Can employers carry out criminal records checks under the UK GDPR?

Under the UK General Data Protection Regulation (retained from EU Regulation 2016/679 EU) (UK GDPR), organisations other than official authorities can process personal data relating to criminal convictions and offences only if the processing is authorised by law providing for appropriate safeguards for the rights and freedoms of data subjects.

The Data Protection Act 2018, which supplements the UK GDPR, authorises employers to process criminal convictions data where necessary for the purposes of performing or exercising employment law obligations or rights. This would cover processing data where this is a legal obligation in accordance with Disclosure and Barring Service rules, for example. To carry out such processing, an employer would have to have in place a policy that explains its procedures for securing compliance with the principles of the UK GDPR in relation to the processing of the criminal records data, and that explains its policies on erasure and retention of the data.

The Data Protection Act 2018 also authorises processing criminal records data where the subject has given their consent. This would allow employers to request a criminal records check where the prospective employee agrees to this, provided that the consent meets the specific requirements under the UK GDPR.