This guidance is designed to support employers to ensure that their policy on collecting criminal records data is compliant with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA18). Unlock regularly engages with the Information Commissioner’s Office (ICO) and they have contributed to the data protection content of this document.

This guidance makes it clear that collecting criminal records data at application stage is unlikely to be compliant with the GDPR and the DPA18, but employers should also think about why they are asking at any stage. To ensure compliance, employers must demonstrate that processing criminal records data is necessary at whatever stage they decide to collect it. If processing is not necessary, it is not compliant.

Whatever your approach, if you are using criminal records as part of your recruitment practice, you should have a policy in place on collecting applicants’ personal data, and this should include a specific section on the processing of criminal records data.

Unlock recommends that employers follow a three-stage process for setting out their approach to processing criminal records data. To ensure compliance with the GDPR and the DPA18, you should:

  1. Define the purpose of collecting criminal records data
  2. Identify a lawful basis and condition for processing
  3. Set out your privacy policy and data subject rights

Key points in this guidance are that:

  1. Collecting criminal records at application stage is unlikely to be necessary and therefore in breach of the GDPR and the DPA18
  2. Collecting criminal records at any stage must be justified by a link between purpose and processing
  3. You must identify a lawful basis for processing AND meet a condition of processing
  4. Applicants have data subject rights that must be upheld
  5. Explaining how you will uphold applicants’ rights is essential to GDPR compliance