In Short
- Employers must comply with UK GDPR and the Data Protection Act 2018 when processing criminal offence data, including criminal records checks on potential employees.
- Key legal requirements include having a lawful basis for processing the data, meeting Schedule 1 conditions, ensuring data security, and maintaining appropriate policy documentation.
- Non-compliance can result in significant legal and financial penalties, so seeking legal advice is essential to navigate the complex data protection requirements.
Tips for Employers
When processing criminal offence data, ensure you have a lawful basis under UK GDPR and meet a Schedule 1 condition of the DPA 2018. Keep clear records of your data processing activities and provide employees with transparent privacy notices. Implement robust security measures to protect sensitive data and consider consulting a data protection solicitor to ensure compliance.
Pre-employment background checks can be critical practical tools for employers looking for new hires as part of the recruitment process. As well as employment history, an employer may want to understand additional information about potential employees for certain roles. As a potential employer, your business may need to carry out criminal records checks on job applicants. While you may feel this is a genuine business need for particular roles, it is crucial to understand that strict data protection laws apply when processing personal data relating to criminal offences.
Your business must be well-versed in its obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018) to ensure compliance and avoid legal risks. Criminal offence data (including criminal history) is deemed highly sensitive and is subject to strict legal safeguards under data protection law. Failure to comply may result in financial penalties, legal claims, or reputational harm. This article explains why data protection law applies to employers, why it matters, and the key issues UK employers should consider under data protection law when they seek to carry out criminal records checks involving criminal offence data.
Why is Your Employer Business Subject to Data Protection Rules?
The UK has a stringent data protection law regime to protect individuals’ personal information. The UK GDPR regulates how businesses process personal data, including employee information. It establishes core data protection principles, requiring your company to process data following strict legal rules. The Data Protection Act 2018 supplements the UK GDPR and introduces additional rules for processing certain data types, such as criminal offence data.
Data controllers determine the reasons and methods for processing personal data and must fulfil various obligations under data protection law. Data protection law rules will apply to an employer when acting as a data controller and processing personal data about employees, applicants, and workers. Most employment-related activities involve handling personal data (such as recruitment, payroll, or performance management), so your business must ensure its data processing complies with the UK GDPR and DPA 2018.
Which Legal Requirements Should Your Employer Business Consider When Processing Criminal Offence Data?
Criminal offence data is treated as particularly high-risk under data protection law. This means your business must meet additional legal requirements before processing it.
The UK GDPR and the DPA 2018 restrict your business's use of particularly sensitive data, such as criminal records, police cautions, and allegations. It is vital to follow the applicable rules when carrying out criminal record checks.
Complex rules govern the use of criminal offence data. Private employers do not have ‘official authority’ to process criminal offence data under UK GDPR. This means employers must meet a Schedule 1 condition under the DPA 2018 to process this data lawfully. Simply put, your business can only process such data if it meets a lawful basis under Article 6 of UK GDPR and complies with one of the conditions in Schedule 1 of the DPA 2018.
Key Legal Requirements
Some key legal requirements for processing criminal offence data include the following:
- Lawful basis and Schedule 1 condition: Your business must identify a lawful basis under Article 6 of UK GDPR before processing criminal offence data. This alone, however, does not satisfy compliance. Your company must also meet a Schedule 1 condition under the DPA 2018, such as processing for employment, social security, or crime prevention purposes. In practice, this may be challenging. Your business must document both requirements to demonstrate compliance;
- Restrictions on keeping criminal records: Your business cannot maintain a register of criminal convictions unless it obtains official authority to do so. While individual background checks may be justified, the law prohibits your business from creating or storing a comprehensive database of employees’ criminal records;
- Appropriate policy document: Many Schedule 1 conditions require your business to prepare an appropriate policy document that explains how it collects, stores, and protects criminal offence data. This document must specify why the data is processed, how long it is kept, and the security measures to protect it;
- Data Protection Impact Assessment (DPIA): Processing criminal offence data can be inherently high-risk, meaning you may require a DPIA to process this data;
- Maintaining processing records: Under UK GDPR, your business must keep detailed records of its data processing activities. Your company must document the lawful basis, the Schedule 1 condition relied upon, and security measures applied to protect the data;
- Informing individuals: Your business must provide clear and accessible privacy notices explaining how and why you process criminal offence data, and individuals' rights under data protection laws; and
- Implementing security measures: Your business must keep criminal offence data secure.
How Can Legal Advice Support Legal Compliance?
Seeking legal advice from a data protection solicitor can help your business meet its obligations under the UK GDPR and the DPA 2018 and reduce risk. This is vital for avoiding penalties and building trust and a culture of respect for privacy rights to reassure your staff.
Working with a data protection lawyer can help your business understand its legal obligations, draft and implement compliance policies and procedures and build strong data protection best practices within your company. Employers can face significant risks around the potential misuse of employee and HR data, so working with a data protection lawyer is a sensible step to help you get this right.
Key Takeaways
Your business must comply with UK GDPR and DPA 2018 when processing criminal offence data, for example, by ensuring it meets a lawful basis and a Schedule 1 condition. Seeking legal advice can help your business ensure you understand the legal rules that apply to your data processing activities and avoid risk.
If you need help complying with UK GDPR, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
As an employer, your business must comply with the UK General Data Protection Regulation when processing personal data about individuals, such as employees, job applicants, and workers.
Criminal offence data is regulated under UK GDPR and DPA 2018, meaning it is subject to strict controls. For example, your business must identify a lawful basis under Article 6 of the UK GDPR and meet one of the conditions in Schedule 1 of the DPA 2018.