Unlock, a charity that assists people with criminal convictions, has published new guidance to help employers ensure that their policies and practices on collecting criminal records data during recruitment are compliant with the GDPR and the Data Protection Act 2018. The guidance includes contributions from the Information Commissioner’s Office.

The guidance emphasises that collecting criminal records data during the initial job application stage is unlikely to be compliant with data protection laws as it’s unlikely to be necessary; employers must be able to demonstrate that processing criminal records data is necessary at whatever stage they decide to collect it. The guidance also states that employers should have a policy in place on collecting personal data, which includes a section on the processing of criminal records data. That policy should clearly identify the purpose of collecting criminal records data and the lawful basis for collecting it, explain how long this data will be retained and who it will be shared with and set out job applicants’ legal rights in relation to their information.

Finally, Unlock recommends employers follow a three-stage process to determine if, when and how they should ask about criminal records:

  1. Define the purpose of collecting criminal records data.
  2. Identify a lawful basis for processing and meet a condition of processing.
  3. Set out their privacy policy and data subject rights.