In a previous article , we considered the organisations that need to obtain vetting disclosures and provided six top tips for organisations on managing the vetting process. We now take a closer look at the data protection considerations relating to the processing of vetting information and consider whether, and in what circumstances, vetting disclosures may be shared with other organisations.
What application does the GDPR have to vetting?
All organisations established in the EU processing personal data must comply with the General Data Protection Regulation (“GDPR”). The requirements of the GDPR are extensive and include the fair processing of, and the requirement to identify a lawful basis for, processing personal data. If a vetting disclosure also contains personal data “relating to criminal convictions and offences”, controllers must identify an additional ground to process that data under Article 10 of the GDPR and section 55 of the Data Protection Act 2018. Other considerations include that personal data must be collected for specified, explicit and legitimate purposes and retained in a form that permits identification of data subjects for no longer than is necessary. Organisations must comply with all GDPR requirements to ensure the lawful processing of vetting disclosures.
How long can we retain a vetting disclosure?
The vetting legislation does not specify the length of time for which a vetting disclosure can, or must, be retained. Organisations must be satisfied that they have a legal basis to retain vetting disclosures and data subjects should be informed of the retention period to ensure the lawful, fair and transparent processing of their data. In this regard, certain organisations are under a statutory obligation to obtain vetting disclosures and a failure to comply with this requirement is an offence. Therefore, organisations required to obtain such disclosures will wish to retain proof of having obtained the disclosures, given that they could be prosecuted for failing to do so.
Any disclosures will need to be retained in a safe and secure manner.
Can we share a copy of a vetting disclosure?
Organisations must carefully consider any request for the disclosure of a person’s vetting disclosure. Leaving aside data protection considerations, vetting legislation provides that the information contained in a vetting disclosure provided to an organisation must not be (a) used by or (b) disclosed by that organisation “otherwise than in accordance with the Act or as otherwise authorised by law”. A breach of this provision is a criminal offence and the penalties, for a conviction on indictment, include fines of up to €10,000 and/or imprisonment for up to five years. Further, where an offence is committed by a company with the consent, connivance, or wilful neglect of a director/manager, that person may be prosecuted. Therefore, organisations should exercise great caution when considering any request for a copy of a vetting disclosure.
What is a section 12(3A) agreement?
Section 12(3A) of the Act provides that where two or more organisations jointly agree in writing to the employment, contracting, permitting or placement of a person to undertake “relevant work or activities”, it will be a defence in any proceedings brought against an organisation for failing to obtain a vetting disclosure to show that another organisation, party to the agreement, received a disclosure. Whether organisations can rely on this provision will depend on whether a joint written agreement for the employment/contracting etc of the person exists. Further, organisations should note that the provision does not entitle the organisation relying on the provision to obtain or review a copy of the disclosure received by the other organisation. Therefore, it must rely upon the judgment of the other organisation in this regard as to the suitability of the candidate for the role and the relevance of any criminal convictions to that role. For example, one organisation might consider that convictions for driving-related offences would automatically exclude a person from consideration for particular roles, whereas another organisation (perhaps where driving is not part of the role) would not consider these convictions to be relevant. Where an organisation is under a statutory duty to obtain a vetting disclosure, it should balance any identified risks in relying on this provision against a decision to obtain its own vetting disclosure.
Many organisations are facing challenges in complying with vetting obligations in an efficient manner, while also protecting an individual’s privacy and data protection rights. Since a breach of the statutory requirement to obtain vetting disclosures is an offence, organisations should give careful consideration to how they will manage the vetting process. It may be helpful to draft a vetting disclosures policy detailing how to request and manage vetting disclosures and how to store the disclosures, bearing in mind data protection legislation.