What is a DPIA?
A DPIA is a process designed to help organisations identify and minimise the data protection risks of a project. Where the processing (eg obtaining or recording) of personal data (eg names, addresses and information about racial or ethnic origin) is likely to result in a high risk to individuals, a DPIA needs to be completed. For more information, read Data protection impact assessments.
What is criminal offence data?
Criminal offence data is personal data that relates to criminal convictions and offences or related security measures. This includes information about:
-
criminal activity
-
allegations (including unproven allegations)
-
investigations
-
proceedings
-
personal data of victims and witnesses of crime
-
personal data about penalties
-
conditions/restrictions placed on someone as part of the criminal justice process
-
civil measures that may lead to a criminal penalty if not adhered to
For more information, read the Information Commissioner’s Office (ICO) guidance.
Processing criminal offence data
Organisations can only process criminal offence data if they have a lawful basis for processing. This means that at least one of the six grounds for processing (eg consent or public interest) is met. It is important to note that employers should not rely on consent as their lawful basis for processing if they need to carry out DBS checks on potential employees, as it would not constitute valid consent under the UK GDPR. However, employers must obtain potential employees' consent before carrying out Disclosure and Barring Service (DBS) checks on them. For more information on this, read Compliance for DPIAs.
Even after a lawful basis for processing has been established, criminal offence data can only be processed if the processing is either carried under the control of official authority or authorised by domestic law.
Processing under the control of official authority
If the processing of criminal offence data is carried out ‘under the control of official authority’ no further authorisation under UK law is needed. Moreover, organisations may only keep a comprehensive register of criminal convictions if the register is ‘under the control of official authority’.
Public bodies (and private bodies given public sector tasks) may have such ‘official authority’ to process criminal offence data set out in the law. A body claiming such ‘official authority’ is responsible for identifying the specific law granting them the authority to process criminal offence data. Further, if the body wishes to maintain a comprehensive register of criminal convictions, they will need to consider if they have sufficient official authority to do so.
For example, the DBS, courts and DVLA have specific official authority to process criminal offence data they hold, in addition to keeping a comprehensive register.
Processing authorised by domestic law
Where there is no official authority to process criminal offence data, any such processing must be authorised by UK law. This means that one of the 28 conditions set out in the Data Protection Act 2018 (DPA) needs to be met.
Organisations will need to identify which of the conditions for processing criminal offence data most closely reflects their purpose. Reference will need to be made to the detailed provisions of each condition to demonstrate that the condition applies to the specific situation. If an organisation’s purpose for processing is not covered by any of the conditions the criminal offence data cannot be processed (regardless of how good the reason for processing is).
Most of the 28 conditions rely on the organisation demonstrating that the processing is necessary for a specific purpose. Being ‘necessary’ doesn’t mean that the processing has to be absolutely essential, but it must be more than useful or habitual. It must also be a targeted and proportionate way of achieving the purpose. The processing is not necessary if the organisation can reasonably achieve the same purpose by less intrusive means and if it can do so by using data unrelated to criminal offences.
Conditions for processing
To be able to demonstrate that the processing is authorised by UK law, organisations need to meet one of the following conditions:
Employment, social security and social protection |
This condition is met if the processing is necessary for performing (or exercising) obligations (or rights) imposed (or conferred) by law on the organisation or the data subject (ie the individual the data relates to) in connection with employment, social security or social protection. Read Compliance for DPIAs (specifically the associated conditions in the ‘Employment, social security and social protection’ section) for more information on what exactly this means. |
Health or social care purposes |
The processing is necessary for health or social care purposes. Read Compliance for DPIAs (specifically the associated conditions in the ‘Health or social care’ section) for more information on what exactly this means. |
Public health |
The processing is necessary for reasons of public interest in the area of public health and is carried out:
Read Compliance for DPIAs (specifically the associated conditions in the ‘Public health’ section) for more information on what exactly this means. |
Research |
The processing is:
Read Compliance for DPIAs (specifically the associated conditions in the ‘Archiving, research and statistics’ section) for more information on what exactly this means. |
Statutory and government purposes |
The processing is necessary for the exercise of a function:
|
Administration of justice and parliamentary purposes |
The processing is necessary for:
|
Preventing or detecting unlawful acts |
The processing is:
|
Protecting the public against dishonesty |
The processing is necessary for the exercise of a protective function. This is an action intended to protect members of the public against:
The processing must also be carried out without the data subject’s consent in order to not prejudice the exercise of that function. |
Regulatory requirements |
The processing is necessary to comply with (or assist others to comply with) a regulatory requirement involving a person taking steps to establish whether another person has:
In these circumstances, the organisation cannot reasonably be expected to obtain the consent of the data subject to the processing. |
Journalism, academia, art and literature |
The processing:
|
Preventing fraud |
The processing is necessary to prevent fraud or a particular kind of fraud and:
An anti-fraud organisation is any body corporate, unincorporated association or other person that enables or facilitates any sharing of information to prevent fraud or a particular kind of fraud or which has the prevention of fraud or any kind of fraud as its purpose (or one of its purposes). |
Suspicion of terrorist financing or money laundering |
Where the processing is necessary to make a disclosure in good faith under the:
|
Counselling |
The processing is:
|
Safeguarding of children and individuals at risk |
The processing is:
|
Elected representatives responding to requests |
The processing is:
Where the request is made by someone other than the data subject, the above conditions are met only if the processing must be carried out without the data subject’s consent for one of the following reasons:
|
Disclosure to elected representatives |
This condition is met if the:
Where the request to the elected representative is made by someone other than the data subject, the above conditions are met only if the disclosure must be made without the data subject’s consent for one of the following reasons:
|
Informing elected representatives about prisoners |
This condition is met if the:
|
Publication of legal judgments |
The processing:
|
Anti-doping in sport |
The processing is necessary for the purposes of:
|
Standards of behaviour in sport |
The processing:
‘Measures designed to protect the integrity of a sport or a sporting event’ means measures to protect a sport of sporting event against:
|
Consent |
This condition is met if the data subject has given consent to the processing. Read Compliance for DPIAs (specifically the ‘Explicit consent’ section) for more information on what exactly this means. |
Vital interest |
The processing is necessary to protect the vital interests of an individual and the data subject is incapable of giving consent (physically or legally). Read Compliance for DPIAs (specifically the ‘Vital interest’ section) for more information on what exactly this means. |
Not-for-profit bodies |
The processing is carried out in the course of the body’s legitimate activities (with appropriate safeguards), and:
Read Compliance for DPIAs (specifically the ‘Not-for-profit bodies’ section) for more information on what exactly this means. |
Manifestly made public by the data subject |
The processing relates to personal data which is manifestly made public by the data subject themselves. Read Compliance for DPIAs (specifically the ‘Made public by the data subject’ section) for more information on what exactly this means. |
Legal claims |
The processing is:
Read Compliance for DPIAs (specifically the ‘Legal claims or judicial acts’ section) for more information on what exactly this means. |
Judicial acts |
The processing is necessary when a court or tribunal is acting in its judicial capacity. Read Compliance for DPIAs (specifically the ‘Legal claims or judicial acts’ section) for more information on what exactly this means. |
Administration of accounts used in the commission of indecency offences involving children |
This condition is met the processing is of personal data about a conviction or caution for an offence listed below:
Further, the processing must be necessary for the purpose of administering an account relating to the payment card (including credit, charge and debit cards) used in the commission of the offence or cancelling that payment card. |
Insurance |
This condition is met if the processing would meet:
but for the requirements for the processing to be of a category of personal data revealing racial/ethnic origin, religious/philosophical beliefs, genetic data/data concerning health or trade union. |
For some of the above conditions, an Appropriate policy document (APD) must be in place at the time of processing. For more information, read Appropriate policy documents and the ICO’s guidance on processing criminal offence data.
If you have any questions or require assistance, Ask a lawyer.