Skip to main content
Global HR Lawyers

Criminal Records Checks in Employment

05 December 2022

Criminal record checks can be a useful and sometimes necessary way of checking the suitability of an employee for a particular role. However, employers must be careful that they are not exceeding the boundaries of what they are permitted to request and are complying with their data protection obligations. This Inbrief covers how employers can carry out criminal record checks on prospective or existing employees, and the limitations on what they can do.


Why might an employer want to undertake background checks?

Employers often want to check the suitability of candidates applying for a role - particularly where that role is senior or involves a high degree of trust. Even for more junior roles, employers may well want to undertake some background checks, such as seeking references and checking qualifications. It is a way of protecting the business, its clients and employees by checking that the potential recruit has provided accurate information and does not pose a safety or financial risk. It is also common practice for employers to make the commencement of employment conditional upon “passing” relevant background and suitability checks. 

Criminal record checks are just one part of a suite of potential background checks and can reveal whether an employee has been involved in activity which could pose a risk for the business. In some roles, criminal records checks are necessary from a legal or regulatory perspective. As explained below, however, the criminal record check process is highly regulated. Whether it is appropriate, or indeed permissible, will depend on the circumstances. 

Criminal Records Checks – an overview

Criminal records checks in England and Wales are administered by the Disclosure and Barring Service (DBS) and are frequently referred to as DBS checks. In Scotland, a similar scheme is operated by Disclosure Scotland, and Northern Ireland uses a system called AccessNI. This note focusses on the process in England and Wales.

Important terminology

It is helpful to understand some of the key terminology:

  • A Responsible Organisation is an organisation that has registered with DBS to submit applications for basic checks.
  • A Registered Body is an organisation that is registered with DBS and is permitted to undertake standard and enhanced DBS checks. They are required to check and verify any DBS checks an employer proposes to make.
  • An Umbrella Body is a Registered Body which provides a service to employers which are not themselves registered with DBS to conduct basic and enhanced checks on their behalf.
  • “Spent” refers to cautions or convictions which, due to the passage of time since the conviction, an individual does not have to disclose when applying for most jobs or volunteer roles and which will not appear on a basic DBS check (although they will appear on a standard or enhanced check). The time limit after which a conviction or caution will become spent will depend on the nature and seriousness of the crime committed as well as the age of the individual when they committed the offence. Convictions which result in a prison sentence of over 4 years will never become spent. 
  • “Unspent” refers to cautions and convictions which are not spent.
  • The “barred list” is a database, maintained by DBS, of people who have been barred from working with children or vulnerable adults.

Types of DBS Checks

There are three levels of DBS check:

  • Basic disclosure
  • Standard disclosure
  • Enhanced disclosure

Basic Disclosure

A basic DBS check will show information on unspent criminal convictions.

Any individual over the age of 16 can apply for a basic check, regardless of the reason. Employers can ask employees to make the application themselves or can use a Responsible Organisation to do the check on their behalf (with the individual’s consent).

Standard Disclosure

A standard disclosure will show information on spent and unspent convictions and cautions as well as police reprimands and warnings.

It is not possible for an individual to apply for a standard check on themselves – a Registered Person will need to apply with the individual’s consent. If the employer carries out fewer than 100 checks per year, it will need to use an Umbrella Body to undertake this check. If it carries out more than 100 checks, the employer can either use an Umbrella Body or register with DBS itself to carry out the check as a Registered Body.

Enhanced Disclosure

An enhanced disclosure will contain the same information as a standard disclosure and, in addition, the police will be asked if there is any other relevant information which should be shared, taking into account the role that is being applied for. This could include allegations made against the individual, cautions and convictions of those who the individual lives with, or fixed penalty notices. If a role is eligible for a barred list check, this would also cover the barred list.

The process for applying for enhanced disclosure is the same as for standard disclosure.

Which level of DBS check can an employer apply for?

An employer can request a basic disclosure for any employee.  However, this needs to be considered very carefully to avoid breaching data protection rules – see below.

Despite the name, standard disclosure can in fact only be requested for individuals working in or applying for certain roles or professions as listed in what is known as the “Exceptions Order”. This means that the level of check is not a matter of choice but rather a question of what the law allows, depending on the nature of the role in question.

Some of the most common roles eligible for standard disclosure include:

  • Those who hold regulated positions in the financial sector, commonly referred to as being an approved person, senior manager or carrying out a controlled function.
  • Any work in the health sector where the individual will have contact with patients.
  • Those who work in other regulated professions, such as accountants, actuaries, lawyers and vets.
Enhanced checks are limited to roles which involve a high degree of trust and security, such as those who work with vulnerable adults or children. The relevant role must be listed in the Exceptions Order and also the Police Act 1997 (Criminal Records) regulations.

Employers may want to do more detailed DBS checks on their employees, particularly if they are in senior positions or positions of trust such as those in finance. In most instances, the employer will only be able to undertake a basic check, due to the very limited scope of the Exceptions Order. The DBS has a helpful online tool to assist employers determine what type of DBS check they can get for a particular role.

Limitations on DBS checks

Employers should be aware that there are limitations on the information provided in a DBS check and be mindful of this when considering taking action in respect of the outcome of a check.

  • A DBS check will only show basic information about the conviction or caution and not the context behind it.
  • Youth cautions, reprimands and warnings (sometimes referred to as “protected cautions”) will not be disclosed unless it is relevant for the purpose of an enhanced disclosure.
  • DBS checks are only correct at the date of issue, so a certificate presented by an employee may not show any recent convictions or cautions.
  • DBS checks will not automatically show details of overseas convictions.

Data Protection Considerations

Although in theory an employer can ask for a basic check for any role, the rules on protection of personal data place important limits on when and how this can be done.

Information about an individual’s criminal convictions or cautions is personal data and so employers must ensure this is processed lawfully. Anything that is “criminal offence data” is also given special extra protection under the Data Protection Act 2018 (DPA) and the UK GDPR. This covers all personal data relating to criminal convictions and offences or related security measures and applies even if the information is only that someone has no criminal convictions. 

  • The employer needs a lawful basis for processing such data.  Firstly, an Article 6 UK GDPR condition is required for processing this personal data (as with all other personal data). The most likely condition is that the employer has a legitimate interest in doing so. Consent is very unlikely to be a valid legal basis for processing this data in an employment context as the consent would not be considered to be freely given or revocable.
  • In order to process criminal convictions data specifically, the employer will also need to comply with Article 10 of the UK GDPR. This provides that data relating to criminal convictions shall only be processed under the control of official authority (i.e. the DBS or similar) or “when the processing is authorised by UK law providing for appropriate safeguards for the rights and freedoms of data subjects”. Relevant to this condition would be the Exceptions Order (referred to above), which sets out the roles for which criminal background checks are permitted. For roles not covered by the Exceptions Order, employers may need to rely on one of the DPA’s substantial public interest conditions (for example that processing of criminal convictions data is necessary for the purposes of the prevention or detection of an unlawful act).
  • Where processing criminal convictions data, the employer must have an “appropriate policy document” in place.  This is a short document which outlines the employer’s compliance measures and retention policies for criminal offence data. The document does not have to take any particular form, as long as it briefly outlines: the lawful basis for processing; procedures for complying with each of the UK GDPR principles; retention and deletion policies; and an indication of the retention period for the specific data.
  • The employer should also complete a data protection impact assessment. This is needed for any type of processing which might be high risk, and so is likely to cover processing of criminal offence data.  It is also advisable to help show that the employer has thought about the issues thoroughly.  The assessment should describe the processing activity, its purpose, and consider why it is necessary. It should then consider the risks posed in respect of affected data subjects, any existing measures to address these, and whether any further measures could be implemented to reduce the risks.

These data protection rules mean that employers should not have a blanket policy where DBS checks are used for all candidates / employers and should instead consider whether it is really necessary for the type of role the individual performs. For example, roles which involve the handling of money or working in a position of trust might justify a criminal records check – but only if the employer has satisfied the above conditions and carried out a data protection impact assessment which considers whether there are any less intrusive ways of achieving the same aims. In addition, vetting should be left until as late as possible in the recruitment process, ideally being carried out at the offer stage rather on application.

If an employer does wish to carry out blanket checks on candidates / employees, they should be aware of the risks and mitigate them as far as possible. One potential risk is of enforcement action being taken by a data regulator, which can lead to large fines.

As well as establishing a lawful basis for processing, employers must be mindful of other data protection principles. These include:

  • ensuring the data is kept secure and only accessed by employees who need to see the information;
  • being transparent about whether DBS checks are required and how that information is used (this should be noted in the employer’s privacy notices);
  • keeping the data for no longer than is necessary; and
  • collecting and retaining only the minimum amount of criminal offence data needed for the employer’s purposes.

For more information on data protection rules please see our Inbrief on Data Protection and Employment.  The Information Commissioner has also published detailed guidance on criminal offence data.

Other considerations

In addition to data protection legislation and guidance, the DBS Code of Practice requires employers who intend to request information on a candidate’s criminal record to:

  • ensure that application forms make clear that the candidate will be subject to a DBS check;
  • make candidates aware of what the effect of prior criminal convictions or cautions could be;
  • discuss anything revealed by a DBS check with the candidate prior to withdrawing an offer; and
  • provide a copy of the DBS Code of Practice if the candidate requests.

What can employers do if a candidate or employee has a criminal record?

How much weight should disclosure of a criminal record be given during recruitment?

This will largely depend on the role. For some roles, such as teachers or those who work with vulnerable people, the disclosure of a criminal record may mean they are entirely precluded from being considered for a role. In other cases, there may be industry-specific guidance about what should be taken into account, such as in the legal industry or in financial services.

Where there is no specific guidance, employers will need to decide how much weight to attach. Factors employers may wish to consider include:

  • how relevant the conviction or other matter revealed is to the role the candidate is applying for;
  • how long ago the offence took place and the age of the individual when it happened;
  • how serious the offence is;
  • whether there are multiple offences or just one single offence; and
  • any explanation the candidate gives.

Can an employer refuse to hire someone because of their criminal record?

Again, this depends on the role in question. There may be industry specific guidance which determines whether an employer can hire the individual. If not, whether the conviction is spent or unspent will be relevant. If the role was not one listed within the Exceptions Order, an employer should not have asked for information on spent convictions - but it may have come across that information by other means.

  • If the conviction is spent, an employer is prohibited from refusing employment to someone unless their role is listed on the Exceptions Order. In practice, an employee would only be able to bring a claim of unfair dismissal if they have at least 2 years’ service.
  • If the conviction is unspent, the employer will need to exercise reasonable judgment, taking into account the factors set out above.

Do existing employees have an obligation to inform their employer of new convictions or cautions?

Employees in roles covered by the Exceptions Order would be required to disclose new convictions or cautions.  Other employees would not have to inform their employer unless there is an express contractual obligation on them to do so.

Related items

Related services

Back To Top