
Written by Ana Mishova

Posted on: April 5, 2023


Criminal Records Data and You: What You Need to Know

Your organisation may process more data relating to criminal records than you might first imagine. If, for example, your business makes anti-terrorism, anti-money laundering or child safeguarding checks of people associated with it, you may be storing or processing criminal records data. That means you have additional responsibilities above and beyond usual data requirements.

When any business collects, stores or processes personal data, it will need to show a lawful reason to do so. That’s laid down in Article 6 of the UK GDPR. An extra tier of care comes into play when you hold particularly sensitive data, for example data which concerns or reveals an individual’s religious beliefs, political opinions, sexual orientation or biometric data. Such additional responsibilities for this “special category data” are laid out in Article 9 of UK GDPR.

But there’s a further tier that comes into play for data relating to criminal records. If your organisation processes personal data relating to criminal convictions, offences or related security measures, you’ll only be legally able to process that data if you meet the requirements of Articles 6, 9 and 10.

How does Article 10 GDPR affect you?

Article 10 of GDPR states: “Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects.”

If we unpick that a little, the detail of who can and can’t process criminal data becomes clear:

“Official authority”: Generally speaking, sensitive criminal data can only be processed by the relevant authorities. As you might expect, in the UK these include bodies such as the courts, the DVLA and the DBS (the Disclosure and Barring Service, from whom you’ll have needed a check if you’ve ever worked in a school, hospital, children’s home etc.).

“Authorised by Union or Member State law”: In the UK, the appropriate law is Schedule 1 of the Data Protection Act 2018. If you’re not an official authority, you’ll need to meet at least one of the 28 conditions under which it is permissible to process criminal offence data. These conditions include specific safeguarding and security reasons, together with a fairly eclectic range of interests covering insurance, journalism, research and the impressively vague “vital interests”.

Schedule 1 also includes a requirement for you to keep an appropriate policy document and records of processing in relation to criminal offence data. There are even stricter rules if you are involved in storing comprehensive registers of criminal convictions, although this would be a niche group.

As an example of the latter, the ICO describes a company which sells lists of individuals with criminal convictions (so-called ‘blocklists’) to other businesses. The lists would constitute a “comprehensive register of criminal convictions” but would not satisfy any of the 28 conditions under which it would be lawful to keep them.

How to comply with Article 10 UK GDPR

Compliance certainly looks rather complicated – there are a number of appropriate controls and technical measures to put in place – but in practice, compliance comes down to the following:

  • Carefully consider whether processing this sort of criminal data is necessary. It’s not uncommon for circumstances to change and render a legacy process redundant.
  • Review your system security to ensure the data is kept safe. Updating your website to ensure it is protected against vulnerabilities is always a wise move.
  • Complete the usual documentation: Privacy Policy, DPIA, ROPA, LIA, Data Retention, DPA, Terms and Conditions. Your data controller or processor (DPO) should know what these are and will be able to determine exactly what you need to do. If they don’t, we can help.

Legitimate interests

Remember, if you are relying on ‘legitimate interests’ as your Article 6 lawful basis for using the data, your legitimate interests assessment will need to take into account the particular risks associated with criminal offence data. You may need to put in place more robust safeguards to mitigate any impact or risks to individuals in order to demonstrate that the legitimate interests basis applies.

It’s also worth noting that your choice of lawful basis under Article 6 does not dictate which Schedule 1 condition you must apply, and vice versa. You’re free to choose whichever of the conditions best fits the circumstances, irrespective of your lawful basis.

If you’re concerned about the way your organisation is processing criminal records data or other sensitive data, talk to a GDPR Local account manager now.


Hope you find this useful. If you need an EU Rep, have any GDPR questions, or have received a SAR or Regulator request and need help then please contact us anytime. We are always happy to help...
GDPR Local team.
