If you asked a series of people whether they would prefer to hire a financial accountant who had previously committed fraud, or employ a financial accountant who hadn’t committed fraud, we’d suggest that most people would probably choose the latter.
Perhaps this is why many organisations in the UK make carrying out DBS checks on their employees or prospective employees part of their recruitment or ongoing employment process. However, few consider the data protection consequences of doing so. The UK GDPR offers extra protection to any personal data concerning criminal convictions and offences, which means that, similar to special category data, there are additional considerations with regard to processing, as it can pose significant risks to individuals’ rights and freedoms.
In this blog we will be looking at how organisations can remain UK GDPR compliant while conducting DBS checks, along with any other considerations they should be aware of.
As with any personal data processing under the UK GDPR, organisations must identify a lawful basis for requesting a DBS check from a prospective or actual employee. In most cases, organisations conducting such checks will be doing so under the lawful basis of Legal Obligation. This applies, for example, to individuals who work with children or vulnerable people, or to some senior roles in FCA-regulated organisations.
If there is no such legal obligation, this does not prevent you from carrying out DBS checks, but you will have to identify an alternative lawful basis, such as Legitimate Interests or Public Task. It is worth noting, however, that due to the higher-risk nature of criminal convictions data, if relying on Legitimate Interests it will be harder to demonstrate how business interests outweigh the risk to individuals’ rights in the balancing assessment that is required.
Another thing to be aware of is that, in addition to a lawful basis, you must also identify an additional condition for processing. Although this sounds similar to the requirements for processing special category data, it is in fact different. Whilst to process special category data you must identify an Article 9 condition for processing, for data relating to criminality you must meet one of the conditions listed in Schedule 1 of the UK’s Data Protection Act 2018, unless the processing is under the control of official authority.
Where you rely on a lawful basis other than legal obligation (where it is automatically considered necessary and proportionate), you need to ensure that requesting criminal offence data is a necessary and proportionate way of achieving the purpose for which you are collecting this information. An example of this may be choosing to only DBS check employees who may be working on site alone, rather than all staff even if some are always supervised; or only DBS checking individuals of a certain level of authority or above, who may be in more of a position to cause harm to the business if they were to be employed inappropriately.
Another example of how you can ensure these checks are proportionate is by considering the type of DBS check you require. There are three different types of DBS checks:
These different types present varying levels of intrusion into an individual’s life, so having a policy of only undertaking the least intrusive check necessary to achieve your aim is vital. For example, a basic check may be sufficient for a paralegal, whereas an enhanced check may be appropriate for a fully qualified barrister.
In order to demonstrate that these checks are necessary and proportionate, it is recommended that a Data Protection Impact Assessment (DPIA) be conducted – you can read our how-to guide for DPIAs here.
The Information Commissioner’s Office (ICO) Employment Practices Code recommends that once a DBS check has been completed and reviewed by an organisation, it should be securely disposed of as soon as is practicable. Instead of keeping the DBS check itself, you should merely keep a record that the check was conducted and whether it produced a satisfactory or unsatisfactory result. It is recommended that a retention period of no more than 6 months is implemented for DBS checks, which should be stipulated in your organisation’s retention schedule.
Depending upon which Schedule 1 condition you rely upon, you may be legally required to have an Appropriate Policy Document. This document (sometimes called a Special Category Data Policy) explains why you are collecting the criminal offences data; how you comply with the key principles listed in Article 5 UK GDPR when processing the personal data; and its retention period and erasure policy.
Finally, in order to comply with the principle of Transparency, as with any other personal data processing, you must ensure that the processing of criminal offence data is outlined in your employee and job applicant privacy notices. Where DBS checks are only required for certain roles, this should also be specified. Furthermore, where an offer of employment is contingent on a DBS check being carried out, this should be made explicitly clear so that the candidate is not misled and can make an informed decision about whether to go ahead with their application or submit any objections.
Whilst there are many factors that need to be taken into account when deciding whether to implement DBS check requirements in your organisation, the take-home message should be that, provided you have a clear justification for doing so, you can process this type of personal data. It must be remembered, however, that due to the sensitivity of such data, the bar is set much higher in terms of justification.
So, to put it bluntly, you might not want to work with an ex-fraudster, but if there is no genuine reason for insisting on a DBS check, you should not be requiring all staff to undergo one on the off chance that they may be one.
If you or your organisation needs help with ensuring compliance while conducting DBS checks, please contact us here.