Criminal record checks and GDPR: What UK employers need to know

Veremark
24 Apr
,
min read
Share this article
Contents
Example H2
Example H3
Example H4

Criminal record checks and GDPR: What UK employers need to know

Asking candidates about their criminal record is one of the most sensitive things you can do in a hiring process — and one of the most tightly regulated.

Under UK GDPR and the Data Protection Act 2018, criminal offence data is in a category of its own. It’s not just personal data. It’s restricted data — and mishandling it, even with good intentions, could lead to legal risk.

If your company runs DBS checks or collects any criminal record information, here’s what you need to know to stay compliant.

Why criminal record data is treated differently

Criminal offence data is classed as “special category data” under Article 10 of UK GDPR and further governed by Section 10 of the Data Protection Act 2018.

That means two things:

  1. You need a lawful basis under Article 6 of UK GDPR
  2. You also need a separate legal condition under Schedule 1 of the DPA 2018

Unlike other types of data, you can’t rely on consent alone. Criminal checks must be legally necessary, relevant to the role, and backed by proper documentation.

What lawful basis should you use?

For most employment-related checks, the standard approach is:

  • Article 6(1)(f): Legitimate interests — i.e. the organisation has a legitimate reason to verify criminal history for risk or compliance purposes

Alongside:

  • Schedule 1, Part 1, Paragraph 1 of the DPA 2018 — processing for employment, social security, and social protection purposes

This combination allows employers to collect and process criminal record data in limited, proportionate cases — but not as a catch-all policy.

For regulated industries, you may also rely on other conditions, such as legal obligations under sector-specific laws (e.g. in healthcare or finance).

When can you ask for a criminal check?

You can only request a check when the nature of the role justifies it — and only the type of check that is legally permitted for that role.

That means:

The Information Commissioner’s Office (ICO) warns against carrying out checks “just in case” or using a one-size-fits-all policy for all roles. The collection must be specific, necessary, and proportionate.

What should you document internally?

If you’re requesting criminal checks, you need to show that you’ve thought through:

  • Why the check is needed (e.g. safeguarding, fraud prevention, legal requirement)
  • Which level of check is being used, and whether the role is eligible
  • How the results will be stored, accessed, and deleted
  • What information the candidate receives, and how their rights are protected

The ICO expects organisations to maintain a Criminal Offence Data Policy and include these checks in their Record of Processing Activities (ROPA).

If you’re not sure where to start, their employment practices guidance outlines what should be in place.

How long can you keep a DBS certificate?

In most cases, no longer than 6 months.

The DBS Code of Practice recommends destroying the certificate as soon as it is no longer needed. If you need to keep any record, it should be minimal — for example:

  • Certificate number
  • Type of check (e.g. Basic, Standard)
  • Result summary (e.g. “clear” or “content”)
  • Date received and date removed

There are exceptions for regulated industries that require longer retention, but those should be backed by clear legal justification.

Common mistakes to avoid

Here are the patterns the ICO frequently flags:

  • Storing certificates indefinitely without a clear reason
  • Requesting higher-level checks for roles that are not legally eligible
  • Relying on consent as the only legal basis (which is not sufficient)
  • Failing to inform candidates what will be checked and why
  • Not documenting how and why checks are used internally

These are all avoidable — and often a matter of internal alignment between HR, compliance, and data protection teams.

How to stay compliant

  • Only collect what you are legally entitled to — and no more
  • Map your lawful basis and DPA condition clearly
  • Provide written notice to candidates, including how the data will be used and stored
  • Keep access restricted, and retention periods short
  • Review internal policies at least annually — especially if laws or DBS guidance change

Remember, if you're not sure whether a check is legally justified, the safest course is to pause — not proceed.

Want the full picture? Download the guide now.

A Practical Guide to UK Criminal Record Checks for Employers

Criminal record data is one of the most sensitive parts of your hiring process. To help you get it right, we’ve broken down:

  • Check eligibility and role types
  • Spent vs. unspent convictions
  • Interpreting DBS results fairly
  • Storing and documenting data lawfully

Everything in one place — clear and written for hiring teams.

Share this article
Related tags
Background Checks
Background Checks for Financial Institutions
Background Checks for HR Staffing and Recruitment Firms
Background Checks for IT Tech Companies
Background screening software and tech

Read More

Why the increase in fraud highlights the need for deeper background checks

Adam Burgess
,
6
min read

What Shows Up On A Background Check, And How They Help Make Informed Hiring Decisions

Lorraine Bunag
,
6
min read

New Background Check Laws in 2024: Update for Employers

Lorraine Bunag
,
7
min read

What criminal record checks can UK employers legally request?

Veremark
,
min read

Basic, Standard, or Enhanced DBS: What’s the difference — and when can you request them?

Veremark
,
min read

What does ‘spent’ mean on a criminal record? Here’s what employers need to know

Veremark
,
min read

Popular Packages

Get started
*Local currency price is indicative. Please note all prices within the Veremark platform are listed in US $.

FAQs

No items found.

FAQs

What background check do I need?

This depends on the industry and type of role you are recruiting for. To determine whether you need reference checks, identity checks, bankruptcy checks, civil background checks, credit checks for employment or any of the other background checks we offer, chat to our team of dedicated account managers.

Why should employers check the background of potential employees?

Many industries have compliance-related employment check requirements. And even if your industry doesn’t, remember that your staff have access to assets and data that must be protected. When you employ a new staff member you need to be certain that they have the best interests of your business at heart. Carrying out comprehensive background checking helps mitigate risk and ensures a safer hiring decision.

How long do background checks take?

Again, this depends on the type of checks you need. Simple identity checks can be carried out in as little as a few hours but a worldwide criminal background check for instance might take several weeks. A simple pre-employment check package takes around a week. Our account managers are specialists and can provide detailed information into which checks you need and how long they will take.

Can you do a background check online?

All Veremark checks are carried out online and digitally. This eliminates the need to collect, store and manage paper documents and information making the process faster, more efficient and ensures complete safety of candidate data and documents.

What are the benefits of a background check?

In a competitive marketplace, making the right hiring decisions is key to the success of your company. Employment background checks enables you to understand more about your candidates before making crucial decisions which can have either beneficial or catastrophic effects on your business.

What does a background check show?

Background checks not only provide useful insights into a candidate’s work history, skills and education, but they can also offer richer detail into someone’s personality and character traits. This gives you a huge advantage when considering who to hire. Background checking also ensures that candidates are legally allowed to carry out certain roles, failed criminal and credit checks could prevent them from working with vulnerable people or in a financial function.

Transform your hiring process

Request a discovery session with one of our background screening experts today.

Speak to an expert

A practical guide to UK criminal record checks for employers

Criminal record checks: What most UK employers get wrong

Think your process is compliant? It might not be.

In the UK, requesting the wrong criminal check — or misusing the results — can expose your company to legal risk, delay hiring, or lead to unfair rejections. Yet even well-meaning teams get critical parts of the process wrong.

This resource offers practical clarity:

  • What you can and cannot legally request
  • How to handle and store results under UK GDPR
  • What actually shows up on a certificate — and what to do with it
  • When PVG applies (and how it differs from DBS)
  • The mistakes that cost time, trust, and compliance

Built for HR, compliance, and hiring teams that want to get this right — every time.

To go deeper on any of these points, we’ve also written a series of short explainers to help you make sense of the UK criminal check process from start to finish:

Get your own copy!