Can Employers Carry Out Criminal Records Checks Under UK GDPR?


The General Data Protection Regulation has been a hot topic for businesses since its introduction, establishing rules around the collection and processing of personal data of individuals within the European Union. After Brexit, the UK adopted its own version of this, known as the UK GDPR. A common question arising from these regulations is: Can employers in the UK carry out criminal records checks on potential or existing employees?


What is the UK GDPR?

UK GDPR, in essence, mirrors the EU GDPR but operates within the boundaries of the UK. It emphasises data subjects’ rights, the responsibilities of data processors and controllers, and the importance of data protection principles. Any information that is processed about an individual, including about their criminal convictions, is subject to these rules.


Criminal Records Checks Under UK GDPR

Processing personal data relating to criminal convictions and offences is not allowed unless it is carried out under the control of official authority or is authorised by law that provides appropriate safeguards for the rights and freedoms of data subjects.

In the context of employment:

  1. Legitimate Basis: Employers must have a legitimate basis for processing this data. This can be to comply with employment laws, ensure the safety of other employees, or meet specific obligations relevant to particular roles (e.g., roles involving vulnerable individuals).
  2. Data Protection Impact Assessment (DPIA): If employers are considering regular checks, especially at scale, they may need to conduct a DPIA to identify and minimise the data protection risks.
  3. Proportionality: Criminal record checks should be proportional. This means that employers should only seek details relevant to the role in question. For instance, a one-off minor conviction years ago might not be relevant to a job being applied for.
  4. Disclosure & Barring Service (DBS) Checks: In the UK, many employers use DBS checks to investigate the criminal history of potential employees. There are three levels of DBS checks – Basic, Standard, and Enhanced. The type of role determines the level of check. Notably, only certain jobs are eligible for Standard or Enhanced checks, such as roles in healthcare or with children.


Employee Consent

You can ask employees if they will voluntarily disclose whether they have unspent convictions. They may also agree to a basic criminal record check through the Disclosure and Barring Service. However, the issue of employee consent for criminal records checks is particularly delicate.


While UK GDPR outlines consent as one potential lawful basis for processing personal data, in an employment context, the power imbalance between employer and employee might mean that consent is rarely, if ever, ‘freely given’. This dynamic complicates its validity as a basis for processing sensitive data, such as criminal records. Consequently, employers seeking to conduct criminal records checks may need to rely on other legitimate bases defined within the UK GDPR, like legal obligation or legitimate interest. This situation exemplifies the imperative of navigating the fine line between ensuring workplace safety and security and upholding an individual’s data protection rights. Employers should thus approach the issue with caution, ensuring transparency and compliance with the broader legal landscape.



Employers in the UK may be able to carry out criminal records checks under the UK GDPR. However, doing so is subject to specific stipulations and conditions. Employers must ensure they have a legitimate reason, apply checks proportionately, and handle the data with the utmost care and security.

Always consult with legal professionals or specialists when considering criminal records checks. This ensures compliance with UK GDPR and other related legislation.

