- What conditions are available?
- Are the conditions the same as for special category data?
- How do the other conditions work?
- Do we need to show ‘substantial public interest’?
- What does ‘necessary’ mean?
- How does consent work?
- Do we need an ‘appropriate policy document’?
The 28 conditions which are available for the processing of criminal offence data are set out in paragraphs 1 to 37 Schedule 1 of the DPA 2018. Some Schedule 1 conditions apply only to special category data and so are not included here.
- Employment, social security and social protection
- Health or social care purposes
- Public health
- Statutory and government purposes
- Administration of justice and parliamentary purposes
- Preventing or detecting unlawful acts
- Protecting the public against dishonesty
- Regulatory requirements relating to unlawful acts and dishonesty
- Journalism in connection with unlawful acts and dishonesty
- Preventing fraud
- Suspicion of terrorist financing or money laundering
- Safeguarding of children and individuals at risk
- Elected representatives responding to requests
- Disclosure to elected representatives
- Informing elected representatives about prisoners
- Publication of legal judgments
- Anti-doping in sport
- Standards of behaviour in sport
- Vital interests
- Not-for-profit bodies
- Manifestly made public by the data subject
- Legal claims
- Judicial acts
- Administration of accounts used in commission of indecency offences involving children
You should identify which of these conditions appears to most closely reflect your purpose. This guidance gives you some general advice on how the conditions work, but you always need to refer to the detailed provisions of each condition in the legislation itself to make sure you can demonstrate it applies.
Remember that if none of the conditions apply, you may only process criminal offence data if you have official authority to do so.
The conditions outlined in Schedule 1 do not all apply to both criminal offence data and special category data. There are many conditions which apply to both types of data, but some apply only to special category data, and others only to criminal offence data. The conditions also have different requirements and some are applied differently, depending on the nature of the data.
Note the conditions at paragraphs 29 to 34 are similar to the conditions for processing special category data which are listed in Article 9 of the UK GDPR. However, instead of being listed in Article 10 of the UK GDPR, they are outlined in Schedule 1 of the DPA 2018. This means there is further consistency in the conditions for Articles 9 and 10.
It is also important to be aware that the conditions do not necessarily work in the same way with respect to special category and criminal offence data. It is important you are clear what type of data you are processing and which condition applies to that specific data. You must make sure you apply the right provisions.
First you need to be clear about why you need criminal offence data, as most of the conditions are based on the specific purpose for the processing. You can then identify the most relevant condition.
Given the potential risks to individuals’ rights, the conditions are narrowly drawn. You are often required to meet detailed criteria and put in place specific safeguards and accountability measures. Some conditions are also limited to specific types of controllers.
For some of the conditions, you need to justify why you cannot give individuals a choice and get consent for your processing. This is different to the separate rules on having a lawful basis for processing personal data, where there is no preference for consent. Given the risks to individuals, there is more emphasis on obtaining consent for processing criminal offence data. However, this justification is not required for all conditions. Even where it is required, the law acknowledges there may be good reasons why you cannot get valid consent in some cases.
If you are unsure of the most appropriate condition, it can be useful to start by considering whether you could reasonably get consent for your processing. However, consent will not always be appropriate, particularly in the public sector. If there are good reasons why consent would not work, you can then consider the other Schedule 1 conditions. You should focus on your purpose for processing, ensuring that the criminal offence data is actually necessary for that purpose.
If your purpose is not covered by any of the conditions, you cannot process the criminal offence data. It does not matter how good your reason for processing might be. You need to change your plans to avoid using criminal offence data.
The only potential exemption from Article 10 is the public interest exemption for journalism, academia, art or literature. There are no other exemptions from Article 10.
The ICO cannot authorise the use of criminal offence data in the absence of a condition. Adding further conditions is a matter for government and would require new legislation.
In some cases, you must also have an ‘appropriate policy document’ in place.
|Schedule 1 Condition||Justify why no consent||Appropriate policy document|
|1. Employment, social security and social protection||N||Y|
|2. Health or social care purposes||N||N|
|3. Public health||N||N|
|6. Statutory and government purposes||N||Y|
|7. Administration of justice and parliamentary purposes||N||Y|
|10. Preventing or detecting unlawful acts||Y||Y/N*|
|11. Protecting the public||Y||Y|
|12. Regulatory requirements||Y||Y|
|13. Journalism, academia, art and literature||N||N|
|14. Preventing fraud||N||Y|
|15. Suspicion of terrorist financing or money laundering||N||Y|
|18. Safeguarding of children and individuals at risk||Y||Y|
|23. Elected representatives responding to requests||Y||Y|
|24. Disclosure to elected representatives||Y||Y|
|25. Informing elected representatives about prisoners||N||Y|
|25. Publication of legal judgments||N||Y|
|27. Anti-doping in sport||N||Y/N*|
|28. Standards of behaviour in sport||Y||Y|
|30. Vital interests||N||N|
|31. Processing for not-for–profit bodies||N||N|
|32. Manifestly made public by the data subject||N||N|
|33. Legal claims||N||N|
|34. Judicial acts||N||N|
|35. Administration of accounts used in commission of indecency offences involving children||N||Y|
*Under conditions 10 and 27, you do not need an appropriate policy document to disclose data to the relevant authorities (or prepare to disclose it). However, you still need an appropriate policy document for other processing activities.
Further reading – ICO guidance
For more detail on how the following conditions are likely to work, read our guidance on the equivalent special category condition:
Schedule 1 refers to conditions 6-28 as the ‘substantial public interest’ conditions. These conditions apply both to criminal offence data and to special category data processing.
Each of these conditions outlines their own processing requirements. Some of the conditions assume that processing under that condition is always in the substantial public interest, for example ensuring equality or preventing fraud.
Other conditions, such as preventing or detecting unlawful acts or safeguarding of children and individuals at risk, explicitly require you to demonstrate that the processing is ‘necessary for reasons of substantial public interest’. However, paragraph 36 of Schedule 1 removes this requirement for criminal offence data, although the requirement remains in place for the processing of special category data. So if you are processing criminal offence data only, and not special category data, you can rely on one of the listed conditions without needing to demonstrate that the processing is necessary for reasons of substantial public interest.
Most of the conditions depend on you being able to demonstrate that the processing is ‘necessary’ for a specific purpose. This does not mean that processing has to be absolutely essential. However, it must be more than just useful or habitual. It must be a targeted and proportionate way of achieving that purpose.
The condition does not apply if you can reasonably achieve the same purpose by less intrusive means; and in particular, if you could do so by using data unrelated to criminal offences. This links to the data minimisation principle, which you should consider carefully for criminal offence data.
It is not enough to argue that processing is necessary because it is part of your particular business model, processes or procedures, or because it is standard practice. The question is whether the processing of the criminal offence data is a targeted and proportionate way of achieving the purpose described in the condition.
Further reading – ICO guidance
Condition 29 permits you to process criminal offence data if the individual consents to the processing.
Consent must be freely given, specific, informed, affirmative (opt-in),unambiguous and able to be withdrawn at any time.
You need to be particularly careful if you ask for consent as a condition of accessing a service, or if you are in a position of power over the individual, eg you are a public authority or the individual’s employer.
If you need to process criminal offence data to provide a service to the individual, consent may be available as your condition for processing that data, even if it is a condition of service. However, you must be confident that you can demonstrate consent is still freely given. In particular, the service itself must be genuinely optional for the individual, and the processing needs to be objectively necessary to perform the service and not just included in your terms for other purposes.
Some of the Schedule 1 conditions only apply if there is a good reason why you cannot get valid consent.
As a general rule, for these conditions you should consider first whether you could give individuals a choice and only process criminal offence data with their consent. However, there will often be a good reason why you should not give individuals an upfront choice. For example, you might not want to ask for consent if you were investigating someone and informing them might prejudice your investigation. Alternatively, you may be able to show that you cannot technically get valid consent in the circumstances, but there is a good reason to go ahead anyway. For example, public authorities, employers and other organisations in a position of power may not be able to demonstrate that consent would be freely given.
The details of the conditions vary, so if you do have a reason for not getting consent, or you do not think it would be valid, you must always check the detail of the relevant condition to see exactly what justification you need.
Further reading – ICO guidance
A delivery company wants to perform criminal record checks on their self-employed riders. They also wish to retain the results of this check.
Personal data contained in a criminal record check will be personal data ‘relating to criminal convictions and offences’ and will therefore fall under Article 10, even when the check reveals no convictions.
If the company can demonstrate there is a potential risk of unlawful behaviour in employing riders with a criminal record, they may be able to rely on condition 10 – preventing or detecting unlawful acts.
The company would not be able to use consent as their condition for processing (condition 29). Whilst the company may require consent to carry out the DBS check, this does not mean they can use that consent as their lawful basis for the processing. Under UK GDPR, that consent would not be considered to be freely given and it could not be withdrawn. In such circumstances, it is therefore not valid as a condition for processing.
An appropriate policy document is a short document outlining your compliance measures and retention policies for special category and criminal offence data. The DPA 2018 says you must have one in place for some of the criminal offence conditions, as a specific accountability and documentation measure.
For details of which conditions this applies to, see the table above: ‘How do the conditions work?’.
It does not have to take any particular form, as long as it briefly outlines:
- the Schedule 1 condition (or conditions) you are relying on;
- your procedures for complying with each of the principles;
- your retention and deletion policies; and
- an indication of the retention period for the specific data.
If you process criminal offence data for a number of different purposes, you do not need a separate policy document for each condition or processing activity. One document can cover them all. You should provide the data subject with sufficient information for them to understand how you are processing their criminal offence data and how long you will retain it for.
We have developed an appropriate policy document template to help you meet this requirement.
If you have carried out a DPIA, you should be able to reuse the material related to necessity and proportionality to inform your appropriate policy document.
You need to retain your appropriate policy document for at least six months after the date you stop the relevant processing, or longer depending on your business needs. You must keep it under review. You do not have to publish it, although it is good practice to do. If we ask to see it, you must provide it to us free of charge.
You also need to include some further details in your general UK GDPR documentation:
- how the processing satisfies a lawful basis;
- your condition for processing criminal offence data; and
- whether you have followed your retention and deletion policies, and if not, why not.