The High Court has dismissed substantially all of an HMRC employee’s claims relating to the lawfulness of HMRC’s processing of personal data relating to alleged criminal offences committed by the employee: Hopkins v HMRC  EWHC 2355 (QB). The employee was arrested by the police and, as required by her employment contract, disclosed this to HMRC which suspended the employee pending an investigation. Two years have passed and the employee remains suspended although no criminal charges have (yet) been brought against the employee.
The General Data Protection Regulation includes stricter requirements for the processing of criminal offence data (including allegations of offences) than it does for ‘ordinary’ personal data. It’s a complex area but, broadly, personal data about criminal offences (including alleged offences) is treated in a similar way to Article 9 special data and can only be processed if certain ‘special conditions’ set out in national legislation (here the Data Protection Act 2018) are established and the controller has an appropriate policy document in place that covers the processing.
In terms of establishing a ‘special condition’, HMRC was able to establish that its processing was necessary for reasons of substantial public interest and necessary in the exercise of a function conferred on HMRC. It’s important to note that not every employer will be able to establish such a special condition – it’s justified for some roles and for some contexts but not all. It is very unlikely that this decision will be taken to mean that blanket processing of criminal offence data for recruitment purposes (probably the most common use case of criminal offence data in a workplace context) is always in the public interest; rather employers/engagers will still have to grapple with the usual limitations of whether roles are covered by the Rehabilitation of Offenders Act 1974 and the limitations of explicit consent.
The appropriate policy document can be a source of confusion for some controllers. The DPA states that the policy document needs to (a) explain how the controller complies with the general principles relating to data processing and (b) explain the controller’s general policies as regards the retention and erasure of personal data. However, does this policy need to be distinct from general privacy notices that are always required to be provided to staff to explain how and why their personal data (whether or not criminal) is processed? No, is the clear answer from this case – HMRC’s general Staff Privacy Notice (of which relevant extracts are set out at paragraph 52 of the judgment) satisfied this requirement. Hopefully this logic will apply to all references to appropriate policy documents in the DPA (e.g. for processing of other types of special data).
In all, the case highlights the importance of ensuring that appropriate privacy notices and/or policies are in place that adequately inform individuals of the processing of their personal data. Processing criminal record (and any other ‘special category’, e.g. health related) personal data always carries risk and needs to be clearly thought through.
HMRC had in place, and made available to the Claimant, the Staff Privacy Notice... the ICO did not perceive any deficiencies in the Staff Privacy Notice... In my judgment... there is no realistic prospect of the Claimant establishing at trial that HMRC failed to comply with the requirement to have in place an appropriate policy document.