Is My Business Allowed to Handle Criminal Offence Data?

In Short

  • Processing criminal offence data requires a lawful basis and meeting a Schedule 1 condition under the DPA 2018.
  • Compliance includes security measures, transparency with individuals, and documentation of processing activities.
  • Conducting a Data Protection Impact Assessment (DPIA) may be necessary due to the sensitivity of this data.

Tips for Businesses

Ensure compliance with UK GDPR by establishing a lawful basis and meeting specific conditions to handle criminal offence data. Prepare an appropriate policy document, maintain processing records, and inform individuals clearly about data use. Seek legal guidance if needed.

If you are a business hiring staff, you may need to use criminal offence data for various reasons, such as to carry out important criminal records checks on potential applicants. However, processing criminal offence data is subject to strict legal requirements under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). Criminal offence data relates to personal information about criminal convictions, allegations, or related security measures. Due to the sensitive nature of this data, businesses must comply with specific data protection legal rules to avoid breaches and potential penalties. This article will explore key issues and rules from a data protection law perspective when processing criminal offence data in your business.

What is Criminal Offence Data?

Criminal offence data includes information about an individual’s criminal history, such as convictions, police cautions, or probation conditions. It also covers information about allegations, investigations, and even records showing the absence of criminal convictions, such as a clear Disclosure and Barring Service check. 

Due to its sensitivity, processing this data requires extra protection under the law. Businesses can only handle this data if they have legal authority or meet specific legal requirements in the UK GDPR and DPA 2018.

Can My Business Process Criminal Offence Data?

Your business may process criminal offence data from a data protection law standpoint, but only if certain legal conditions are met. For private businesses, you should consider the following essential requirements:

You Must Have a Lawful Basis and Meet a Schedule 1 Condition

Under Article 6 of the UK GDPR, you need a lawful reason for processing criminal offence data. For example, an employer may have a legitimate interest in processing data related to an applicant’s criminal record to assess their suitability for employment. 

Additionally, you must meet a condition listed in Schedule 1 of the DPA 2018 to justify processing this data.

Before processing criminal offence data, your business must identify and record the lawful basis and the appropriate Schedule 1 condition to ensure compliance with data protection law.

This documentation is critical to demonstrating that the processing is legal and protecting your business from potential penalties.

You Cannot Maintain a Comprehensive Register of Convictions Without Official Authority

Businesses are not permitted to keep records of criminal convictions unless they have official authority to do so, such as public bodies tasked with specific legal duties.

What Compliance Steps Should Your Business Take When Processing Criminal Offence Data?

Your business may need to take various actions to ensure compliance with legal rules to process criminal offence data, such as:

The Need to Prepare an Appropriate Policy Document

Many of the conditions under Schedule 1 require businesses to have an appropriate policy document that sets out how the data will be handled, secured, and retained. 

The Requirement to Carry Out a Data Protection Impact Assessment

If handling criminal offence data involves significant risks to individuals’ privacy or rights, you must carry out a Data Protection Impact Assessment (DPIA). Processing this type of sensitive data could be high-risk, so a DPIA helps evaluate and manage those risks.

The Need for Maintaining Processing Records

Under Article 30 of the UK GDPR, businesses must maintain records of their data processing activities. This includes the lawful basis, the specific Schedule 1 condition, and the data security method.

Informing Individuals Correctly 

Businesses must provide clear privacy notices explaining how criminal offence data will be processed, including the purposes for which it is collected, how it will be used, and the rights of the individuals involved.

As part of your transparency obligations, you should ensure that individuals are explicitly informed about your handling of their criminal offence data.

Implementing Security Measures

You must securely protect criminal offence data. Implementing robust security measures (such as encryption and controlled access) is essential to prevent unauthorised access or misuse of such sensitive data.

Appointing a Data Protection Officer 

If your organisation processes large amounts of criminal offence data or performs high-risk processing, you may need to appoint a Data Protection Officer to oversee your data protection practices and ensure ongoing compliance.

If you need support understanding the rules you must follow concerning the criminal offence data you seek to process, you should seek legal advice. 

Key Takeaways

Although your business may need to process criminal offence data, it is vital to comply with mandatory data protection law rules. In addition to having a lawful basis, you must identify and meet one of the conditions set out in Schedule 1 of the DPA 2018. Additionally, your business must comply with rules requiring specific documentation, security measures, and transparency obligations.

If you need advice on UK GDPR compliance, our experienced data privacy lawyers can assist as part of our LegalVision membership. For a low monthly fee, you gain unlimited access to lawyers who can answer your questions and draft or review your documents. Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions

What is the DPA 2018?

The Data Protection Act 2018 is the UK’s national legislation that supplements the UK GDPR and sets out specific rules for handling personal data, including sensitive categories like criminal offence data. It provides additional conditions and protections for processing this data, ensuring that businesses comply with UK data protection principles.

Can I process criminal offence data?

Your business can only process criminal offence data if it satisfies specific legal requirements. For instance, you must have a lawful basis under Article 6 of the UK GDPR and meet one of the conditions set out in Schedule 1 of the DPA 2018. To ensure lawful and responsible data handling, you must also comply with documentation, transparency, and security obligations.

Sej Lamba

Sej is an Expert Legal Contributor at LegalVision. She is an experienced legal content writer who enjoys writing legal guides, blogs, and know-how tools for businesses. She studied History at University College London and then developed a passion for law, which inspired her to become a qualified lawyer.

Qualifications: Legal Practice Course, Kaplan Law School; Graduate Diploma in Law, Kaplan Law School; BA, History, University College.
