Criminal Records Data and You: What You Need to Know
Your organisation may process more data relating to criminal records than you might first imagine. If, for example, your business makes anti-terrorism, anti-money laundering or child safeguarding checks of people associated with it, you may be storing or processing criminal records data. That means you have additional responsibilities above and beyond usual data requirements.
When any business collects, stores or processes personal data, it will need to show a lawful reason to do so. That’s laid down in Article 6 of the UK GDPR. An extra tier of care comes into play when you hold particularly sensitive data, for example data which concerns or reveals an individual’s religious beliefs, political opinions, sexual orientation or biometric data. Such additional responsibilities for this “special category data” are laid out in Article 9 of UK GDPR.
But there’s a further tier that comes into play for data relating to criminal records. If your organisation processes personal data relating to criminal convictions, offences or related security measures, you’ll only be legally able to process that data if you meet the requirements of Articles 6, 9 and 10.
How does Article 10 GDPR affect you?
Article 10 of GDPR states: “Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects.”
If we unpick that a little, the detail of who can and can’t process criminal data becomes clear:
“Official authority”: Generally speaking, sensitive criminal data can only be processed by the relevant authorities. As you might expect, in the UK these include bodies such as the courts, DVLA and the DBS (the Disclosure Barring Service, from whom you’ll have required a check if you’ve ever worked in a school, hospital, children’s home etc.).
“Authorised by Union or Member State law”: In the UK, the appropriate law is Schedule 1 of the Data Protection Act 2018. If you’re not an official authority, you’ll need to meet at least one of the 28 conditions under which it is permissible to process criminal offence data. These conditions include specific safeguarding and security reasons, together with a fairly eclectic range of interests covering insurance, journalism, research and the impressively vague “vital interests”.
Schedule 1 also includes a requirement for you to keep an appropriate policy document and records of processing in relation to criminal offence data. There are even stricter rules if you are involved in storing comprehensive registers of criminal convictions, although this would be a niche group.
As an example of the latter, the ICO describes a company which sells lists of individuals with criminal convictions (so called ‘blocklists’) to other businesses. The lists would constitute a “comprehensive register of criminal convictions” but would not satisfy any of the 28 conditions under which it would be lawful to keep them.
How to comply with Article 10 UK GDPR
Compliance certainly looks rather complicated – there are a number of appropriate controls and technical measures to put in place – but in practice, compliance comes down to the following:
Legitimate interests
Remember, if you are relying on ‘legitimate interests’ as your Section 6 lawful basis for using the data, your legitimate interests assessment will need to take into account the particular risks associated with criminal offence data. You may need to put in place more robust safeguards to mitigate any impact or risks to individuals to demonstrate that the legitimate interests basis applies.
It’s also worth noting that your choice of lawful basis under Article 6 does not dictate which Schedule 1 condition you must apply, and vice versa. You’re free to choose whichever of the conditions best fits the circumstances, irrespective of your lawful basis.
If you’re concerned about the way your organisation is processing criminal records data or other sensitive data, talk to a GDPR Local account manager now.