The law on criminal convictions data – a complex area

Prior to the GDPR, personal data relating to criminal convictions in the UK was treated as ‘sensitive personal data’ and subject to the same regime as, for example, health data or data relating to ethnicity. That wasn’t always the case across the EU as a number of other European countries prior to GDPR treated criminal data as a separate category from other sensitive data. Now, under the GDPR, separate measures apply specifically to personal data relating to criminal convictions and offences or related security measures (Article 10 data). This is distinguished from special category data (which is the bulk of the old sensitive personal data categories) which is regulated under Article 9. In the UK, the Data Protection Act 2018 (the DPA) makes clear this includes data relating to the alleged commission of offences and proceedings for an offence or alleged offence, including the disposal of any proceedings (including sentencing). The definition is therefore fairly wide.

As with all data processing, controllers processing Article 10 data must have a lawful basis for doing so. In other words, they must identify and satisfy a lawful basis under Article 6. In addition, they must also have either official or legal authority (under European or Member State law) for the processing.

The DPA authorises the processing of Article 10 data if certain conditions are met, including where it is necessary for employment or safeguarding purposes; or where it is necessary to comply with a regulatory requirement. Not-for-profit bodies with a political, philosophical, religious or trade union aim are also permitted to process such data, subject to certain limitations. A comprehensive register of criminal convictions can only be kept if a controller has official authority to do so.

Careful analysis should be undertaken to ensure that any condition relied upon is satisfied and the correct lawful basis identified, and controllers must record both the condition(s) and the lawful basis (or bases) relied upon. Controllers must also have in place an ‘appropriate policy document’ in relation to the Article 10 data, explaining their procedures for complying with the six general principles for data processing under the GDPR and their retention and erasure procedures, including an indication of how long the data will likely be retained. The requirement for an appropriate policy document is a new feature under the DPA, and the ICO has provided a template appropriate policy document on its website. However, this requirement can be met by relying on other documents that form part of an organisation’s data protection compliance framework: an organisation does not have to implement a standalone document if the requirements are dealt with in other policies.

The UK’s recent departure from the EU has not affected these requirements.

ICO consultation

The ICO is conducting a survey to find out if gaps exist in controllers’ awareness and understanding of this legal framework, and wants to hear from controllers who process Article 10 data. The survey specifically asks about the key challenges controllers face when processing Article 10 data, and what might assist them in furthering their understanding of the relevant requirements. The ICO has so far only published limited guidance on Article 10 data, and it can therefore be difficult for controllers to know which conditions (in the DPA) may apply to them and whether they have legal authority for the processing.

The survey will inform the ICO’s future work, such as the development of guidance or events. As detailed guidance in this area is anticipated but yet to be published, this is a good opportunity for controllers to potentially influence the content of the guidance and make it helpful for them. Given the complexity of the law in this area, it is welcome that stakeholder views are being sought and we would encourage all organisations that regularly use Article 10 data to complete the survey (takes around 15 minutes to complete!). Details of how to do so can be found here on the ICO’s website. The deadline for responses is Friday 28 February.

If you would like advice on processing Article 10 data, or on any other aspect of data protection law, please contact Victoria Hordern on [email protected] or another member of the Bates Wells data privacy team.