imposed or conferred by law, so it is only likely to apply where there is a legal requirement to vet employees, which is limited to certain roles. This leaves an employer relying on the job applicant’s or employee’s consent, whether to a voluntary disclosure of unspent convictions or to obtaining a basic check.
Of course consent has its own challenges in an employment context. Given the imbalance of the relationship between an employer and a job applicant or employee, consent will generally be invalid unless it is freely given. If an individual is informed that any failure to give consent may have unfavourable consequences for them (e.g. not getting a job or not being able to work on a specific client project), this will make it difficult for an employer to rely on consent.
The position for employers that do not have “official authority” or any legal obligation to obtain criminal record checks is therefore somewhat unclear. However the Employment Practices Code published by the Information Commissioner’s Office (ICO) advises that criminal record checks should only be obtained for job applicants that an employer intends to appoint rather than all short-listed applicants.
What is an “appropriate policy document” and why do we need one?
If an employer concludes that requesting a criminal record check is justified, that it has a lawful ground for processing under Article 6 and that it satisfies one of the conditions in the 2018 Act, then, where the condition relied on requires it (as the employment condition does), the employer must:
- have an “appropriate policy document” in place which explains its procedures for complying with the key principles set out in Article 5 of the GDPR and its retention and erasure policy; and
- retain and review such document and make it available to the ICO on request for as long as the processing of such personal data is ongoing and for a period of six months after such processing has ended.
It is unclear whether the 2018 Act requires the policy document to be entirely separate from an employer’s fair processing notice for processing other categories of personal data; though there is an argument that it should be a separate document that is brought to an individual’s attention at the appropriate time.
How long should a criminal records check be retained for?
Neither the GDPR nor the 2018 Act prescribes how long personal data relating to criminal convictions or offences should be retained for. However, the ICO Employment Practices Code provides that such personal data should be deleted as soon as the check has been verified unless, in exceptional circumstances, the information is clearly relevant to the ongoing employment relationship (for example, where the role is listed in the Schedule referred to above).
How can we help?
If you require any support with your data protection compliance initiatives or have any specific questions arising from this article, please contact someone from our Data Protection team.