Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your business recruits staff, runs background checks, provides regulated services, or deals with security and safeguarding, you may come across information about someone’s criminal history.
That’s where the rules on criminal offence data come in. In the UK, this type of information is treated as particularly sensitive, and the way you collect, store, share and use it is tightly controlled under the UK GDPR and the Data Protection Act 2018 (DPA 2018).
The tricky part is that many small businesses handle this kind of data without realising it. It’s not just “DBS certificates” or “criminal record checks”. It can also be:
- a note in an email saying someone has a prior conviction
- a WhatsApp message about an allegation
- a staff incident report referring to suspected theft
- CCTV footage gathered to investigate misconduct
Let’s break down what counts as criminal offence data, when you’re allowed to process it, and what practical steps you can take to stay compliant (and avoid an expensive headache later).
What Counts As Criminal Offence Data (And Why It’s Different)
Under UK data protection law, criminal offence data includes personal data relating to:
- criminal convictions (including spent and unspent convictions, depending on what you’re allowed to ask for and why)
- criminal offences (including alleged offences)
- related security measures (for example, cautions, charges, or information about ongoing investigations)
In plain English: if the information suggests a person has committed an offence, been accused, investigated, cautioned, prosecuted or convicted, you’re likely handling criminal offence data.
Common “Small Business” Examples
Here are some examples we regularly see in small and growing businesses:
- Recruitment: requesting a DBS certificate for certain roles or asking candidates to disclose convictions (where lawful and relevant).
- Workplace investigations: a manager documents suspected fraud, theft, harassment, or an assault involving staff or customers.
- Client onboarding: screening customers (for example, in finance, security, care, or regulated industries).
- Security and surveillance: using CCTV and then reviewing footage for suspected criminal behaviour.
The key point is this: criminal offence data has a higher compliance bar. Even if you’re good at general GDPR compliance, you can still get caught out if you treat criminal offence data like ordinary HR records.
What The ICO Expects: The Legal Framework Under The DPA 2018
When people search for ICO criminal offence data, what they’re usually trying to understand is: “What does the regulator actually require?”
The starting point is:
- UK GDPR sets the general rules around processing personal data (lawfulness, fairness, transparency, data minimisation, security, retention, etc).
- Data Protection Act 2018 adds additional restrictions specifically for criminal offence data.
Under UK GDPR Article 10, you generally can’t process criminal offence data unless it is done under the control of official authority (for example, certain public bodies) or the processing is authorised by UK law and you have the required safeguards in place. For most businesses, this means you must be able to point to a DPA 2018 “authorisation” condition that fits what you’re doing.
In practice, you’ll usually need:
- a lawful basis under UK GDPR (such as legal obligation, legitimate interests, or performance of a contract), and
- an additional DPA 2018 condition that authorises the processing of criminal offence data, and
- appropriate safeguards (like limited access, documented retention periods, and strong security controls)
This is where many businesses slip up: they identify a UK GDPR lawful basis, but they don’t address the extra DPA 2018 “authorisation” conditions and safeguards for criminal offence data.
Do You Need Consent?
Not always, and often consent is not the best option in a business setting.
Consent must be freely given and easy to withdraw. In employment and recruitment contexts, consent can be problematic because there’s an imbalance of power (meaning the individual might not feel they can say no).
Instead, many businesses rely on other lawful bases (like legal obligation or legitimate interests) plus a suitable DPA 2018 condition.
If you’re collecting personal data more broadly from customers or website users, you should also make sure your Privacy Policy clearly explains what you collect, why you collect it, who you share it with, and how long you keep it.
When Can Your Business Lawfully Process Criminal Offence Data?
There isn’t one universal “permission slip” that covers all businesses.
Whether you can lawfully process criminal offence data depends on why you’re processing it, what role you have (employer, service provider, controller/processor), and what safeguards you put in place. In many cases, you’ll also need an Appropriate Policy Document under the DPA 2018 (particularly where you’re relying on certain Schedule 1 conditions).
Here are common situations where processing may be justified (but you should still get advice for your specific setup):
1) Recruitment And Employment Checks
If you’re hiring into roles where a criminal record check is genuinely relevant (for example, work with children/vulnerable adults, security roles, certain financial roles), you might need to process criminal offence data to make lawful hiring decisions.
Practical tips:
- Only request checks when they’re necessary and proportionate for the role.
- Don’t “over-collect” by asking every candidate for full criminal history as a default.
- Limit access internally (often HR + decision-maker only).
- Set a retention period (for example, don’t keep DBS certificate copies indefinitely “just in case”, and follow any relevant guidance on how long to keep them).
If you’re formalising your HR foundations, it also helps to ensure your employment documents clearly reflect how you handle staff information, including disciplinary and investigation processes. Your Employment Contract and handbook/policies typically play a role here.
2) Workplace Investigations And Incident Reports
Sometimes your business must investigate conduct that could involve criminal behaviour (theft, violence, harassment, fraud).
Even if a matter never goes to the police, internal records may still contain criminal offence data because they relate to alleged offences.
In these cases, you should focus on:
- purpose limitation: only use the data for the investigation/decision-making you’ve identified
- data minimisation: document what you need, not rumours or unrelated history
- confidentiality: keep the investigation circle tight and documented
If your investigation involves monitoring staff devices or accounts, it’s important to have a written Acceptable Use Policy so expectations and boundaries are clear from the start.
3) CCTV, Access Control And Security Measures
CCTV footage isn’t automatically criminal offence data. But it can become criminal offence data if you use it to identify or investigate suspected criminal conduct.
If you use CCTV at work or at your premises, you’ll want to think about:
- clear signage and transparency
- where cameras are located (avoid intrusive areas)
- who can access footage
- how long footage is kept
- what happens if footage is used in disciplinary action or shared with police
Where audio is involved, the risk level increases and your compliance steps need to be even tighter. This is a common stumbling point, so it’s worth reading up on CCTV with audio issues before you switch anything on.
And if you’re still working through whether surveillance is appropriate at all, the basics of workplace cameras can help you sense-check what’s reasonable and how to document it.
Compliance Checklist: How To Handle Criminal Offence Data Safely In Practice
Even if you have a lawful basis and a DPA 2018 condition, you still need to “do GDPR properly” day-to-day. The regulator’s expectations are practical: show that you’ve thought about the risks and built safeguards into your operations.
Here’s a sensible compliance checklist for small businesses handling criminal offence data, in line with ICO guidance.
1) Document Your Purpose (Be Specific)
Write down:
- why you’re collecting the criminal offence data
- who it relates to (candidate, employee, customer)
- how it will be used to make decisions
- who will have access
This helps you avoid scope creep (“we collected it for recruitment… now we’re sharing it with unrelated teams”).
2) Collect The Minimum You Need
Criminal offence data is not “nice to have”. It should only be processed where it’s genuinely necessary.
For example, if a role doesn’t legally require a DBS check and doesn’t involve heightened safeguarding risk, you should be very cautious about requesting criminal history disclosures “as standard”.
3) Tighten Access Controls
Limit access to people who truly need it. In a small business, that might be:
- the owner/director
- HR (if you have it)
- the relevant manager making the hiring or disciplinary decision
Use role-based permissions, and avoid storing sensitive records in shared drives where they can be accessed casually.
4) Set Retention Periods (And Actually Follow Them)
One of the fastest ways to create risk is to keep criminal offence data for too long.
Set clear retention rules, such as:
- DBS information is handled carefully (for example, avoid keeping certificate copies unless you have a clear, lawful reason, and securely dispose of it when it’s no longer needed)
- investigation records are retained for a defined period aligned to your HR and legal needs
- CCTV footage is automatically deleted after a set number of days unless required for an active investigation
Retention should be written into your privacy documentation and internal procedures.
5) Manage Third Parties Properly
If another business processes criminal offence data on your behalf (for example, a recruitment provider, HR platform, background screening service, or IT provider), you should have the correct contractual protections in place.
That often means a Data Processing Agreement setting out what the provider can do, how they secure the data, and what happens if there’s a breach.
6) Train Your Team (So They Don’t Accidentally Create Criminal Offence Data)
Sometimes the issue isn’t that you intended to collect criminal offence data. It’s that a staff member records unnecessary details in an email, CRM note, or Slack message.
A basic training prompt can go a long way, such as:
- “Only record what’s necessary, factual, and relevant to the business purpose.”
- “If you’re unsure whether information is sensitive, ask before saving or sharing it.”
Common Mistakes Small Businesses Make With Criminal Offence Data
Because the rules are technical, most issues aren’t caused by bad intent. They usually come from moving quickly and not realising a process has drifted into “high-risk data” territory.
Here are common pitfalls to watch out for:
Asking Blanket Questions In Recruitment
“Do you have any convictions?” can be an overreach depending on the role. Even if you think it’s helpful, you should be sure it’s lawful, relevant, and proportionate (and that you’re only asking what you’re allowed to ask for in that context).
Storing DBS Or Criminal History Data In The Wrong Place
Keeping a scanned DBS certificate in an open HR folder or emailing it around the business is a frequent compliance problem.
Using CCTV Footage Without Clear Rules
Having cameras is one thing. Using footage to investigate suspected wrongdoing (and potentially sharing it externally) can turn it into criminal offence data and increase your obligations.
Recording Calls Or Meetings Without Thinking About Data Protection
If you record conversations with staff, customers or suppliers, and the discussion includes allegations or admissions of criminal conduct, you may be processing criminal offence data.
Even where recording might be lawful in principle, you still need to think about transparency, purpose, and retention. If call recording is part of your operations, it’s worth understanding the risks around recording conversations in a business context.
Not Being Ready For A Subject Access Request (SAR)
If someone makes a subject access request, they may be entitled to access personal data you hold about them, including certain investigation records.
This can be uncomfortable if you’ve got messy notes, informal accusations, or unnecessary personal commentary stored across different systems. Having a clear process for subject access requests helps you respond lawfully and calmly.
Key Takeaways
- Criminal offence data (as the ICO describes it) is personal data about criminal convictions, offences, allegations, investigations, or related security measures, and it’s subject to stricter controls than “standard” personal data.
- Under UK GDPR (including Article 10) and the Data Protection Act 2018, businesses generally need a lawful basis and UK-law authorisation via a relevant DPA 2018 condition, along with strong safeguards (and, in many cases, an Appropriate Policy Document).
- Small businesses commonly process criminal offence data through recruitment checks, workplace investigations, incident reports, and CCTV/security processes (sometimes without realising it).
- To stay compliant, focus on practical steps: document your purpose, minimise what you collect, restrict access, set retention periods, and manage third-party processors properly.
- Common risk areas include over-collecting in recruitment, storing sensitive documents insecurely, unclear CCTV practices (especially with audio), and being unprepared for subject access requests.
If you’d like help tightening up your data protection compliance, reviewing your policies, or putting the right documents in place for handling criminal offence data, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat.