Well, technically that statement is true. Taken directly, the GDPR allows personal data relating to criminal convictions and offences to be processed only:

  • under the control of official authority; or
  • when it is authorised by law providing for appropriate safeguards for the rights and freedoms of data subjects.

So if we take this at face value, it would not be lawful for employers to carry out criminal records checks as a matter of course unless they are recruiting for a role already exempt from the Rehabilitation of Offenders Act 1974, for example roles involving work with vulnerable adults or children where a Disclosure and Barring Service check is required.

But not everything is as it seems. The UK government has wisely, and in good time, addressed this issue, which would be a blow to many organisations’ compliance and recruiting, by introducing legislation (the Data Protection Bill) to authorise the use of criminal records checks by all organisations. The GDPR includes a specific derogation to allow such legislation.

The GDPR has direct effect across all EU member states and has already been passed, meaning organisations will still have to comply with the regulation, and we will still have to look to the GDPR for most legal obligations. However, the GDPR gives member states opportunities to make provisions for how it applies in their country. One element of the Data Protection Bill sets out the details of these provisions. It is therefore important that the GDPR and the Bill are read side by side.

The UK’s third generation of data protection law has already entered Parliament. It was published on 14 September 2017 and aims to modernise data protection laws to ensure they are effective in the years to come. It will supplement the GDPR. The Bill includes provision for authorising the processing of criminal convictions data where necessary for the purposes of performing or exercising employment law obligations or rights. To carry out such processing, an employer would need to have in place a policy that explains its procedures for securing compliance with the principles of the GDPR in relation to the processing of criminal records data, and that explains its policies on erasure and retention of the data.

The Bill also authorises processing criminal records data in other circumstances, including where the subject has given his or her consent (and here’s the big one, which actually means nothing really changes from the current process). This would allow employers to request a criminal records check where the prospective employee agrees to this, provided that the consent meets the specific requirements under the GDPR.

So the great news is that Giant already works with its clients to obtain that explicit consent and is also ready for GDPR, including in relation to the processing of criminal records data and explaining policies on erasure and retention of the data. That means you can work with a partner and continue to get great insight into your applicants.

Your background checks and screening should be GDPR compliant, but getting there shouldn’t be hard work for you. Giant are the experts and will be delivering GDPR screening programmes to all their clients.

For more information call Practical HR on 01702 216573.

Matt Armstrong – Managing Director, Giant Group