Using a spent conviction to revoke an employment offer breaches data subject rights

RQT, an IT company based in Wales, required all potential employees to consent to a basic criminal record check being carried out by a DBS Responsible Organisation (RO).

As the job was in Wales, the RO should have requested a check from the Disclosure and Barring Service (DBS). Instead the RO wrongly requested a check from Disclosure Scotland, which revealed a previous conviction that was unspent under Scottish law but spent in England and Wales. The candidate had not disclosed this conviction, as was his right under the Rehabilitation of Offenders Act 1974. Because of this, he had agreed for the disclosure certificate to be sent directly to RQT.

Upon receipt of the certificate, RQT asked the candidate to attend a meeting, where a senior manager told him they would be revoking his job offer as he had failed to disclose a conviction. The candidate asked for a copy of the certificate, certain that a mistake had been made.

The candidate then contacted Unlock for advice.

After reviewing the certificate, we were able to confirm that the RO had wrongly applied to Disclosure Scotland rather than the DBS. We explained that as of 1st January 2018 Disclosure Scotland were responsible for carrying out basic checks for anybody applying for a job in Scotland, whilst the DBS undertook checks for individuals working in England and Wales. Disclosure Scotland produce certificates using Scottish law whilst the DBS use English law.

We suggested that the candidate apply to the DBS for his own basic certificate (which would come back blank). He should then appeal the decision to revoke the job offer as they should, by law, ignore a spent conviction.

The candidate took our advice and appealed the decision, providing them with a copy of his DBS certificate. After a long wait, RQT decided to uphold their decision to revoke the offer of employment.

We wrote several times to RQT explaining that, as the conviction was spent under the Rehabilitation of Offenders Act, it should be disregarded. We also considered that the use of this information was in breach of the Data Protection Act 2018 as the company had:

  1. Obtained information relating to a spent conviction; and
  2. Processed the information unlawfully by using it as a reason to disadvantage the candidate.

RQT’s response:

“We acknowledge and appreciate that the previous criminal convictions are spent in England and Wales, the checks nevertheless revealed the fact that Mr X has had criminal convictions and that is a material consideration in connection with a decision to employ him. Ultimately, he was considered unsuitable for the role as a result and the dismissal was made”.

We referred the case to the Information Commissioners Office (ICO) who, having considered our complaint ruled that:

“The organisation has acknowledged that the incorrect organisation was used to obtain this information. However, as it is still taking your client’s spent conviction into account and refusing to reinstate him in his job, we are of the view that they have infringed upon Principles (a) and (c) of the General Data Protection Regulations”.

Principle (a) of the GDPR requires that the processing of data must be fair and cannot be in breach of other laws. In this case, the employer has taken into account a spent conviction (obtained inappropriately) which is unlawful under the ROA. As a result, this makes the processing of this data unlawful under data protection law.

Principle (c) requires organisations to ensure that the personal data they are processing is adequate, relevant and limited to what is necessary. RQT were unable to demonstrate why it was proportionate to obtain information relating to a spent conviction nor why it continues to process this data.

The ICO wrote to the organisation providing advice and guidance. They also confirmed that Articles 79 and 82 of the GDPR, provide individuals with the right to take proceedings to court if they believe their information rights have been infringed.

“If a court is satisfied that the individuals rights have been infringed and an individual has suffered material or non-material damage (such as distress) as a result of an infringement, they may also be able to receive compensation from the controller or processor.”

The candidate is currently seeking legal advice regarding a claim for compensation.


There have been several failings in this case – from the Responsible Organisation wrongly requesting information from Disclosure Scotland to RQT using information unfairly when making an employment decision. As a result, RQT received advice and guidance from the ICO, and the candidate is seeking compensation for the breaching his data and privacy rights and not following the basic principles of data protection. These GDPR breaches could fall into the higher tier for sanctions, which could prove costly and time consuming for RQT.


Read more about the Rehabilitation of Offenders Act and when convictions become spent

Learn more about data protection law and processing criminal convictions during recruitment

Notes about this case study

Print Friendly, PDF & Email

Leave A Comment?