This guidance is designed to support employers to ensure that their policy on collecting criminal records data is compliant with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA18).
Unlock regularly engages with the Information Commissioner’s Office (ICO) and they have contributed to the data protection content of this document. We are grateful for the advice and support that we have received from the ICO in producing this guidance. The document also contains hyperlinks to relevant ICO guidance.
Too often, employers overlook skills, experience and qualifications if an applicant declares they have a criminal record. We encourage you to think about whether you need to collect criminal records data. This guidance makes it clear that collecting at application stage is unlikely to be compliant with the GDPR and the DPA18, but employers should also think about why they are asking at any stage. To ensure compliance, employers must demonstrate that processing criminal records data is necessary at whatever stage they decide to collect it. If processing is not necessary, it is not compliant.
Your organisation may have a policy on recruiting people with convictions – whether that be an inclusive policy or a blanket ban. Whatever your approach, if you are using criminal records as part of your recruitment practice, you should have a policy in place on collecting applicants’ personal data, and this should include a specific section on the processing of criminal records data. Your policy should clearly identify the purpose of collecting criminal records data, the lawful basis for collecting it, and explain how long you will retain this data, who it will be shared with and the applicants’ legal rights in relation to their information.
Unlock recommends employers follow a three stage process to setting out their approach to processing criminal records data. To ensure compliance with the GDPR and the DPA18 you should:
- Define the purpose of collecting criminal records data
- Identify a lawful basis and condition for processing
- Set out your privacy policy and data subject rights
Key points in this guidance are that:
- Collecting criminal records at application stage is unlikely to be necessary and therefore in breach of the GDPR and the DPA18
- Collecting criminal records at any stage must be justified by a link between purpose and processing.
- You must identify a lawful basis for processing AND meet a condition of processing
- Applicants have data subject rights that must be upheld
- Explaining how you will uphold applicants’ rights is essential to GDPR compliance
We hope this guidance helps employers to review their approach towards criminal records and ensure that if information is collected, it is used fairly and only where necessary.
You can also read the press release linked to the publication of this guidance on Unlock’s main site.
