On 25th May 2018, the General Data Protection Regulation (GDPR) came into force and the Data Protection Act 1998 was replaced by the Data Protection Act 2018 (DPA18) to incorporate the GDPR provisions which are specific to the UK.
Together, this legislation significantly strengthens the rights individuals have over processing of their personal data. Individuals now have more power to demand that companies reveal or delete any personal data they hold and, where data protection breaches are proven, enforcement action could have serious consequences for organisations with the maximum fine now reaching the higher of £17.5 million or 4% of the company’s annual global turnover.
GDPR and the DPA18 applies to the processing of all personal data. However, criminal records data (including cautions, convictions and allegations) are a separate category of data (“criminal offence data”) and, where organisations collect this information as part of their recruitment process, certain safeguards must be put in place to protect individuals.
This guidance deals specifically with the use of GDPR and DPA18 for recruitment purposes and the collection and processing of criminal record data. It sets out what personal data employers are allowed to collect and process, and the steps you can take if you believe an employer has breached GDPR/DPA18.
What difference will GDPR make to the recruitment process?
From the outset of the recruitment process, employers will ask you to share a lot of personal data (your name, address, contact details, qualifications, work experience etc) to enable them to contact you and assess your suitability for a role.
It has become common practice for many UK employers to ask prospective employees about their criminal convictions and to also carry out formal criminal record checks. The GDPR does not regulate an employer’s ability to carry out criminal record checks but rather an employer’s ability to process the data relating to criminal convictions following these checks.
As a result of GDPR, employers will need to more carefully consider what information it is necessary for them to have and, at what stage of the recruitment process they need it. They will have to be able to fully justify the processing of criminal record data especially where there is no actual legal requirement to do so.
The lawful basis and condition for processing criminal record data
Where an employer wants to process data relating to criminal convictions, they must have a lawful basis for doing so under Article 6 of the GDPR. Every piece of personal data held by an organisation must be justified according to one of six lawful bases. These are:
We believe that the majority of employers are likely to rely on consent, legal obligation and legitimate interest as their lawful basis.
In addition to having a lawful basis, employers who are processing criminal records data will also need to identify a condition for processing. Schedule 1 of the DPA18 states that the condition will be met if:
- The processing is necessary for the purpose of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protections, and
- The controller has an appropriate policy document in place.
To meet the condition, employers will need to demonstrate that processing is both necessary and have an appropriate policy in place.
Can employers ask about criminal record data and carry out criminal record checks under GDPR?
Asking about criminal records
If an employer wants to know whether you have a criminal record, they cannot ask about cautions or spent convictions unless you are going to be employed in a role which is listed in the Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975 (this would include doctors, solicitors, anybody working with children or vulnerable adults). These employers have a legal obligation to carry out a standard or enhanced DBS check.
For all other roles, an employer can only ask you to:
- Voluntarily disclose whether you have any unspent convictions; or
- Agree to a basic criminal record check through the Disclosure and Barring Service
We do not believe that asking all applicants to disclose at application stage would meet the GDPR necessity test as it is neither a specific nor targeted means of collecting criminal records data and could potentially be a breach of the GDPR and DPA18. Unlock’s guidance for employers on GDPR strongly encourages employers to join the Ban the Box campaign and remove questions about criminal records from application forms.
Automated decision making
Under GDPR you have the right to contest decisions based on automated decision making. This includes decisions on whether or not to shortlist you for employment. We’re aware of application systems that make automated decisions to decline applicants based on their criminal record disclosure although we’re unsure how widespread this practice is.
GDPR does allow employers to make shortlisting decisions on a solely automated basis but insists that they inform you of this and put in place safeguards, including the right for you to request a human intervention in the processing, to express a view and contest the decision.
Carrying out official criminal record checks
Some employers are legally obliged to carry out criminal record checks and the Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975 sets out where standard and enhanced checks can be done for specified roles and professions.
Other employers are able to carry out basic criminal record checks. Some employers will ask you to self-disclose and will base their decision on this information. The GDPR does not prevent employers carrying out basic checks and DPA18 includes a provision to allow checks where it is ‘necessary for the purposes of performing or exercising employment law obligations or rights’. Employers will however now need to demonstrate the necessity of carrying out the checks and identify the lawful basis under which the checks will be carried out.
Asking about criminal records but not verifying the information is unlikely to fulfil the purpose of processing, and could therefore be considered excessive data collection.
The issue with employee consent
Some application forms make it a condition of employment that applicants consent to a check. However, given the imbalance of the relationship between an employer and a job applicant, consent will generally be invalid unless it is freely given. If you’re told by an employer that failure to give consent may have unfavourable consequences for you (for example not getting the job) then this would make it difficult for an employer to rely on consent as their lawful basis.
“Appropriate policy” document
What other rights do you have under GDPR?
In addition to setting out the data processing principles that organisations need to adhere to, the GDPR also defines the rights that you have to access and control your data. These are referred to as data subject rights and include:
What to do when things go wrong
You have the right to expect that your employer or any other organisation will handle your personal information responsibly and in line with good practice. You may be concerned about the way an employer is handling your information if it:
- Is not keeping your information secure;
- Holds inaccurate information about you;
- Has disclosed information about you;
- Is keeping information about you for longer than is necessary; or
- Has collected information for one reason and is using it for something else.
You may be concerned that an organisation has not been able to identify a lawful basis for processing your criminal record data or that you’ve been affected by an automated decision making process.
In addition, you may want to consider the ways in which employers store, retain and share your criminal record data. For example:
- An unspent conviction can become spent during the course of employment and therefore should not be retained by the employer past that point.
- Access to your data should be limited only to members of staff that require access (for example the HR manager) and should only be disclosed with your consent.
- Your criminal record data should be transmitted and stored securely due to it’s sensitivity and the level of risk posed.
- Your criminal record data should be treated separately to other recruitment and employee information (e.g. application forms, payroll etc).
- When your information is no longer necessary, it should be securely destroyed.
Raising a concern with an organisation
If you believe that breach of the GDPR/DPA18 has occurred then it’s always best to initially raise your concern in writing with the organisation concerned. We have put together a template letter which can be downloaded here.
Other things to remember when raising a concern with your employer:
Raising a concern with the Information Commissioners Office
If your employer is unable or unwilling to resolve your concern, you can raise the matter with the Information Commissioners Office (ICO). Fines for non-compliance with GDPR are much higher than under the previous Data Protection Act 1998. The GDPR introduced “effective, proportionate and dissuasive” administrative fees of up to 4% of annual global or £17.5 million.
Besides the power to impose fines, the ICO has a range of corrective powers and sanctions to enforce GDPR which include:
- Issuing warnings and reprimands;
- Imposing a temporary or permanent ban on data processing;
- Ordering the rectification, restriction or erasure of data.
You will need to raise the matter with the ICO within three months of your last meaningful contact with the organisation.
Taking your case to court
If a court is satisfied that your rights have been breached, it may order that the controller/processor of that data takes steps to comply with its data obligations. You may be able to receive compensation from the data controller/processor if you’ve suffered any material or non-material damage (for example distress).
If you wish to pursue this course of action, we’d suggest that you seek independent legal advice.
Raising a concern with your MP
If you want government to do more to encourage employers to sign up to the Ban the Box campaign and recruit people with convictions then it could be worth contacting your MP if you believe that GDPR/DPA18 has been breached. Your MP may be able to raise the issue with the appropriate Minister or in some cases, make the issue public by raising it in the House of Commons.
Below you will find links to useful websites relating to this page. More specific details (including addresses and telephone numbers) of some of the organisations listed below can be found here.
- Information Commissioners Office – The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. Also provide advice on how to protect personal information and how to gain access to official records.
- Read more – your right to be forgotten
- For practical information – We have more information on criminal convictions and data protection
- Questions – If you have any questions about this, you can contact our helpline.
Help us to add value to this information. You can: