Will employers be able to carry out criminal records checks under the General Data Protection Regulation (GDPR)?

Under the General Data Protection Regulation (2016/679 EU) (GDPR), personal data relating to criminal convictions and offences can be processed only:

  • under the control of official authority; or
  • when it is authorised by law providing for appropriate safeguards for the rights and freedoms of data subjects.

On the face of it, this means that it would not be lawful for employers to carry out criminal records checks as a matter of course, unless they are recruiting for a role for which checks are authorised by law, for example roles involving work with vulnerable adults or children where a Disclosure and Barring Service check is required.

However, the Government intends to legislate to authorise the use of criminal records checks by organisations other than those vested with official authority (the GDPR includes a derogation to allow such legislation). The Government published the Data Protection Bill on 13 September 2017, which will supplement the GDPR. The Bill includes provision for authorising the processing of criminal convictions data where necessary for the purposes of performing or exercising employment law obligations or rights. To carry out such processing, an employer would have to have in place a policy that explains its procedures for securing compliance with the principles of the GDPR in relation to the processing of the criminal records data, and that explains its policies on erasure and retention of the data. The Bill also authorises processing criminal records data in other circumstances, including where the subject has given his or her consent. This would allow employers to request a criminal records check where the prospective employee agrees to this, provided that the consent meets the specific requirements under the GDPR.

The GDPR will come into effect on 25 May 2018. It is not yet known when the Data Protection Bill will come into force.