DATA PROTECTION - 19.11.2020

ICO’s new guidance on criminal offence data

In November 2020 the Information Commissioner’s Office (ICO) released new guidance on the processing of criminal offence data. Does it apply where an employee is only suspected of committing a criminal offence?

Criminal offence data

The GDPR sets out an employee’s legal rights in relation to the processing of their personal data. It also grants additional protection to all personal data which relates to “criminal convictions and offences or related security measures” .

Sensitive data

The Information Commissioner’s Office (ICO), which is the body that’s responsible for enforcing the GDPR , collectively refers to this type of data as “criminal offence data” , although that’s not a term which is specifically used in the GDPR .

All criminal offence data is classed as “sensitive personal data” and is subject to special rules.

Greater care

There is also an automatic presumption that data controllers, such as employers, will treat criminal offence data with much greater care.

That’s because collecting, using and processing it is more likely to interfere with an individual’s fundamental rights, e.g. their right to privacy.

New guidance

At the beginning of November 2020 the ICO released detailed guidance on criminal offence data and its processing (see The next step ). It applies in the employment setting, so you must have regard to it. As you would expect, it’s deemed relevant where an employee is known to have committed a criminal offence.

Known convictions

This information might come into your possession because an employee is convicted of a criminal offence whilst in your employment.

But what about where an employee is alleged to have committed a crime, for example they are under police investigation, or you suspect them of committing a crime in your workplace?

Wide application

An example here might be that you suspect an employee is stealing money from the till, or goods from your workplace, and you compile evidence of the employee’s shifts and what has gone missing.

The ICO’s guidance confirms that it has a wide application and must be taken into account where there are suspected criminal offences, unproven allegations and/or criminal proceedings.

Tip. The guidance explains when criminal offence data can be lawfully collected, how it should be processed and when this activity is authorised. Anyone who is responsible for data protection in your business should download and read a copy as soon as possible.

Tip. The guidance also points out that data controllers must not maintain a central register of known criminal offences. In the employment setting this could be a list of employees that drive on work-related business who have motoring convictions.

The ICO’s guidance applies where a criminal offence is committed, alleged or there’s an investigation. It must also be followed if an employee is suspected of committing a criminal offence at work, e.g. theft. By law, you cannot maintain a central register of criminal offences, e.g. a list of employees who have motoring convictions.

© Indicator - FL Memo Ltd

Tel.: (01233) 653500 • Fax: (01233) 647100

Calgarth House, 39-41 Bank Street, Ashford, Kent TN23 1DQ

VAT GB 726 598 394 • Registered in England • Company Registration No. 3599719