As an employer, you may need to carry out either self-reporting criminal convictions processes, or undertake DBS checks, as part of your recruitment process. But, with GDPR and the Data Protection Act 2018, there are changes to what data you can legally process, and for what reason.
Under GDPR and the updated Data Protection Act, you might need to change the way that you’ve collected data about your potential recruits’ criminal convictions. Whether you’ve worked with a self-reporting criminal convictions policy, or undertaken full DBS checks, there are some changes that you’ll likely need to make. Unlock has published new guidance, highlighting how important it is for you to be aware of how data protection can affect your recruitment and employment processes. You can read the full guide here, and we’ve summarised what you need to know below.
Under the new laws, you can’t legally process criminal conviction or record information of future employees, unless:
Essentially, this means that you can’t simply request self-disclosure, or carry out blanket DBS checks (even at a basic level) as a matter of course during recruitment or employment, without considering the data protection laws. Lots of businesses have done so for many years – but this way of working is not legal. This applies whether you’re carrying out the checks yourself, or using a third party to do it for you.
As a starting point, collecting criminal records during the initial application stage of recruitment is unlikely to be necessary – and, therefore, in breach of data protection law. There are three key principles that you can use as a guide to make sure you’re acting lawfully at each stage of your recruitment process:
The rules that apply to disclosing criminal records is complex. If you need to ask about criminal convictions because a contract with a client requires you to do so, for example, you could get into hot water – as there’s no condition under the DPA that allows you to do so other than consent, which will be difficult to demonstrate as freely given. It’s important, then, that you comply with the new data protection laws, while still being able to manage your organisation effectively. This can be a difficult balance to strike.
If you’re unsure about whether your existing practices are compliant, need advice on whether you’ve got a legal basis to process criminal conviction data, or want to update your privacy notices to cover that processing, we can help. Get in touch with our GDPR experts for more information.