Profile information Account settings
Logout
Sign up Log in

Criminal offence data for DPIAs

A lawful basis of processing needs to be established whenever a data protection impact assessment (DPIA) is carried out. This is especially true where criminal offence data is being processed. Read this guide to find out more about processing criminal offence data.

Make your Data protection impact assessment
Get started
Answer a few questions. We'll take care of the rest

A DPIA is a process designed to help organisations identify and minimise the data protection risks of a project. Where the processing (eg obtaining or recording) of personal data (eg names, addresses and information about racial or ethnic origin) is likely to result in a high risk to individuals, a DPIA needs to be completed. For more information, read Data protection impact assessments.

Criminal offence data is personal data that relates to criminal convictions and offences or related security measures. This includes information about:

  • criminal activity

  • allegations (including unproven allegations)

  • investigations

  • proceedings

  • personal data of victims and witnesses of crime

  • personal data about penalties

  • conditions/restrictions placed on someone as part of the criminal justice process

  • civil measures that may lead to a criminal penalty if not adhered to

For more information, read the Information Commissioner’s Office (ICO) guidance.

Organisations can only process criminal offence data if they have a lawful basis for processing. This means that at least one of the six grounds for processing (eg consent or public interest) is met. It is important to note that employers should not rely on consent as their lawful basis for processing if they need to carry out DBS checks on potential employees, as it would not constitute valid consent under the UK GDPR. However, employers must obtain potential employees' consent before carrying out Disclosure and Barring Service (DBS) checks on them. For more information on this, read Compliance for DPIAs.

Even after a lawful basis for processing has been established, criminal offence data can only be processed if the processing is either carried under the control of official authority or authorised by domestic law.

Processing under the control of official authority

If the processing of criminal offence data is carried out ‘under the control of official authority’ no further authorisation under UK law is needed. Moreover, organisations may only keep a comprehensive register of criminal convictions if the register is ‘under the control of official authority’.

Public bodies (and private bodies given public sector tasks) may have such ‘official authority’ to process criminal offence data set out in the law. A body claiming such ‘official authority’ is responsible for identifying the specific law granting them the authority to process criminal offence data. Further, if the body wishes to maintain a comprehensive register of criminal convictions, they will need to consider if they have sufficient official authority to do so.

For example, the DBS, courts and DVLA have specific official authority to process criminal offence data they hold, in addition to keeping a comprehensive register.

Processing authorised by domestic law

Where there is no official authority to process criminal offence data, any such processing must be authorised by UK law. This means that one of the 28 conditions set out in the Data Protection Act 2018 (DPA) needs to be met.

Organisations will need to identify which of the conditions for processing criminal offence data most closely reflects their purpose. Reference will need to be made to the detailed provisions of each condition to demonstrate that the condition applies to the specific situation. If an organisation’s purpose for processing is not covered by any of the conditions the criminal offence data cannot be processed (regardless of how good the reason for processing is).

Most of the 28 conditions rely on the organisation demonstrating that the processing is necessary for a specific purpose. Being ‘necessary’ doesn’t mean that the processing has to be absolutely essential, but it must be more than useful or habitual. It must also be a targeted and proportionate way of achieving the purpose. The processing is not necessary if the organisation can reasonably achieve the same purpose by less intrusive means and if it can do so by using data unrelated to criminal offences.

To be able to demonstrate that the processing is authorised by UK law, organisations need to meet one of the following conditions:

Employment, social security and social protection

This condition is met if the processing is necessary for performing (or exercising) obligations (or rights) imposed (or conferred) by law on the organisation or the data subject (ie the individual the data relates to) in connection with employment, social security or social protection. Read Compliance for DPIAs (specifically the associated conditions in the ‘Employment, social security and social protection’ section) for more information on what exactly this means.

Health or social care purposes

The processing is necessary for health or social care purposes. Read Compliance for DPIAs (specifically the associated conditions in the ‘Health or social care’ section) for more information on what exactly this means.

Public health

The processing is necessary for reasons of public interest in the area of public health and is carried out:

  • by or under the responsibility of a health professional

  • by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law

Read Compliance for DPIAs (specifically the associated conditions in the ‘Public health’ section) for more information on what exactly this means.

Research

The processing is:

  • ​​necessary for archiving, statistical or research (scientific or historic) purposes

  • carried out in accordance with Article 89(1) of the GDPR (as supplemented by section 19), and

  • in the public interest

Read Compliance for DPIAs (specifically the associated conditions in the ‘Archiving, research and statistics’ section) for more information on what exactly this means.

Statutory and government purposes

The processing is necessary for the exercise of a function:

  • given to a person by an enactment or rule of law

  • of the Crown, a Minister of the Crown or a government department

Administration of justice and parliamentary purposes

The processing is necessary for:

  • the administration of justice

  • the exercise of a function of either House of Parliament

Preventing or detecting unlawful acts

The processing is:

  • necessary for the purposes of the prevention or detection of an unlawful act, and

  • carried out without the data subject’s consent in order to not prejudice those purposes

Protecting the public against dishonesty

The processing is necessary for the exercise of a protective function. This is an action intended to protect members of the public against:

  • dishonesty, malpractice or other seriously improper conduct

  • unfitness or incompetence

  • mismanagement in the administration of a body or association

  • failures in services provided by a body or association

The processing must also be carried out without the data subject’s consent in order to not prejudice the exercise of that function.

Regulatory requirements

The processing is necessary to comply with (or assist others to comply with) a regulatory requirement involving a person taking steps to establish whether another person has:

  • committed an unlawful act

  • been involved in dishonesty, malpractice or other seriously improper conduct

In these circumstances, the organisation cannot reasonably be expected to obtain the consent of the data subject to the processing.

Journalism, academia, art and literature

The processing:

  • consists of the disclosure of personal data for journalistic, academic, artistic or literary purposes

  • is carried out in connection with any of the following (whether alleged or established):

    • a person's commission of an unlawful act

    • a person’s dishonesty, malpractice or other seriously improper conduct

    • a person’s unfitness or incompetence

    • mismanagement in the administration of a body or association

    • a failure in services provided by a body or association

  • is carried out with a view to the publication of the personal data by any person, and

  • the organisation reasonably believes that the publication of the personal data is in the public interest

Preventing fraud

The processing is necessary to prevent fraud or a particular kind of fraud and:

  • the personal data is disclosed by a member of an anti-fraud organisation

  • the personal data is disclosed in accordance with arrangements made by an anti-fraud organisation

  • the personal data is processed after being dislocated by a member of or in accordance with arrangements made by an anti-fraud organisation

An anti-fraud organisation is any body corporate, unincorporated association or other person that enables or facilitates any sharing of information to prevent fraud or a particular kind of fraud or which has the prevention of fraud or any kind of fraud as its purpose (or one of its purposes).

Suspicion of terrorist financing or money laundering

Where the processing is necessary to make a disclosure in good faith under the:

  • Terrorism Act 2000 - this is disclosure between certain entities within the regulated sector in relation to suspicion of commission of terrorist financing offence or to identifying terrorist property

  • Proceeds of Crime Act 2002 - this is disclosure within the regulated sector in relation to suspicions of money laundering

Counselling

The processing is:

  • necessary to provide confidential counselling, advice, support or of another similar service provided confidentially, and

  • carried out without the consent of the data subject for one of the following reasons:

    • where, in the circumstances, the data subject cannot consent to the processing

    • where, in the circumstances, the organisation cannot reasonably be expected to obtain the data subject’s consent to the processing

    • the processing must be carried out without the data subject’s consent because obtaining such consent would prejudice the provision of the confidential (counselling) service

Safeguarding of children and individuals at risk

The processing is:

  • necessary to protect:

    • an individual from neglect or physical, mental or emotional harm

    • the physical, mental or emotional wellbeing of an individual

  • related to an individual under 18 or over 18 and at-risk (eg because they have care/support needs or is experiencing neglect), and

  • carried out without the consent of the data subject for one of the following reasons:

    • where, in the circumstances, the data subject cannot consent to the processing

    • where, in the circumstances, the organisation cannot reasonably be expected to obtain the data subject’s consent to the processing

    • the processing must be carried out without the data subject’s consent because obtaining such consent would prejudice the protection of the individual

Elected representatives responding to requests

The processing is:

  • carried out: 

    • by an elected representative (eg a member in the House of Commons, the Mayor of London or a police and crime commissioner) or a person acting with the authority of such a representative

    • in connection with the discharge of the elected representative’s functions

    • in response to a request by an individual that the elected representative take action on behalf of the individual, and

  • necessary for the purposes of (or in connection with) the action reasonably taken by the elected representative in response to that request

Where the request is made by someone other than the data subject, the above conditions are met only if the processing must be carried out without the data subject’s consent for one of the following reasons:

  • where, in the circumstances, the data subject cannot consent to the processing

  • where, in the circumstances, the elected representative cannot reasonably be expected to obtain the data subject’s consent to the processing

  • where obtaining the data subject’s consent would prejudice the action taken by the elected representative

  • the processing  is necessary in the interests of another individual and the data subject has withheld consent unreasonably

Disclosure to elected representatives

This condition is met if the:

  • processing consists of the disclosure of personal data:

    • to an elected representative (eg a member in the House of Commons, the Mayor of London or a police and crime commissioner) or a person acting with the authority of such a representative, and

    • in response to a communication to the organisation from that representative which was made in response to a request from an individual

  • personal data is relevant to the communication’s subject matter, and

  • disclosure is necessary for responding to that communication

Where the request to the elected representative is made by someone other than the data subject, the above conditions are met only if the disclosure must be made without the data subject’s consent for one of the following reasons:

  • where, in the circumstances, the data subject cannot consent to the processing

  • where, in the circumstances, the elected representative cannot reasonably be expected to obtain the data subject’s consent to the processing

  • where obtaining the data subject’s consent would prejudice the action taken by the elected representative

  • the processing  is necessary in the interests of another individual and the data subject has withheld consent unreasonably

Informing elected representatives about prisoners

This condition is met if the:

  • processing is of personal data about a prisoner for the purpose of information a member of the House of Commons, a member of the National Assembly for Wales or a member of the Scottish Parliament about the prisoner, and

  • member is under an obligation not to further disclose the personal data

Publication of legal judgments

The processing:

  • consist of the publication of a judgment (or other decision of a court or tribunal)

  • is necessary for the purposes of publishing such a judgment (or decision)

Anti-doping in sport

The processing is necessary for the purposes of:

  • measures designed to eliminate doping (including includes measures to identify or prevent doping) which are undertaken by (or under the responsibility of) a body/association responsible for eliminating doping in a sport, at a sporting event or in sport generally

  • providing information about doping, or suspected doping, to such a body/association

Standards of behaviour in sport

The processing:

  • is necessary for the purposes of measures designed to protect the integrity of a sport or a sporting event, and 

  • must be carried out without the data subject’s consent so as not to prejudice those purposes

‘Measures designed to protect the integrity of a sport or a sporting event’ means measures to protect a sport of sporting event against:

  • dishonesty, malpractice or other seriously improper conduct

  • failure by someone participating in the sport or event (in any capacity) to comply with behaviour standards set by a body/association with responsibility for the sport or event

Consent

This condition is met if the data subject has given consent to the processing. Read Compliance for DPIAs (specifically the ‘Explicit consent’ section) for more information on what exactly this means.

Vital interest

The processing is necessary to protect the vital interests of an individual and the data subject is incapable of giving consent (physically or legally). Read Compliance for DPIAs (specifically the ‘Vital interest’ section) for more information on what exactly this means.

Not-for-profit bodies

The processing is carried out in the course of the body’s legitimate activities (with appropriate safeguards), and:

  • the processing relates only to the members (or former members) of the body or to persons who have regular contact with it in connection with its purposes, and

  • the personal data is not disclosed outside that body without the consent of the data subjects

Read Compliance for DPIAs (specifically the ‘Not-for-profit bodies’ section) for more information on what exactly this means.

Manifestly made public by the data subject

The processing relates to personal data which is manifestly made public by the data subject themselves. Read Compliance for DPIAs (specifically the ‘Made public by the data subject’ section) for more information on what exactly this means.

Legal claims

The processing is:

  • necessary for, or in connection with, any legal proceedings (including prospective legal proceedings)

  • necessary for the purpose of obtaining legal advice

  • otherwise necessary for the purposes of establishing, exercising or defending legal rights

Read Compliance for DPIAs (specifically the ‘Legal claims or judicial acts’ section) for more information on what exactly this means.

Judicial acts

The processing is necessary when a court or tribunal is acting in its judicial capacity. Read Compliance for DPIAs (specifically the ‘Legal claims or judicial acts’ section) for more information on what exactly this means.

Administration of accounts used in the commission of indecency offences involving children

This condition is met the processing is of personal data about a conviction or caution for an offence listed below:

  • the taking (or permitting to be taken) of indecent photographs of children

  • the distribution or showing of indecent photographs of children

  • the publishing (or causing to be published) of any advertisement likely to be understood as conveying that the advertiser distributes/shows indecent photographs of children

  • the possession of indecent photographs of children

  • incitement to commit an offence under any of the above provisions

Further, the processing must be necessary for the purpose of administering an account relating to the payment card (including credit, charge and debit cards) used in the commission of the offence or cancelling that payment card.

Insurance

This condition is met if the processing would meet: 

  • the ‘insurance condition’ (see Substantial public interest for DPIAs ‘Insurance’ for more information)

  • the ‘insurance condition’ apart from being able to expressly demonstrate that the processing is necessary for reasons of substantial public interest

but for the requirements for the processing to be of a category of personal data revealing racial/ethnic origin, religious/philosophical beliefs, genetic data/data concerning health or trade union.

 

For some of the above conditions, an Appropriate policy document (APD) must be in place at the time of processing. For more information, read Appropriate policy documents and the ICO’s guidance on processing criminal offence data.

If you have any questions or require assistance, Ask a lawyer.

Make your Data protection impact assessment
Get started
Answer a few questions. We'll take care of the rest