• 13 Sep 2023
• •
• 2 min read

On what basis can my organisation process personal data about an employee's criminal convictions?

In our previous article we looked at the requirement for an organisation to have a lawful basis to process personal data. However, if the personal data is criminal conviction data there is an additional hurdle as the organisation also needs to meet one of the additional conditions in Schedule 1 of the Data Protection Act 2018 (note that we are assuming for the purposes of this article that we are talking about a private organisation and not one which is carrying out any official / governmental function as different rules apply to them). 

There are 28 conditions in Schedule 1 but some of the ones which are more likely to be relevant and helpful are below: 

1. Where the processing is necessary for employment purposes
2. Where the processing is necessary for health and social care purposes
3. Where the processing is necessary to make a disclosure where there is a suspicion of money laundering
4. Where the relevant individual has given consent
5. Where the criminal offence data has been manifestly made public by the individual
6. Where the processing is necessary for obtaining legal advice and for legal claims
7. Where the processing is necessary for an insurance purpose (and other specific criteria are met)

For some of the conditions, the organisation relying on the condition needs to justify why the data subject cannot be given a choice as to whether the organisation processes their criminal conviction personal data and be asked to provide their consent for the organisation to do so. Given the risks to individuals, there is more emphasis on obtaining consent for processing criminal conviction data.

Typical criminal conviction personal data held by organisations are DBS checks which may be held, for example, by a care provider in relation to its carers (these count as criminal conviction personal data even if the check confirms there are no criminal convictions). Other organisations who provide company cars to their employees will have data relating to employees’ driving offences (e.g penalty points for speeding). In both of these cases the lawful basis for processing is most probably legitimate interests (and in the care home example, compliance with a legal obligation as well) but the Schedule 1 condition for processing could be “employment”.

Finally, organisations should be aware that there are some additional requirements to consider when / before criminal conviction personal data is collected and processed:

1. The organisation should ensure that the processing of the criminal conviction data is necessary for the intended purpose and that it is satisfied there is no other reasonable and less intrusive way to achieve the same purpose.
2. There are some additional documents which are, or may be, required including a record of the processing carried out, a policy relating to the processing of the criminal conviction personal data, a data protection impact assessment (DPIA) and a legitimate interests assessment (LIA). We will cover DPIAs and LIAs in future articles.
3. The collection and processing of criminal conviction personal data should be explained in the organisation’s privacy notice.
4. Whether the organisation needs to adopt any additional security measures to protect the sensitive criminal conviction personal data.
5. Whether the organisation needs to appoint a data protection officer.

Our data protection team have many years of experience in advising organisations on their compliance with UK data protection law. To speak to one of the team you can get in touch here or call us on 0800 2800 421. 

If you have not received this article directly, but would like to receive articles and data protection news alerts from Trethowans, please click below.