This guidance discusses criminal offence data in detail. Read it if you have detailed questions not answered in the Guide, or if you need a deeper understanding of the rules for processing criminal offence data to help you comply in practice. It is aimed at DPOs and those with specific data protection responsibilities in larger organisations.
If you haven’t yet read the ‘in brief’ page on criminal offence data in the Guide to Data Protection, you should read that first. It introduces the topic and sets out the key points you need to know, along with practical checklists to help you comply.
This guidance is not aimed at ‘competent authorities’ with law enforcement functions who are processing for law enforcement purposes. This falls under the separate law enforcement regime in Part 3 of the DPA 2018. See our Guide to Law Enforcement Processing.
Contents
What is criminal offence data?
- What is ‘criminal offence data’?
- Why are there special rules for this data?
- When do these rules apply?
- Does it cover suspicion or allegations of criminal activity?
- Does it cover data relating to the absence of convictions?
- Does it cover the personal data of victims and witnesses of crime?
- What are ‘related security measures’?
What are the rules on criminal offence data?
- What does the UK GDPR say?
- What does ‘under the control of official authority’ mean?
- What counts as a ‘comprehensive register’ of criminal convictions?
- When is processing authorised by UK law?
- What is the combined effect of these rules?
- How does this affect our lawful basis?
- Do we need to do a data protection impact assessment (DPIA)?
- What else do we need to do?