Pre-employment vetting: Data protection and criminal records

Does the GDPR prohibit employers from undertaking pre-employment vetting in relation to criminal records? This article clarifies the complex position in relation to data protection and criminal offence personal data.

Although it has been over 2 and half years since the General Data Protection Regulation (Regulation (EU) 2016/679) (the GDPR) came into force, one tricky topic continues to trouble employers: whether the GDPR prevents them from undertaking criminal record checks on their prospective and current employees.

The GDPR does not dictate whether an employer can carry out criminal record checks. However, once an employer carries out pre-employment vetting and starts to process any criminal offence data it obtains, the GDPR will bite.

Lawful basis for processing criminal record data

Any information about an actual or alleged criminal offence constitutes personal data. To process such data, an employer must have both:

• a lawful basis for processing; and
• a legal or official authority for the processing.

The lawful basis for processing could include where processing is necessary for compliance with a legal obligation to which the employer is subject e.g. where the employer must carry out criminal record checks for certain roles under safeguarding requirements or FCA Conduct Rules, or where processing is necessary for the purposes of the legitimate interests pursued by the employer, e.g. to ensure the safety and security of business and customer information where it is clear from the role in question that checking is justified such as with very senior employees or those with access to customer financial data. Employers would need to have a written legitimate interest assessment in place to rely on this as a lawful basis for processing.

However, unlike with other personal data, a lawful basis alone is not sufficient to comply with the GDPR in relation to criminal offence data. Employers must also have a legal or official authority for the processing of such data. ‘Official authority’ is limited to an organisation performing public functions and exercising powers established by law. So where does this leave employers who do not possess official authority?

It seems that the only option is for employers to rely on a legal authority under the Data Protection Act 2018 (the DPA 2018). The DPA 2018 authorises the processing of criminal offence data by organisations if the processing meets one of the following conditions:

• the processing is necessary for the purposes of performing or exercising employment law obligations or rights (e.g. where there is a legal requirement to vet employees for certain roles)
• the processing meets one of the substantial public interest conditions set out in the DPA 2018 or
• the processing meets one of the following conditions:
  • the employee has consented to the processing (but remembering the difficulty in obtaining valid consent in an employment context)
  • processing is carried out with appropriate safeguards in the course of the legitimate activities of a foundation, association or other not-for-profit body which has a political, philosophical, religious or trade union aim
  • the processing relates to personal data which has been manifestly made public by the employee
  • the processing is necessary for the purpose of, or in connection with, any legal proceedings (live and prospective), is necessary for the purpose of obtaining legal advice or is otherwise necessary for the purposes of establishing, exercising or defending legal rights

Additionally, where processing meets one of these conditions, the employer must also have an appropriate policy in place and must observe the additional safeguards set out in the DPA 2018.

• An appropriate policy document explains the employer’s procedures for complying with the data protection principles in connection with the processing of the data and should explain the retention periods in relation to the data. Many employers will already have such documents in place in the form of a data protection policy or privacy notice
• Safeguards include employers retaining the appropriate policy document, reviewing and updating it from time to time and making it available to the ICO on request, as well as maintaining records of processing activities.

What is clear is that a blanket approach to carrying out criminal records checks across all roles will not be lawful and that a more targeted approach is required.

Data protection principles

Alongside ensuring there is a lawful basis and legal authority for the processing of criminal offence data, employers must also ensure any processing is adequate, relevant and not excessive, in line with the data protection principles.

Top tips for employers

The Information Commissioners Office (ICO) Employment Practices Code sets out recommendations which assist employers in adhering to the data protection principles when vetting prospective employees for criminal offences.

Employers who do undertake criminal records checks should ensure:

• it is made clear to applicants very early on in the recruitment process that vetting will take place, including explaining how the vetting will be conducted
• ideally the checks themselves should be left to very late in the recruitment process, so that only successful applicants who have been selected for employment are subject to the background checks
• criminal offence data is only sought if it is relevant to the job being filled
• the data sought relates to the specific role in question. For example, an applicant for an admin role within a logistics company should not be asked for details of any driving offences if this information is only relevant to the recruitment of drivers
• the information sought should only be that which is actually required. For example, asking candidates to confirm if they have had any convictions in the last 5 years involving dishonesty is too wide. Prospective employees should not be made to believe, whether by omission of an explanation or otherwise, that they have to reveal any spent convictions if they do not wish to

ICO calls for views on processing of criminal convictions personal data

The ICO is currently conducting a survey to identify gaps in data controllers' awareness and understanding around processing criminal offence data. The survey ends on 28 February 2020 and covers topics such as key challenges faced when processing such data and what would assist further understanding. It is hoped that this survey results in informed updated guidance in relation to this tricky area.