Background
On 25th May 2018, the General Data Protection Regulation (GDPR) came into force and the Data Protection Act 1998 was replaced by the Data Protection Act 2018 (DPA18) to incorporate the GDPR provisions which are specific to the UK.
Together, this legislation significantly strengthens the rights individuals have over processing of their personal data. Individuals now have more power to demand that companies reveal or delete any personal data they hold and, where data protection breaches are proven, enforcement action could have serious consequences for organisations with the maximum fine now reaching the higher of £17.5 million or 4% of the company’s annual global turnover.
GDPR and the DPA18 applies to the processing of all personal data. However, criminal records data (including cautions, convictions and allegations) are a separate category of data (“criminal offence data”) and, where organisations collect this information as part of their recruitment process, certain safeguards must be put in place to protect individuals.
This guidance deals specifically with the use of GDPR and DPA18 for recruitment purposes and the collection and processing of criminal record data. It sets out what personal data employers are allowed to collect and process, and the steps you can take if you believe an employer has breached GDPR/DPA18.
What difference will GDPR make to the recruitment process?
From the outset of the recruitment process, employers will ask you to share a lot of personal data (your name, address, contact details, qualifications, work experience etc) to enable them to contact you and assess your suitability for a role.
It has become common practice for many UK employers to ask prospective employees about their criminal convictions and to also carry out formal criminal record checks. The GDPR does not regulate an employer’s ability to carry out criminal record checks but rather an employer’s ability to process the data relating to criminal convictions following these checks.
As a result of GDPR, employers will need to more carefully consider what information it is necessary for them to have and, at what stage of the recruitment process they need it. They will have to be able to fully justify the processing of criminal record data especially where there is no actual legal requirement to do so.
The lawful basis and condition for processing criminal record data
Where an employer wants to process data relating to criminal convictions, they must have a lawful basis for doing so under Article 6 of the GDPR. Every piece of personal data held by an organisation must be justified according to one of six lawful bases. These are:
Where there is a clear reason why an employee’s contract would need an employer to collect criminal record data. For example a recruitment agency providing nursing or teaching staff.
Where the processing is necessary for the employer to comply with the law. For example a school, nursery or care home who, as a result of regulations would be required to carry out enhanced Disclosure and Barring Service checks.
Where processing is necessary to save or protect someone’s life. It is unlikely that any employer would be able to use this as a suitable lawful basis.
Where the processing is necessary as part of official tasks or to perform functions which are in the public interest. For example prison or police officers.
Where an employer has been given explicit and informed consent from an applicant/employee to process personal data. Any employer could use this basis but they would need to offer genuine choice and would have to allow you to withdraw your consent.
Where the processing is necessary for the legitimate interests of the employer and an employer can protect the rights of the individual. Any employer can use this basis but their purpose must be clearly defined.
We believe that the majority of employers are likely to rely on consent, legal obligation and legitimate interest as their lawful basis.
In addition to having a lawful basis, employers who are processing criminal records data will also need to identify a condition for processing. Schedule 1 of the DPA18 states that the condition will be met if:
- The processing is necessary for the purpose of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protections, and
- The controller has an appropriate policy document in place.
To meet the condition, employers will need to demonstrate that processing is both necessary and have an appropriate policy in place.
Can employers ask about criminal record data and carry out criminal record checks under GDPR?
Asking about criminal records
If an employer wants to know whether you have a criminal record, they cannot ask about cautions or spent convictions unless you are going to be employed in a role which is listed in the Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975 (this would include doctors, solicitors, anybody working with children or vulnerable adults). These employers have a legal obligation to carry out a standard or enhanced DBS check.
For all other roles, an employer can only ask you to:
- Voluntarily disclose whether you have any unspent convictions; or
- Agree to a basic criminal record check through the Disclosure and Barring Service
If you’re being asked to disclose any unspent convictions, then an employer will need to provide you with details of their lawful basis for asking and also a copy of their privacy policy which should set out the data retention periods and who your data will be shared with.
We do not believe that asking all applicants to disclose at application stage would meet the GDPR necessity test as it is neither a specific nor targeted means of collecting criminal records data and could potentially be a breach of the GDPR and DPA18. Unlock’s guidance for employers on GDPR strongly encourages employers to join the Ban the Box campaign and remove questions about criminal records from application forms.
Automated decision making
Under GDPR you have the right to contest decisions based on automated decision making. This includes decisions on whether or not to shortlist you for employment. We’re aware of application systems that make automated decisions to decline applicants based on their criminal record disclosure although we’re unsure how widespread this practice is.
GDPR does allow employers to make shortlisting decisions on a solely automated basis but insists that they inform you of this and put in place safeguards, including the right for you to request a human intervention in the processing, to express a view and contest the decision.
Carrying out official criminal record checks
Some employers are legally obliged to carry out criminal record checks and the Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975 sets out where standard and enhanced checks can be done for specified roles and professions.
Other employers are able to carry out basic criminal record checks. Some employers will ask you to self-disclose and will base their decision on this information. The GDPR does not prevent employers carrying out basic checks and DPA18 includes a provision to allow checks where it is ‘necessary for the purposes of performing or exercising employment law obligations or rights’. Employers will however now need to demonstrate the necessity of carrying out the checks and identify the lawful basis under which the checks will be carried out.
Asking about criminal records but not verifying the information is unlikely to fulfil the purpose of processing, and could therefore be considered excessive data collection.
The issue with employee consent
Some application forms make it a condition of employment that applicants consent to a check. However, given the imbalance of the relationship between an employer and a job applicant, consent will generally be invalid unless it is freely given. If you’re told by an employer that failure to give consent may have unfavourable consequences for you (for example not getting the job) then this would make it difficult for an employer to rely on consent as their lawful basis.
“Appropriate policy” document
Any employer that is collecting and processing criminal record data as part of their recruitment process must have a policy in place (a privacy policy) which covers the purpose and lawful basis for collecting personal data, the retention period and who information will be shared with. It should also set out an individual’s data protection rights. A copy of the policy should be given to you at the time the information is collected. Employers can be asked to make the document available to the Information Commissioners Office on request.
What other rights do you have under GDPR?
In addition to setting out the data processing principles that organisations need to adhere to, the GDPR also defines the rights that you have to access and control your data. These are referred to as data subject rights and include:
When collecting data from you, organisations must properly inform you of what data they are collecting, what they will be using it for, how long they will keep it and which organisations (if any) they will share it with.
You have the right to contact an organisation and ask them to provide you with details of the data they hold on you. This will include (a) what the data is, (b) why they hold it and (c) what they do with it, including any organisations they share it with.
You have the right to ensure that information about you is correct, and to ensure that information is corrected if it is found to be inaccurate.
Also referred to as the ‘right to be forgotten’. This means you have the right to demand that information an organisation holds about you is deleted, in part or entirely. It’s not an absolute right, and in some circumstances your request could be refused.
You have the right to deny consent for an organisation to process your data even if you have given consent for it to do so in the past. This right is also not absolute and can, in some circumstances be refused. However, an organisation must be able to show you what it is doing with your data so that you can decide to restrict processing if you wish.
This right gives you the opportunity to take the data an organisation holds on you and extract it for use elsewhere.
This allows you to demand that organisations stop using your data in ways you object to.
Finally, with the growth in profiling and the use of data to make automated decisions in say job applications, this provides you with the right to object or appeal against automated decisions that affect you.
What to do when things go wrong
You have the right to expect that your employer or any other organisation will handle your personal information responsibly and in line with good practice. You may be concerned about the way an employer is handling your information if it:
- Is not keeping your information secure;
- Holds inaccurate information about you;
- Has disclosed information about you;
- Is keeping information about you for longer than is necessary; or
- Has collected information for one reason and is using it for something else.
You may be concerned that an organisation has not been able to identify a lawful basis for processing your criminal record data or that you’ve been affected by an automated decision making process.
In addition, you may want to consider the ways in which employers store, retain and share your criminal record data. For example:
- An unspent conviction can become spent during the course of employment and therefore should not be retained by the employer past that point.
- Access to your data should be limited only to members of staff that require access (for example the HR manager) and should only be disclosed with your consent.
- Your criminal record data should be transmitted and stored securely due to it’s sensitivity and the level of risk posed.
- Your criminal record data should be treated separately to other recruitment and employee information (e.g. application forms, payroll etc).
- When your information is no longer necessary, it should be securely destroyed.
Raising a concern with an organisation
If you believe that breach of the GDPR/DPA18 has occurred then it’s always best to initially raise your concern in writing with the organisation concerned. We have put together a template letter which can be downloaded here.
Other things to remember when raising a concern with your employer:
The longer it takes you to raise your concern, the harder it will be for your employer to look into it thoroughly.
It’s always worth contacting your employer to find out who to send your concern to. It may not be the office where you’re based.
Typed documents are always easiest to read.
Although you might be aware of the relevant legislation relating to your concern, you don’t have to quote it. Just explain clearly and simply what has happened and, what effect it has had on you.
If you’ve had a long relationship with the employer, make sure you only set out the specific concern you have and nothing that is historic or unrelated.
Although you may be justifiably angry or upset, keep your letter calm and polite as this will help get your points across more clearly.
Ask when you can expect your employer to respond and resist the temptation to contact them again before that.
Include all relevant details to help your employer identify you and your concern.
Send copies of all key documents you have as evidence.
Clearly date all letters, make notes of all related conversations and keep copies of everything.
If the ‘final’ response you receive does not resolve the matter to your satisfaction make sure you follow any appeals process you are provided with.
Raising a concern with the Information Commissioners Office
If your employer is unable or unwilling to resolve your concern, you can raise the matter with the Information Commissioners Office (ICO). Fines for non-compliance with GDPR are much higher than under the previous Data Protection Act 1998. The GDPR introduced “effective, proportionate and dissuasive” administrative fees of up to 4% of annual global or £17.5 million.
Besides the power to impose fines, the ICO has a range of corrective powers and sanctions to enforce GDPR which include:
- Issuing warnings and reprimands;
- Imposing a temporary or permanent ban on data processing;
- Ordering the rectification, restriction or erasure of data.
You will need to raise the matter with the ICO within three months of your last meaningful contact with the organisation.
Taking your case to court
Under Articles 79 and 82 of GDPR, you have the right to take proceedings to court if you believe that your information rights have been breached.
If a court is satisfied that your rights have been breached, it may order that the controller/processor of that data takes steps to comply with its data obligations. You may be able to receive compensation from the data controller/processor if you’ve suffered any material or non-material damage (for example distress).
If you wish to pursue this course of action, we’d suggest that you seek independent legal advice.
Raising a concern with your MP
If you want government to do more to encourage employers to sign up to the Ban the Box campaign and recruit people with convictions then it could be worth contacting your MP if you believe that GDPR/DPA18 has been breached. Your MP may be able to raise the issue with the appropriate Minister or in some cases, make the issue public by raising it in the House of Commons.
Frequently asked questions
Employers have no legal obligation to ask about criminal records at application stage and asking all applicants to disclose at application stage is unlikely to meet the necessity test under GDPR. To meet the test, employers should only be requesting criminal records data from the successful applicant.
You could always agree to a basic DBS check if you’re offered the job. If the employer doesn’t do formal criminal record checks to verify the information you disclose, they could potentially be collecting excessive data which would again breach GDPR.
If it’s an online application form and you get a ‘sorry not suitable’ message after ticking the box, the employer may be in breach of the GDPR’s rules on ‘automated decision making’.
If an employer is asking all applicants to disclose their criminal record on application this is likely to be a breach of GDPR. They should have a privacy policy for you to read that should explain what they ask and why, and how your information is kept. You could raise your concerns with the company’s HR department and if you’re not happy with their response, your next step would be to raise it with the Information Commissioners Office (ICO).
If an employer wants to know whether you have a criminal record, they can’t ask you about cautions or spent convictions unless you’re going to be employed in a role that is listed in the ROA (Exceptions) Order. If you’re being asked to disclose any unspent convictions then the employer should provide you with details of their lawful basis for asking and also a copy of their privacy policy. You should ask them for this if they don’t provide it freely.
If you decide to disclose your criminal record and your application is unsuccessful then you should make sure that you make a request to the organisation to delete your personal data.
The majority of jobs in healthcare are exempt from the ROA (Exceptions) Order 1975 meaning that an employer would be legally obliged to carry out a criminal record check. Before you disclose anything, make sure that the employer is carrying out the correct level of check for the role that you’re applying for.
NHS Employers policy is that, in general, applicants will only be asked about criminal records after they’ve been offered a job.
As the agency will be supplying staff to a workplace where an enhanced DBS check is required, then under GDPR they would probably have a contractual requirement to collect the information.
If an employer needs to ask about unspent convictions then they should provide you with a copy of their privacy policy which explains their lawful basis for asking as well as the process for disclosing and how a recruitment decision will be made.
Useful links
Below you will find links to useful websites relating to this page. More specific details (including addresses and telephone numbers) of some of the organisations listed below can be found here.
- Information Commissioners Office – The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. Also provide advice on how to protect personal information and how to gain access to official records.
More information
- Read more – your right to be forgotten
- For practical information – We have more information on criminal convictions and data protection
- Questions – If you have any questions about this, you can contact our helpline.
Get involved
Help us to add value to this information. You can:
- Comment on this page (below)
- Send your feedback directly to us
- Discuss your views and experiences with others on our online forum
- Share your personal story by contributing to our online magazine, theRecord.
If you have something on your dbs. Can your manager freely share this with your colleagues?
This has happened to me and I did not consent to it
Hi
Information contained in a DBS certificate is sensitive data and should always be treated confidentially. There are some circumstances when it may be necessary for your manager to share the information, for example with an HR professional when making a recruitment decision. The information most definitely shouldn’t be shared freely with work colleagues.
Although this would be a data protection breach, one of the problems can be that these types of breach can be extremely difficult to prove. If your employer has an HR department, it might be worth in the first instance making a complaint against your manager.
Best wishes
Debbie