It’s essential to have a good institutional understanding of the way that criminal records data is managed by law. Data protection is everyone’s business.
Information about criminal records is, naturally, sensitive. The sensitive nature of criminal record data is recognised in law. Under the GDPR, criminal records data (Article 10 data) is treated as its own, distinct category of data; separate from other kinds of special category data.
This means that specific criteria must be met and documented to allow processing of criminal record data. There is a high burden on anyone collecting this type of data to demonstrate that the processing is necessary, proportionate and is managed lawfully. (The specific criteria that must be evidenced to collect criminal records data are explained in more detail below).
From 2019, UCAS stopped asking every applicant about their criminal record
Prior to 2019, every student applying to higher education via UCAS was asked about criminal records. UCAS stopped asking every applicant about their criminal record from 2019 onward. In making this decision, UCAS recognised the following:
- that asking all applicants about criminal records was having a disproportionate impact & potentially deterring applicants
- that the justification threshold for collecting data of this kind is very high.
Applicants to regulated courses continue to be asked about criminal records when applying with UCAS. There is a specific and proportionate purpose for collecting this data for these courses.
Further consultation was taken as to when or whether criminal records data might be relevant and fair to collect for non-regulated courses. It was left to individual institutions to determine their own approach. Recommended best practice was to ask applicants about conditions relating to a criminal record which might impede their studies. This question should be voluntary. Doing so allows for a number of considerations to be met:
- Providers are collecting only data that is proportionate and relevant, and will likely be able to rely on the consent basis (see below) in order to be legally compliant.
- Applicants are supported to succeed. Some legal restrictions may make certain aspects of a course or study challenging. If identified, any challenges relating to criminal records can be better identified and hopefully resolved.
- Providers can be confident that they are working in tandem with statutory services, who will apply and enforce those restrictions they consider necessary to manage any risks.
There are other circumstances in which it may be relevant to ask about criminal records, not outlined above (e.g. where a student is applying to University accommodation, or undertaking a student role involving regulated activity).
Since 2019, many higher education providers have followed UCAS’ lead, and ceased to ask all applicants about their criminal record. A larger proportion continue to ask all applicants as standard, but have moved this question to later in the application process (for example, after a firm offer). This is a positive first step, allowing applicants to be considered on their merits first, before having any criminal record taken into account.
However, where providers continue to ask later in the application/enrolment process, many don’t explain this in advance. This leaves prospective applicants uncertain about how they and their data will be treated.
For those providers who continue to ask about criminal records in the application or enrollment process, there are means of making this process fairer. Providers should provide upfront, clear guidance regarding when, how and what is asked about criminal records in advance of the question being asked.
The UCAS good practice guide and supporting resources can be found here.
How does the law apply to higher education?
Any organisation processing criminal records data should be confident in its processes for doing so. The underpinning principles of the GDPR apply to all data processing. They must be observed by any provider processing criminal records data. Failure to comply with these principles can lead to some of the highest tier of administrative fines.
The GDPR requires any organisation that processes criminal records data to have both a lawful basis under Article 6 and a condition under Article 10. These should be determined before processing and documented in a policy.
Most of these do not apply for admissions to most courses and relying on them could mean your policy is non-compliant. Applicants could be asked to voluntarily disclose information that could be used to support them. This would be compliant with the consent basis.
Once an Article 6 lawful basis and Article 10 lawful condition for processing have been identified, these should be documented in a policy.
Art 35 of the GDPR also obliges data controllers to conduct Data Protection Impact Assessments (DPIAs) where data processing is likely to lead to high risks to the rights and freedoms of data subjects. A DPIA is also required if the processing of criminal records data is on a large scale (collecting criminal records data from every applicant is arguably collecting on a large scale).
The ICO has excellent and comprehensive guidance on the processing of criminal records data, available here. The following are a few key points to draw your attention to:
- GDPR obligations are the same whether convictions are revealed or not. If asking about criminal records, where an applicant responds ‘no’, this is itself data about criminal records and attracts the same legal obligations as if an applicant says ‘yes’ and declares a criminal record.
- It also covers ‘related security measures’. These are not defined by the GDPR but will be relevant for those institutions requesting information only about restrictions which may limit study (eg. bail conditions, electronic tagging, probation information.)
- Article 10 also covers suspicions or allegations of criminal activity.
The Rehabilitation of Offenders Act 1974
The Rehabilitation of Offenders Act 1974 (ROA) assigns every sentence a ‘rehabilitation period’. During this period, a conviction is considered ‘unspent’. Once this period has passed and, if there are no further convictions, then it will become ‘spent’. The ROA gives people with spent convictions the right to withhold details of their criminal record in certain situations; this will be the case for most applicants to most higher education courses.
Certain professions and roles are exempt from the Rehabilitation of Offenders Act, meaning spent criminal records remain disclosable when asked for these positions. These can be found in the Rehabilitation of Offenders Act (Exceptions) Order 1975.
For courses leading to exempt professions, applicants will be required to declare whether they have cautions and spent or unspent convictions on their UCAS application. However, some spent criminal records are eligible to become ‘protected’ after a period of time. This process is also referred to as ‘filtering’ ; further information on filtering can be found here.
Under the GDPR there is a general need to ensure that processing does not contravene other legislation, such as the ROA. If higher education providers are processing criminal record data in contravention of legislation such as the ROA, then they will be processing data unlawfully and will not be complying with the provisions of the GDPR.