Practical guidance – Developing a policy for applicants with a criminal record

Aim of this guidance

This guidance is designed to help employers develop a policy that complies with the law and offers a fair chance to applicants with criminal records. It’s part of our practical guidance on developing an approach to applicants with criminal records.

Although we provide suggestions for how you might go about each area, this guidance doesn’t include a template policy. As data controllers, employers are accountable for making sure processing is legally compliant. The need to process criminal records data will vary between employers, and will depend on the nature of your business, your values and culture. For that reason we think a policy should come from inside, rather than outside, the business.

Instead, we provide guidance on legal obligations, principles of fair recruitment and a checklist of things to take into account.

Why develop a policy?

The GDPR requires any employer who wishes to ask about criminal records to identify a lawful basis under Article 6 and a condition of processing under Article 10 of the GDPR, and this should be documented.

The DBS Code of practice requires employers who carry out DBS checks to have a policy on applicants with a criminal record.

Having a clear, accessible policy is a principle of fair chance recruitment. Many people with criminal records don’t apply because of the shame and embarrassment they feel, even where their criminal record wouldn’t make them a risk. Others don’t apply for roles because they believe they will be unfairly discriminated against. Employers want to recruit the best person for the job and if your policy puts off talented applicants, you’ll be missing out.

A policy on processing criminal records should:

  1. Clearly set out your approach, so applicants and staff know what to expect
  2. Explain why it is necessary to collect criminal records
  3. Explain what needs to be disclosed and when
  4. Instil confidence in applicants that they’ll be treated fairly

Equality and diversity is all about treating people fairly. So it’s right to think of your approach towards applicants with a criminal record as part of your broader equal opportunities policy.

Some organisations include their approach to criminal records in their equality and diversity policy, but it can also exist as a standalone policy. Either way, a general statement in your equality and diversity policy can be useful. For example, you could say:

“We are committed to the fair treatment of our staff, potential staff and users of our services, regardless of race, gender, religion, sexual orientation, responsibilities for dependants, age, physical/mental disability or offending background.”

Although having a criminal record is not a protected characteristic under the Equality Act 2010, discriminating against this group can result in indirect discrimination – for example, some ethnic groups are more likely to be criminalised. Increasingly, employers are realising that diversity and inclusion is about more than ticking a box – it’s about making sure that your business benefits from the best talent, regardless of their background.

Organisations that work with children or vulnerable adults will have safeguarding policies and processes to ensure vulnerable people are protected from harm. This will normally include a focus on recruitment, induction and supervision, including what checks you carry out on new people who work or volunteer. For some roles in these organisations, asking about criminal records will be a legal obligation.

We recommend that organisations see their policy on applicants with a criminal record as one strand of their safeguarding approach. Unless a person is barred from working in regulated activity, there is no legal reason why you can’t employ them. Most criminal records will not make someone unsuitable for work with children or vulnerable adults. People in recovery, or those who have moved away from gangs, will often have a criminal record, but does that make them automatically unsuitable for work with others experiencing what they once were? Those who have turned their life around after a difficult past can often bring valuable skills and experience which should not be overlooked.

A blanket ban on people with a criminal record is not an effective approach to safer recruitment. Focusing too heavily on formal vetting procedures can create a false sense of security. Safeguarding depends on training, oversight and responding to concerns. Read more about why formal vetting is not a solution.

Skills for Care have produced a guide to recruiting people with convictions for social care roles.

The GDPR means individuals have rights over their data, including the right to be informed. Applicants should be made aware of what data you plan to collect, what you will use it for and how – and for how long – it will be stored. If you ask about criminal records, you should make sure that applicants are able to access this information from the outset.

Making your policy public shows the world that you are a transparent and fair-minded company. You may choose to keep more detailed guidance for internal use only. You might want to consider how to communicate your policy to existing staff. For example, you could include a section in your staff handbook that explains that you employ people with criminal records, the benefits this can bring to the organisation, and what staff should do if they have any questions or concerns.


What makes a good policy

This section covers the areas that a policy should include, and suggests some text that might be appropriate.

For each area, we describe what we mean (‘What?’) and provide details of how you might do this (‘How?’) with some examples that you might use and adapt (although these will only work if they accurately reflect your approach).


A good policy is…

…clear and accessible

A policy needs to be easy to understand. Try not to use complex legal language. Applicants also need to know it exists.
Don’t simply copy legislation – interpret the legislation and apply it to your process. Link to the policy from all your vacancies. Make sure it’s available to all applicants at the start of the recruitment process without them having to specifically request it; if you make it available ‘on request’, applicants may be concerned about flagging up that they have a criminal record (which they may not need to actually reveal to you).

…welcoming and positive

A policy should start from a positive basis. Negative phrases such as “having a criminal record will not necessarily bar you from working with us” (which we often see) send the wrong message, as they suggest that you’re starting from the presumption that it probably will.
For example, you could say:

“[Organisation] actively promotes equality of opportunity for all and welcomes applications from a wide range of candidates. [Organisation] recognises the contribution that people with criminal records can make as employees and volunteers and welcomes applications from those with a criminal record. We select all candidates for interview based on their skills, qualifications and experience.”

…realistic about risk

The vast majority of applicants with a criminal record will have one-off offences from many years ago. Some might have more recent offences that are not relevant to the role. It’s important to recognise this in your policy, instead of solely focusing on more serious examples that are likely to be rare.

For example, you could say:

“Suitable applicants will not be rejected because of offences that are not relevant to the role applied for. We judge each case on its own merits and do not discriminate against any applicant on the basis of criminal record information disclosed to us.”

…tailored to your business

Your policy should be tailored to your organisation and reflect its values and processes. It needs to work for your business; avoid copying templates.
Think about the types of roles that you have. How does disclosure legislation apply to these roles? Which roles will involve which levels of criminal record check?

…compliant with the law

Your policy needs to demonstrate compliance with the law on criminal records, rehabilitation and disclosure. Too often we see phrases such as “we carry out enhanced DBS checks on roles in the organisation”, which is a problem as only certain roles are eligible for enhanced DBS checks.

There are a couple of phrases that will make sure you don’t misinterpret disclosure legislation:

“We only ask applicants to provide details of convictions and cautions that we are legally entitled to know about”

“For roles covered by the Rehabilitation of Offenders Act, we ask applicants to disclose unspent convictions only. Spent convictions do not need to be disclosed.”

“For roles that are exempt from the Rehabilitation of Offenders Act, we ask applicants to disclose any convictions and cautions that would not currently be filtered by the DBS.”

…explains what, when and why you ask about criminal records

Your policy should explain what you ask about criminal records, and when you ask. This means applicants know when they should (and shouldn’t) disclose, reducing the risk that people disclose before or after you want them to. The DBS sample policy suggests asking “at interview, or in a separate discussion”. Adopting this wording exactly will still leave it unclear when you ask, or why. Organisations should have a specific process in place, and this should be noted in your policy.

The GDPR means you must explain the purpose and lawful basis for asking – in essence, why you’re asking. Our guidance for employers can help you identify a purpose and lawful basis.

For example, if you ask those you offer a position to, you could say:

“The successful candidate/s will be asked about relevant criminal records as part of pre-recruitment checks. If a relevant criminal record is disclosed we will ensure an open and fair discussion takes place before making a final offer. Failure to disclose information that is then later revealed on the relevant criminal record check could lead to withdrawal of an offer of employment. After receiving a criminal record certificate, we will discuss any matters revealed that have not been previously addressed, before reconsidering the conditional offer of employment.”

If you’ve signed up to the ‘Ban the Box’ campaign, you could say:

“We support ‘Ban the Box’. To ensure that we shortlist purely on merit, we don’t ask for criminal record details at application stage. What applicants are required to disclose will depend on the role that they are applying for. We will make it clear in the job description what type of role it is, and therefore what will need to be disclosed.”

…explains what checks you’ll do

If you carry out criminal record checks on successful applicants, you should make it clear what level of check you’ll be undertaking. Simply saying “a criminal record check will be undertaken on all roles” is not enough. Bear in mind that referring to “carrying out DBS checks” is not clear enough, as the DBS provide different levels of check.
For example, you could say:

“For those positions where a criminal record check is identified as necessary, all application forms, job adverts and recruitment briefs will make clear what level of check will be submitted on the individual being offered the position”

…explains the decision-making process

Your policy should explain how you make decisions based on criminal records disclosed by applicants or revealed on criminal record checks.

Our guidance on assessing criminal records should help. We have a criminal record assessment template. If you use something similar in your processes, you could say something like:

“For any information disclosed, cases will be looked at on an individual basis, taking into account details such as:

  • Whether it’s information we are legally allowed to consider
  • Whether the offence is relevant to the position applied for
  • The age at the time of the offence(s)
  • The length of time since
  • The circumstances surrounding the offence(s), and what has changed since

Any information disclosed will be treated in the strictest confidence. We will consider any information disclosed before confirming an offer of employment. If necessary, we may arrange a face-to-face discussion with the applicant to obtain further details. Failure to disclose relevant information when requested could result in disciplinary proceedings or dismissal.”

…gives confidence

Many people with criminal records feel ashamed, embarrassed and worried about what will happen to the details they’re providing to you. Some will back out of the process as a result.

You can explain how you understand some of the concerns applicants may have and what steps you take in response. For example, you could say that:

“We take a positive approach to applicants with past criminal records”

“We ensure that all those involved in the recruitment process have received appropriate guidance and training in the legislation and practice of recruiting people with criminal records.”

“We ensure that all those who are involved in making suitability decisions based on an applicant’s criminal record have been trained to do so.”

…uses the right language

The words that you use in your policy will give a strong impression of how you approach your process.
Avoid meaningless phrases like “you need to have a satisfactory DBS”. Stay away from stigmatising phrases like “ex-offenders” – use “applicants with a criminal record” as this is factually accurate.

…provides an overview of the process and is consistent

Although your policy should aim to be short, it may end up being a couple of pages long. If this is the case, a short summary of the end-to-end process, from an applicant’s perspective, will help to ensure your policy is clear and easy to understand. Depending on how you build your policy, you need to make sure that, overall, it’s consistent and doesn’t give mixed messages.
A simple ‘disclosure process’, broken down as bullet-points or in a flow-chart, will help applicants understand the process.

…directs people to support

Applicants may have questions about your policy. They may be thinking of applying but have a question about your policy before they do. They may have general questions about their criminal record where they need to be pointed to sources of support externally.

Provide a specific point of contact internally who can answer general questions about your policy. Provide details of external sources of support (such as Unlock’s information site) that can help give advice to people with a criminal record.

For example, you could say:

For positions covered by the Rehabilitation of Offenders Act 1974, we will ask applicants to disclose any unspent convictions. For guidance in answering this question, visit the Unlock information site which has useful information on this legislation.

For positions exempt from the Rehabilitation of Offenders Act 1974, we will ask applicants to disclose any convictions, cautions, reprimands or final warnings that would not be currently filtered by the Disclosure and Barring Service. For guidance in answering this question, visit the Unlock information site which has useful information on filtering.

…is reviewed and kept up to date

Your policy needs to be accurate, which means regularly reviewing it to keep it up to date. Criminal records and disclosure legislation and practice are constantly changing. Despite the CRB becoming the DBS in 2012, we still see policies refer to companies “doing CRB checks”.
You should aim to review your policy on an annual basis, and publish any updates on your website.


…complies with the DBS code of practice

If you do DBS checks as part of your recruitment process, you should comply with the DBS code of practice.

The code of practice (published under section 122 of the Police Act 1997) advises that registered bodies must:

  • “Have a written policy on the suitability of ex-offenders for employment in relevant positions” (the DBS has produced a sample policy statement which can be used or adapted for this purpose, although the problem with sample policies is partly why we have this guidance)
  • “Notify all potential applicants of the potential effect of a criminal record history on the recruitment and selection process and any recruitment decision”
  • “Discuss the content of the Disclosure with the applicant before withdrawing any offer of employment”

…complies with the GDPR/DPA 18

Examples of good practice

Do you know of a good policy? Let us know and we’ll look at featuring it here. 

Examples of bad practice

To illustrate why this guidance is important, we’ve included some examples where practice could (and should) be improved.

  • We regularly see reference to “the CRB” – this refers to the Criminal Records Bureau, which hasn’t existed since 2012. This alone indicates that a company hasn’t properly (or effectively) reviewed its policy in a while
  • Many organisations simply take the DBS sample policy (which includes reference to “ex-offenders”) without tailoring it to their organisation. Read our blog on why this is bad for your business.

Frequently asked questions

This section will be added to over time, responding to the common questions we receive about this guidance.

Help with updating your policy

This guidance should help you to work on your policy. We welcome organisations coming forward who are actively working on their policy to update it to reflect this guidance. We are happy to confidentially review draft policies that are in the process of being updated. Get in touch by emailing

Useful resources

The DBS sample policy is worth looking at, but use this as guidance instead of simply adopting that policy.

More information

  1. There is more information about developing your approach to criminal records, which forms part of the practical guidance section of Recruit!
  2. For further advice about this guidance, please contact us.

Has this been useful?

Let us know if this guidance has been useful. Have you used it in your organisation? Has it helped you to change your policy or practice? Please let us know so that we can show the impact of this guidance and continue to help others.

You can let us know by:

  1. Writing a comment on this page (see below)
  2. Sending your feedback directly to us
  3. Emailing us at

This guidance was last updated in April 2021.

Is there anything wrong with this guidance? Let us know – email
