Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your business ever touches information about criminal allegations, investigations or convictions, you’re handling “criminal offence data” under UK privacy law. That brings extra rules, stronger safeguards and, if you get it wrong, sharper regulatory risks with the ICO.
The good news: most small businesses can stay compliant with a clear process, the right paperwork and a bit of planning. In this guide, we break down what counts as criminal offence data, when you can process it lawfully, the documents you must have in place, and what the ICO can do if you slip up.
What Counts As Criminal Offence Data?
“Criminal offence data” is a specific category under Article 10 of the UK GDPR and the Data Protection Act 2018 (DPA 2018). It covers any personal data relating to:
- Criminal convictions and offences
- Allegations, investigations or proceedings (even if no conviction results)
- Security measures or penalties linked to suspected or proven offences
That means it isn’t limited to a DBS certificate. Notes from an incident report about suspected theft, a disciplinary record referencing an ongoing investigation, or a screening result that flags sanctions or watchlists can all fall into this category.
Key point: criminal offence data is not “special category data” (that’s things like health or race), but it is protected in a similar, heightened way. You generally can’t process it unless you meet strict conditions and put additional safeguards in place.
When Can A Business Lawfully Process Criminal Offence Data?
To handle criminal offence data lawfully, you need all three of the following:
- A valid UK GDPR lawful basis (e.g. legitimate interests, performance of a contract, legal obligation)
- A specific condition for processing criminal offence data under Article 10 and the DPA 2018 (usually a Schedule 1 condition)
- Appropriate safeguards, typically an Appropriate Policy Document (APD) and retention schedule
Let’s look at each in plain English.
1) Choose A Lawful Basis
You still need one of the standard UK GDPR bases to process personal data (including criminal offence data). For many SMEs, that’s typically:
- Legitimate interests – for proportionate background checks or to protect your business from fraud or theft
- Legal obligation – where a law requires checks (for example in regulated sectors)
- Performance of a contract – limited situations where the processing is necessary to enter into or perform an employment or services contract
Consent is rarely appropriate here because it’s hard to make it genuinely freely given in an employment or vetting context.
2) Pick A DPA 2018 Schedule 1 Condition
Article 10 says you can only process criminal offence data under the control of official authority or where domestic law provides specific safeguards. For most private sector businesses, this means relying on a Schedule 1 condition in the DPA 2018, for example:
- Employment, social security and social protection (Sch. 1, Part 1) – often used for DBS checks where legally required and appropriate
- Preventing or detecting unlawful acts (Sch. 1, Part 2) – proportionate steps to prevent fraud or theft
- Protecting the public against dishonesty, malpractice or other seriously improper conduct (Sch. 1, Part 2)
- Regulatory requirements or safeguarding of individuals at risk (Sch. 1, Part 2) – relevant in certain sectors
- Legal claims (Sch. 1, Part 2) – where criminal offence data is necessary for actual or prospective legal proceedings
Each condition has nuances, and some require that you reasonably can’t get consent, or that the processing is strictly necessary and proportionate. This is where a short, practical justification note helps you evidence your reasoning.
3) Put The Safeguards In Place (APD + Retention)
For many Schedule 1 conditions, you must have an Appropriate Policy Document (APD) that explains:
- Your lawful basis and chosen Schedule 1 condition
- Retention periods and how you decide them
- Security measures and access controls
- How you uphold data protection principles (minimisation, accuracy, storage limitation, integrity and confidentiality)
You’ll also need a clear retention schedule. In practice, that often means holding the bare minimum (for example, a “pass/fail” note rather than a full DBS record) and deleting underlying documents as soon as you no longer need them.
Common Business Scenarios Involving Criminal Offence Data
Many SMEs don’t routinely process criminal offence data, but it crops up more often than you might expect. Here are typical scenarios and the compliance lens to use for each.
Pre-Employment Vetting And DBS Checks
If you’re recruiting for roles that handle money, vulnerable people or sensitive data, you might consider background checks. You should only conduct checks that are lawful and proportionate to the role. Be mindful that many roles do not qualify for standard or enhanced DBS checks.
Where you rely on a permitted check, you’ll likely use the “employment, social security and social protection” or “preventing or detecting unlawful acts” condition and keep an APD. Keep records light: where possible store only the decision (e.g. “suitable/unsuitable”), not the entire certificate.
Before you go down this road, make sure your process aligns with UK employment law and privacy rules. Our guide on free background checks for employers explains what’s permissible.
Security Incidents And Theft Investigations
Retailers, hospitality venues and trades often face internal or external theft. Incident reports, witness statements, and CCTV tied to suspected offences can contain criminal offence data. Rely on a suitable Schedule 1 condition (commonly “preventing or detecting unlawful acts”) and ensure your CCTV and video policies align with UK GDPR transparency and minimisation principles.
Third-Party Screening Providers
If a supplier or HR platform processes vetting information for you, they are usually your processor. You’ll need a robust Data Processing Agreement that sets out security, instructions, sub-processing and deletion obligations. Where screening results are shared between organisations, you may also need a Data Sharing Agreement.
Insurance Claims, Legal Disputes And Fraud Prevention
Criminal offence data might appear in claim files or litigation bundles. The “legal claims” condition can apply here, provided the processing is necessary and proportionate. Limit access to a need-to-know basis and set shorter retention periods for raw materials like police reports or charge details.
Sanctions And Financial Crime Screening
Some sectors undertake sanctions or politically exposed person checks, which can reveal allegations or enforcement histories. Use a suitable Schedule 1 condition, document your necessity assessment and make sure your processor contracts and deletion routines are tight.
Mandatory Safeguards And Documentation
Once you identify that criminal offence data is in scope, put these building blocks in place.
Appropriate Policy Document (APD)
Draft a short APD covering your condition(s), retention and security measures. Keep it practical, align it with your actual processes and review it annually or whenever your processing changes.
Privacy Notices
Tell people, in plain English, that you may process criminal offence data, why, the lawful basis/condition, who you share it with, and how long you keep it. This should appear in your employee or applicant notices and your external Privacy Policy if customer or visitor data is in scope.
Records Of Processing And DPIAs
Update your Record of Processing Activities to flag criminal offence data categories, recipients and retention periods. Where the processing is likely to be high risk (e.g. large-scale screening or use of biometrics alongside offence data), complete a Data Protection Impact Assessment (DPIA) and record mitigations.
Processor Contracts And Sharing Protocols
If a vendor handles screening data, ensure you have a compliant Data Processing Agreement. If you regularly exchange such data with another controller (for instance, a group company), a Data Sharing Agreement can clarify roles, security and retention.
Security And Access Controls
- Role-based access: only HR or a designated manager sees underlying results
- Minimisation: store “pass/fail” outcomes where feasible; avoid keeping raw certificates
- Encryption and secure storage: both in transit and at rest
- Deletion routines: automatic reminders to review and remove source materials
- Training: make staff aware of the higher bar for this data
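The controls above (and the “pass/fail rather than the whole certificate” approach in the retention section) can be made concrete in code. The following is an added illustration, not Sprintlaw’s code and not any vetting provider’s API: it takes a constructed raw screening result, keeps only the outcome and the Schedule 1 condition relied on, enforces role-based read access with an audit trail, and reports which source certificates are past their review date so they can be deleted. The role names, the `clear` field in the raw result and the 30-day source retention period are assumptions chosen for the example.

```python
"""Minimised vetting register: outcome-only records, role-based access, source purge.

Added example, not Sprintlaw's or any provider's code. Roles, field names and the
30-day source retention period are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum, auto


class Role(Enum):
    HR = auto()       # may record and read outcomes
    MANAGER = auto()  # designated manager: may read outcomes only
    STAFF = auto()    # no access to vetting outcomes


READ_ROLES = {Role.HR, Role.MANAGER}   # role-based access: need-to-know only
WRITE_ROLES = {Role.HR}


@dataclass
class VettingRecord:
    subject_id: str          # internal reference, not the certificate number
    outcome: str             # "suitable" / "unsuitable": the decision, not the certificate
    condition: str           # DPA 2018 Schedule 1 condition relied on
    decided_on: date
    source_review_by: date   # date by which the raw certificate must be deleted
    source_deleted: bool = False


def minimise_result(raw: dict, condition: str, decided_on: date,
                    source_retention_days: int = 30) -> VettingRecord:
    """Reduce a raw screening result to the minimum worth keeping.

    `raw` is a constructed dict standing in for a provider's response. Only the
    outcome survives; certificate numbers and disclosure details are dropped.
    """
    outcome = "suitable" if raw["clear"] else "unsuitable"
    return VettingRecord(
        subject_id=raw["subject_id"],
        outcome=outcome,
        condition=condition,
        decided_on=decided_on,
        source_review_by=decided_on + timedelta(days=source_retention_days),
    )


class VettingRegister:
    def __init__(self) -> None:
        self._records: dict[str, VettingRecord] = {}
        self.audit: list[tuple[str, str, str]] = []  # (action, role, subject_id)

    def store(self, actor: Role, record: VettingRecord) -> None:
        if actor not in WRITE_ROLES:
            raise PermissionError(f"{actor.name} may not record vetting outcomes")
        self._records[record.subject_id] = record
        self.audit.append(("store", actor.name, record.subject_id))

    def get_outcome(self, actor: Role, subject_id: str) -> str:
        if actor not in READ_ROLES:
            self.audit.append(("denied", actor.name, subject_id))
            raise PermissionError(f"{actor.name} may not read vetting outcomes")
        self.audit.append(("read", actor.name, subject_id))
        return self._records[subject_id].outcome

    def sources_due_for_deletion(self, today: date) -> list[str]:
        """Subjects whose raw certificate is past its review date and not yet deleted."""
        return sorted(r.subject_id for r in self._records.values()
                      if not r.source_deleted and r.source_review_by <= today)

    def confirm_source_deleted(self, actor: Role, subject_id: str) -> None:
        if actor not in WRITE_ROLES:
            raise PermissionError(f"{actor.name} may not confirm deletion")
        self._records[subject_id].source_deleted = True
        self.audit.append(("source_deleted", actor.name, subject_id))


def run_example() -> dict:
    """Walk through one constructed applicant and return the observable results."""
    raw = {"subject_id": "applicant-001", "clear": True,
           "certificate_number": "CONSTRUCTED-000", "disclosures": []}  # constructed input
    rec = minimise_result(raw, "preventing or detecting unlawful acts", date(2024, 1, 10))
    reg = VettingRegister()
    reg.store(Role.HR, rec)
    try:
        reg.get_outcome(Role.STAFF, "applicant-001")
        staff_denied = False
    except PermissionError:
        staff_denied = True
    due_early = reg.sources_due_for_deletion(date(2024, 2, 8))
    due_on_date = reg.sources_due_for_deletion(date(2024, 2, 9))
    reg.confirm_source_deleted(Role.HR, "applicant-001")
    return {
        "outcome": reg.get_outcome(Role.MANAGER, "applicant-001"),
        "kept_fields": sorted(vars(rec)),        # no certificate number or disclosures
        "review_by": rec.source_review_by.isoformat(),
        "staff_denied": staff_denied,
        "due_early": due_early,
        "due_on_date": due_on_date,
        "due_after_deletion": reg.sources_due_for_deletion(date(2024, 3, 1)),
        "audit": reg.audit,
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

The register keeps the decision and the condition relied on, which is what an APD and a SAR response need, while the review date drives the deletion reminder for the underlying certificate. The audit list records denied reads as well as successful ones, which is the evidence you would want when showing the ICO that access was restricted on a need-to-know basis.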
Incident Response Readiness
Have a clear playbook if a breach occurs. An up-to-date Data Breach Response Plan helps you triage incidents, assess risk, notify affected individuals (where required) and report to the ICO within 72 hours if necessary.
Practical Compliance Toolkit
Many SMEs bundle these elements into a simple framework with policies, notices, and registers. Our Data Protection Pack is designed to cover these foundations in one place so you’re protected from day one.
ICO Enforcement, Offences And Penalties: What Risks Do You Face?
The ICO can use a range of powers if your handling of criminal offence data goes wrong, from audits and enforcement notices to significant fines. Some behaviours are also criminal offences under the DPA 2018.
Civil Enforcement And Fines
If you process criminal offence data without a valid basis or condition, fail to keep it secure, or ignore transparency and minimisation rules, the ICO can issue warnings, reprimands, enforcement notices and administrative fines. The maximum fines depend on the breach type, but mishandling sensitive data typically attracts higher regulatory scrutiny.
Criminal Offences Under The DPA 2018
These offences can apply regardless of data category, but are particularly relevant when sensitive information is involved:
- Knowingly or recklessly obtaining, disclosing or retaining personal data without the controller’s consent (e.g. “blagging” or snooping)
- Re-identifying individuals from anonymised data without authority
- Altering, blocking, destroying or concealing personal data after a subject access request (“SAR”) to prevent disclosure
- Failing to comply with an ICO information notice, assessment notice or enforcement notice
Individuals can be prosecuted for these offences, and businesses face reputational damage and related civil liability. Make sure your team understands that casual “just email me the DBS” culture is unacceptable and could be unlawful.
Subject Access Requests And Criminal Offence Data
People have the right to access their personal data, including criminal offence data you hold about them. You’ll need a clear process to log, verify and respond in time. Start with a realistic timetable based on the standard one-month limit in our guide to SAR deadlines, and be aware of possible SAR exemptions that might apply (for example, where disclosure would prejudice the prevention or detection of crime). Document your decision-making if you rely on an exemption.
Data Protection Fee
Most UK businesses must pay the ICO’s data protection fee unless exempt. Non-payment can lead to penalties. If you’re unsure whether you need to pay, check the common ICO fee exemptions.
Practical Compliance Checklist For SMEs Handling Criminal Offence Data
Here’s a step-by-step way to bring your processes up to scratch:
- Map your data flows: identify where criminal offence data appears (recruitment, security, claims, vendor platforms).
- Define your purpose and necessity: be clear why the data is strictly needed for the role or task.
- Select your lawful basis and Schedule 1 condition(s): record your reasoning in a short note.
- Draft your APD: set out conditions relied upon, retention periods, security and training measures.
- Update privacy notices: ensure staff/applicant notices and your public-facing Privacy Policy explain what you collect and why.
- Tighten retention: prefer “pass/fail” outcomes over raw certificates; set deletion reminders for source documents.
- Lock down access: use role-based permissions; encrypt storage; avoid sending documents over unsecured channels.
- Sort your contracts: put a Data Processing Agreement in place with any vetting or HR platforms; consider a Data Sharing Agreement where you share results with another controller.
- Complete a DPIA for high-risk processing: document risks and mitigations.
- Train your team: cover do’s and don’ts, SAR handling, and the consequences of unauthorised access or disclosure.
- Prepare for incidents: implement a tested Data Breach Response Plan.
- Review annually: revisit your APD, vendor contracts and retention schedule to ensure they still fit your processing.
Key Takeaways
- Criminal offence data includes any information about allegations, investigations, offences or convictions, not just DBS certificates.
- You need a lawful basis and a DPA 2018 Schedule 1 condition to process it, plus an Appropriate Policy Document and tight retention rules.
- Keep processing proportionate: store decisions rather than full records where possible, and restrict access on a need-to-know basis.
- If vendors handle vetting or screening, have a compliant Data Processing Agreement and clear deletion instructions.
- Be SAR-ready: understand timelines and potential exemptions, and record your decisions.
- The ICO can issue significant fines, and some behaviours (like unauthorised disclosure or destroying data after a SAR) are criminal offences under the DPA 2018.
- Putting simple, well-drafted policies and processes in place now is the easiest way to protect your business and demonstrate compliance.
If you’d like help setting up your APD, tightening your notices and contracts, or sense-checking your vetting process, our team can assist. You can reach us on 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.