Back to Blog

Employee Criminal Records – Updated Guidance

Finding out that a job applicant has a criminal record can often be a fatal blow to the decision to hire somebody. Inevitably, having a criminal record carries with it a stigma and, as the charity Unlock states “it’s a sad irony that a criminal record only becomes a problem when someone decides to get on in life; a criminal record check is not required to sell drugs or join a gang, but it is to get a job or go to university.”

There are rules around when criminal records checks should be undertaken and what employers can do if and when they find out an applicant has a criminal record. In practice, however, it often forms part of the standard application procedure, with candidates assuming that they have to provide the information asked for, whether that is through self-disclosure or agreeing to have a DBS (Disclosure and Barring Service) check carried out.

Employers should be aware of two recent updates on undertaking criminal records checks and how this might impact on their practices.

Updated guidance from the ICO

Earlier this month the Information Commissioner published new guidance on the processing of criminal offence data, from a data privacy perspective. The guidance outlines that special conditions apply for criminal offence data, not only because it may be regarded as sensitive, but because use of this data could create significant risks to the individual’s fundamental rights and freedoms. The focus of the guidance is on data controllers ensuring that they have a legal basis for processing data that is applicable to their specific circumstances, and that the processing they carry out is reasonable and proportionate given their specific situation.

As we have often cautioned since the implementation of the GDPR, relying on consent as a lawful basis to process data has its limitations. From a recruitment perspective, as in this context, it can be difficult to show that consent was freely given. The ICO reiterates that the fact that consent is required for a DBS check does not mean that that consent will be a valid lawful basis for data privacy purposes.

The guidance reminds employers that they will likely need an appropriate policy in place where they process criminal data, and that they may need to carry out a data protection impact assessment where their processing is ‘high risk’.

New DBS filtering rules

New rules coming which came into effect on 28 November 2020 will have an impact on the information that will be disclosed as part of a standard or enhanced DBS check:

  • there will no longer be a requirement for youth cautions, reprimands and warnings to be automatically disclosed; and
  • the multiple conviction rule has been removed, meaning that if an individual has more than one conviction, regardless of offence type or time passed, each conviction will be considered against the rules individually, rather than being automatically disclosed. 

The changes have come about following a legal challenge in 2019 where the Supreme Court found that the DBS ‘filtering’ system – the process by which the DBS decides what offences should be disclosed and designed to filter out old and minor criminal offences from disclosure – didn’t go far enough and was disproportionate.

The problem with the old filtering system was that it didn’t take account of what might have been a stupid mistake in youth as there was no discretion over age or seriousness of the offence; a criminal record can dog someone’s life for decades due to the stigma attached. In relation to the multiple conviction rule, it didn’t take account of the fact that, in many cases, it was inevitable that someone had more than one conviction. For example, stealing a car is likely to mean that a person is charged with both theft and driving without insurance.

What should employers be doing?

  • If you process criminal data about candidates or employees, make sure you have an appropriate policy in place which sets out what information you will collect and what you will do with it. Ideally your policy document will demonstrate that carrying out these checks is not a barrier to employment, rather that you are just trying to take proper steps in your recruitment processes;
  • Consider whether you need to carry out a data protection impact assessment. The ICO says this is likely to be needed if you plan to process criminal offence data on a large scale, or to determine access to a product, service, opportunity or benefit. If in doubt, we recommend you carry out a DPIA;
  • Read the new DBS guidance– it includes suggested wording for inclusion in application forms where you ask candidates to self-disclose and a disclaimer to candidates reminding them of what they are (and aren’t) obliged to disclose;
  • Think about your recruitment process – you should only ask an individual to provide details of convictions and cautions that you are legally entitled to know about, so think carefully about whether you genuinely need to know whether someone has a criminal record in relation to the role you are recruiting for;
  • If you do carry out a criminal records check on a candidate, consider allowing that individual to give context to the offence disclosed, rather than just simply writing off the candidate. You could also carry out a risk assessment to identify whether the information disclosed is likely to pose a risk and whether you can mitigate that risk.
  • Speak to us if you need help navigating the new guidance – we can help you create the right policies and procedures to ensure that you don’t fall foul of the rules.

If a chat about any of the issues raised here would be helpful or if you would like to soundboard any HR or employment law issue don’t hesitate to reach out to our team for a free consultation or contact us at

Share this post

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to Blog