Charities are of course concerned to ensure that their trustees, employees and volunteers (collectively referred to in this article as "staff") are suitable for their roles and that prospective staff are vetted appropriately. One part of this process that sometimes causes confusion is criminal records checks and the extent to which they can and should be carried out. There is often a tendency to try and 'err on the side of caution' and carry out as extensive checks as possible. However, there are legal restrictions on access to criminal records information and GDPR and the Data Protection Act 2018 have created additional requirements in relation to processing this type of data. Separately, a criminal conviction does not automatically mean someone is unsuitable for a role and, particularly for some charities, those with experience of the criminal justice system can bring valuable knowledge to the organisation. Conversely, the law prohibits certain individuals from working with vulnerable adults and/or children and some types of charity will be required to carry out criminal records checks to avoid falling foul of safeguarding legislation. It is a complex area.
When can charities access criminal records information?
The law seeks to strike a balance between an individual's right to a 'clean slate' and ensuring that organisations can access criminal records information where the nature of the role demands it. There is a distinction between 'spent' and 'unspent' convictions: most convictions become 'spent' after a certain amount of time has passed (although convictions for the most serious offences never do) and once a conviction is spent then the individual can only be required to disclose it in certain circumstances, including where they work in certain 'eligible' roles. 'Unspent' convictions are not protected in the same way and individuals can in principle be asked about them in relation to any role.
Organisations may access criminal records information by asking individuals to voluntarily disclose this, or alternatively might decide to seek a criminal records check (where permitted). Checks are administered by the Disclosure and Barring Service (DBS). An organisation's ability to access the checks depends on the nature of the role for which the check is being sought.
Types of criminal records check
There are four types of criminal records checks: basic, standard, enhanced and enhanced with barred lists.
- Basic checks reveal only unspent convictions and cautions, so may not reveal older and/or less serious offences. They can generally be applied for in relation to any role and indeed historically many organisations required basic checks for all roles, but data protection considerations mean that such blanket policies are now rarely advisable. However, organisations could consider basic checks where the role is not eligible for a higher level check but involves sensitive matters, e.g. direct access to charity funds.
- Standard checks reveal spent and unspent convictions, cautions, reprimands and warnings. They are only available for specific roles set out in the relevant legislation, broadly involving positions of trust or authority, such as lawyers, accountants, vets and those working in the justice system.
- Enhanced checks reveal the same information as standard checks, plus additional information deemed 'relevant' by police authorities. They are only available for specific roles set out in the relevant legislation, including certain types of work with children or vulnerable adults. In charities, where employees/volunteers are working with vulnerable groups and eligible for enhanced checks, the trustees are also eligible. The Charity Commission recommends that where trustees are eligible, these checks are carried out.
- Enhanced with barred list checks reveal the same information as enhanced checks, plus whether an individual has been barred from working with children or vulnerable adults. They are only available for specific roles set out in the relevant legislation, including specific types of work with children or vulnerable adults.
It is unlawful for someone to apply for a higher level check if they know the role in question is not eligible, so you should be satisfied the role qualifies before seeking such a check.
Conversely, simply because a role is eligible for a check, does not generally mean there is a legal requirement to carry one out, although there may be good reasons for doing so. A key exception is where a role involves certain types of 'regulated activity' with children or vulnerable adults, in which case an enhanced with barred lists check is required, because it is a criminal offence to knowingly allow a barred individual to carry out prohibited activities. If you are unsure, we recommend seeking legal advice.
Where a charity decides to seek criminal records information, either by asking individuals to self-disclose or seeking a criminal records check, it may obtain and therefore process criminal records data. GDPR and the Data Protection Act 2018 (DPA 2018) created some new rules in respect of this type of information. Broadly, the law requires the organisation to have both a lawful basis for processing the data under GDPR and an additional condition for processing the data under the DPA 2018.
In relation to GDPR, the most relevant basis will often be legitimate interests, although where an enhanced with barred lists check is required it may be possible to rely on legal obligation. If legitimate interests is used, the charity should carry out a legitimate interests assessment prior to carrying out the processing. The ICO website has further guidance.
In relation to the DPA 2018, there are a number of potentially applicable conditions for processing, including legal rights/obligations in relation to employment, preventing unlawful acts and safeguarding. There is also a condition that may apply to non-profit organisations where the processing relates to specific groups. The DPA 2018 generally requires that organisations have a compliant policy in place before the processing can be justified.
Sometimes organisations assume they can rely on obtaining an individual's consent to the processing to satisfy data protection law. However, consent must be freely given, which means that if an individual would be denied employment/volunteering or subject to other adverse consequences if they refused the check (which will often be the case), consent is not an appropriate basis to use.
The new requirements mean that having a policy of criminal records checks for all staff may not be compliant with data protection legislation. Therefore, if your charity has such a policy in place then it may be sensible to revisit this.
Policies, procedures and other information
It is important to be clear internally on your charity's policy regarding criminal records checks. For example, when will you carry out checks, why are you carrying them out, how will you deal with data protection and what will you do if a criminal record is revealed?
In some situations it may be possible to refuse to engage or dismiss an individual because of a criminal record, but this is not always the case and if such a situation arises we recommend taking legal advice.
If you are considering carrying out criminal records checks, you will also need to make sure you provide the appropriate information in relation to this. Key things to consider include:
- having in place a policy on ex-offender recruitment, including information on when criminal records checks are required and how the charity approaches any information revealed regarding criminal convictions
- where a criminal records check is required for a role, it is important to inform prospective candidates as part of the application process. Checks should usually only be carried out once the candidate has been selected, to avoid obtaining criminal records information for too many individuals (as this is unlikely to be justified under data protection law). You can always make an offer of appointment subject to satisfactory results from the checks
- privacy policies relating to candidates and staff should inform them if criminal records data will be processed and the basis on which this is done
- you will generally need to have in place a policy to comply with the DPA 2018, including how the charity will comply with GDPR and information on retention and erasure of data
- data should not be retained for any longer than necessary and should be securely destroyed when no longer required. Depending on the circumstances, it may be better to simply record whether the check was satisfactory or unsatisfactory
The bigger picture
Criminal records checks are only one tool for ensuring that prospective and existing staff are suitable for their roles and should form part of a broader matrix regarding recruitment and monitoring. Interviews and references are obviously important, as well as appraisals and procedures for monitoring performance. For charity trustees (and senior managers) there are a number of other checks to consider, details of which can be found in the Charity Commission's guidance CC30: Finding New Trustees.