The ICO has issued new guidance on the processing of criminal offence data. Whilst further guidance will certainly be welcomed for controllers who process this sort of data, ultimately there will still be some tricky decisions to be made when deciding whether and how to process this sort of information.
The processing of criminal offence data is an area where there has historically been a good deal of uncertainty, with controllers (particularly employers) unclear as to how the GDPR rules fit with the existing DBS regime, and just exactly when processing criminal records data will be lawful.
The new ICO guidance aims to help controllers determine the extent to which they can process criminal offence data from a data privacy perspective, and the measures controllers should take when doing so. However, the guidance does not offer any hard and fast rules for controllers who want certainty in this area. Instead the focus is on controllers themselves ensuring that they have a legal basis that is applicable to their specific circumstances, and that the processing they carry out is reasonable and proportionate given their specific situation.
Key points from the guidance include the following:
- The restrictions on processing criminal offence data apply to personal data ‘relating to’ criminal convictions and offences. This includes data relating to suspicions, allegations and even the absence of convictions. It also covers the data of victims, not just of the offender/ alleged offender.
- Controllers can only process criminal data (a) under the control of official authority; or (b) where authorised by EU or member state law (in the UK this means that one of the conditions in Schedule 1 Data Protection Act 2018 needs to apply). Generally, it is the latter (b) that will be relevant for private organisations.
- Schedule 1 of the Data Protection Act 2018 contains a number of legal bases which can potentially apply (and must do so in addition to the controller's article 6 condition). These legal bases include: consent; where the processing is necessary for performing obligations in relation to employment; or where the processing is necessary for the prevention or detection of unlawful acts. However, the onus will be on the controller to determine what is necessary in their specific case.
- As consent needs to be freely given, public authorities, employers and other organisations in a position of power may not be able to rely on it, meaning another legal basis will likely be needed. The fact that consent is required for a DBS check does not mean that that consent will be a valid lawful basis for data privacy purposes.
- Where the legal basis relied on is based around using the data for a specific purpose it will be important for controllers to critically assess whether their use of the data is necessary and proportionate to that purpose.
- Many of the legal bases in Schedule 1 require the controller to have an 'appropriate policy document' in place. This must be maintained for at least six months after the processing and must be kept under review.
- Controllers likely need to carry out a data protection impact assessment (or "DPIA") where they are processing criminal offence data.
It is not enough to argue that processing is necessary because it is part of your particular business model, processes or procedures, or because it is standard practice. The question is whether the processing of the criminal offence data is a targeted and proportionate way of achieving the purpose described in the condition.