Criminal convictions checks under the GDPR

Written on 10 Sep 2018

Following the implementation of the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (DPA), UK businesses need to revisit their policies for carrying out criminal record checks (including on employees and prospective employees).

Pre-GDPR, it became common practice for many UK businesses to carry out criminal convictions checks on their prospective employees as a matter of course, and to require their suppliers to do the same. UK businesses now need to carefully consider whether they can justify processing criminal convictions data under the GDPR where there is no actual legal requirement to carry out a criminal record check.

Processing of criminal convictions personal data under the GDPR and DPA

Article 10 of the GDPR states that any employer who is processing criminal convictions personal data can only do so where a lawful basis exists to justify that processing and national law permits that processing (and puts in place appropriate safeguards).

Lawful basis

As with the processing of any types of personal data, there still needs to be a lawful basis for processing criminal convictions data. Consequently, where there is no strict legal obligation for a business to carry out criminal convictions screening, there still needs to be careful consideration as to whether they can rely on another lawful basis.

For example, where an employer is seeking to rely on legitimate interests, it must conduct further analysis to assess (among other issues) if its interests are enough to outweigh the intrusion on an employee’s privacy.

The DPA conditions

The DPA (under section 10(5)) has introduced further conditions that businesses must meet (in addition to the requirements of the GDPR) and again, businesses must assess and be able to justify whether a specific condition applies.

There is no condition which permits any employers to carry out blanket criminal conviction checks as part of its recruitment process and so the conditions will need to be reviewed on a case-by-case basis depending on the purpose of the processing.

For instance, businesses may process criminal convictions data (in accordance with the GDPR) where there is a ‘regulatory requirement’ and this includes ‘requirements forming part of general accepted principles of good practice’ in relation to the relevant area, as well as those set out in law. This is likely to be a relevant condition for a business which is authorised by the Financial Conduct Authority.

The issue of employee consent

Where alternative conditions do not exist there remains scope for businesses to rely on consent, both under the GDPR and the DPA, to carry out criminal record screening. However, there may well be difficulties in obtaining consent in such scenarios.

For example, there will always remain a risk that obtaining consent from an employee (or prospective employee) raises issues given that the imbalance of power in the employer / employee relationship arguably negates real consent for fear of reprisals (we explore those issues in our earlier article here).

Further, businesses also need to be wary that any consent mechanism, and any consent obtained, meets the enhanced requirements of the GDPR – for example, for consent to be freely given an individual should be entitled to refuse consent without being prejudiced as a result.

However, absent any other available conditions, in practice consent is likely to be the only viable means of justifying the processing of criminal convictions data for a number of businesses (including in an employment context).

What should businesses do next?

Any UK business which routinely conducts criminal convictions screening will need to reconsider some of their basic screening and recruitment practices or risk being in breach of the GDPR and/or the DPA. With guidance from the Information Commissioner’s Office on this area still outstanding, analysis carried out should be kept under review and updated where appropriate.

Aside from recruitment practices, businesses should also be assessing the impact of these issues on other aspects of their business. For example, service providers who are under obligations from clients to undertake criminal screening of their own employees as a condition of being appointed to an account will need to carefully consider whether those activities remain lawful under the new regime.

Whatever the outcome of any further analysis, the format, positioning, provision and content of privacy notices relating to the use of criminal convictions data takes on new significance for all businesses (particularly where consent is required). Therefore, businesses will need to make sure their own employee privacy policies set out their adopted approach to criminal convictions data in a concise, transparent, intelligible and easily accessible form.

How we can help?

We are regularly advising clients on this issue at present, including helping clients navigate the relevant conditions in the DPA. If you would like to discuss this (or any issue relating to the GDPR and the DPA) further, please contact one of our specialists below, or your usual Osborne Clarke contact.