May

British schools around the world will be required to use a system that provides comprehensive background checks of UK teachers working overseas.

The Council of British International Schools (Cobis) has said that it will expect all its member schools – covering 75 countries – to use the International Child Protection Certificate (ICPC) to vet its British employees. Many schools previously relied on police checks, as well as written and verbal references.
 
For more information on checks required for th education sector click here

There are major data privacy implications of criminal records checks made necessary by the Senior Managers and Certification Regime, an issue that will affect about 50,000 firms in the financial services sector from 9 December 2019 onwards. David Palmer and David Lorimer examine how compliance and HR teams can help meet businesses’ obligations under both the GDPR and SMCR.

One of the largest compliance issues on the horizon for compliance and HR teams is the extension of the Senior Managers and Certification Regime (SMCR) to all financial services firms authorised by the Financial Conduct Authority (FCA) in December 2019. There is a lot of tension between one important aspect of the SMCR – criminal records checks – and the requirements of the GDPR but there are practical steps that firms can take to safely navigate their obligations under both regimes.

What is the SMCR?

The SMCR currently applies to all UK-incorporated banks, building societies, credit unions and Prudential Regulation Authority-regulated investment banks and insurers. On 9 December 2019, the SMCR will be expanded to cover firms that are currently regulated (solely) by the FCA. This will include about 50,000 asset managers, brokers and consumer credit firms. The SMCR is designed to ensure that individuals in the financial services sector take greater responsibility for their actions and to make it easier to hold them to account.
 

Criminal records checks

Under the SMCR, firms have to satisfy themselves that individuals applying for, or holding, senior manager or certified person roles are fit and proper to carry out their roles both at the point of recruitment and annually thereafter. Part of a firm’s assessment of fitness and propriety includes considering an individual’s honesty, integrity and reputation. In doing so, firms must have regard to whether the person has been convicted of a criminal offence.

The GDPR, and the UK’s Data Protection Act 2018 (DPA), recognise that criminal records data has a special significance. While criminal records data is not “special category” or “sensitive” personal data under those statutes, greater care needs to be taken when collecting, storing and using such data to make hiring and other employment decisions. Firms will need a “legal bases” under the GDPR and a valid “condition” under the DPA for the use of criminal records information. Although the concepts of “legal bases” and “conditions” overlap, the legal obligations relating to them are separate.

Set out below are the GDPR considerations related to criminal records checks for senior managers and certified persons.

1. Senior managers

Under the SMCR, the FCA requires firms to carry out criminal record checks for spent and unspent convictions of individuals who are to perform senior management functions. This provides firms with a legal basis for the carrying out of relevant criminal background checks, namely that doing so is necessary to comply with a legal obligation on them, and a linked condition under the DPA.

2. Certified persons

The FCA does not require a criminal records check to be carried out for individuals carrying out certification functions, although the FCA has stated that firms may still choose to do so. In our experience, many firms that are currently subject to the SMCR require candidates for certified function roles to provide a basic disclosure check. This will disclose details of unspent convictions.

Because this kind of checking isn’t connected to a legal or regulatory obligation, most firms in practice rely on one of the following legal bases:

• that the checking is in the firm’s legitimate interests. Note that reliance on this basis triggers a requirement to balance those interests against the individual’s privacy rights – and to evidence that balancing; or
• that it is done with the individual’s consent. However, data protection authorities have cast significant doubt on whether employees and candidates can validly consent.

Firms are prohibited from requiring those applying for or holding certification functions from providing details of spent convictions. Specialist legal advice should be sought with regards to managing the legal risks if an individual’s unspent convictions come to light at any point.

Forward planning

To demonstrate compliance with the GDPR, we recommend that firms should take three steps with regards to criminal records checks.

First, firms should carry out a data protection impact assessment. This will act as a record of how the firm created a framework for handling criminal records data. The impact assessment should include details of:

1. The “legal basis” and “condition” the firm will use to process criminal records data.
2. The level of criminal record check to be carried out (for example, a standard disclosure check for senior managers and a basic disclosure check for certified function roles).
3. The length of time criminal records information should be retained (generally speaking no longer than is necessary).
4. How criminal records information will be secured so that only staff who have a “need to know” can access it.

Although it sounds like (and can be) a resource-consuming exercise, the impact assessment is a mandatory requirement in many instances, and is always helpful in demonstrating a firm’s efforts to comply with the GDPR as part of its accountability records, especially if the Information Commissioner’s Office ever comes calling.

We’re delighted to have won two awards at this year’s SME Luton & Bedfordshire Business Awards. We were named as both Best Enterprising Business and Bedford Business of the Year.
 
The winner of the Bedford Business of the Year Award is expected to be exceptional across all aspects of running a successful SME. The Enterprising Business award focuses on businesses that show outstanding initiative, boldness and imagination, as well as sound management practices within their business.  
 
The judges commented that “Verifile is a company that will be needed more and more” and that “This business has shown enterprise in many aspects including client services, ethical suppliers and employee wellbeing. A fantastic sounding business”.

 

With this win, we are also delighted to announce that Verifile was put forward to the national awards final at Wembley Stadium in December for the UK’s Best Enterprising Business.  It’s an excellent event that we are proud to be part of, and we’d like to extend our congratulations to all the other winners and runner up businesses.
 
The Verifile team is working extremely hard to help our clients avoid the perils of hiring the wrong person, reducing fraud and creating transparency within the modern workforce. Winning these awards together with winning the Queen’s Award last month is recognition to these superb efforts and the results they bring.
 
Verifile’s Founder and CEO, Eyal Ben-Cohen said: “We are absolutely excited and delighted to have won this award it is a great testament to a fine team for all the hard work they put in over the years of making Verifile such a big success.”
 
We’d like to use this opportunity to thank all the Verifilians out there; our amazing clients, our partners and our colleagues.