Context
The ICO has issued a guide on the processing of criminal offence data to help firms comply with the rules in practice. Criminal offence data is personal data relating to criminal convictions and offences, or to related security measures. Security measures are not defined but are likely to include personal data about penalties, conditions, or restrictions placed on an individual as part of the criminal justice process.
It covers data which is obviously about a specific criminal conviction or trial and also any other personal data relating to criminal convictions and offences. ‘Relating to’ covers any personal data which is linked to criminal offences or which is specifically used to learn something about an individual’s criminal record or behaviour.
Recital 75 to the GDPR explains that this type of personal data merits specific protection, because its use could create significant risks to the individual's fundamental rights and freedoms. However, this type of data is treated differently from other types, e.g. special category data, which are considered particularly sensitive and risky in terms of fundamental rights and freedoms.
This is because the interests of society at large and the need to protect the public from criminal activity are likely to mean that it is possible to justify the use of criminal offence data in a wider variety of circumstances, despite the potential impact on individual rights.
Key points to note
- The rules apply if a firm is processing criminal offence data under the general data processing regime set out in the GDPR and Part 2 of the DPA 2018, i.e. if the firm is not processing for law enforcement purposes
- The rules cover suspicion or allegations of criminal activity and not just confirmed criminal convictions
- The rules also cover the absence of criminal convictions. The fact that a person has no criminal convictions is personal data ‘relating to’ criminal convictions
- Schedule 1 of the DPA 2018 sets out 28 potential conditions for processing criminal offence data https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/criminal-offence-data/what-are-the-conditions-for-processing/
- Firms must always ensure that their processing is generally lawful, fair and transparent and complies with all the other principles and requirements of the GDPR
- If firms are processing criminal offence data, this means they must still identify a lawful basis for their processing, in the same way as for any other personal data
- Firms must complete a DPIA for any type of processing which is likely to be high risk. This means firms are more likely to need a DPIA for criminal offence data, and should be aware of the possible risks
- It is important firms ensure that they collect and retain only the minimum amount of criminal offence data and can justify why this specific type of data is needed
- Firms should consider whether additional security measures need to be in place for criminal offence data
- Firms need to include information about categories of data in their privacy notice and other privacy information for individuals and ensure that records are maintained
- Firms should have in place an appropriate policy document outlining the compliance measures and retention policies for special category and criminal offence data. It should set out the Schedule 1 condition(s) relied upon, the procedures for complying with the data protection principles, and the retention and deletion policies. The ICO has provided a template https://ico.org.uk/media/for-organisations/documents/2616286/appropriate-policy-document.docx