GDPR Criminal Offences Data Special Category Protections

GDPR Criminal Offences Data: Guide to Special Category Protections

Processing criminal offences data under the General Data Protection Regulation requires understanding complex legal safeguards that go beyond standard personal data protections. Unlike ordinary personal data, criminal offences data receives special treatment under Article 10 of the UK GDPR and Section 11(2) of the Data Protection Act 2018, creating additional obligations for organisations that handle information relating to criminal convictions, allegations, or related security measures.

This comprehensive guide explores the legal framework governing criminal offence data, explaining when and how organisations can lawfully process this sensitive information while ensuring appropriate safeguards for data subjects’ fundamental rights and freedoms.

Key Takeaways

Criminal offence data under GDPR requires both an Article 6 lawful basis and specific authorisation through member state law, with processing restricted to official authorities or legally authorised private organisations with appropriate safeguards in place.

The scope extends beyond proven convictions to include allegations, investigations, proceedings, and even clear criminal records, with employment screening, financial services, and public sector functions representing the most common processing contexts.

Organisations must conduct data protection impact assessments for high-risk processing, implement enhanced security measures, maintain appropriate policy documents, and carefully balance data subject rights against legitimate public safety and legal obligations.

What is Criminal Offence Data Under GDPR

Criminal offence data constitutes a distinct category of personal data relating to criminal convictions and offences, or to related security measures, under Article 10 of the UK GDPR. The Data Protection Act 2018, Section 11(2), provides a specific definition of personal data that covers criminal convictions, offences, and related security measures within the UK’s legal framework.

This category encompasses far more than proven convictions. Under the DPA 2018, criminal offence data includes:

Unproven allegations
Information about ongoing investigations
Criminal proceedings data
Details about cautions, penalties, or conditions imposed through the criminal justice process

The scope intentionally captures the entire spectrum of criminal justice involvement, recognising that even suspected criminal activity can significantly impact individuals’ lives.

Practical Examples of Criminal Offence Data

Type of Data | Description
CCTV Footage | Footage showing suspected theft or criminal behaviour
Criminal Background Checks | Results from DBS checks used for employment screening
Court Records | Details of criminal trials or sentencing
Police Incident Reports | Documentation of alleged criminal activity
Caution Records | Formal warnings for minor offences

The distinction from special category data under Article 9 is crucial for compliance. While Article 9 lists specific categories such as racial origin, political opinions, religious beliefs, and health data, criminal offences data is covered under separate rules in Article 10. Many member states, including the UK, treat criminal offence data with the same level of stringency as special category data in practice, even though it’s technically regulated under different mechanisms.

Criminal offence data also covers information about the absence of criminal convictions. Information confirming the absence of criminal convictions, such as a clear DBS result, may still constitute criminal offence data if processed for the purpose of assessing an individual’s criminal history or suitability, depending on the context and manner of processing.

Why Criminal Offence Data Receives Special GDPR Protection

The enhanced protection for processing criminal offence data stems from the significant risks to fundamental rights and freedoms identified in Recital 75 of the UK GDPR. Criminal justice information carries exceptional potential for stigmatisation and discrimination, making individuals vulnerable to lasting harm if mishandled.

Criminal offences data can profoundly impact:

Employment opportunities
Housing access
Insurance coverage
Social relationships

A person with a history of criminal convictions may face ongoing challenges in securing work, even in roles where their past offences pose no relevant risk. This creates a high-risk context requiring enhanced safeguards to protect data subjects from disproportionate consequences.

The risk-based approach under GDPR recognises that criminal offence data processing often involves systematic evaluation of individuals’ character, trustworthiness, or potential future behaviour. Such processing can reinforce social exclusion and prevent rehabilitation, conflicting with broader criminal justice goals of reintegration.

Comparison with special category data protection levels reveals similar concerns about discrimination and impacts on fundamental rights. Health data receives special protection because medical conditions shouldn’t disadvantage individuals unfairly; criminal offence data receives comparable protection because past involvement with criminal justice shouldn’t create permanent barriers to social participation.

The potential for automated decision-making using criminal offence data adds additional risk dimensions. Algorithmic systems that automatically exclude job candidates based on historical convictions, or that generate risk scores for insurance purposes, can systematise discrimination and limit human review of individual circumstances.

Scope of Criminal Offence Data Under GDPR

The scope of GDPR’s criminal offence data protections extends across commercial organisations, voluntary groups, and public authorities, but with important exceptions for competent authorities operating under specialised law enforcement frameworks.

Commercial Organisations

Commercial organisations fall squarely within the UK GDPR scope when processing criminal offence data. Examples include:

Employment agencies conducting background checks
Insurance companies assessing fraud risk
Financial services providers screening for anti-money laundering purposes

All must comply with Article 10 requirements alongside standard GDPR obligations.

Law Enforcement Authorities

Law enforcement authorities operating under Part 3 of the DPA 2018 are subject to different rules optimised for criminal justice functions. Police forces, courts, and prison services typically process criminal offence data under the law enforcement regime rather than standard GDPR rules.

However, these same competent authorities must follow UK GDPR rules when processing criminal offence data for non-law enforcement purposes, such as human resources functions or public communications.

Cross-Border Processing

Cross-border processing within the EU creates additional complexity. Organisations processing criminal offence data across multiple member states must navigate varying national implementations of Article 10, as different countries have established different conditions and safeguards for legitimate processing.

Allegations and Suspected Criminal Activity

The inclusion of unproven allegations under DPA 2018 Section 11(2) reflects recognition that suspicion alone can trigger significant consequences for individuals. Examples include:

CCTV footage capturing suspected shoplifting
Incident reports documenting alleged workplace theft
Witness statements describing possible criminal behaviour

Processing suspicion-based data demands particular attention to the principles of accuracy and fairness. Organisations must implement safeguards to prevent the indefinite retention of unsubstantiated allegations or their inappropriate use in decision-making. The data minimisation principle becomes especially relevant here.

Absence of Criminal Convictions Data

Information confirming the absence of criminal convictions, such as a clear DBS check, may constitute criminal offence data where it is processed for the purpose of assessing criminal history or suitability. This assessment is context-specific and depends on the purpose and manner of processing.

This principle extends to acquittals and case dismissals, which provide information about an individual’s relationship to the criminal justice system even when no conviction results.

Victims and Witnesses Personal Data

Notably, the Article 10 criminal offence data definition excludes information about crime victims and witnesses, even though such data can be highly sensitive and require strong protection under the GDPR’s general principles.

Victims and witnesses merit separate protection considerations under standard GDPR frameworks. Organisations supporting crime victims or managing witness protection programs can rely on standard GDPR lawful bases and safeguards rather than navigating the additional restrictions for processing criminal offence data.

Legal Basis Requirements for Processing Criminal Offence Data

Processing criminal offence data requires satisfying both Article 6 lawful basis requirements and additional Article 10 conditions, creating a two-tier compliance framework.

Article 6 Lawful Basis

Article 6 of the GDPR provides the legal basis for processing personal data. Common bases include:

Legitimate interests for fraud prevention
Legal obligation for regulated sectors requiring criminal record checks
Public task for government agencies administering justice functions

However, having an Article 6 basis alone is insufficient for criminal offence data.

Article 10 Additional Conditions

Article 10 imposes additional gates requiring either:

Processing “under the control of official authority”
Specific authorisation by member state law

The UK’s DPA 2018 Schedule 1 operationalises this framework through 28 specific conditions that organisations can rely upon for lawful processing of criminal offence data.

The official authority requirement covers public bodies with statutory criminal justice functions: police forces, courts, prosecution services, and prison authorities.

For private organisations, Schedule 1 conditions provide the essential bridge between business needs and legal authorisation. Examples include:

Employment, social security, and social protection conditions enabling background checks for job applicants
Conditions for preventing or detecting unlawful acts, supporting fraud prevention in financial services

Each condition includes specific constraints and often requires maintaining an appropriate policy document.

Documentation requirements extend beyond identifying applicable lawful basis and conditions. Organisations must maintain records demonstrating compliance with data protection principles, retention and deletion policies for criminal offence data, and procedures for facilitating data subject rights.

Criminal Offence Data in Employment Context

Employment represents one of the most common contexts for processing criminal offence data, involving DBS checks and employee vetting procedures across numerous sectors.

DBS Checks

DBS checks enable employers to access criminal record information for specific roles where criminal history poses relevant risks. Types include:

Standard DBS: spent and unspent convictions, cautions, reprimands, warnings (subject to filtering)
Enhanced DBS: same as standard, plus relevant local police information and barred list checks

The level of check must be proportionate to the role’s responsibilities and risk profile.

Enforced Subject Access Prohibition

The DPA 2018 prohibits enforced subject access, preventing employers from requiring job applicants to obtain their own criminal record checks for submission. This protection ensures consistent standards and prevents employers from circumventing official vetting procedures.

However, employers can require self-disclosure of criminal history where legally justified, subject to rehabilitation thresholds.

Rehabilitation of Offenders Act 1974

This legislation allows individuals to treat certain older convictions as spent, meaning they need not disclose them for most employment purposes.

Positions exempted from rehabilitation protections, typically those involving trust, security, or vulnerable populations, require disclosure of both spent and unspent convictions.

Best Practices for Employers

ICO and Unlock guidance emphasises:

Data minimisation and purpose limitation principles
Conducting criminal record checks only where genuinely necessary
Considering the nature of the work, contact with vulnerable groups, and supervision levels
Avoiding blanket policies requiring checks for all employees

Retention periods require balancing ongoing business needs against privacy impact. Criminal record check results should typically be destroyed once employment decisions are made, with only limited information retained if necessary for continuing employment management.

Data Protection Impact Assessment (DPIA) Requirements

Processing criminal offence data frequently triggers mandatory DPIA requirements under Article 35, reflecting the inherent high risk to data subjects’ rights and freedoms.

When is a DPIA Required?

DPIAs are often required, but not every instance automatically triggers Article 35. Examples of processing where a DPIA is often required include:

Employment agencies conducting regular background checks
Insurance companies screening for fraud indicators
Government departments managing large criminal justice databases

DPIA Considerations

Risk assessment criteria encompass both likelihood and severity of potential impacts. DPIA templates should address:

Accuracy measures for criminal justice information
Retention periods aligned with rehabilitation principles
Security controls preventing unauthorised access
Procedures for handling data subject rights requests

Ongoing Review and ICO Consultation

DPIAs must be regularly reviewed and updated as processing activities evolve. When residual high risk remains after mitigation, consultation with the ICO becomes mandatory under Article 36.

Data Subject Rights and Criminal Offence Data

Data subjects retain fundamental rights regarding their criminal offence data, but these rights are subject to constraints designed to protect public safety, ongoing investigations, and the rights of others.

Access Rights

Right of access limitations under DPA 2018 allow organisations to restrict information disclosure where providing access would prejudice law enforcement activities, legal proceedings, or public safety.

Rectification and Erasure

These rights remain available but may conflict with legal obligations to maintain criminal justice records. Organisations must balance deletion requests against competing legal obligations.

Restriction of Processing

This right offers a middle ground when data subjects dispute the accuracy or lawfulness of their data, but deletion isn’t appropriate.

Data Portability

This right is typically excluded for criminal offence data, as it focuses on personal autonomy rather than facilitating data movement.

Objection Rights

Individuals may object to processing, but organisations can often demonstrate compelling legitimate grounds that override objections, especially where public safety or regulatory compliance is involved. For more information on when an organisation can refuse to comply with a Data Subject Access Request, see the GDPR guidance on exemptions.

International Transfers and Criminal Offence Data

Transferring criminal offence data internationally requires careful evaluation of protections in the destination country and the implementation of specific safeguards.

Adequacy Decisions and Safeguards

Adequacy decisions provide the most straightforward basis for transfers, but few countries have adequacy status specifically for law enforcement data.

Standard contractual clauses require supplementary measures when transferring to jurisdictions without adequate protection, such as enhanced encryption or restricted access controls.

Law Enforcement Cooperation

Mutual legal assistance treaties and other agreements may override standard restrictions but require the implementation of available safeguards.

Post-Brexit Considerations

Post-Brexit, criminal justice and law enforcement data sharing between the UK and EU operates under Part 3 of the DPA 2018 and the EU–UK Trade and Cooperation Agreement, rather than the general UK GDPR adequacy framework.

FAQs

Q: Does CCTV footage of suspected criminal activity always qualify as criminal offence data under GDPR?

A: CCTV footage does not automatically become criminal offence data. It becomes Article 10 data only when it is processed for the purpose of investigating, detecting, or evidencing criminal offences, or when it is clearly linked to an identified or identifiable alleged offender. Mere capture of suspicious behaviour, without that processing purpose, may remain ordinary personal data.

Q: Can employers require job applicants to obtain their own DBS checks for submission?

A: No, the DPA 2018 prohibits enforced subject access, preventing employers from requiring applicants to obtain their own criminal record checks. Employers must use official DBS checking procedures when criminal record information is legitimately necessary for a role. However, employers can ask for self-disclosure of criminal history where legally justified, subject to rehabilitation thresholds.

Q: What’s the difference between criminal offence data and special category data under GDPR?

A: Criminal offence data is regulated separately under Article 10, while special category data falls under Article 9. Special category data includes health information, racial origin, political opinions, and sexual orientation. Though regulated differently, many member states treat criminal offence data with similar stringency, requiring enhanced safeguards and specific legal authorisation for processing.

Q: How long can organisations retain criminal offence data obtained through employment screening?

A: Retention periods must comply with data minimisation and storage limitation principles. Criminal record check results should typically be destroyed once employment decisions are made, with only essential information retained if necessary for ongoing employment management. Indefinite retention of detailed criminal history information rarely satisfies GDPR requirements, and retention policies must align with legitimate business needs and legal obligations.

Q: Are international transfers of criminal offence data subject to additional restrictions beyond standard GDPR requirements?

A: While the same Chapter V transfer mechanisms apply, criminal offence data’s enhanced sensitivity requires additional scrutiny. Organisations must evaluate whether destination countries provide adequate protection for criminal justice information, implement supplementary safeguards when using standard contractual clauses, and consider the heightened risks of discrimination or misuse in different legal systems.

Note: This content was created with AI assistance.