Verifile
| Criminal Record Checks | Financial Services
May 10, 2019

How to navigate managers regime, GDPR and criminal records checks

There are major data privacy implications of criminal records checks made necessary by the Senior Managers and Certification Regime, an issue that will affect about 50,000 firms in the financial services sector from 9 December 2019 onwards. David Palmer and David Lorimer examine how compliance and HR teams can help meet businesses’ obligations under both the GDPR and SMCR.

One of the largest compliance issues on the horizon for compliance and HR teams is the extension of the Senior Managers and Certification Regime (SMCR) to all financial services firms authorised by the Financial Conduct Authority (FCA) in December 2019. There is a lot of tension between one important aspect of the SMCR – criminal records checks – and the requirements of the GDPR, but there are practical steps that firms can take to safely navigate their obligations under both regimes.

What is the SMCR?

The SMCR currently applies to all UK-incorporated banks, building societies, credit unions and Prudential Regulation Authority-regulated investment banks and insurers. On 9 December 2019, the SMCR will be expanded to cover firms that are currently regulated (solely) by the FCA. This will include about 50,000 asset managers, brokers and consumer credit firms. The SMCR is designed to ensure that individuals in the financial services sector take greater responsibility for their actions and to make it easier to hold them to account.

Criminal records checks

Under the SMCR, firms have to satisfy themselves that individuals applying for, or holding, senior manager or certified person roles are fit and proper to carry out their roles both at the point of recruitment and annually thereafter. Part of a firm’s assessment of fitness and propriety includes considering an individual’s honesty, integrity and reputation. In doing so, firms must have regard to whether the person has been convicted of a criminal offence.

The GDPR, and the UK’s Data Protection Act 2018 (DPA), recognise that criminal records data has a special significance. While criminal records data is not “special category” or “sensitive” personal data under those statutes, greater care needs to be taken when collecting, storing and using such data to make hiring and other employment decisions. Firms will need a “legal basis” under the GDPR and a valid “condition” under the DPA for the use of criminal records information. Although the concepts of “legal bases” and “conditions” overlap, the legal obligations relating to them are separate.

Set out below are the GDPR considerations related to criminal records checks for senior managers and certified persons.

1. Senior managers

Under the SMCR, the FCA requires firms to carry out criminal record checks for spent and unspent convictions of individuals who are to perform senior management functions. This provides firms with a legal basis for the carrying out of relevant criminal background checks, namely that doing so is necessary to comply with a legal obligation on them, and a linked condition under the DPA.

2. Certified persons

The FCA does not require a criminal records check to be carried out for individuals carrying out certification functions, although the FCA has stated that firms may still choose to do so. In our experience, many firms that are currently subject to the SMCR require candidates for certified function roles to provide a basic disclosure check. This will disclose details of unspent convictions.

Because this kind of checking isn’t connected to a legal or regulatory obligation, most firms in practice rely on one of the following legal bases:

  • that the checking is in the firm’s legitimate interests. Note that reliance on this basis triggers a requirement to balance those interests against the individual’s privacy rights – and to evidence that balancing; or
  • that it is done with the individual’s consent. However, data protection authorities have cast significant doubt on whether employees and candidates can validly consent.

Firms are prohibited from requiring those applying for or holding certification functions to provide details of spent convictions. Specialist legal advice should be sought with regard to managing the legal risks if an individual’s unspent convictions come to light at any point.

Forward planning

To demonstrate compliance with the GDPR, we recommend that firms take three steps with regard to criminal records checks.

First, firms should carry out a data protection impact assessment. This will act as a record of how the firm created a framework for handling criminal records data. The impact assessment should include details of:

  1. The “legal basis” and “condition” the firm will use to process criminal records data.
  2. The level of criminal record check to be carried out (for example, a standard disclosure check for senior managers and a basic disclosure check for certified function roles).
  3. The length of time criminal records information should be retained (generally speaking no longer than is necessary).
  4. How criminal records information will be secured so that only staff who have a “need to know” can access it.

Although it sounds like (and can be) a resource-consuming exercise, the impact assessment is a mandatory requirement in many instances, and is always helpful in demonstrating a firm’s efforts to comply with the GDPR as part of its accountability records, especially if the Information Commissioner’s Office ever comes calling.

May 10, 2019

Verifile wins two SME Business Awards

We’re delighted to have won two awards at this year’s SME Luton & Bedfordshire Business Awards. We were named as both Best Enterprising Business and Bedford Business of the Year.

The winner of the Bedford Business of the Year Award is expected to be exceptional across all aspects of running a successful SME. The Enterprising Business award focuses on businesses that show outstanding initiative, boldness and imagination, as well as sound management practices within their business.

The judges commented that “Verifile is a company that will be needed more and more” and that “This business has shown enterprise in many aspects including client services, ethical suppliers and employee wellbeing. A fantastic sounding business”.


With this win, we are also delighted to announce that Verifile was put forward to the national awards final at Wembley Stadium in December for the UK’s Best Enterprising Business. It’s an excellent event that we are proud to be part of, and we’d like to extend our congratulations to all the other winners and runner-up businesses.

The Verifile team is working extremely hard to help our clients avoid the perils of hiring the wrong person, reducing fraud and creating transparency within the modern workforce. Winning these awards, together with winning the Queen’s Award last month, is recognition of these superb efforts and the results they bring.

Verifile’s Founder and CEO, Eyal Ben-Cohen, said: “We are absolutely excited and delighted to have won this award. It is a great testament to a fine team for all the hard work they put in over the years of making Verifile such a big success.”

We’d like to use this opportunity to thank all the Verifilians out there: our amazing clients, our partners and our colleagues.

| Media & Entertainment | Media Searches
May 9, 2019

Get your social media policy in place, fast!

The latest in a recent spate of high-profile news stories involving celebrities and their social media activities has highlighted the need for all employers to address, or at least be aware of, employees’ past and current social media usage. It is essential that you make sure a policy is in place to help formulate decisions, where necessary. While the vast majority of people would not condone the content of the racist and homophobic Tweets behind the controversy, there is a noticeable undertone of understanding around the circumstances as to how some of the posts came into circulation.

The BBC’s firing of radio DJ Danny Baker in response to the public’s backlash caused by his ‘racist’ tweet is the latest example of how costly an ill-advised posting on a social media platform can be. Baker immediately deleted his “gag pic of the little fella in the posh outfit” as soon as he was made aware of the seemingly obvious connotations that he had presumably overlooked, but this kind of damage cannot be undone.

Social media Tweets, posted when she was a teenager and using racist language widely used in the hip-hop music she was listening to at the time, but utterly unacceptable in any other environment, cost 24-year-old Shila Iqbal her highly-coveted role as an actress on British soap opera Emmerdale. Few would doubt Iqbal’s assertion that she would have instantly deleted those posts had she known that they were still in the public domain six years later and would never use that language now as a professional and adult actress.

Israel Folau is undoubtedly one of the world’s greatest rugby players and also a devout Christian. Folau’s presumably well-intentioned Tweet urging people to turn to Jesus and to repent their sins to avoid going to Hell, quoting three verses from the Bible, would have surely gone unnoticed had the picture accompanying the post not contained an image designed to shock. The ‘Warning’ poster listed homosexuals alongside drunks, adulterers, liars, fornicators, thieves, atheists and idolaters. Folau frequently uses social media to spread his religious beliefs, and some of his posts have led to intense debate over the years. With Folau now having been found guilty of committing a high-level code of conduct breach, this post looks set to cost him a multi-million-dollar contract and his rugby career, and will hopefully teach many millions of people around the world an incredibly valuable lesson.

Social Media Screening is not a new tool in the background screening arsenal. However, it is undoubtedly the most topical and fastest-growing service.  Many are not yet convinced about the importance or value of social media checks, but it is highly likely that they will become as widely accepted and adopted as criminal record checks and employment references over the next decade.  They have recently been recognised as being “good practice” by the FCA as part of annual checks on all staff.

A huge issue and challenge to overcome is that many HR professionals and prospective line managers are already conducting social media screening, but in many cases, this has damaging implications for employers.  While you may be having a quick look at someone’s profile to see if there are any positive signs or red flags, it is impossible to “un-see” something that may create unintentional bias. 

By using a third party to undertake the checks, you can ensure that the candidate’s sensitive personal information is protected; that applicant/employee consent is obtained; and that only employment-related business and reputational risks are identified and revealed, ready to help with your decision-making process alongside results of other background screening investigations.

And by having a Social Media Policy in place, you can set clear guidelines and expectations for both employees and applicants about how they conduct themselves online, regardless of whether they are posting on their personal accounts or acting on your behalf promoting your organisation. A Social Media Policy should not discourage activity, nor drive users to hide behind anonymous profiles, but encourage them to clean up any previous mistakes or indiscretions and act responsibly and professionally now that your organisation’s reputation is on the line.

See our Media and Entertainment industry page for further details and contact us to discuss how our Social Media Insight checks can improve your employment screening policies.
