Does the General Data Protection Regulation (GDPR) allow employers to undertake routine criminal record checks on staff? As with many things GDPR, the answer is more complicated than one would expect.
Article 10 of the GDPR contains a prohibition on the processing of personal data relating to criminal convictions or offences. Specifically, Article 10 prohibits such processing except: (1) under the control of “official authority”, or (2) where such processing has been authorized by European law or that of any EU Member State. For purposes of this note, we will ignore the first exception, since “official authority” refers to an organization performing public functions and exercising powers that have been established by law. So where does that leave an employer which (like nearly all private employers) does not have “official authority”?
As a starting point, an employer seeking to process personal data (of any nature) must have a lawful basis for processing under Article 6 of the GDPR. Naturally, this holds true for personal data relating to criminal convictions or offences. Employers will generally rely on one of three lawful bases for such processing: (1) the job applicant or employee has consented to the processing; (2) the processing is necessary to comply with a legal obligation to which the employer is subject; or (3) the processing is necessary for the employer’s legitimate interests, for example, to ensure the reliability of its staff and protect its reputation.
Where an employer has established a lawful basis for processing (and cannot assert “official authority”, as discussed above), it may only process personal data relating to criminal convictions or offences if it is permitted to do so under European or Member State law. The United Kingdom, for example, has permitted such processing through the Data Protection Act of 2018 (the “2018 Act”). Specifically, Section 10(5) of the 2018 Act allows for processing of personal data relating to criminal convictions or offences where one of the following two conditions is met: (1) the processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment; or (2) the individual has given their consent.
The first condition likely only applies where there is a legal requirement to vet employees in certain specialized fields. For example, UK employers can routinely seek information on an “unspent conviction” (i.e. a conviction that will appear on a Basic Criminal Record Check) for certain categories of professional employment such as doctors, lawyers, and those working with minors. For other categories of employment that are not excepted professions, however, the employer may only ask the job applicant to voluntarily disclose unspent convictions, or consent to a basic background check. In practice, most UK employers are left seeking consent.
When it comes to consent, however, employers must be mindful of the power imbalance inherent in the employment relationship. GDPR requires consent to be “freely given,” and the UK’s Information Commissioner’s Office warns that: “those who depend on your services, or fear adverse consequences, might feel they have no choice but to agree – so consent is not considered freely given” and that “[t]his will be a particular issue for public authorities and employers.” With this in mind, the 2018 Act requires the employer to develop an “appropriate policy document,” both to help it gain consent appropriately from the job applicant or employee and to ensure it adopts retention, security, erasure, and use policies for the personal data it processes. This document must set out the procedures for complying with the six principles of Article 5 of the GDPR, set appropriate retention and erasure procedures, and be maintained and updated regularly.
In summary, if an employer concludes that (1) requesting a criminal record check is justified, (2) it has a lawful ground for processing under Article 6 of the GDPR, and (3) it has “official authority” or has been authorized to do so by European law or that of any EU Member State under Article 10 of the GDPR, it may process such personal data in pursuit of a criminal record check. In the UK, employers have been granted a limited authorization to process such personal data so long as: (1) the processing is necessary in connection with employment; or (2) the individual has given their consent. In most cases, the employer will not have a separate legal basis for carrying out such a background check, and so consent by the data subject will be required.