2018

Identity checks for all checks
The Disclosure and Barring Service (DBS) has just updated their identity checking guidelines for all levels of checks. The guidelines now officially confirm that live video link can be used as an alternative to face to face checks, however, the original documents must still be examined during the video link.

New documents have been added to the identity document groups including Irish Passport Cards and Positive Verification Notices. In addition, passports no longer need to be seen when certain Residence Cards and Immigration Status Documents are presented. We are working hard to update the document groups on our platform before the 3rd December deadline.

Eligibility for standard and enhanced checks
The DBS has also launched new guidance to help organisations assess eligibility for standard and enhanced criminal checks. There have been no changes to eligibility rules. The new documents have been launched to make it easier to understand the current rules. The new guidance documents (one for standard and one for enhanced) can be found in the Help Guides library (you will need to log in first).

Osborne and Clarke give insight: Pre-GDPR, it became common practice for many UK businesses to carry out criminal convictions checks on their prospective employees as a matter of course, and to require their suppliers to do the same. UK businesses now need to carefully consider whether they can justify processing criminal convictions data under the GDPR where there is no actual legal requirement to carry out a criminal record check.

Processing of criminal convictions personal data under the GDPR and DPA

Article 10 of the GDPR states that any employer who is processing criminal convictions personal data can only do so where a lawful basis exists to justify that processing and national law permits that processing (and puts in place appropriate safeguards).

Lawful basis

As with the processing of any types of personal data, there still needs to be a lawful basis for processing criminal convictions data. Consequently, where there is no strict legal obligation for a business to carry out criminal convictions screening, there still needs to be careful consideration as to whether they can rely on another lawful basis.

For example, where an employer is seeking to rely on legitimate interests, it must conduct further analysis to assess (among other issues) if its interests are enough to outweigh the intrusion on an employee’s privacy.

The DPA conditions

The DPA (under section 10(5)) has introduced further conditions that businesses must meet (in addition to the requirements of the GDPR) and again, businesses must assess and be able to justify whether a specific condition applies.

There is no condition which permits any employers to carry out blanket criminal conviction checks as part of its recruitment process and so the conditions will need to be reviewed on a case-by-case basis depending on the purpose of the processing.

For instance, businesses may process criminal convictions data (in accordance with the GDPR) where there is a ‘regulatory requirement’ and this includes ‘requirements forming part of general accepted principles of good practice’ in relation to the relevant area, as well as those set out in law. This is likely to be a relevant condition for a business which is authorised by the Financial Conduct Authority.

The issue of employee consent

Where alternative conditions do not exist there remains scope for businesses to rely on consent, both under the GDPR and the DPA, to carry out criminal record screening. However, there may well be difficulties in obtaining consent in such scenarios.

For example, there will always remain a risk that obtaining consent from an employee (or prospective employee) raises issues given that the imbalance of power in the employer / employee relationship arguably negates real consent for fear of reprisals (we explore those issues in our earlier article here).

Further, businesses also need to be wary that any consent mechanism, and any consent obtained, meets the enhanced requirements of the GDPR – for example, for consent to be freely given an individual should be entitled to refuse consent without being prejudiced as a result.

However, absent any other available conditions, in practice consent is likely to be the only viable means of justifying the processing of criminal convictions data for a number of businesses (including in an employment context).

What should businesses do next?

Any UK business which routinely conducts criminal convictions screening will need to reconsider some of their basic screening and recruitment practices or risk being in breach of the GDPR and/or the DPA. With guidance from the Information Commissioner’s Office on this area still outstanding, analysis carried out should be kept under review and updated where appropriate.

Aside from recruitment practices, businesses should also be assessing the impact of these issues on other aspects of their business. For example, service providers who are under obligations from clients to undertake criminal screening of their own employees as a condition of being appointed to an account will need to carefully consider whether those activities remain lawful under the new regime.

Whatever the outcome of any further analysis, the format, positioning, provision and content of privacy notices relating to the use of criminal convictions data takes on new significance for all businesses (particularly where consent is required). Therefore, businesses will need to make sure their own employee privacy policies set out their adopted approach to criminal convictions data in a concise, transparent, intelligible and easily accessible form

People Management reports how Lawyers have sounded fresh warnings about the importance of checking references properly, after a pilot was found by a tribunal to have used a pseudonym for a Star Wars villain on an application form. 

Birmingham Employment Tribunal dismissed Mr N F M’s claims against West Atlantic. However, it allowed the airline’s counterclaims and told the pilot to pay back almost £5,000 in training costs. The pilot had successfully applied for a position with the commercial freight airline operator as a captain. 

But court documents stated that the pilot, who did not attend the tribunal hearing, had “provided a false reference”. The reference on his application “purported to be from Desilijic Tiure”, an alternative name for Star Wars character Jabba the Hutt. 

The tribunal heard that, when West Atlantic discovered this, it confronted the employee, who “initially denied but, ultimately, largely admitted” the false referee. West Atlantic offered him the opportunity to resign on 30 June 2017, which he did. 

The pilot claimed three months’ notice pay, his contractual notice entitlement. West Atlantic counterclaimed for recovery of his training costs, as he had signed an agreement stating that these were repayable if he was terminated within the first six months of his employment. 

The tribunal dismissed the pilot’s claim but allowed West Atlantic’s counterclaim.