October 28, 2024

Employers doing criminal record checks: don’t forget about GDPR.

Criminal record checks have become a common part of the recruitment process across various industries and, in England and Wales, employers often rely on the Disclosure and Barring Service (DBS) checks to assess the suitability of candidates for various roles. However, it’s easy for employers to overlook the relevant data protection requirements that apply to processing criminal records information and as such, some employers will be, unwittingly, processing data unlawfully.

How can employers process criminal record checks lawfully?

Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA), criminal records data, such as that obtained through a DBS check, is classified as special category data. This means it requires a higher level of protection due to its sensitive nature. To process this data lawfully, employers must establish a lawful basis for processing the data under Article 6 of the UK GDPR and in addition, meet one of the special conditions outlined in Schedule 1 of the DPA. Employers must also carry out a Data Protection Impact Assessment and ensure an ‘appropriate policy document’ is in place.

Under what lawful basis?

Employers typically rely on one of the following to establish a lawful basis:

  • Legal obligation: Employers in regulated industries or those hiring for roles requiring statutory DBS checks (such as education, healthcare, or financial services) may rely on the legal obligation basis. This is where the employer is legally required to conduct a criminal record check, typically to meet regulatory or safeguarding obligations.
  • Legitimate interest: For other roles, employers may seek to rely on ‘legitimate interests’, where the need for a criminal record check is considered necessary for the job, such as protecting company assets or safeguarding the workforce. However, this needs to be balanced carefully with the individual’s rights and freedoms. The legitimate interest must be specific, necessary, and proportionate.
  • Consent: Some employers may be tempted to rely on consent as a lawful basis for conducting DBS checks. This poses a challenge as to whether consent is ‘freely given’. Job applicants may feel pressured to consent to a DBS check for fear of losing the job opportunity. The ICO warns that consent obtained in this context is unlikely to be valid under UK GDPR. Even if consent is obtained, job applicants have the right to withdraw it at any time, leaving practical issues for employers and complications in the hiring process.

What are the special conditions under the DPA?

Beyond establishing a lawful basis for processing personal data, employers must also meet one of the special conditions set out in Schedule 1 of the DPA 2018.

Employers in certain regulated sectors are able to rely on condition 1 (employment, social security and social protection), which applies when the processing of criminal data is necessary for the purposes of exercising obligations which are imposed by law. This is to ensure workplace safety or to meet obligations in sectors such as healthcare, education or financial services. However, the employer must have an appropriate policy in place which outlines compliance measures and retention policies.

Condition 18 (safeguarding of children and vulnerable adults) is also commonly relied upon for roles where there is a clear responsibility to safeguard vulnerable individuals, for example a social worker or carer.

But what about employers in unregulated sectors?  For example, a marketing company might want to obtain a DBS check on a job applicant who has applied for a Finance Assistant role.  The company would not be able to rely on either of the conditions above, as there is unlikely to be any legal obligation or safeguarding need for a DBS check to be done.  So what condition can be relied upon?

Condition 29 permits processing if the data subject consents.  As with the lawful basis for processing already mentioned, consent is unlikely to be deemed freely given (i.e. genuinely optional) in the context of a DBS check requirement on recruitment and so would not be capable of being relied on.

The Information Commissioner’s Office (ICO) suggests that employers may be able to rely on condition 10, which permits the processing of criminal records data when it is “necessary for the prevention or detection of unlawful acts”. This condition may appear to be a logical choice for employers concerned about potential criminal behaviour, particularly in roles that involve financial responsibility or handling sensitive data. However, there is a lack of guidance around when this condition can be relied upon and, based on the requirements of condition 10 below, it will often be the case that it will not be applicable:

  • Necessity and Proportionality: Condition 10 requires employers to demonstrate that processing the criminal data is ‘necessary’ to prevent unlawful acts. This is a high bar to meet and requires a clear and specific connection between the role and the risk of unlawful behaviour. Employers must show that the DBS check is directly relevant to preventing harm or unlawful acts in the workplace.
  • Carried out ‘without consent’: Condition 10 requires that the processing of the data ‘must be carried out without the consent of the data subject so as not to prejudice [the prevention or detection of the unlawful act]’. That should mean the employee will not know about it for good reason (e.g. if an investigation about them might be prejudiced).  It is difficult to see in what circumstances an employer will need to process criminal records data on recruitment effectively in secret, in order to prevent or detect unlawful activity.  This is likely to mean that most employers will struggle to justify their reliance on condition 10.
  • Context-Specific Application: Condition 10 is highly context-specific. It is not designed for broad application across all roles but is intended for positions where there is a clear and present risk of unlawful behaviour. Using condition 10 for routine roles with low risk of criminal activity could be seen as an unjustified invasion of privacy, leading to potential non-compliance with GDPR.
  • Justification and Documentation: Employers must be able to justify their use of condition 10 with evidence that the DBS check is necessary for preventing a specific unlawful act. This means documenting the reasoning behind the check, outlining the risk assessment, and proving that the check is proportionate to the threat. Failure to do so could result in GDPR breaches and regulatory scrutiny from the ICO.
  • Potential for Discrimination: There is also a risk that using condition 10 too broadly could inadvertently lead to discriminatory practices. For example, conducting DBS checks on certain employees based on perceived risks rather than clear, objective criteria could expose the employer to claims of unfair treatment or bias.

How can employers follow best practice with DBS checks?

Many employers feel that a DBS check on recruitment is necessary for various job roles.  In some cases employers will put a blanket policy in place requiring it for all new recruits.  The analysis above shows that it may be extremely difficult to find a special condition to lawfully process criminal record data in all but the clearest of cases.  Condition 10 does seem to be of very limited application in the recruitment process.

If your organisation does want to obtain DBS checks on recruitment, the ICO suggests best practices including performing a thorough role-based risk assessment to determine whether a DBS check is necessary and proportionate to the role. Transparency is also a core principle of GDPR and employers must ensure that individuals are fully informed about the DBS check process. The ICO guidance suggests that employers should provide clear and accessible privacy notices explaining why the check is necessary, how the data will be used, the legal basis for processing and special conditions which apply.

If your organisation needs assistance navigating these requirements, then RWK Goodman’s employment team would be happy to assist and help you stay compliant to mitigate any legal risks.
