ICO survey on processing data about criminal convictions

Employers sometimes handle data about criminal offences and convictions when recruiting.  They may ask questions about convictions or carry out criminal record checks.  If an employee is convicted of an out-of-work offence, employers may look into that and, in the process, handle data.  Although in some employment contexts checks are required (e.g. if working with children or in certain financial services roles), there is no generally applicable lawful basis for processing data about criminal offences and convictions.  Also, employers who process data on criminal offences can only do so if they have an “appropriate policy document”: a document which sets out their procedures for ensuring compliance with the data protection principles.

The current ICO guidance on criminal offence data is brief, although it says that the ICO is working on more detailed guidance.

The ICO has now published a short survey for data controllers who process data relating to criminal offences or convictions, including testing suitability for employment. Amongst other things, the survey asks about the challenges of identifying a lawful basis for processing and calls for data controllers to come forward with examples of what they consider to be best practice.

Lewis Silkin will be putting in a response based on our experience of advising clients on this issue. Please get in touch if you’d like to contribute. Alternatively, if you’d like to complete the survey yourself, as a data controller, you can access it here. The survey closes on 28 February 2020.