Practical guidance – Understanding criminal record disclosure legislation

Aim of this guidance

This guidance explains the key pieces of legislation that relate to criminal records, disclosure and employment. It’s linked to from various sections of this site. Here we provide a simple overview of each, with an explanation and links to further information on this site about how they relate to recruiting people with convictions and dealing with criminal records fairly.

It sits in the approach to criminal records section; understanding the legislation and applying it correctly is important when developing your approach towards criminal records.

Why this is important

  • It’s confusing – The legislation surrounding criminal records and disclosure is complex and confusing
  • It’s often changing – Major (and separate) changes to legislation have come into force in 2013, 2014, 2015 and 2020
  • This site regularly refers to this legislation – Many of the practical guidance pages of this site refer to the legislation on this page, so we’ve brought it all together so that we can provide simple, clear and consistent explanations for each.

Rehabilitation of Offenders Act 1974

The Rehabilitation of Offenders Act 1974 (ROA) supports the reintegration of people with convictions into society by giving them legal protection from having to disclose their record after a certain period of time of not re-offending. Most people with a criminal record will benefit from the Act at some point in their lives, except those that have received a prison sentence of over 4 years.

In short, the ROA is the law that:

  • Determines when criminal records become ‘spent’
  • Gives people with spent convictions and cations the legal right not to disclose them when applying for most jobs and for other purposes, like when buying insurance.

After a certain period of time (known as the rehabilitation period, and based on the sentence received) criminal records can be considered spent.

Once spent, the person is considered ‘rehabilitated’ and, where the law applies, they are treated as if they haven’t got a criminal record. The result is that they don’t need to disclose it when applying for most paid or voluntary jobs. It also applies to buying insurance, applying for housing and enrolling on education courses.

The effect of this is that it makes it illegal for employers to discriminate against an ex-offender on the grounds of a spent conviction, for roles where the law applies.

Most roles are covered by the ROA (although many roles are ‘exempt’ – see below). Where the ROA applies, it is illegal for an employer to discriminate against somebody with a spent criminal record, so employers should ignore spent criminal records. Where the criminal record is unspent, it is generally up to the discretion of the employer whether or not to employ the person.

In March 2014, changes were made to how the law applies to England & Wales through section 139 of the Legal Aid, Sentencing and Punishment of Offenders Act 2012. This saw a significant reduction in the length of time it takes for most convictions to become spent. These changes also increased the maximum sentence that could become spent. Previously, sentences over 30 months could not become spent – this has now increased to 4 years.

Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975

The Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975 (Amendment) (England and Wales) Order 2020 lists the positions, professions, offices and licences that are not covered by (known as ‘exempt’ from) the ROA.

If something is ‘exempt’ from the ROA, it means that the Rehabilitation of Offenders Act 1974 (see above) doesn’t apply. It also means that either standard or enhanced check can be carried out (which check can be carried out is specified in law).

The nature of this order means that there is no single comprehensive list of positions exempt from the ROA. Additions and amendments come into force through secondary legislation.

Common positions include:

  1. Nurses
  2. Social workers
  3. Primary and secondary school teachers

Some professions include:

  1. Actuaries
  2. Solicitors – on entry to the profession
  3. Barristers – on entry to the profession
  4. Veterinary surgeon
  5. FCA ‘approved person’
  6. Membership of the Master Locksmiths Association

Offices include:

  1. Crown Prosecution Service
  2. Gambling Commission
  3. HMRC
  4. Revenue and Customs Prosecutions Office

Licences include:

  1. Security Industry Authority licence
  2. Taxi driver

Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975 (Amendment) (England and Wales) Order 2013

It sets out the situations in which cautions and convictions become ‘protected’ from disclosure on standard and enhanced checks. To implement this, the DBS introduced a system of ‘filtering’ (whereby, broadly speaking, once a caution or conviction becomes ‘protected’, it would no longer be disclosed on (or, would be filtered from) a standard or enhanced certificate) – this came about via amendments to the Police Act (see below)

The order also made it unlawful for an employer to take into account a caution or conviction that is ‘protected’ (and that would not be disclosed on a standard or enhanced disclosure certificate).

Employers often refer to this order when they ask applicants to disclose their criminal record for a post that involves a standard or enhanced check.

The image below is taken from Unlock’s guidance on the filtering process.


Part V of the Police Act 1997

Part V of the Police Act 1997 is the central piece of legislation that enabled the creation of the DBS (or CRB, as it was then). It established the provision of criminal record certificates (and of different types). It also established the content of these certificates, and the broad legislative framework by which the system of obtaining them would operate.

It established the legal basis for employers to ask exempted questions, to obtain information about an applicant’s spent cautions and convictions. Amendments to the Act placed limits on which spent cautions and convictions could be obtained.

Section 122 of the Police Act established the role of a code of practice for overseeing the operation of criminal record certificates.

Section 123 of the Police Act established offences relating to the process. Of particular importance for this site are sections 123(2) and 123(3), which are:

(2) A person commits an offence if he knowingly makes a false statement for the purpose of obtaining, or enabling another person to obtain, a certificate under this Part.

(3) A person who is guilty of an offence under this section shall be liable on summary conviction to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale, or to both.

Effectively, this makes an employer potentially liable if it carries out a criminal record check at a level that is not legally allowed under the relevant legislation.

Police Act 1997 (Criminal Record Certificates: Relevant Matters) (Amendment) (England and Wales) Order 2020

The Police Act 1997 (Criminal Record Certificates: Relevant Matters) (Amendment) (England and Wales) Order 2020 is linked to the Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975 (Amendment) (England and Wales) Order 2020

The Police Act order amended the definition of ‘relevant matter’ in the Police Act 1997 – a ‘relevant matter’ is what is disclosed on a standard and enhanced criminal record disclosure certificate.

Effectively, the order sets out what information can be disclosed by the DBS – it restricts this definition to information that doesn’t qualify for filtering.

Police Act 1997 (Criminal Record) regulations

These regulations set out the positions that are eligible for enhanced checks. They also specifically includes positions that are able to check the appropriate barred list(s). These positions will also be included in the ROA Exceptions Order. Like that order, there is no single comprehensive list.

General Data Protection Regulation (GDPR) and Data Protection Act 2018 (replacing the Data Protection Act 1998)

The GDPR makes it a requirement that organisations identify both a lawful basis (Article 6) and a schedule condition (Article 10) before processing criminal records information. Failing to do so exposes an organisation to significant fines and the potential for a civil claim by an individual if information is unlawfully collected.

Section 184 of the Data Protection Act 2018, which came into force on 25 May 2018, replaced section 56 of the Data Protection Act 1998, which came into force on 10 March 2015. This makes it a criminal offence for an employer to require an applicant or existing employee to make what’s known as an ‘enforced subject access’ request and then share the information with the employer.

An enforced subject access is where, for example, and employer requires an applicant to obtain a copy of their police record directly from the police (not through the DBS) as part of the application process for the job. This type of record displays significantly more personal information than what an employer is legally entitled to be in possession of.

The Information Commissioners Office (ICO) has indicated that it intends to prosecute those who continue to make enforced subject access requests.

Protection of Freedoms Act 2012

A number of reviews were carried out into the criminal record disclosure regime between 2009 and 2012. An independent expert panel set up by the Home Office, led by Sunita Mason and including Unlock, made a number of recommendations that were accepted by the government and implemented through the Protection of Freedoms Act 2012.

There were a number of changes to criminal record disclosure that came about through this legislation. Structurally, the most visible change was that the Disclosure and Barring Service (DBS) was established by merging the Criminal Records Bureau (CRB) with the Independent Safeguarding Authority (ISA).

Of the other changes, the most relevant to this site include:

  1. There being a new definition of ‘regulated activity’ – this was more narrowly focused than the old definition (which still remains in force and enables enhanced checks, but doesn’t allow checks against the barred lists). The new definition is mostly based on work which involves close and unsupervised work with children or vulnerable groups.
  2. The restriction of barred lists checks to roles meeting the new definition of regulated activity (with some exceptions). It remains the case that it is an offence for an employer to knowingly allow a barred person to be engaging in regulated activity with a group that they are barred from (and it still remains the case that it is an offence for a barred person to seek work with a group that they are barred from)
  3. The criminal record disclosure certificate no longer being sent to the employer – instead of two certificates, only one would now be issued, direct to the applicant.
  4. The launch of the DBS update service, which enables (with some limitations) the portability of disclosure certificates
  5. A minimum age of 16 at which a person can apply for a DBS check.
  6. More rigorous testing of relevance for when the police are deciding whether to disclose ‘other relevant information’ on an enhanced disclosure certificate.
  7. A new representations process for individuals to challenge inaccurate information disclosed or other relevant information disclosed.
  8. The removal of the police power to disclose ‘additional information’ (also known as ‘brown envelope’ information) directly to employers, as police can use existing common law powers.

Useful resources

There are links to relevant guidance in each of the sections above.

More information

  1. There is more information about how to approach criminal records, which forms part of the practical guidance section of Recruit!
  2. For further advice about this guidance, please contact us.

Has this been useful?

Let us know if this guidance has been useful. Have you used it in your organisation? Has it helped you to change your policy or practice? Please let us know so that we can show the impact of this guidance and continue to help others.

You can let us know by:

  1. Writing a comment on this page (see below)
  2. Sending your feedback directly to us
  3. Emailing us at
This guidance was last updated in August 2016

Is there anything wrong with this guidance? Let us know – email


Print Friendly, PDF & Email