In Short
- Criminal offence data is highly sensitive and subject to strict rules under UK data protection law.
- Employers can only use this data where there is a clear legal basis, and it is genuinely necessary for the role.
- Misuse can lead to compliance breaches and unfair or discriminatory outcomes.
Tips for Businesses
Only request criminal record checks where they are clearly justified for the role. Document your legal grounds, assess whether less intrusive options could work, and limit access to trained staff. Provide clear information to individuals and review your approach regularly to ensure decisions remain proportionate and lawful.
Summary
This article explains the data protection rules that apply when organisations use criminal record information in recruitment and employment in the UK. Prepared by LegalVision, a commercial law firm specialising in advising clients on data protection and employment-related compliance matters, it outlines the legal requirements, discrimination risks, and practical steps to reduce risk.
If your organisation relies on criminal record checks as part of its recruitment, it is vital to understand that using this data raises important legal considerations and potential risks, particularly from a data protection law perspective.
Criminal offence data has strict requirements under UK data protection law, and misunderstanding the rules can result in both compliance failures and unfair outcomes for individuals.
This article explores:
- the rules that apply to criminal offence data;
- the discrimination risks that can arise; and
- the steps your organisation can take to ensure compliance and reduce risk when processing criminal records.
This article is a simplified guide to a complex topic and focuses solely on data protection issues. You should also consider any other legal or regulatory obligations that may apply and seek legal advice if you are unsure.
Criminal Offence Data Discrimination Risks and Considerations
This type of data can include information about an individual’s criminal history, such as:
- convictions;
- police cautions;
- probation conditions;
- allegations;
- investigations; or
- records showing the absence of criminal convictions, such as a clear Disclosure and Barring Service (DBS) check.
Information relating to criminal offences and convictions can be criminal offence data even if no conviction is revealed. As criminal offence information is highly sensitive, the law gives it extra protection.
Put simply, a business can only use this type of data if the processing is either carried out under the control of an official authority or is clearly authorised by data protection law rules. It must be truly necessary for a specific purpose, and the business must show that there is no less intrusive way to achieve the same outcome.
Handling Criminal Record Information Responsibly
Data protection law treats criminal record information as especially sensitive because its misuse can cause real harm to individuals. Therefore, it requires enhanced protection.
Using this information carelessly can:
- damage someone’s reputation;
- limit their job opportunities; and
- intrude on their privacy.
People with criminal records may already face stigma, and unnecessary or poorly thought-out use of this data can make that worse.
In the workplace, this can lead to unfair or indirectly discriminatory decisions, especially where employers rely on assumptions instead of facts or apply blanket policies without proper justification. Therefore, employers should ensure that the decision to obtain or use this type of data is based on clear, job-related criteria rather than general concerns or assumptions. They must comply with strict data protection rules when processing criminal offence information about individuals.
The UK GDPR takes a cautious approach to this type of data. Guidance from the regulator stresses the need for:
- clear reasons;
- proportionate decisions; and
- strict compliance with the law.
Before collecting criminal offence data, such as for background checks, your organisation must be able to show that:
- using the data is lawful;
- it is genuinely needed for the role; and
- processing is necessary and proportionate.
Legal Grounds and Challenges for Using Criminal Offence Data
Criminal offence data is treated as a particularly sensitive category of personal information and is subject to extra restrictions under data protection law.
Private employers may only process this type of information when they have both:
- a lawful basis (i.e. a valid legal reason for processing under data protection law); and
- either official authority to process the data or a specific legal condition that allows it under data protection law.
As long as you meet all legal requirements and relevant safeguards, conditions that could permit you to process criminal offence data may include:
- meeting your safeguarding duties;
- protecting the public; and
- preventing unlawful acts.
In practice, finding an appropriate condition can be challenging. As an employer, when processing criminal records for employment checks, you need to assess whether a criminal record check is legally justified for the relevant role. If the law requires a criminal record check, you may be allowed to carry one out for certain roles. This usually applies in regulated sectors or where DBS checks are legally required.
If the law does not require a criminal record check, you may still be able to rely on “legitimate interests”. However, this is only possible if all legal conditions are met and you carefully assess the risks in a legitimate interests assessment.
These issues, simplified here, are complex and high-risk. You should carefully consider whether processing criminal offence data is lawful and justified, and seek advice from a data protection solicitor if needed. Getting this wrong could lead to breaches of data protection law and discriminatory practices.
Practical Steps to Reduce Risks
The rules regarding criminal offence data are technical and complex. You should have a clear plan when using criminal offence data that complies with data protection laws and avoids unintended discrimination. The following steps can help demonstrate compliance:
- Identify and document why a criminal record check is needed for the role.
- Consider whether a less intrusive method (for example, reviewing references, if that suffices) could achieve the same purpose, and document your reasoning.
- Review and comply with regulatory guidance for best practice and mandatory rules.
- Confirm whether you have valid legal grounds authorising the processing of criminal offence data.
- If the data processing is high risk, complete a Data Protection Impact Assessment and implement an Appropriate Policy Document where required.
- Provide individuals with clear information about why processing criminal data is needed and how you intend to use it.
- Restrict access to any criminal offence data to trained and authorised staff and apply strong security measures to protect the information.
- Keep internal records explaining your legal grounds for processing.
- Train your teams so they understand the legal rules, the sensitivity of the data and the risk of discriminatory outcomes.
Taking Legal Advice
Compliance with data protection law rules is crucial to avoid legal breaches and discriminatory behaviour and outcomes which could prejudice individuals.
To reduce risk, employers should seek legal advice to understand whether a role justifies processing criminal offence data and whether they can use such information lawfully.
Key Takeaways
Criminal offence data is highly sensitive and subject to strict controls under data protection law rules. Processing this data is only allowed if strict legal rules are followed. A planned and documented approach to criminal records processing is essential to demonstrate compliance, reduce legal risk and avoid unfair or discriminatory outcomes.
Frequently Asked Questions
The UK GDPR is the key UK data protection law that sets the rules for how organisations can use personal information. Data protection law sets out strict rules to follow when processing criminal records data.
The law only allows organisations to use criminal offence data in certain circumstances. The rules are complex, and you should seek legal advice if you are unsure about your position.