September

The Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) have expanded their current 'Senior Managers and Certification Regime' to include a wider range of regulated firms.  This regulation, which sets out clearly defined conduct rules for senior managers, aims to protect consumers and replaces the existing ‘Approved Persons Regime’.

The objective is to raise standards across the industry and ensure that each individual takes responsibility for their actions. For certain firms, they must adhere to the ‘enhanced tier’ which means that every function of the business has an allocated and responsible senior manager.  Organisations must also produce and maintain a ‘responsibilities’ map.  The regulation comes into force on 9^th December 2018.

In response to demand from the financial services sector, there is also a plan from the FCA to create a new 'Directory for Financial Services Workers'. This directory will be  a public register and will assist Financial Services register/directory checks:

https://www.fca.org.uk/publications/consultation-papers/cp18-19-introducing-directory

Anyone working in a controlled function and any person with a significant interest in the business should be included, for example, persons with significant control as defined by Companies House.  These inclusions are currently open to consultation and within the PDF there is a link to a response page where anyone can offer their opinion: 

https://www.fca.org.uk/cp18-19-response-form.  

Identity checks for all checks
The Disclosure and Barring Service (DBS) has just updated their identity checking guidelines for all levels of checks. The guidelines now officially confirm that live video link can be used as an alternative to face to face checks, however, the original documents must still be examined during the video link.

New documents have been added to the identity document groups including Irish Passport Cards and Positive Verification Notices. In addition, passports no longer need to be seen when certain Residence Cards and Immigration Status Documents are presented. We are working hard to update the document groups on our platform before the 3rd December deadline.

Eligibility for standard and enhanced checks
The DBS has also launched new guidance to help organisations assess eligibility for standard and enhanced criminal checks. There have been no changes to eligibility rules. The new documents have been launched to make it easier to understand the current rules. The new guidance documents (one for standard and one for enhanced) can be found in the Help Guides library (you will need to log in first).

Osborne and Clarke give insight: Pre-GDPR, it became common practice for many UK businesses to carry out criminal convictions checks on their prospective employees as a matter of course, and to require their suppliers to do the same. UK businesses now need to carefully consider whether they can justify processing criminal convictions data under the GDPR where there is no actual legal requirement to carry out a criminal record check.

Processing of criminal convictions personal data under the GDPR and DPA

Article 10 of the GDPR states that any employer who is processing criminal convictions personal data can only do so where a lawful basis exists to justify that processing and national law permits that processing (and puts in place appropriate safeguards).

Lawful basis

As with the processing of any types of personal data, there still needs to be a lawful basis for processing criminal convictions data. Consequently, where there is no strict legal obligation for a business to carry out criminal convictions screening, there still needs to be careful consideration as to whether they can rely on another lawful basis.

For example, where an employer is seeking to rely on legitimate interests, it must conduct further analysis to assess (among other issues) if its interests are enough to outweigh the intrusion on an employee’s privacy.

The DPA conditions

The DPA (under section 10(5)) has introduced further conditions that businesses must meet (in addition to the requirements of the GDPR) and again, businesses must assess and be able to justify whether a specific condition applies.

There is no condition which permits any employers to carry out blanket criminal conviction checks as part of its recruitment process and so the conditions will need to be reviewed on a case-by-case basis depending on the purpose of the processing.

For instance, businesses may process criminal convictions data (in accordance with the GDPR) where there is a ‘regulatory requirement’ and this includes ‘requirements forming part of general accepted principles of good practice’ in relation to the relevant area, as well as those set out in law. This is likely to be a relevant condition for a business which is authorised by the Financial Conduct Authority.

The issue of employee consent

Where alternative conditions do not exist there remains scope for businesses to rely on consent, both under the GDPR and the DPA, to carry out criminal record screening. However, there may well be difficulties in obtaining consent in such scenarios.

For example, there will always remain a risk that obtaining consent from an employee (or prospective employee) raises issues given that the imbalance of power in the employer / employee relationship arguably negates real consent for fear of reprisals (we explore those issues in our earlier article here).

Further, businesses also need to be wary that any consent mechanism, and any consent obtained, meets the enhanced requirements of the GDPR – for example, for consent to be freely given an individual should be entitled to refuse consent without being prejudiced as a result.

However, absent any other available conditions, in practice consent is likely to be the only viable means of justifying the processing of criminal convictions data for a number of businesses (including in an employment context).

What should businesses do next?

Any UK business which routinely conducts criminal convictions screening will need to reconsider some of their basic screening and recruitment practices or risk being in breach of the GDPR and/or the DPA. With guidance from the Information Commissioner’s Office on this area still outstanding, analysis carried out should be kept under review and updated where appropriate.

Aside from recruitment practices, businesses should also be assessing the impact of these issues on other aspects of their business. For example, service providers who are under obligations from clients to undertake criminal screening of their own employees as a condition of being appointed to an account will need to carefully consider whether those activities remain lawful under the new regime.

Whatever the outcome of any further analysis, the format, positioning, provision and content of privacy notices relating to the use of criminal convictions data takes on new significance for all businesses (particularly where consent is required). Therefore, businesses will need to make sure their own employee privacy policies set out their adopted approach to criminal convictions data in a concise, transparent, intelligible and easily accessible form