At a glance
- The UK GDPR gives extra protection to the personal data of offenders or suspected offenders in the context of criminal activity, allegations, investigations, and proceedings.
- If you have official authority, you can process personal data about criminal convictions and offences, because you are processing the data in an official capacity.
- If you do not have official authority, you can only process criminal offence data if you can identify a specific condition for processing in Schedule 1 of the DPA 2018.
- You cannot keep a comprehensive register of criminal convictions, unless you do so in an official capacity.
- You must determine your condition for processing criminal offence data, or identify your official authority for the processing, before you begin the processing, and you should document this.
- You must still have a lawful basis for your processing under Article 6.
- In many cases, you also need an ‘appropriate policy document’ in place in order to meet a UK Schedule 1 condition for processing in the DPA 2018.
- You need to complete a data protection impact assessment (DPIA) for any type of processing which is likely to be high risk. You must therefore be aware of the risks of processing the criminal offence data.
☐ We have checked that the processing of the criminal offence data is necessary for the purpose we have identified and are satisfied there is no other reasonable and less intrusive way to achieve this purpose.
☐ We have identified an Article 6 lawful basis for processing the criminal offence data.
☐ Where applicable, we have identified in law our official authority to process the criminal offence data.
☐ Where we do not have official authority to process criminal offence data, we have identified an appropriate DPA 2018 Schedule 1 condition.
☐ Where required, we have an appropriate policy document.
☐ We have considered whether we need to do a DPIA.
☐ We include specific information about our processing of criminal offence data in our privacy information for individuals.
☐ We have considered whether the risks associated with our use of criminal offence data affect our other obligations around data minimisation, security, and appointing Data Protection Officers (DPOs) and representatives.
- What is criminal offence data?
- What are the rules for criminal offence data?
- What are the Schedule 1 conditions for processing criminal offence data?
- In more detail
The UK GDPR gives extra protection to “personal data relating to criminal convictions and offences or related security measures”. We refer to this as criminal offence data.
This covers a wide range of information about offenders or suspected offenders in the context of:
- criminal activity;
- investigations; and
It includes not just data which is obviously about a specific criminal conviction or trial, but may also include personal data about:
- unproven allegations; and
- • information relating to the absence of convictions.
It also covers a wide range of related security measures, including
- personal data about penalties;
- conditions or restrictions placed on an individual as part of the criminal justice process; or
- civil measures which may lead to a criminal penalty if not adhered to.
It does not cover information about other individuals, including victims and witnesses of crime. However, information about victims and witnesses is likely to be sensitive, and controllers should take particular care when processing it.
You must always ensure that your processing is generally lawful, fair and transparent and complies with all the other principles and requirements of the UK GDPR. To ensure that your processing is lawful, you need to identify an Article 6 basis for processing.
In addition, you can only process criminal offence data if the processing is either:
- under the control of official authority; or
- authorised by domestic law. This means you need to meet one of the conditions in Schedule 1 of the DPA 2018.
You may only keep a comprehensive register of criminal convictions if this register is “under the control of official authority”.
Public bodies, or private bodies who are given public sector tasks, may have “official authority” to process criminal offence data. This official authority may derive from either common law or statute. If you are a public body, you must identify the specific law that gives you official authority to process criminal offence data.
If you do not have official authority for the processing, it must be authorised by domestic law. This authorisation in law is set out in the conditions listed in Schedule 1 of the DPA 2018.
You must also identify whether you need an “appropriate policy document” under the DPA 2018. Our template appropriate policy document shows the kind of information this should contain.
You must do a DPIA for any type of processing that is likely to be high risk. This means that you are more likely to need to do a DPIA for processing criminal offence data. For further information, please see our guidance on DPIAs.
You should also consider how the risks associated with criminal offence data affect your other obligations – in particular, obligations around data minimisation, security, transparency, and DPOs.
The 28 conditions which are available for the processing of criminal offence data are set out in paragraphs 1 to 37 Schedule 1 of the DPA 2018:
- Employment, social security and social protection
- Health or social care purposes
- Public health
- Statutory and government purposes
- Administration of justice and parliamentary purposes
- Preventing or detecting unlawful acts
- Protecting the public against dishonesty
- Regulatory requirements relating to unlawful acts and dishonesty
- Journalism in connection with unlawful acts and dishonesty
- Preventing fraud
- Suspicion of terrorist financing or money laundering
- Safeguarding of children and individuals at risk
- Elected representatives responding to requests
- Disclosure to elected representatives
- Informing elected representatives about prisoners
- Publication of legal judgments
- Anti-doping in sport
- Standards of behaviour in sport
- Vital interests
- Not-for-profit bodies
- Manifestly made public by the data subject
- Legal claims
- Judicial acts
- Administration of accounts used in commission of indecency offences involving children
You should identify which of these conditions appears to most closely reflect your purpose. Our detailed guidance gives you some further advice on how the conditions generally work, but you always need to refer to the detailed provisions of each condition in the legislation itself to make sure you can demonstrate it applies.
For some of the conditions, you also need to justify why you cannot give individuals a choice and get explicit consent for your processing. In many cases, you must have an ‘appropriate policy document’ in place.