17 November, 2020
Earlier this month, the Information Commissioner's Office (ICO) published detailed guidance on the use of criminal offence data. Data Protection Officers and information governance teams should review the latest guidance to ensure RPs meet the obligations it sets out.
The GDPR places obligations on organisations to put additional safeguards in place to protect 'personal data relating to criminal convictions and offences or related security measures'. This covers information about criminal activity, allegations, investigations and proceedings. It is important to note that the definition in the GDPR covers not only criminal convictions but also suspicions and allegations of criminal behaviour. The ICO guidance confirms that the definition also includes information relating to an absence of criminal convictions (e.g. a clear DBS check).
In accordance with Article 10 of the GDPR, you can only process criminal offence data if you have official authority for the processing or you can meet a condition set out in Schedule 1 of the Data Protection Act 2018. For most RPs, in order to lawfully process criminal offence data, you must identify a lawful basis for processing under Article 6 of the GDPR and a condition for processing set out in Schedule 1 of the DPA 2018.
Many of the conditions set out in Schedule 1 of the DPA 2018 which will be appropriate to RPs' processing of criminal offence data (e.g. processing for employment, social security and social protection reasons, protecting the public and safeguarding of children/individuals at risk) require an 'appropriate policy document' as a specific accountability and documentation measure.
An appropriate policy document is a document outlining the measures you have put in place to comply with the GDPR and the DPA 2018 for special category and criminal offence data. The ICO guidance states that the document does not have to take any specific form but must include the following provisions:
RPs should now review this latest guidance from the ICO to ensure they comply with the obligations set out within it. In particular, RPs should check that their Records of Processing Activity set out the correct lawful basis for processing criminal offence data, based upon the extensive guidance the ICO has provided on identifying a lawful basis. RPs should also check whether any existing policy documents meet the requirements of an 'appropriate policy document' for processing special category and criminal offence data. If not, a standalone policy dealing with special category and criminal offence data should be drafted in accordance with the guidance published by the ICO.
A copy of the criminal offence data guidance can be found here - https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/criminal-offence-data/
For more information contact Bethany Paliga in our Governance, Procurement & Information department via email or phone on 01254 222347. Alternatively send any question through to Forbes Solicitors via our online Contact Form.