Will employers be able to carry out criminal records checks under the General Data Protection Regulation (GDPR)?

Under the General Data Protection Regulation (GDPR), personal data relating to criminal convictions and offences can be processed only:

  • under the control of official authority; or
  • when it is authorised by law providing for appropriate safeguards for the rights and freedoms of data subjects.

On the face of it, this means that it would not be lawful for employers to carry out criminal records checks as a matter of course, unless they are recruiting for a role for which checks are authorised by law, for example roles involving work with vulnerable adults or children where a Disclosure and Barring Service check is required. Consent is not a valid ground for processing data relating to criminal convictions, so the employer cannot request a check even if the employee agrees to it.

However, the Government has said that it intends to legislate to authorise the use of criminal records checks by organisations other than those vested with official authority (the GDPR includes a derogation to allow such legislation).

The GDPR will come into effect on 25 May 2018.