The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

What is ‘criminal offence data’?

The GDPR gives extra protection to ‘personal data relating to criminal convictions and offences or related security measures’. This covers a wide range of information about criminal activity, allegations, investigations and proceedings.

In this guidance, we refer to this data collectively as ‘criminal offence data’, although this is not a term used in the GDPR.

It includes not just data which is obviously about a specific criminal conviction or trial, but also any other personal data ‘relating to’ criminal convictions and offences.

‘Relating to’ should be interpreted broadly. It covers any personal data which is linked to criminal offences, or which is specifically used to learn something about an individual’s criminal record or behaviour. This is consistent with the broad interpretation of ‘relates to’ in other GDPR and DPA 2018 provisions, such as the definition of personal data.

Why are there special rules for this data?

It is not just that this type of information might be seen as more sensitive or ‘private’. Recital 75 to the GDPR explains that this type of personal data merits specific protection. This is because use of this data could create significant risks to the individual’s fundamental rights and freedoms. For example, data about criminal allegations or convictions may have a particular impact on:

  • the right to liberty and security;
  • the right to a fair trial;
  • the right to respect for private and family life;
  • freedom to choose an occupation and the right to engage in work; or
  • freedom to conduct a business.

The presumption is that you need to treat this type of data with greater care, because collecting and using it is more likely to interfere with these fundamental rights or open someone up to discrimination. This is part of the risk-based approach of the GDPR.

However, this type of data is treated differently to other types, eg special category data, which are considered particularly sensitive and risky in terms of fundamental rights and freedoms. This is because the interests of society at large and the need to protect the public from criminal activity are likely to mean that you can justify the use of criminal offence data in a wider variety of circumstances, despite the potential impact on individual rights.

When processing special category data, many conditions require you to explicitly demonstrate that the processing is necessary for reasons of substantial public interest. This requirement doesn’t apply to criminal offence data.

When do these rules apply?

These rules apply if you are processing criminal offence data under the general processing regime set out in the GDPR and Part 2 of the DPA 2018, ie if you are not processing for law enforcement purposes. You need to comply with these rules if you are a commercial, voluntary or community (third-sector) organisation processing criminal offence data for any purpose (including disclosures to the police or other organisations processing for law enforcement purposes). You also need to comply if you are a public authority without law enforcement functions or if you are processing for non-law enforcement purposes. 

These rules do not apply if you are a ‘competent authority’ with law enforcement functions as defined in Section 30 of the DPA 2018, and are processing for law enforcement purposes. This falls under the separate law enforcement regime in Part 3 of the DPA 2018.

These rules do apply to competent authorities when processing criminal offence data for purposes not related to law enforcement. For example, a police force processing data about its employees’ criminal records for human resources purposes, or sharing data with victim support services, needs to comply with the GDPR.

For more information, see our separate guidance on Which regime applies. There is also guidance on Law enforcement processing.

Does it cover suspicion or allegations of criminal activity?

Yes. This is still personal data ‘relating to’ a criminal offence. These rules are not just about confirmed criminal convictions. Unproven allegations are potentially even more likely to have an unjustified impact on an individual’s interests, rights and freedoms, and so need special protection.

Section 11(2) of the DPA 2018 specifically confirms that criminal offence data includes personal data relating to:

“(a) the alleged commission of offences by the data subject, or

(b) proceedings for an offence committed or alleged to have been committed by the data subject or the disposal of such proceedings, including sentencing.”

Example

A shop manager suspects an employee of stealing money from the till. The manager compiles a report showing the shifts of the individual and collects CCTV footage of them at the till during those shifts.

This personal data is criminal offence data as it relates to the alleged commission of an offence which is as yet unproven.

Does it cover data relating to the absence of convictions?

Yes. The fact that a person has no criminal convictions is personal data ‘relating to’ criminal convictions.

Section 11(2) of the DPA 2018 specifically confirms that criminal offence data includes personal data relating to the disposal of criminal proceedings, which includes information about acquittals.

You should only process specific personal data about whether or not someone has a conviction if you have a valid reason for doing so. This means, for example, that if you process the results of a criminal records check on your employees, you must comply with the rules on criminal offence data, whether or not the check returns any convictions.

Example

A school employs a teacher following a clear criminal records check. They keep this result in their personnel files. This data ‘relates to’ criminal convictions and so collecting and holding it means the school is processing criminal offence data. This applies even though the check does not reveal any convictions.

Does it cover the personal data of victims of crime?

Yes. Information about a specific crime committed against an identifiable victim is the personal data of the victim and ‘relates to’ criminal offences. This is true whether or not you identify the offender.

There is nothing in the GDPR which limits criminal offence data only to the personal data of offenders (or suspected offenders). Section 11(2) of the DPA 2018 focuses on the offender as data subject to clarify the specific position on allegations and trial data, but this does not limit the application of Article 10 of the GDPR.

Information about victims and witnesses of crime is therefore data relating to criminal offences and is covered by Article 10 of the GDPR. 

This is in accordance with national and international policy on victims’ rights, which requires you to give extra protection to this type of personal data. Processing such sensitive data creates significant risks to the privacy and wellbeing of the individuals concerned. Article 10 of the GDPR therefore provides safeguards to support the rights of victims of crime and helps ensure that you can only process their data with good reason.

Example

A police force passes the details of an individual who has been the victim of violent crime to an organisation which provides support to victims of crime. This personal data ‘relates to’ a criminal offence but is not processing for law enforcement purposes. It therefore falls under Article 10 of the GDPR.

What are ‘related security measures’?

The GDPR does not define ‘related security measures’. However, it is likely to include personal data about penalties, conditions or restrictions placed on an individual as part of the criminal justice process, or civil measures which may lead to a criminal penalty if not followed.

Civil proceedings and orders made as a result would not usually fall within ‘related security measures’, unless the penalty for non-compliance carries with it a criminal sanction.

Some examples of related security measures that fall within the scope of Article 10 are:

  • police cautions;
  • bail conditions;
  • information about probation or parole;
  • electronic tagging data;
  • civil injunctions (where these carry a criminal sanction for non-compliance);
  • binding over orders;
  • community protection notices (CPNs);
  • criminal behaviour orders (CBOs);
  • anti-social behaviour orders (ASBOs) in Scotland;
  • drinking banning orders (DBOs);
  • football banning orders; or
  • restraining orders.