What is ‘criminal offence data’?

The UK GDPR gives extra protection to ‘personal data relating to criminal convictions and offences or related security measures’. This covers information about offenders or suspected offenders in the context of criminal activity, allegations, investigations and proceedings.

In this guidance, we refer to this data collectively as ‘criminal offence data’, although this is not a term used in the UK GDPR.

It includes not just data which is obviously about a specific criminal conviction or trial, but also any other personal data ‘relating to’ criminal convictions and offences. For example, it can also cover suspicion or allegations of criminal activity.

‘Relating to’ should be interpreted broadly. It covers any personal data which is linked to criminal offences, or which is specifically used to learn something about an individual’s criminal record or behaviour. This is consistent with the broad interpretation of ‘relates to’ in other UK GDPR and DPA 2018 provisions, such as the definition of personal data.

Why are there special rules for this data?

It is not just that this type of information might be seen as more sensitive or ‘private’. Recital 75 to the UK GDPR explains that this type of personal data merits specific protection. This is because use of this data could create significant risks to the individual’s fundamental rights and freedoms.

It’s important to remember that individuals suspected or convicted of crimes are a highly stigmatised group. They may often be marginalised in a variety of different ways. For example, data about criminal allegations or convictions may have a particular impact on:

  • the right to liberty and security;
  • the right to a fair trial;
  • the right to respect for private and family life;
  • freedom to choose an occupation and the right to engage in work; or
  • freedom to conduct a business.

The presumption is that you need to treat this type of data with greater care, because collecting and using it is more likely to interfere with these fundamental rights or open someone up to discrimination. This is part of the risk-based approach of the UK GDPR.

However, this type of data is treated differently to other types, eg special category data, which are considered particularly sensitive in terms of fundamental rights and freedoms. This is because the interests of society at large and the need to protect the public from criminal activity are likely to mean that you can justify the use of criminal offence data in a wider variety of circumstances, despite the potential impact on individual rights.

When processing special category data, many conditions require you to explicitly demonstrate that the processing is necessary for reasons of substantial public interest. This requirement doesn’t apply to criminal offence data.

When do these rules apply?

These rules apply if you are processing criminal offence data about offenders or suspected offenders under the general processing regime set out in the UK GDPR and Part 2 of the DPA 2018, ie if you are not processing for law enforcement purposes. You need to comply with these rules if you are a commercial, voluntary or community (third-sector) organisation processing criminal offence data for any purpose (including disclosures to the police or other organisations processing for law enforcement purposes). You also need to comply if you are a public authority without law enforcement functions or if you are processing for non-law enforcement purposes. 

These rules do not apply if you are a ‘competent authority’ with law enforcement functions as defined in Section 30 of the DPA 2018, and are processing for law enforcement purposes. This falls under the separate law enforcement regime in Part 3 of the DPA 2018.

These rules do apply to competent authorities when processing criminal offence data for purposes not related to law enforcement. For example, a police force processing data about its employees’ criminal records for human resources purposes needs to comply with the UK GDPR.

For more information, see our separate guidance on Which regime applies. There is also guidance on Law enforcement processing.

Does it cover suspicion or allegations of criminal activity?

Yes. This is still personal data ‘relating to’ a criminal offence. These rules are not just about confirmed criminal convictions. Unproven allegations are potentially even more likely to have an unjustified impact on an individual’s interests, rights and freedoms, and so need special protection.

Section 11(2) of the DPA 2018 specifically confirms that criminal offence data includes personal data relating to:

“(a) the alleged commission of offences by the data subject, or

(b) proceedings for an offence committed or alleged to have been committed by the data subject or the disposal of such proceedings, including sentencing.”

Example

A shop manager suspects an employee of stealing money from the till. The manager compiles a report showing the shifts of the individual and collects CCTV footage of them at the till during those shifts.

This personal data is criminal offence data as it relates to the alleged commission of an offence which is as yet unproven.

Does it cover data relating to the absence of convictions?

Yes. The fact that a person has no criminal convictions is personal data ‘relating to’ criminal convictions.

Section 11(2) of the DPA 2018 specifically confirms that criminal offence data includes personal data relating to the disposal of criminal proceedings, which includes information about acquittals.

You should only process specific personal data about whether or not someone has a conviction if you have a valid reason for doing so. For example, if you process the results of a criminal records check about your employees, you must still comply with the rules on criminal offence data even if this shows there were no convictions.

Example

A school employs a teacher following a clear criminal records check. They keep this result in their personnel files. This data ‘relates to’ criminal convictions and so collecting and holding it means the school is processing criminal offence data. This applies even though the check does not reveal any convictions.

Does it cover the personal data of victims and witnesses of crime?

No. Information about a specific crime committed against an identifiable victim is the personal data of the victim, but we do not consider it to be criminal offence data (unless it also identifies an offender or suspected offender).

Article 10 only applies to the personal data of offenders or suspected offenders. This means that criminal offence data does not cover information about victims or witnesses of crime, and you do not require a Schedule 1 condition under the DPA 2018 to process their personal data.

However, information about victims or witnesses is likely to be sensitive or high risk, and you should take particular care when processing it. Remember you must always treat personal data fairly and lawfully – and national and international policy on victims’ rights means you should give extra protection to this type of personal data. Processing such sensitive data creates significant risks to the privacy and wellbeing of the individuals concerned. Victims and witnesses may be vulnerable, or have experienced trauma. Depending on the circumstances, they may also be at risk of further crime or intimidation, particularly in the event of a data breach.

If you frequently and systematically process personal data about victims and witnesses of crime, it’s good practice to have a policy in place. It may also be appropriate to carry out a DPIA to cover your processing. See ‘When do we need to carry out a DPIA?’

If you process special category data about victims or witnesses, for example, health information including details about physical injuries or psychological trauma, you must be able to satisfy a further condition for processing under Article 9. See our guidance on ‘Special category data’.

Example

A police force passes the details of an individual who has been the victim of violent crime to an organisation which provides support to victims of crime. This personal data ‘relates to’ a criminal offence but is not processing for law enforcement purposes, and therefore falls under the UK GDPR. However, it is not criminal offence data, so Article 10 does not apply.

Even so, the police must carefully consider the circumstances, including any particular risks in sharing this information, and the impact on the individual concerned. And if they intend to share details about the victim’s injuries or medical care, this will be special category data and they must also satisfy a condition under Article 9 of the UK GDPR.

What are ‘related security measures’?

The UK GDPR does not define ‘related security measures’. However, it is likely to include personal data about penalties, conditions or restrictions placed on an individual as part of the criminal justice process, or civil measures which may lead to a criminal penalty if not followed.

Civil proceedings and orders made as a result would not usually fall within ‘related security measures’, unless the penalty for non-compliance carries with it a criminal sanction.

Some examples of related security measures that fall within the scope of Article 10 are:

  • police cautions;
  • bail conditions;
  • information about probation or parole;
  • electronic tagging data;
  • civil injunctions (where these carry a criminal sanction for non-compliance);
  • binding over orders;
  • community protection notices (CPNs);
  • criminal behaviour orders (CBOs);
  • anti-social behaviour orders (ASBOs) in Scotland;
  • drinking banning orders (DBOs);
  • football banning orders; or
  • restraining orders.