ICO’s new guidance on criminal offence data
Criminal offence data
The GDPR sets out an employee’s legal rights in relation to the processing of their personal data. It also grants additional protection to all personal data which relates to “criminal convictions and offences or related security measures” .
The Information Commissioner’s Office (ICO), which is the body that’s responsible for enforcing the GDPR , collectively refers to this type of data as “criminal offence data” , although that’s not a term which is specifically used in the GDPR .
All criminal offence data is classed as “sensitive personal data” and is subject to special rules.
There is also an automatic presumption that data controllers, such as employers, will treat criminal offence data with much greater care.
That’s because collecting, using and processing it is more likely to interfere with an individual’s fundamental rights, e.g. their right to privacy.
At the beginning of November 2020 the ICO released detailed guidance on criminal offence data and its processing (see The next step ). It applies in the employment setting, so you must have regard to it. As you would expect, it’s deemed relevant where an employee is known to have committed a criminal offence.
This information might come into your possession because an employee is convicted of a criminal offence whilst in your employment.
But what about where an employee is alleged to have committed a crime, for example they are under police investigation, or you suspect them of committing a crime in your workplace?
An example here might be that you suspect an employee is stealing money from the till, or goods from your workplace, and you compile evidence of the employee’s shifts and what has gone missing.
The ICO’s guidance confirms that it has a wide application and must be taken into account where there are suspected criminal offences, unproven allegations and/or criminal proceedings.
Tip. The guidance explains when criminal offence data can be lawfully collected, how it should be processed and when this activity is authorised. Anyone who is responsible for data protection in your business should download and read a copy as soon as possible.
Tip. The guidance also points out that data controllers must not maintain a central register of known criminal offences. In the employment setting this could be a list of employees that drive on work-related business who have motoring convictions.