
What are DPIAs?

DPIAs are processes designed to help organisations identify and minimise the data protection risks associated with a project. Organisations must carry out a DPIA whenever the data processing is likely to result in a high risk to individuals. For more information, read Processing high-risk personal data and DPIAs.

What is criminal offence data?

Infographic defining what criminal offence data is

Criminal offence data is personal data that relates to criminal convictions and offences or related security measures. This includes information about:

  • criminal activity

  • allegations (including unproven allegations)

  • investigations

  • proceedings

  • personal data of victims and witnesses of crime

  • personal data about penalties

  • conditions/restrictions placed on someone as part of the criminal justice process

  • civil measures that may lead to a criminal penalty if not adhered to

For more information, read the Information Commissioner’s Office’s (ICO) guidance on criminal offence data.

When can an organisation process criminal offence data?

Organisations can only process criminal offence data if they have a lawful basis (or ‘lawful ground’) for the processing. This means that at least one of the 6 grounds for processing (eg consent or public interest) is met. 

It is important to note that employers should not rely on consent as their lawful basis for processing if they need to carry out Disclosure and Barring Service (DBS) checks on potential employees, as this would not constitute valid consent under the UK General Data Protection Regulation (GDPR). However, employers must obtain potential employees' consent before conducting DBS checks on them. For more information on this, read Compliance for DPIAs.

Even after a lawful basis for processing has been established, criminal offence data can only be processed if the processing is either carried out under the control of an official authority or authorised by domestic law.

Infographic noting that for data processing to be necessary, it must be more than just useful

Processing under the control of an official authority

If the processing of criminal offence data is carried out under the control of an official authority, no further authorisation under UK law is needed.

It’s important to note that organisations can only keep a comprehensive register of criminal convictions if the register is ‘under the control of official authority’. Public bodies (and private bodies given public sector tasks) may have such official authority to process criminal offence data set out in the law. A body claiming official authority is responsible for identifying the specific law granting it the authority to process criminal offence data. Further, if the body wishes to maintain a comprehensive register of criminal convictions, it needs to consider whether it has sufficient official authority to do so.

For example, the DBS, courts, and DVLA have specific official authority to process criminal offence data they hold, in addition to keeping a comprehensive register.

Processing authorised by domestic law

Where there is no official authority to process criminal offence data, any processing of criminal offence data must be authorised by UK law. This means that one of the 28 conditions outlined in the Data Protection Act 2018 (DPA) must be met.

Organisations will need to identify which of the conditions for processing criminal offence data most closely reflects their purpose. Reference must be made to the detailed provisions of each condition to demonstrate that the condition applies to the specific situation. If an organisation’s purpose for processing is not covered by any of the conditions, the criminal offence data cannot be processed, regardless of how good the reason for processing is.

Most of the 28 conditions rely on the organisation demonstrating that the processing is necessary for a specific purpose. Being ‘necessary’ doesn’t mean that the processing has to be absolutely essential, but it must be more than useful or habitual. It must also be a targeted and proportionate way of achieving the purpose. The processing is not necessary if the organisation can reasonably achieve the same purpose by less intrusive means and if it can do so by using data unrelated to criminal offences.

What are the conditions for processing criminal offence data authorised by domestic law?

To demonstrate that the processing is authorised by domestic (ie UK) law, organisations need to meet at least one of the 28 conditions set out in Schedule 1 of the DPA. The 28 conditions are as follows:

Employment, social security, and social protection

This condition is met if the processing is necessary for performing (or exercising) obligations (or rights) imposed (or conferred) by law on the organisation or the data subject (ie the individual the data relates to) in connection with employment, social security, or social protection. Read Compliance for DPIAs (specifically the associated conditions in the ‘Employment, social security and social protection’ section) for more information on what this means.

Health or social care purposes

This condition is met if the processing is necessary for health or social care purposes. Read Compliance for DPIAs (specifically the associated conditions in the ‘Health or social care’ section) for more information on what this means.

Public health

This condition is met if the processing is necessary for reasons of public interest in the area of public health and is either carried out:

  • by or under the responsibility of a health professional, or

  • by another person who, in the circumstances, owes a duty of confidentiality under an enactment or rule of law

Read Compliance for DPIAs (specifically the associated conditions in the ‘Public health’ section) for more information on what this means.

Research

This condition is met if the processing is:

Read Compliance for DPIAs (specifically the associated conditions in the ‘Archiving, research and statistics’ section) for more information on what this means.

Statutory and government purposes

This condition is met if the processing is necessary for the exercise of a function:

  • given to a person by an enactment or rule of law, or

  • of the Crown, a Minister of the Crown, or a government department

Administration of justice and parliamentary purposes

This condition is met if the processing is necessary for:

  • the administration of justice, or

  • the exercise of a function of either House of Parliament

Preventing or detecting unlawful acts

This condition is met if the processing is:

  • necessary for the purposes of the prevention or detection of an unlawful act, and

  • carried out without the data subject’s consent in order not to prejudice those purposes

Protecting the public against dishonesty

This condition is met if the processing is necessary for the exercise of a protective function. This is an action intended to protect members of the public against:

  • dishonesty, malpractice, or other seriously improper conduct

  • unfitness or incompetence

  • mismanagement in the administration of a body or association, or

  • failures in services provided by a body or association

The processing must also be carried out without the data subject’s consent in order not to prejudice the exercise of that function.

Regulatory requirements

This condition is met if the processing is necessary to comply with (or assist others to comply with) a regulatory requirement involving a person taking steps to establish whether another person has:

  • committed an unlawful act, or

  • been involved in dishonesty, malpractice, or other seriously improper conduct

In these circumstances, the organisation cannot reasonably be expected to obtain the consent of the data subject to the processing.

Journalism, academia, art, and literature

This condition is met if the processing:

  • consists of the disclosure of personal data for journalistic, academic, artistic, or literary purposes

  • is carried out in connection with any of the following (whether alleged or established):

    • a person's commission of an unlawful act

    • a person’s dishonesty, malpractice, or other seriously improper conduct

    • a person’s unfitness or incompetence

    • mismanagement in the administration of a body or association, or

    • a failure in services provided by a body or association

  • is carried out with a view to the publication of the personal data by any person, and

  • the organisation reasonably believes that the publication of the personal data is in the public interest

Preventing fraud

This condition is met if the processing is necessary to prevent fraud or a particular kind of fraud, and:

  • the personal data is disclosed by a member of an anti-fraud organisation

  • the personal data is disclosed in accordance with arrangements made by an anti-fraud organisation, or

  • the personal data is processed after being disclosed by a member of or in accordance with arrangements made by an anti-fraud organisation

An anti-fraud organisation is any body corporate, unincorporated association, or other person that enables or facilitates any sharing of information to prevent fraud or a particular kind of fraud, or which has the prevention of fraud or any kind of fraud as its purpose (or one of its purposes).

Suspicion of terrorist financing or money laundering

This condition is met if the processing is necessary to make a disclosure in good faith under the:

  • Terrorism Act 2000 - this is disclosure between certain entities within the regulated sector in relation to the suspicion of a commission of a terrorist financing offence or to identifying terrorist property

  • Proceeds of Crime Act 2002 - this is disclosure within the regulated sector in relation to suspicions of money laundering

Counselling

This condition is met if the processing is:

  • necessary to provide confidential counselling, advice, or support, or another similar service provided confidentially, and

  • carried out without the consent of the data subject for one of the following reasons:

    • in the circumstances, the data subject cannot consent to the processing

    • in the circumstances, the organisation cannot reasonably be expected to obtain the data subject’s consent to the processing, or

    • the processing must be carried out without the data subject’s consent because obtaining such consent would prejudice the provision of the confidential (counselling) services

Safeguarding of children and individuals at risk

This condition is met if the processing is:

  • necessary to protect:

    • an individual from neglect or physical, mental, or emotional harm, or

    • the physical, mental, or emotional wellbeing of an individual

  • related to an individual over 18 and at-risk (eg because they have care/support needs or are experiencing neglect) or under 18, and

  • carried out without the consent of the data subject for one of the following reasons:

    • in the circumstances, the data subject cannot consent to the processing

    • in the circumstances, the organisation cannot reasonably be expected to obtain the data subject’s consent to the processing, or

    • the processing must be carried out without the data subject’s consent because obtaining such consent would prejudice the protection of the individual

Elected representatives responding to requests

This condition is met if the processing is:

  • carried out: 

    • by an elected representative (eg a member of the House of Commons, the Mayor of London, or a police and crime commissioner) or a person acting with the authority of such a representative

    • in connection with the discharge of the elected representative’s functions, and

    • in response to a request by an individual that the elected representative take action on behalf of the individual, and

  • necessary for the purposes of (or in connection with) the action reasonably taken by the elected representative in response to that request

Where the request is made by someone other than the data subject, the above conditions are met only if the processing must be carried out without the data subject’s consent for one of the following reasons:

  • in the circumstances, the data subject cannot consent to the processing

  • in the circumstances, the elected representative cannot reasonably be expected to obtain the data subject’s consent to the processing

  • obtaining the data subject’s consent would prejudice the action taken by the elected representative, or

  • the processing is necessary for the interests of another individual, and the data subject has withheld consent unreasonably

Disclosure to elected representatives

This condition is met if the:

  • processing consists of the disclosure of personal data:

    • to an elected representative (eg a member of the House of Commons, the Mayor of London, or a police and crime commissioner) or a person acting with the authority of such a representative, and

    • in response to a communication to the organisation from that representative, which was made in response to a request from an individual

  • personal data is relevant to the communication’s subject matter, and

  • disclosure is necessary for responding to that communication

Where the request to the elected representative is made by someone other than the data subject, the above conditions are met only if the disclosure must be made without the data subject’s consent for one of the following reasons:

  • in the circumstances, the data subject cannot consent to the processing

  • in the circumstances, the elected representative cannot reasonably be expected to obtain the data subject’s consent to the processing

  • obtaining the data subject’s consent would prejudice the action taken by the elected representative, or

  • the processing is necessary for the interests of another individual, and the data subject has withheld consent unreasonably

Informing elected representatives about prisoners

This condition is met if the:

  • processing is of personal data about a prisoner for the purpose of informing a member of the House of Commons, a member of the National Assembly for Wales, or a member of the Scottish Parliament about the prisoner, and

  • member is under an obligation not to further disclose the personal data

Publication of legal judgments

This condition is met if the processing:

  • consists of the publication of a judgment (or other decision of a court or tribunal), or

  • is necessary for the purposes of publishing such a judgment (or decision)

Anti-doping in sport

This condition is met if the processing is necessary for the purposes of:

  • measures designed to eliminate doping (including measures to identify or prevent doping) that are undertaken by (or under the responsibility of) a body/association responsible for eliminating doping in a sport, at a sporting event, or in sport generally, or

  • providing information about doping, or suspected doping, to such a body/association

Standards of behaviour in sport

This condition is met if the processing:

  • is necessary for the purposes of measures designed to protect the integrity of a sport or a sporting event, and 

  • must be carried out without the data subject’s consent so as not to prejudice those purposes

‘Measures designed to protect the integrity of a sport or a sporting event’ means measures to protect a sport or sporting event against:

  • dishonesty, malpractice, or other seriously improper conduct, or

  • failure by someone participating in the sport or event (in any capacity) to comply with behaviour standards set by a body/association with responsibility for the sport or event

Consent

This condition is met if the data subject has explicitly consented to the processing. Read Compliance for DPIAs (specifically the ‘Explicit consent’ section) for more information on what this means.

Vital interests

This condition is met if processing is necessary to protect the vital interests of an individual and the data subject is incapable of giving consent (physically or legally). Read Compliance for DPIAs (specifically the ‘Vital interests’ section) for more information on what this means.

Not-for-profit bodies

This condition is met if the processing is carried out in the course of the body’s legitimate activities (with appropriate safeguards), and:

  • the processing relates only to the members (or former members) of the body or to persons who have regular contact with it in connection with its purposes, and

  • the personal data is not disclosed outside that body without the consent of the data subjects

Read Compliance for DPIAs (specifically the ‘Not-for-profit bodies’ section) for more information on what this means.

Manifestly made public by the data subject

This condition is met if the processing relates to personal data that is manifestly made public by the data subject themselves. Read Compliance for DPIAs (specifically the ‘Made public by the data subject’ section) for more information on what this means.

Legal claims

This condition is met if the processing is:

  • necessary for, or in connection with, any legal proceedings (including prospective legal proceedings)

  • necessary for the purpose of obtaining legal advice, or

  • otherwise necessary for the purposes of establishing, exercising, or defending legal rights

Read Compliance for DPIAs (specifically the ‘Legal claims or judicial acts’ section) for more information on what this means.

Judicial acts

This condition is met if the processing is necessary when a court or tribunal is acting in its judicial capacity. Read Compliance for DPIAs (specifically the ‘Legal claims or judicial acts’ section) for more information on what this means.

Administration of accounts used in the commission of indecency offences involving children

This condition is met if the personal data being processed is about a conviction or caution for an offence listed below:

  • the taking (or permitting to be taken) of indecent photographs of children

  • the distribution or showing of indecent photographs of children

  • the publishing (or causing to be published) of any advertisement likely to be understood as conveying that the advertiser distributes/shows indecent photographs of children

  • the possession of indecent photographs of children, or

  • incitement to commit an offence under any of the above provisions

Further, the processing must be necessary for the purpose of administering an account relating to the payment card (including credit, charge, and debit cards) used in the commission of the offence or cancelling that payment card.

Insurance

This condition is met if the processing:

  • would, but for the requirements for the processing to be of a category of personal data revealing racial/ethnic origin, religious/philosophical beliefs, genetic data/data concerning health, or trade union, meet: 

    • the ‘insurance condition’ (see Substantial public interest for DPIAs, specifically the ‘Insurance’ section, for more information), or

    • the ‘insurance condition’, apart from being able to expressly demonstrate that the processing is necessary for reasons of substantial public interest

 

For more information on processing criminal offence data, see the ICO’s guidance on the conditions for processing criminal offence data. Note that for some of the above conditions, an Appropriate policy document (APD) must be in place at the time of processing. For more information, read Appropriate policy documents (APDs) for data protection.



Written and reviewed by experts
This guide was created, edited, and reviewed by editorial staff who specialise in translating complex legal topics into plain language.

At Rocket Lawyer, we believe legal information should be both reliable and easy to understand—so you don't need a law degree to feel informed. We follow a rigorous editorial policy to ensure all our content is helpful, clear, and as accurate and up-to-date as possible.

About this page:

  • this guide was written and reviewed by Rocket Lawyer editorial staff
  • this guide was last reviewed or updated on 13 January 2026
