Recruiting Staff: GDPR and Criminal Convictions
Summary: What you need to know
- Employers are responsible for looking after confidential personal data and ensuring legal responsibilities are met.
- You should consider whether you require criminal records information for specific job roles, rather than take a blanket approach.
- Employers can still ask for applicants to disclose unspent criminal conviction information during the recruitment process where necessary and where entitled to under the law.
- But consideration should be given as to whether this information is really necessary and when the best time to request it is.
- Collecting criminal records information at application stage is unlikely to be compliant with data protection laws.
- Applicants should be informed where criminal records data is to be requested or checked, and provided with privacy information.
- It's important to consider how this information is stored and retained once it has been obtained.
- You should outline your recruitment process and demonstrate how it complies with the data protection principles.
When it comes to recruiting employees or volunteers, there is a lot to consider if information relating to criminal convictions is being requested or checked, especially within the context of the recent changes to data protection law under the General Data Protection Regulation (GDPR) and Data Protection Act 2018.
This also applies to the recruitment of volunteers or indeed anyone else where criminal records data is involved (such as sessional staff). And even if you don't recruit directly or have direct access to the data, you may still be considered to be the data controller and therefore responsible for ensuring lawful compliance.
The relevant legislation, including data protection law, should be considered whether asking applicants to self-disclose or carrying out criminal records checks via AccessNI.
The Information Commissioner's Office (ICO) points to recent guidance produced by Unlock, which provides a useful reference for anyone recruiting staff and volunteers. Focusing specifically on the issue of GDPR, data protection and processing criminal records in recruitment, this guidance suggests that employers should consider whether they should ask applicants about their criminal records (self-disclosure) and when is the right time to request such information, as well as carrying out official checks.
Research by Unlock has also found that many recruiters are asking applicants to provide criminal records information in a way that is unfair and potentially unlawful. 75% of vacancies surveyed asked applicants to declare a criminal record up front without providing any guidance on how the information would be used, stored or retained.
Considering the issues at hand can help employers to avoid the risks of treating applicants unfairly and running foul of the law.
Can an employer request criminal convictions information?
Laws other than data protection laws also apply to recruitment and criminal records. These are concerned with treating people fairly in cases where they have undergone rehabilitation after conviction.
Instead of taking a ‘one-size-fits-all’ approach to requesting information, recruiters should think specifically about the role they are recruiting for as well as the context within which that role is based. Questions should be asked as to whether processing information relating to criminal convictions is necessary to that particular job role.
- If the need to process information relating to criminal convictions does not exist, then it is unlikely that processing such information will be compliant with the new regulations.
- If a need to process criminal records data is identified, then it is possible to obtain and process criminal conviction information when recruiting employees.
It remains the case that under the terms of the Rehabilitation of Offenders (Northern Ireland) Order 1978 as amended (ROA), prospective employers are entitled to ask applicants to disclose details of any unspent convictions (where the full period of rehabilitation has not yet passed). Basic-level AccessNI disclosure checks can also be carried out for any prospective employee. However, employers should consider if they are complying with data protection laws when they make this decision.
Some jobs are considered so sensitive or risky that they are exempt from the ROA under the Rehabilitation of Offenders (Exceptions) Order (Northern Ireland) 1979. For posts of this nature, all criminal offences and all convictions can or must be declared regardless of whether they are spent or unspent. In these cases, standard or enhanced levels of AccessNI disclosure checks can be carried out, which will provide details of both spent and unspent convictions.
Posts that fall within this exemption category are extensive, but can be summarised as follows:
- Work that involves contact with children and young people or vulnerable adult groups - e.g. provision of health care or social services, work with children such as youth work, education, leisure centres, or with adults with learning disabilities, mental illness, the elderly, taxi drivers.
- Professions that are regulated by law - e.g. medical practitioner, nurse, chemist, optician, accountant, manager of an insurance company.
- Posts involving national security - e.g. security personnel or senior civil service posts.
- Posts concerned with the administration of justice - e.g. police officers, solicitors, probation officers, traffic wardens, judges, prison officers.
How do the data protection principles apply?
Any processing of personal data must comply with the data protection principles, and there are some specific provisions in the law relating to criminal convictions data.
If an employer wishes to request information relating to criminal convictions, they must have identified a clear need to process personal data of this nature (the data protection principle of ‘purpose limitation’). Criminal records data should only be used for another purpose if that purpose is compatible with the recruitment purpose, unless the data subject's explicit consent has otherwise been given.
Consideration should be given to when it is appropriate and necessary to gather information of this nature.
Rather than requesting this information at the application form stage (which is unlikely to be compliant with data protection principles), this information could instead be gathered at another point of the recruitment process. This information could be sought after shortlisting, at interview, after you’ve selected the most suitable candidate, or when a conditional job offer is made. Though the information is not being sought up-front, applicants should still be informed that it will be requested or checked at a later stage.
The principle that you should adhere to is 'data minimisation' — to process only the minimum amount of personal data to achieve a specific purpose. Limiting requests to as few applicants as necessary is in line with this principle, and requesting the information where it is not necessary would therefore not be compliant with the principles and, therefore, the GDPR.
This minimises the risk — to both applicant and recruiter — of unnecessarily processing sensitive personal data, and it limits the scale and privacy impact of a potential breach (e.g. loss, hacking, unauthorised access). It may also help to ensure your recruitment process treats applicants more fairly by not asking for convictions up front.
The Data Protection Act 2018 also requires controllers who are processing criminal records data to have ‘appropriate policy documentation’ in place (regardless of whether the information is used for recruitment or another purpose). This documentation must set out how the controller complies with the data protection principles as well as explaining how long the data will be stored for and how it will be erased.
As data subjects must also be informed how their personal data is being used, a privacy notice for applicants could act as an appropriate policy document if it meets the necessary requirements. It can be made available to prospective applicants before they submit any information.
See our Data Protection Toolkit on writing a privacy notice.
Storage and retention of criminal records data
Employers also need to give some thought to how they retain and store criminal records data:
- Unspent convictions can become spent during the course of employment, and therefore should not be retained by the employer past that point, unless otherwise necessary.
- Access should be limited only to members of staff that require access (for example, the HR manager or selection panel) and, as a general rule, the data should be disclosed only with the data subject's consent or where a legal obligation applies.
- Controllers will need to think about how this information is transmitted and stored securely, as the level of risk to applicants or employees of a breach is increased due to its sensitivity. Hard copies should be stored in locked cabinets and electronic copies protected with encryption.
- Criminal records data can be treated separately to other recruitment and employee information (e.g. application forms, personnel files etc.) regarding its storage and retention.
- When the information is no longer necessary, it should be thoroughly and securely destroyed. Think about where multiple electronic or paper copies may exist, and ensure that print outs aren't just thrown in the bin — they should be shredded.
You will find more detailed and helpful advice in the guide from Unlock, including a checklist at the Annex.