15/10/2018

How does GDPR affect criminal records checks during recruitment?

As an employer, you may need to carry out either self-reporting criminal convictions processes, or undertake DBS checks, as part of your recruitment process. But, with GDPR and the Data Protection Act 2018, there are changes to what data you can legally process, and for what reason.

Under GDPR and the updated Data Protection Act, you might need to change the way that you’ve collected data about your potential recruits’ criminal convictions. Whether you’ve worked with a self-reporting criminal convictions policy, or undertaken full DBS checks, there are some changes that you’ll likely need to make. Unlock has published new guidance, highlighting how important it is for you to be aware of how data protection can affect your recruitment and employment processes. You can read the full guide here, and we’ve summarised what you need to know below.

Under the new laws, you can’t legally process criminal conviction or record information of future employees, unless:

  • You have a legal basis to do so; and
  • You either have an official authority to do so, or
  • Your processing falls under one of the specific conditions that the DPA 2018 sets out.

Essentially, this means that you can’t simply request self-disclosure, or carry out blanket DBS checks (even at a basic level) as a matter of course during recruitment or employment, without considering the data protection laws. Lots of businesses have done so for many years – but this way of working is not legal. This applies whether you’re carrying out the checks yourself, or using a third party to do it for you.

As a starting point, collecting criminal records during the initial application stage of recruitment is unlikely to be necessary – and, therefore, in breach of data protection law. There are three key principles that you can use as a guide to make sure you’re acting lawfully at each stage of your recruitment process:

  1. If you’re collecting criminal records at any stage of a recruitment process, you must have a clear link between purpose and processing.
  2. You need to identify a lawful basis for processing criminal records data, and meet certain conditions.
  3. You must uphold your applicant’s data subject rights – this is key to meeting the conditions of being able to process their data in the first place.

The rules that apply to disclosing criminal records are complex. If you need to ask about criminal convictions because a contract with a client requires you to do so, for example, you could get into hot water – as there’s no condition under the DPA that allows you to do so other than consent, which will be difficult to demonstrate as freely given. It’s important, then, that you comply with the new data protection laws, while still being able to manage your organisation effectively. This can be a difficult balance to strike.

If you’re unsure about whether your existing practices are compliant, need advice on whether you’ve got a legal basis to process criminal conviction data, or want to update your privacy notices to cover that processing, we can help. Get in touch with our GDPR experts for more information.