Think back to the last time you applied for a job. Did the application include a tick box question on criminal convictions?
Last year Unlock published research showing that three quarters of national employers still ask about criminal records on application forms. This can be off-putting to applicants with convictions and we don’t think it’s necessary for employers to ask this question so early on. Employers are responsible for deleting unnecessary information – whether its from applicants who don’t take the job, or employees who have left. This post looks at how you can request that your data is deleted when it’s no longer needed.
Deleting criminal records information
Where an organisation (known as a data controller) wants to process data about criminal convictions, they must have a lawful basis for doing so under Article 6 and a condition of processing under Article 10 of the GDPR. As a result of GDPR, organisations need to consider what information is necessary, and when. Here we’ll focus on employers but the same rules apply to any organisation that collects personal data – housing providers, colleges or universities, insurance companies. If you’re being asked to disclose information about convictions, you should be able to access the employer’s privacy policy which will tell you how long your data will be retained. Employers should delete information within these timescales.
However, a CIPHR survey found that this is not always happening as it should. 137 HR professionals were asked if they had published retention periods, and whether data was being deleted at the right time. 83% had published retention periods for data, but only 69% had actually deleted the information as they should have. More than half used paper notes or calendar reminders rather than automated systems to let them know when data should be deleted.
Where data protection breaches are proven, enforcement action could have serious consequences for organisations. The 30% of HR teams who admitted they had not deleted data as required were exposing their companies to significant financial penalties – the maximum fine now is £17.5 million or 4% of the company’s annual global turnover (whichever is higher).
What can you do?
The GDPR gives individuals rights over their data – we recently published guidance for individuals on this. When your information is no longer necessary, it should be securely destroyed. This is known as the right to erasure or the ‘right to be forgotten’ and means you have more power to hold data controllers to account. Where might you want to use your right to erasure?
If you have:
- ticked the box on an application form for a job, for housing or a place at college or university
- disclosed more detailed information during the recruitment process
- provided your employer with a DBS certificate
- disclosed an unspent conviction that has become spent
- left a job where your criminal record information was collected during recruitment.
If any of these apply to you, consider asking the data controller to #deletemydata. You can download a template here.
Already done this? Tell us about it.
If they are unable or unwilling to resolve your concern, you can raise the matter with the Information Commissioners Office within three months of your last meaningful contact with them.