This guidance discusses criminal offence data in detail. Read it if you have detailed questions not answered in the Guide, or if you need a deeper understanding of the rules for processing criminal offence data to help you comply in practice. It is aimed at DPOs and those with specific data protection responsibilities in larger organisations.
If you haven’t yet read the ‘in brief’ page on criminal offence data in the Guide to Data Protection, you should read that first. It introduces the topic and sets out the key points you need to know, along with practical checklists to help you comply.
This guidance is not aimed at ‘competent authorities’ with law enforcement functions who are processing for law enforcement purposes. This falls under the separate law enforcement regime in Part 3 of the DPA 2018. See ICO’s Guide to Law Enforcement Processing (external link).
What is criminal offence data?
The GDPR gives extra protection to ‘personal data relating to criminal convictions and offences or related security measures’. This covers a wide range of information about criminal activity, allegations, investigations and proceedings.
In this guidance, we refer to this data collectively as ‘criminal offence data’, although this is not a term used in the GDPR.
It includes not just data which is obviously about a specific criminal conviction or trial, but also any other personal data ‘relating to’ criminal convictions and offences.
‘Relating to’ should be interpreted broadly. It covers any personal data which is linked to criminal offences, or which is specifically used to learn something about an individual’s criminal record or behaviour. This is consistent with the broad interpretation of ‘relates to’ in other GDPR and DPA 2018 provisions, such as the definition of personal data.
It is not just that this type of information might be seen as more sensitive or ‘private’. Recital 75 to the GDPR explains that this type of personal data merits specific protection. This is because use of this data could create significant risks to the individual’s fundamental rights and freedoms. For example, data about criminal allegations or convictions may have a particular impact on:
- the right to liberty and security;
- the right to a fair trial;
- the right to respect for private and family life;
- freedom to choose an occupation and the right to engage in work; or
- freedom to conduct a business.
The presumption is that you need to treat this type of data with greater care, because collecting and using it is more likely to interfere with these fundamental rights or open someone up to discrimination. This is part of the risk-based approach of the GDPR.
However, this type of data is treated differently to other types, eg special category data, which are considered particularly sensitive and risky in terms of fundamental rights and freedoms. This is because the interests of society at large and the need to protect the public from criminal activity are likely to mean that you can justify the use of criminal offence data in a wider variety of circumstances, despite the potential impact on individual rights.
When processing special category data, many conditions require you to explicitly demonstrate that the processing is necessary for reasons of substantial public interest. This requirement doesn’t apply to criminal offence data.
These rules apply if you are processing criminal offence data under the general processing regime set out in the GDPR and Part 2 of the DPA 2018, ie if you are not processing for law enforcement purposes. You need to comply with these rules if you are a commercial, voluntary or community (third-sector) organisation processing criminal offence data for any purpose (including disclosures to the police or other organisations processing for law enforcement purposes). You also need to comply if you are a public authority without law enforcement functions or if you are processing for non-law enforcement purposes.
These rules do not apply if you are a ‘competent authority’ (external link) with law enforcement functions as defined in Section 30 of the DPA 2018, and are processing for law enforcement purposes. This falls under the separate law enforcement regime in Part 3 of the DPA 2018.
These rules do apply to competent authorities when processing criminal offence data for purposes not related to law enforcement. For example, a police force processing data about its employees’ criminal records for human resources purposes, or sharing data with victim support services, needs to comply with the GDPR.
Yes. This is still personal data ‘relating to’ a criminal offence. These rules are not just about confirmed criminal convictions. Unproven allegations are potentially even more likely to have an unjustified impact on an individual’s interests, rights and freedoms, and so need special protection.
Section 11(2) of the DPA 2018 specifically confirms that criminal offence data includes personal data relating to:
“(a) the alleged commission of offences by the data subject, or
(b) proceedings for an offence committed or alleged to have been committed by the data subject or the disposal of such proceedings, including sentencing.”
A shop manager suspects an employee of stealing money from the till. The manager compiles a report showing the shifts of the individual and collects CCTV footage of them at the till during those shifts.
This personal data is criminal offence data as it relates to the alleged commission of an offence which is as yet unproven.
Yes. The fact that a person has no criminal convictions is personal data ‘relating to’ criminal convictions.
Section 11(2) of the DPA 2018 specifically confirms that criminal offence data includes personal data relating to the disposal of criminal proceedings, which includes information about acquittals.
You should only process specific personal data about whether or not someone has a conviction if you have a valid reason for doing so. This means, for example, that if you process the results of a criminal records check on your employees, you must comply with the rules on criminal offence data, whether or not the check returns any convictions.
A school employs a teacher following a clear criminal records check. They keep this result in their personnel files. This data ‘relates to’ criminal convictions and so collecting and holding it means the school is processing criminal offence data. This applies even though the check does not reveal any convictions.
Yes. Information about a specific crime committed against an identifiable victim is the personal data of the victim and ‘relates to’ criminal offences. This is true whether or not you identify the offender.
There is nothing in the GDPR which limits criminal offence data only to the personal data of offenders (or suspected offenders). Section 11(2) of the DPA 2018 focuses on the offender as data subject to clarify the specific position on allegations and trial data, but this does not limit the application of Article 10 of the GDPR.
Information about victims and witnesses of crime is therefore data relating to criminal offences and is covered by Article 10 of the GDPR.
This is in accordance with national and international policy on victims’ rights, which requires you to give extra protection to this type of personal data. Processing such sensitive data creates significant risks to the privacy and wellbeing of the individuals concerned. Article 10 of the GDPR therefore provides safeguards to support the rights of victims of crime and helps ensure that you can only process their data with good reason.
A police force passes the details of an individual who has been the victim of violent crime to an organisation which provides support to victims of crime. This personal data ‘relates to’ a criminal offence but is not processing for law enforcement purposes. It therefore falls under Article 10 of the GDPR.
The GDPR does not define ‘related security measures’. However, it is likely to include personal data about penalties, conditions or restrictions placed on an individual as part of the criminal justice process, or civil measures which may lead to a criminal penalty if not followed.
Civil proceedings and orders made as a result would not usually fall within ‘related security measures’, unless the penalty for non-compliance carries with it a criminal sanction.
Some examples of related security measures that fall within the scope of Article 10 are:
- police cautions;
- bail conditions;
- information about probation or parole;
- electronic tagging data;
- civil injunctions (where these carry a criminal sanction for non-compliance);
- binding over orders;
- community protection notices (CPNs);
- criminal behaviour orders (CBOs);
- anti-social behaviour orders (ASBOs) in Scotland;
- drinking banning orders (DBOs);
- football banning orders; or
- restraining orders.
What are the rules on criminal offence data?
Article 10 restricts the processing of criminal offence data: “Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects.”
So you can only process criminal offence data if the processing is either:
- under the control of official authority (see just below); or
- authorised by law. In the UK, this means you need to meet one of the conditions in Schedule 1 of the DPA 2018 (see below 'What are the conditions for processing?').
Use of criminal offence data, particularly on a large scale, can also affect your other obligations. In particular, it affects the need for documentation, data protection impact assessments (DPIAs) and DPOs - see below for 'What else you need to do'.
Article 10 also sets out a stricter rule on comprehensive registers of convictions: “Any comprehensive register of criminal convictions shall be kept only under the control of official authority.”
Under Article 10, if your processing is carried out ‘under the control of official authority’, you do not need any further authorisation in UK law – that is, you do not need to identify a DPA 2018 Schedule 1 condition for your processing.
In addition, you may only keep a comprehensive register of criminal convictions if this register is ‘under the control of official authority’.
Public bodies, or private bodies vested with public sector tasks, may have ‘official authority’ laid down by law to process criminal offence data. This official authority may derive from either common law or statute. The public body is responsible for identifying the specific law that gives them the official authority to process criminal offence data. If they wish to keep a comprehensive register of criminal convictions, they also need to consider whether they have sufficient official authority to do so.
For example, the DBS, Disclosure Scotland, Access NI, the DVLA and the courts all have a specific official authority to process any criminal offence data they hold, as well as to keep a comprehensive register.
A comprehensive register may remain under the control of official authority, even if a public authority delegates the maintenance of the register to another controller (or data processor). However, this only applies if the controller or processor cannot act autonomously and if the public authority retains a decisive influence over the processing.
A ‘comprehensive register’ of criminal convictions would clearly apply to a full national database of criminal convictions such as the Police National Computer (PNC). However, competent authorities will usually process the PNC under the separate law enforcement regime in Part 3 of the DPA 2018, rather than under the GDPR regime.
It also applies to other official registers or databases which only record a particular type of conviction, if that register has clearly defined parameters and is intended to be comprehensive within those parameters. For example:
- Disclosure and Barring Service (DBS), Disclosure Scotland or Access NI barred lists;
- motoring offences recorded on the DVLA driver register; or
- court records.
We also consider that it applies to any list of individuals which is made available to the public or to interested third parties (whether or not on payment of a fee) and is intended to be used as a centralised or consolidated source of information on convictions.
For example, it would apply to industry ‘blocklists’ – databases of employees shared between different employers and used as a recruitment screening tool – but only to the extent that they related to criminal convictions. Organisations are unlikely to have official authority to maintain a comprehensive register like this, and so in most cases, maintaining an industry blocklist based on criminal offence data will be in contravention of Article 10.
However, it would not apply to records held by an organisation about their own employees.
A company holds a list of individuals with criminal convictions who work in their industry sector because they consider those individuals should not be employed. The company offers access to this ‘blocklist’ to other companies in the same industry. The list is considered to be a ‘comprehensive register of criminal convictions’. However the company does not have the official authority based in law to keep it. This processing is therefore in contravention of Article 10.
A large public authority maintains a landlords register, which contains information about private landlords and letting agents who have been prosecuted or fined. It is a comprehensive register of criminal offence data which a number of councils access.
Because the public authority has official authority to control and maintain this register, they do not require a Schedule 1 condition for processing in order to comply with Article 10.
If you do not have official authority for the processing, it must be authorised by law. In the UK, this authorisation in law is set out in the conditions listed in Schedule 1 of the DPA 2018.
Schedule 1 sets out 28 potential conditions for processing criminal offence data (see below 'What are the conditions for processing?').
Schedule 1 (at paragraphs 5 and 38 to 41) also includes additional requirements for you to keep an appropriate policy document and records of processing in relation to criminal offence data. These requirements apply for some, but not all, of the conditions. For further detail see ‘How do the conditions work?’ (see below 'What are the conditions for processing?').
You must always ensure that your processing is generally lawful, fair and transparent, and complies with all of the other principles and requirements of the GDPR.
Remember that you always need to identify an Article 6 basis for processing, in order for your processing to be lawful.
In addition, in accordance with Article 10, you can only process criminal offence data if you have official authority for the processing, or if you can meet a DPA 2018 Schedule 1 condition.
You need to be able to demonstrate that your processing meets the specific requirements of the relevant conditions. For more detail on each condition, see ‘What are the conditions for processing?’ below.
Your lawful basis is not affected. Article 10 rules do not replace or override the usual rules on having a lawful basis for processing. Instead, they operate as an additional layer of conditions on top of the usual rules.
If you are processing criminal offence data, this means you must still identify a lawful basis for your processing, in exactly the same way as for any other personal data. In other words, you must identify both:
- a lawful basis under Article 6; and
- either official authority or a Schedule 1 condition for processing criminal offence data under Article 10.
However, if you are relying on legitimate interests as your lawful basis, you will need to take into account the particular risks associated with criminal offence data in your legitimate interests assessment. You may need to put in place more robust safeguards to mitigate any impact or risks to the individual to demonstrate that the legitimate interests basis applies.
Your choice of lawful basis under Article 6 does not dictate which Schedule 1 condition you must apply, and vice versa. You can choose whichever condition best fits the circumstances, irrespective of your lawful basis.
Of course, in some cases there may be an obvious link between the lawful basis and a particular condition. For example, if consent is your lawful basis, it would make sense to use consent as your condition to process criminal offence data.
However, some of the lawful bases do not have a direct link with a particular condition. This is because the conditions for criminal offence data are designed to be more restrictive and specific. This does not mean that you will never have a condition; just that you need to look at all of them to see if you can identify one that fits the circumstances and justifies that element of your processing.
In particular, even if you are not using consent as your lawful basis for all the data, you can still consider consent as your condition for processing any criminal offence data.
You must do a DPIA for any type of processing which is likely to be high risk. This means you are more likely to need to do a DPIA for criminal offence data, and be aware of the possible risks.
In particular, you must carry out a DPIA if you plan to process criminal offence data on a large scale, or to determine access to a product, service, opportunity or benefit.
If in doubt, we recommend you carry out a DPIA. This will make it easier to ensure you have appropriate safeguards in place and can demonstrate your compliance.
You must always ensure that your processing is generally lawful, fair and transparent, and complies with all the other principles and requirements of the GDPR. Be aware that the particular risks associated with criminal offence data might affect what is considered fair or what you need to do to comply.
In particular, you may need to consider:
- Data minimisation: it is particularly important to make sure you collect and retain only the minimum amount of criminal offence data, and can justify why you need this specific type of data.
- Security measures: one of the considerations for determining the appropriate level of security is the sensitivity of the personal data. You may need to consider whether you need additional security measures for criminal offence data.
- Transparency: you need to include information about categories of data in your privacy notice and other privacy information for individuals. If you are processing criminal offence data, you should make this clear (unless an exemption applies).
- Documentation: you must keep records if you process criminal offence data. You must also identify whether you need an ‘appropriate policy document’ (see below 'What are the conditions for processing?') under the DPA 2018. If so, your general documentation must include your Schedule 1 condition for processing the data, how you satisfy a lawful basis for that processing, and specific details about whether you have followed your retention and deletion policies; and if not, why not.
- Data protection officer (DPO): you must appoint a DPO if your core activities (in other words, your primary business objectives) require large scale processing of criminal offence data.
- UK representative: if you are not established in the UK but you offer services to or monitor individuals in the UK, and you process criminal offence data on a large scale, you will need to designate a representative in the UK. You may need a representative even for occasional small-scale processing of criminal offence data, unless you can show that it is low risk.
What are the conditions for processing?
The 28 conditions which are available for the processing of criminal offence data are set out in paragraphs 1 to 37 of Schedule 1 of the DPA 2018. Some Schedule 1 conditions apply only to special category data and so are not included here.
- Employment, social security and social protection
- Health or social care purposes
- Public health
- Statutory and government purposes
- Administration of justice and parliamentary purposes
- Preventing or detecting unlawful acts
- Protecting the public against dishonesty
- Regulatory requirements relating to unlawful acts and dishonesty
- Journalism in connection with unlawful acts and dishonesty
- Preventing fraud
- Suspicion of terrorist financing or money laundering
- Safeguarding of children and individuals at risk
- Elected representatives responding to requests
- Disclosure to elected representatives
- Informing elected representatives about prisoners
- Publication of legal judgments
- Anti-doping in sport
- Standards of behaviour in sport
- Vital interests
- Not-for-profit bodies
- Manifestly made public by the data subject
- Legal claims
- Judicial acts
- Administration of accounts used in commission of indecency offences involving children
You should identify which of these conditions appears to most closely reflect your purpose. This guidance gives you some general advice on how the conditions work, but you always need to refer to the detailed provisions of each condition (external link) in the legislation itself to make sure you can demonstrate it applies.
Remember that if none of the conditions apply, you may only process criminal offence data if you have official authority (see above 'What does ‘under the control of official authority’ mean?') to do so.
The conditions outlined in Schedule 1 do not all apply to both criminal offence data and special category data. There are many conditions which apply to both types of data, but some apply only to special category data, and others only to criminal offence data. The conditions also have different requirements and some are applied differently, depending on the nature of the data.
Note the conditions at paragraphs 29 to 34 are similar to the conditions for processing special category data which are listed in Article 9 of the GDPR. However, instead of being listed in Article 10 of the GDPR, they are outlined in Schedule 1 of the DPA 2018. This means there is further consistency in the conditions for Articles 9 and 10.
It is also important to be aware that the conditions do not necessarily work in the same way with respect to special category and criminal offence data. It is important you are clear what type of data you are processing and which condition applies to that specific data. You must make sure you apply the right provisions.
First you need to be clear about why you need criminal offence data, as most of the conditions are based on the specific purpose for the processing. You can then identify the most relevant condition.
Given the potential risks to individuals’ rights, the conditions are narrowly drawn. You are often required to meet detailed criteria and put in place specific safeguards and accountability measures. Some conditions are also limited to specific types of controllers.
For some of the conditions, you need to justify why you cannot give individuals a choice and get consent for your processing. This is different to the separate rules on having a lawful basis for processing personal data, where there is no preference for consent. Given the risks to individuals, there is more emphasis on obtaining consent for processing criminal offence data. However, this justification is not required for all conditions. Even where it is required, the law acknowledges there may be good reasons why you cannot get valid consent in some cases.
If you are unsure of the most appropriate condition, it can be useful to start by considering whether you could reasonably get consent (see below 'How does consent work?') for your processing. However, consent will not always be appropriate, particularly in the public sector. If there are good reasons why consent would not work, you can then consider the other Schedule 1 conditions. You should focus on your purpose for processing, ensuring that the criminal offence data is actually necessary for that purpose.
If your purpose is not covered by any of the conditions, you cannot process the criminal offence data. It does not matter how good your reason for processing might be. You need to change your plans to avoid using criminal offence data.
The only potential exemption from Article 10 is the public interest exemption for journalism, academia, art or literature. There are no other exemptions from Article 10.
The ICO cannot authorise the use of criminal offence data in the absence of a condition. Adding further conditions is a matter for government and would require new legislation.
In some cases, you must also have an ‘appropriate policy document’ (see below 'What is an appropriate policy document?') in place.
| Schedule 1 condition | Justify why no consent | Appropriate policy document |
|---|---|---|
| 1. Employment, social security and social protection | N | Y |
| 2. Health or social care purposes | N | N |
| 3. Public health | N | N |
| 4. Research | N | N |
| 6. Statutory and government purposes | N | Y |
| 7. Administration of justice and parliamentary purposes | N | Y |
| 10. Preventing or detecting unlawful acts | Y | Y/N* |
| 11. Protecting the public | Y | Y |
| 12. Regulatory requirements | Y | Y |
| 13. Journalism, academia, art and literature | N | N |
| 14. Preventing fraud | N | Y |
| 15. Suspicion of terrorist financing or money laundering | N | Y |
| 17. Counselling | Y | Y |
| 18. Safeguarding of children and individuals at risk | Y | Y |
| 23. Elected representatives responding to requests | Y | Y |
| 24. Disclosure to elected representatives | Y | Y |
| 25. Informing elected representatives about prisoners | N | Y |
| 25. Publication of legal judgments | N | Y |
| 27. Anti-doping in sport | N | Y/N* |
| 28. Standards of behaviour in sport | Y | Y |
| 29. Consent | N/A | N |
| 30. Vital interests | N | N |
| 31. Processing for not-for-profit bodies | N | N |
| 32. Manifestly made public by the data subject | N | N |
| 33. Legal claims | N | N |
| 34. Judicial acts | N | N |
| 35. Administration of accounts used in commission of indecency offences involving children | N | Y |
| 37. Insurance | Y | Y |
*Under conditions 10 and 27, you do not need an appropriate policy document to disclose data to the relevant authorities (or prepare to disclose it). However, you still need an appropriate policy document for other processing activities.
Further reading – ICO guidance
For more detail on how the following conditions are likely to work, read our guidance on the equivalent special category condition:
- Employment, social security and social protection
- Vital interests
- Not-for-profit bodies
- Made public by the data subject
- Legal claims and judicial acts
- Health or social care
- Public health
- Archiving, research and statistics
Schedule 1 refers to conditions 6-28 as the ‘substantial public interest’ conditions. These conditions apply both to criminal offence data and to special category data processing.
Each of these conditions outlines its own processing requirements. Some of the conditions assume that processing under that condition is always in the substantial public interest, for example ensuring equality or preventing fraud.
Other conditions, such as preventing or detecting unlawful acts or safeguarding of children and individuals at risk, explicitly require you to demonstrate that the processing is ‘necessary for reasons of substantial public interest’. However, paragraph 36 of Schedule 1 removes this requirement for criminal offence data, although the requirement remains in place for the processing of special category data. So if you are processing criminal offence data only, and not special category data, you can rely on one of the listed conditions without needing to demonstrate that the processing is necessary for reasons of substantial public interest.
Most of the conditions depend on you being able to demonstrate that the processing is ‘necessary’ for a specific purpose. This does not mean that processing has to be absolutely essential. However, it must be more than just useful or habitual. It must be a targeted and proportionate way of achieving that purpose.
The condition does not apply if you can reasonably achieve the same purpose by less intrusive means; and in particular, if you could do so by using data unrelated to criminal offences. This links to the data minimisation principle, which you should consider carefully for criminal offence data.
It is not enough to argue that processing is necessary because it is part of your particular business model, processes or procedures, or because it is standard practice. The question is whether the processing of the criminal offence data is a targeted and proportionate way of achieving the purpose described in the condition.
Condition 29 permits you to process criminal offence data if the individual consents to the processing.
Consent must be freely given, specific, informed, affirmative (opt-in), unambiguous and able to be withdrawn at any time.
You need to be particularly careful if you ask for consent as a condition of accessing a service, or if you are in a position of power over the individual, eg you are a public authority or the individual’s employer.
If you need to process criminal offence data to provide a service to the individual, consent may be available as your condition for processing that data, even if it is a condition of service. However, you must be confident that you can demonstrate consent is still freely given. In particular, the service itself must be genuinely optional for the individual, and the processing needs to be objectively necessary to perform the service and not just included in your terms for other purposes.
Some of the Schedule 1 conditions only apply if there is a good reason why you cannot get valid consent.
As a general rule, for these conditions you should consider first whether you could give individuals a choice and only process criminal offence data with their consent. However, there will often be a good reason why you should not give individuals an upfront choice. For example, you might not want to ask for consent if you were investigating someone and informing them might prejudice your investigation. Alternatively, you may be able to show that you cannot technically get valid consent in the circumstances, but there is a good reason to go ahead anyway. For example, public authorities, employers and other organisations in a position of power may not be able to demonstrate that consent would be freely given.
The details of the conditions vary, so if you do have a reason for not getting consent, or you do not think it would be valid, you must always check the detail of the relevant condition to see exactly what justification you need.
A delivery company wants to perform criminal record checks on their self-employed riders. They also wish to retain the results of this check.
Personal data contained in a criminal record check will be personal data ‘relating to criminal convictions and offences’ and will therefore fall under Article 10, even when the check reveals no convictions.
If the company can demonstrate there is a potential risk of unlawful behaviour in employing riders with a criminal record, they may be able to rely on condition 10 – preventing or detecting unlawful acts.
The company would not be able to use consent as their condition for processing (condition 29). Whilst the company may require consent to carry out the DBS check, this does not mean they can use that consent as their lawful basis for the processing. Under GDPR, that consent would not be considered to be freely given and it could not be withdrawn. In such circumstances, it is therefore not valid as a condition for processing.
An appropriate policy document is a short document outlining your compliance measures and retention policies for special category and criminal offence data. The DPA 2018 says you must have one in place for some of the criminal offence conditions, as a specific accountability and documentation measure.
For details of which conditions this applies to, see the table above: ‘How do the conditions work?’.
It does not have to take any particular form, as long as it briefly outlines:
- the Schedule 1 condition (or conditions) you are relying on;
- your procedures for complying with each of the principles;
- your retention and deletion policies; and
- an indication of the retention period for the specific data.
If you process criminal offence data for a number of different purposes, you do not need a separate policy document for each condition or processing activity. One document can cover them all. You should provide the data subject with sufficient information for them to understand how you are processing their criminal offence data and how long you will retain it for.
The ICO developed an appropriate policy document template (external link, Word document) to help you meet this requirement.
If you have carried out a DPIA, you should be able to reuse the material related to necessity and proportionality to inform your appropriate policy document.
You need to retain your appropriate policy document for at least six months after the date you stop the relevant processing, or longer depending on your business needs. You must keep it under review. You do not have to publish it, although it is good practice to do so. If we ask to see it, you must provide it to us free of charge.
You also need to include some further details in your general GDPR documentation:
- how the processing satisfies a lawful basis;
- your condition for processing criminal offence data; and
- whether you have followed your retention and deletion policies, and if not, why not.