Can employers carry out criminal records checks under the General Data Protection Regulation (GDPR)?

Under the General Data Protection Regulation (2016/679 EU) (GDPR), personal data relating to criminal convictions and offences can be processed only:

  • under the control of official authority; or
  • when it is authorised by law providing for appropriate safeguards for the rights and freedoms of data subjects.

On the face of it, this means that it would not be lawful for employers to carry out criminal records checks as a matter of course, unless they are recruiting for a role for which checks are authorised by law, for example roles involving work with vulnerable adults or children where a Disclosure and Barring Service check is required.

However, the Data Protection Act 2018, which supplements the GDPR, authorises the use of criminal records checks by organisations other than those vested with official authority (the GDPR includes a derogation to allow such legislation). The Act allows employers to process criminal convictions data where necessary for the purposes of performing or exercising employment law obligations or rights. To carry out such processing, an employer would need to have a policy in place that explains its procedures for securing compliance with the principles of the GDPR in relation to the processing of the criminal records data, and that explains its policies on erasure and retention of the data. The Act also authorises processing criminal records data in other circumstances, including where the subject has given their consent. This would allow employers to request a criminal records check where the prospective employee agrees to this, provided that the consent meets the specific requirements under the GDPR.