It’s essential to have a good institutional understanding of the way that criminal records data is managed by law. Data protection is everyone’s business.
Information about criminal records is, naturally, sensitive. The sensitive nature of criminal record data is recognised in law. Under the GDPR, criminal records data (Article 10 data) is treated as its own, distinct category of data, separate from other kinds of special category data.
This means that specific criteria must be met and documented to allow processing of criminal record data. There is a high burden on anyone collecting this type of data to demonstrate that the processing is necessary, proportionate and is managed lawfully. (The specific criteria that must be evidenced to collect criminal records data are explained in more detail below.)
From 2019, UCAS stopped asking every applicant about their criminal record
Prior to 2019, every student applying to higher education via UCAS was asked about criminal records. UCAS stopped asking every applicant about their criminal record from 2019 onward. In making this decision, UCAS recognised the following:
- that asking all applicants about criminal records was having a disproportionate impact and potentially deterring applicants
- that the justification threshold for collecting data of this kind is very high.
Applicants to regulated courses continue to be asked about criminal records when applying with UCAS. There is a specific and proportionate purpose for collecting this data for these courses.
Further consultation was undertaken as to when or whether criminal records data might be relevant and fair to collect for non-regulated courses. It was left to individual institutions to determine their own approach. Recommended best practice was to ask applicants about conditions relating to a criminal record which might impede their studies. This question should be voluntary. Doing so allows for a number of considerations to be met:
- Providers are collecting only data that is proportionate and relevant, and will likely be able to rely on the consent basis (see below) in order to be legally compliant.
- Applicants are supported to succeed. Some legal restrictions may make certain aspects of a course or study challenging. If these restrictions are identified, any resulting challenges can be better understood and hopefully resolved.
- Providers can be confident that they are working in tandem with statutory services, who will apply and enforce those restrictions they consider necessary to manage any risks.
There are other circumstances in which it may be relevant to ask about criminal records, not outlined above (e.g. where a student is applying to University accommodation, or undertaking a student role involving regulated activity).
Since 2019, many higher education providers have followed UCAS’ lead, and ceased to ask all applicants about their criminal record. A larger proportion continue to ask all applicants as standard, but have moved this question to later in the application process (for example, after a firm offer). This is a positive first step, allowing applicants to be considered on their merits first, before having any criminal record taken into account.
However, where providers continue to ask later in the application/enrolment process, many don’t explain this in advance. This leaves prospective applicants uncertain about how they and their data will be treated.
For those providers who continue to ask about criminal records in the application or enrolment process, there are means of making this process fairer. Providers should give clear guidance on when, how and what is asked about criminal records, in advance of the question being asked.
The UCAS good practice guide and supporting resources can be found here.
How does the law apply to higher education?
Any organisation processing criminal records data should be confident in its processes for doing so. The underpinning principles of the GDPR apply to all data processing. They must be observed by any provider processing criminal records data. Failure to comply with these principles can attract the highest tier of administrative fines.
General principles of the GDPR
The General Data Protection Regulation (GDPR) applies to all processing, including collecting, recording, storing, using, analysing, disclosing or deleting information. The entire piece of legislation is underpinned by seven key principles, which are:
Lawfulness, fairness and transparency
Is your approach to applicants with criminal records in accordance with the law? How might it affect their access to higher education? How can applicants find out how their information will be treated and managed?
Purpose limitation
What is the purpose of asking applicants for this information? How do you ensure that it is only used for the intended purpose, and not for others?
Data minimisation
Only collect what you need. If the information you collect does not cover what you need, then it is excess data by definition – if it does not fulfil the stated purpose, then it has been collected arbitrarily, and is excessive.
Accuracy
Is requesting self-disclosure from every applicant likely to produce accurate data? Accuracy also means data should be up-to-date. Have you kept data about criminal records that are now spent?
Storage limitation
How have you ensured that data will only be stored during the time that it is required for use?
Integrity and confidentiality (security)
How does your institution ensure protection of criminal records data? This is especially important where data is retained in order to support students, as this is likely to mean more staff involved in handling the data.
Accountability
If asked, could you demonstrate to data subjects, or the Information Commissioner’s Office, how, why and when you process data, with relevant policies and procedures detailed?
Specific obligations
The GDPR requires any organisation that processes criminal records data to have both a lawful basis under Article 6 and a condition under Article 10. These should be determined before processing and documented in a policy.
Identifying an Article 6 basis
The purpose of collecting criminal records underpins the suitable lawful basis. Each basis requires that processing is necessary and there should be a clear and rational link between the purpose and the processing. There are six lawful bases for processing personal data:
a) Consent
Can applicants still be considered if they refuse to consent to processing of criminal records?
The GDPR sets an incredibly high standard for consent. In order to give consent, data subjects have to have genuine control, and should be able to withhold consent without suffering detriment. Consent should not be a condition of receiving some service you are offering (such as processing an application). Freely given consent is difficult to obtain if there is an imbalance of power between subject and controller.
b) Contract
Is there a reason why your contract with an applicant requires processing criminal records data?
c) Legal obligation
Are you legally obliged to process criminal records data for this course?
This might be the case for courses that lead to certain regulated professions, for example.
d) Vital interests
Are you collecting criminal records data to save or protect someone’s life?
This lawful basis is very limited in its scope, and generally only applies to matters of life and death.
e) Public task
Are you processing criminal records data as part of official tasks/functions in the public interest?
Section 8 of the Data Protection Act 2018 (DPA 2018) says that the public task basis will cover processing necessary for: the administration of justice; parliamentary, statutory or governmental functions; or activities that support or promote democratic engagement. It applies to statistical and archival functions but is unlikely to apply to processing for admissions.
f) Legitimate interests
Have you a legitimate interest in processing criminal records data AND can protect the rights of the individual?
Most of these do not apply for admissions to most courses and relying on them could mean your policy is non-compliant. Applicants could be asked to voluntarily disclose information that could be used to support them. This would be compliant with the consent basis.
Identifying an Article 10 condition
HE providers will also need to identify an ‘official authority’ or a separate condition for processing, under Article 10. A full list can be found in Schedule 1 of the Data Protection Act 2018. The Schedule is split into four parts.
- Part 1 – Conditions relating to employment, health and research
- Part 2 – Substantial public interest conditions
- Part 3 – Additional conditions relating to criminal offence data
- Part 4 – Appropriate policy document and additional safeguards
Compliance depends on necessity so higher education providers will need a clear purpose of processing before identifying an appropriate condition.
- the processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection, and
- the controller has an appropriate policy document in place (see paragraph 39 in Part 4 of this Schedule).
Meeting the condition depends on both demonstrating that processing is necessary, and having an appropriate policy in place.
Once an Article 6 lawful basis and Article 10 lawful condition for processing have been identified, these should be documented in a policy.
Article 35 of the GDPR also obliges data controllers to conduct Data Protection Impact Assessments (DPIAs) where data processing is likely to lead to high risks to the rights and freedoms of data subjects. A DPIA is also required if the processing of criminal records data is on a large scale (collecting criminal records data from every applicant is arguably collecting on a large scale).
The ICO has excellent and comprehensive guidance on the processing of criminal records data, available here. The following are a few key points to draw your attention to:
- GDPR obligations are the same whether convictions are revealed or not. If asking about criminal records, where an applicant responds ‘no’, this is itself data about criminal records and attracts the same legal obligations as if an applicant says ‘yes’ and declares a criminal record.
- Article 10 also covers ‘related security measures’. These are not defined by the GDPR but will be relevant for those institutions requesting information only about restrictions which may limit study (e.g. bail conditions, electronic tagging, probation information).
- Article 10 also covers suspicions or allegations of criminal activity.
The Rehabilitation of Offenders Act 1974
The Rehabilitation of Offenders Act 1974 (ROA) assigns every sentence a ‘rehabilitation period’. During this period, a conviction is considered ‘unspent’. Once this period has passed, and if there are no further convictions, it will become ‘spent’. The ROA gives people with spent convictions the right to withhold details of their criminal record in certain situations; this will be the case for most applicants to most higher education courses.
Certain professions and roles are exempt from the Rehabilitation of Offenders Act, meaning spent criminal records remain disclosable when asked for these positions. These can be found in the Rehabilitation of Offenders Act (Exceptions) Order 1975.
For courses leading to exempt professions, applicants will be required to declare whether they have cautions and spent or unspent convictions on their UCAS application. However, some spent criminal records are eligible to become ‘protected’ after a period of time. This process is also referred to as ‘filtering’; further information on filtering can be found here.
Under the GDPR there is a general need to ensure that processing does not contravene other legislation, such as the ROA. If higher education providers are processing criminal record data in contravention of legislation such as the ROA, then they will be processing data unlawfully and will not be complying with the provisions of the GDPR.
Checklist
- The questions we ask (when we ask them) are a targeted and proportionate means of achieving our purpose
- We ask about criminal records only if – and when – necessary
- When we do ask, we have defined the purpose of collecting criminal records. There is a clear and rational link between the purpose and asking
- We have identified an Article 6 basis and Article 10 condition
- We have provided clear guidance to data subjects explaining their rights, how we use their data, and how to make a complaint
- We ensure all staff are aware of the specific considerations for processing criminal record data, throughout the study journey – not just for admissions
- We have documented our legal approach in an appropriate policy