In Short
- Processing criminal offence data requires a lawful basis and meeting a Schedule 1 condition under the DPA 2018.
- Compliance includes security measures, transparency with individuals, and documentation of processing activities.
- Conducting a Data Protection Impact Assessment (DPIA) may be necessary due to the sensitivity of this data.
Tips for Businesses
Ensure compliance with UK GDPR by establishing a lawful basis and meeting specific conditions to handle criminal offence data. Prepare an appropriate policy document, maintain processing records, and inform individuals clearly about data use. Seek legal guidance if needed.
If you are a business hiring staff, you may need to use criminal offence data for various reasons, such as to carry out important criminal records checks on potential applicants. However, processing criminal offence data is subject to strict legal requirements under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). Criminal offence data relates to personal information about criminal convictions, allegations, or related security measures. Due to the sensitive nature of this data, businesses must comply with specific data protection legal rules to avoid breaches and potential penalties. This article will explore key issues and rules from a data protection law perspective when processing criminal offence data in your business.
What is Criminal Offence Data?
Criminal offence data includes information about an individual’s criminal history, such as convictions, police cautions, or probation conditions. It also covers information about allegations, investigations, and even records showing the absence of criminal convictions, such as a clear Disclosure and Barring Service check.
Due to its sensitivity, processing this data requires extra protection under the law. Businesses can only handle this data if they have legal authority or meet specific legal requirements in the UK GDPR and DPA 2018.
Can My Business Process Criminal Offence Data?
Your business may process criminal offence data under data protection law, but only if certain legal conditions are met. You should consider the following essential requirements:
You Must Have a Lawful Basis and Meet a Schedule 1 Condition
Under Article 6 of the UK GDPR, you need a lawful reason for processing criminal offence data. For example, an employer may have a legitimate interest in processing data related to an applicant’s criminal record to assess their suitability for employment.
Additionally, you must meet a condition listed in Schedule 1 of the DPA 2018 to justify processing this data.
This documentation is critical to demonstrating that the processing is legal and protecting your business from potential penalties.
You Cannot Maintain a Comprehensive Register of Convictions Without Official Authority
Businesses are not permitted to keep records of criminal convictions unless they have official authority to do so, such as public bodies tasked with specific legal duties.
What Compliance Steps Should Your Business Take When Processing Criminal Offence Data?
Your business may need to take various actions to ensure compliance with legal rules to process criminal offence data, such as:
The Need to Prepare an Appropriate Policy Document
Many of the conditions under Schedule 1 require businesses to have an appropriate policy document that sets out how the data will be handled, secured, and retained.
The Requirement to Carry Out a Data Protection Impact Assessment
If handling criminal offence data involves significant risks to individuals’ privacy or rights, you must carry out a Data Protection Impact Assessment (DPIA). Processing this type of sensitive data could be high-risk, so a DPIA helps evaluate and manage those risks.
The Need for Maintaining Processing Records
Under Article 30 of the UK GDPR, businesses must maintain records of their data processing activities. This includes the lawful basis, the specific Schedule 1 condition, and the data security method.
Informing Individuals Correctly
Businesses must provide clear privacy notices explaining how criminal offence data will be processed, including the purposes for which it is collected, how it will be used, and the rights of the individuals involved.
As part of your transparency obligations, you should ensure that individuals are explicitly informed about your handling of their criminal offence data.
Implementing Security Measures
You must securely protect criminal offence data. Implementing robust security measures (such as encryption and controlled access) is essential to prevent unauthorised access or misuse of such sensitive data.
Appointing a Data Protection Officer
If your organisation processes large amounts of criminal offence data or performs high-risk processing, you may need to appoint a Data Protection Officer to oversee your data protection practices and ensure ongoing compliance.
If you need support understanding the rules you must follow concerning the criminal offence data you seek to process, you should seek legal advice.
Key Takeaways
Although your business may need to process criminal offence data, it is vital to comply with mandatory data protection rules. In addition to having a lawful basis, you must identify and meet one of the conditions set out in Schedule 1 of the DPA 2018. Your business must also comply with rules requiring specific documentation, security measures, and transparency obligations.
If you need advice on UK GDPR compliance, our experienced data privacy lawyers can assist as part of our LegalVision membership. For a low monthly fee, you gain unlimited access to lawyers who can answer your questions and draft or review your documents. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
The Data Protection Act 2018 is the UK’s national legislation that supplements the UK GDPR, which sets out specific rules for handling personal data, including sensitive categories like criminal offence data. It provides additional conditions and protections for processing this data, ensuring that businesses comply with UK data protection principles.
Your business can only process criminal offence data if it satisfies specific legal requirements, for instance where you have a lawful basis under Article 6 of the UK GDPR and meet one of the conditions set out in Schedule 1 of the DPA 2018. To ensure lawful and responsible data handling, you must comply with documentation, transparency, and security obligations.