The ICO exists to empower you through information.

What does the UK GDPR say?

Article 10 restricts the processing of criminal offence data:

“Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by domestic law providing for appropriate safeguards for the rights and freedoms of data subjects.”

So you can only process criminal offence data if the processing is either:

  • under the control of official authority; or
  • authorised by domestic law which provides appropriate safeguards for the rights and freedoms of individuals.

Use of criminal offence data, particularly on a large scale, can also affect your other obligations. In particular, it affects the need for documentation, data protection impact assessments (DPIAs) and DPOs. See below for what else you need to do.

Article 10 also sets out a stricter rule on comprehensive registers of convictions:

“Any comprehensive register of criminal convictions shall be kept only under the control of official authority.”

What does ‘under the control of official authority’ mean?

Under Article 10, if your processing is carried out ‘under the control of official authority’, you do not need any further authorisation in UK law – that is, you do not need to identify a DPA 2018 Schedule 1 condition for your processing.
In addition, you may only keep a comprehensive register of criminal convictions if this register is ‘under the control of official authority’.

Public bodies, or private bodies vested with public sector tasks, may have ‘official authority’ laid down by law to process criminal offence data. This official authority may derive from either common law or statute. The public body is responsible for identifying the specific law that gives them the official authority to process criminal offence data. If they wish to keep a comprehensive register of criminal convictions, they also need to consider whether they have sufficient official authority to do so.

For example, the DBS, Disclosure Scotland, Access NI, the DVLA and the courts all have a specific official authority to process any criminal offence data they hold, as well as to keep a comprehensive register.

A comprehensive register may remain under the control of official authority, even if a public authority delegates the maintenance of the register to another controller (or data processor). However, this only applies if the controller or processor cannot act autonomously and if the public authority retains a decisive influence over the processing.

What counts as a ‘comprehensive register’ of criminal convictions?

The term ‘comprehensive register’ of criminal convictions clearly covers a full national database of criminal convictions such as the Police National Computer (PNC). However, competent authorities will usually process the PNC under the separate law enforcement regime in Part 3 of the DPA 2018, rather than under the UK GDPR regime.

It also applies to other official registers or databases which only record a particular type of conviction, if that register has clearly defined parameters and is intended to be comprehensive within those parameters. For example:

  • Disclosure and Barring Service (DBS), Disclosure Scotland or Access NI barred lists;
  • motoring offences recorded on the DVLA driver register; or
  • court records.

We also consider that it applies to any list of individuals which is made available to the public or to interested third parties (whether or not on payment of a fee) and is intended to be used as a centralised or consolidated source of information on convictions.

For example, it would apply to industry ‘blocklists’ – databases of employees shared between different employers and used as a recruitment screening tool – but only to the extent that they relate to criminal convictions. Organisations are unlikely to have official authority to maintain a comprehensive register like this, and so in most cases, maintaining an industry blocklist based on criminal offence data will be in contravention of Article 10.

However, it would not apply to records held by an organisation about their own employees.

Example

A company holds a list of individuals with criminal convictions who work in its industry sector because it considers those individuals should not be employed. The company offers access to this ‘blocklist’ to other companies in the same industry. The list is considered to be a ‘comprehensive register of criminal convictions’. However, the company does not have the official authority in law to keep it. This processing therefore breaches Article 10.

Example

A large public authority maintains a landlords register, which contains information about private landlords and letting agents who have been prosecuted or fined. It is a comprehensive register of criminal offence data which a number of councils access.

Because the public authority has official authority to control and maintain this register, it does not require a Schedule 1 condition for processing in order to comply with Article 10.

When is processing authorised by UK law?

If you do not have official authority for the processing, it must be authorised by domestic law. In the UK, this authorisation in law is set out in the conditions listed in Schedule 1 of the DPA 2018.

Schedule 1 sets out 28 potential conditions for processing criminal offence data.

Schedule 1 (at paragraphs 5 and 38 to 41) also includes additional requirements for you to keep an appropriate policy document and records of processing in relation to criminal offence data. These requirements apply for some, but not all, of the conditions. For further detail see ‘How do the conditions work?’.

What is the combined effect of these rules?

You must always ensure that your processing is generally lawful, fair and transparent, and complies with all of the other principles and requirements of the UK GDPR.

Remember that you always need to identify an Article 6 basis for processing, in order for your processing to be lawful.

In addition, in accordance with Article 10, you can only process criminal offence data if you have official authority for the processing, or if you can meet a DPA 2018 Schedule 1 condition.

You need to be able to demonstrate that your processing meets the specific requirements of the relevant conditions. For more detail on each condition, see ‘What are the conditions for processing?’.

How does this affect our lawful basis?

Your lawful basis is not affected. Article 10 rules do not replace or override the usual rules on having a lawful basis for processing. Instead, they operate as an additional layer of conditions on top of the usual rules.

If you are processing criminal offence data, this means you must still identify a lawful basis for your processing, in exactly the same way as for any other personal data. In other words, you must identify both:

  • a lawful basis under Article 6; and
  • either official authority or a Schedule 1 condition for processing criminal offence data under Article 10.

However, if you are relying on legitimate interests as your lawful basis, you will need to take into account the particular risks associated with criminal offence data in your legitimate interests assessment. You may need to put in place more robust safeguards to mitigate any impact or risks to the individual to demonstrate that the legitimate interests basis applies.

Your choice of lawful basis under Article 6 does not dictate which Schedule 1 condition you must apply, and vice versa. You can choose whichever condition best fits the circumstances, irrespective of your lawful basis.

Of course, in some cases there may be an obvious link between the lawful basis and a particular condition. For example, if consent is your lawful basis, it would make sense to use consent as your condition to process criminal offence data.

However, some of the lawful bases do not have a direct link with a particular condition. This is because the conditions for criminal offence data are designed to be more restrictive and specific. This does not mean that you will never have a condition; just that you need to look at all of them to see if you can identify one that fits the circumstances and justifies that element of your processing.

In particular, even if you are not using consent as your lawful basis for all the data, you can still consider consent as your condition for processing any criminal offence data.

Do we need to do a data protection impact assessment (DPIA)?

You must do a DPIA for any type of processing which is likely to be high risk. This means you are more likely to need to do a DPIA to manage the risks of processing criminal offence data appropriately and proportionately.

In particular, you must carry out a DPIA if you plan to process criminal offence data on a large scale, or to determine access to a product, service, opportunity or benefit.

If in doubt, we recommend you carry out a DPIA. This will make it easier to ensure you have appropriate safeguards in place and can demonstrate your compliance.

What else do we need to do?

You must always ensure that your processing is generally lawful, fair and transparent, and complies with all the other principles and requirements of the UK GDPR. Be aware that the particular risks associated with criminal offence data might affect what is considered fair or what you need to do to comply.

In particular, you may need to consider:

  • Data minimisation: it is particularly important to make sure you collect and retain only the minimum amount of criminal offence data, and can justify why you need this specific type of data.
  • Security measures: one of the considerations for determining the appropriate level of security is the sensitivity of the personal data. You may need to consider whether you need additional security measures for criminal offence data.
  • Transparency: you need to include information about categories of data in your privacy notice and other privacy information for individuals. If you are processing criminal offence data, you should make this clear (unless an exemption applies).
  • Documentation: you must keep records if you process criminal offence data. You must also identify whether you need an ‘appropriate policy document’ under the DPA 2018. If so, your general documentation must include your Schedule 1 condition for processing the data, how you satisfy a lawful basis for that processing, and specific details about whether you have followed your retention and deletion policies; and if not, why not.
  • Data protection officer (DPO): you must appoint a DPO if your core activities (in other words, your primary business objectives) require large scale processing of criminal offence data.
  • UK representative: if you are not established in the UK but you offer services to or monitor individuals in the UK, and you process criminal offence data on a large scale, you will need to designate a representative in the UK. You may need a representative even for occasional small-scale processing of criminal offence data, unless you can show that it is low risk.