At the end of January, the High Court ruled that aspects of the current criminal record checks are unlawful. They produce ‘arbitrary’ results which can mean that in certain circumstances, some crimes normally considered as ‘petty’ are disclosable for life, regardless of the passage of time and the nature of the crime.

In February David Cameron, speaking at a Policy Exchange think-tank in Westminster, announced proposals to shake up the justice system, allowing certain prisoners to be released during the day to go to work, and ex-offenders may not have to disclose their criminal records until much later in the recruitment process.

The case and the proposals bring into the spotlight the application of the law around how employers enquire into candidates’ backgrounds before and during employment. It can be a sensitive subject for employees. If not approached carefully, the consequences of obtaining information incorrectly can be serious.

Employers are experiencing more and more requests from their customers to ensure they have carried out certain types of background checks on their workforce. Indeed, in some industries, criminal record checks are becoming market practice, meaning that having a workforce which is criminal record checked may be a prerequisite to even entering a bidding or selection process.

Most employers know that they cannot carry out a criminal record check without the employee’s consent. This article explores what types of checks employers can make on their workforce, as well as how to obtain consent, and the potential risks of getting it wrong.

What kind of checks can employers make?

Depending on the role in question, employers may undertake the following checks when recruiting:

  • identity
  • immigration status
  • employment history
  • education history
  • criminal records
  • credit checks
  • social media checks
  • medical or health checks

All UK employers must verify the identity and immigration status of all employees, (including overseas nationals) and are required to keep copies of relevant visas and work permits. There are criminal and civil sanctions for a failure to do so. Education and employment history are enquired into routinely, without significant controversy. However, employers are not entitled to ask for any other aspect of this information as of right, and each of the other checks should only be requested if it is strictly relevant to the role and/or it can be justified by an identifiable risk to the company and/or its customers.

This article focuses on carrying out criminal record checks, but there are various issues to consider if undertaking the other checks mentioned above. In particular, employers should be very careful about potential discrimination if asking for medical checks or checking social media.

Criminal Record Checks

In the UK there are three tiers of criminal record requests carried out through the Disclosure and Barring Service (‘DBS’): a criminal conviction certificate (‘CCC’) (previously known as a basic disclosure), a criminal record certificate (‘CRC’) (previously known as a standard disclosure), and an enhanced criminal record certificate (‘ECRC’) (previously known as an enhanced disclosure).

Key legal risks for employers

If there is a reason to ask employees to consent to criminal record checks, this must be handled with sensitivity. Employers will not be able to force employees to agree to criminal record checks, as this could be considered one of the following:

  • enforced subject access requests
  • breaches of data protection legislation
  • constructive and unfair dismissals

CCC’s are the most routinely carried out, and will only disclose convictions which are not ‘spent’. Spent convictions in England and Wales are those which should be effectively ignored after a specified amount of time depending on the offence and sentence imposed. There are only very limited circumstances under which employers may request a CRC or an ECRC (which include details of spent convictions), and these are situations such as where the employee will be in a care role, or working with children/vulnerable adults, or in a regulated profession such as law.

Enforced subject access requests

Previously it was possible for employers to obtain relevant criminal records through use of an individual’s right of access to personal data under the Data Protection Act 1998, normally referred to as a subject access request. This was essentially carrying out a criminal record check through the back door. So, in March 2015 it was made a criminal offence to require employees or a third party to supply such records in connection with recruitment, employment, or any contract for the provision of services.

Data Protection legislation

Any information about criminal charges or convictions will be sensitive personal data under the Data Protection Act 1998 (‘DPA’) which is subject to enhanced legal protection. This means an employer will generally need to gain the individual’s explicit consent before processing the data. Improper processing, accidental or deliberate revealing of criminal record information, and other data activities attract sanctions such as fines and even criminal charges under the DPA. Directors and officers of companies which have committed offences under the DPA may also be individually liable and subject to criminal prosecution in their personal capacity.

To avoid sanctions under the DPA, employers should comply generally with the core data protection principles (e.g. that data should be processed fairly and lawfully, that it should be kept secure, that it should not be kept any longer than necessary etc.). Additionally, guidance from the Information Commissioner’s Office (‘ICO’) suggests that to minimise risks of data protection breaches, employers should explain as early as is reasonably practicable in the recruitment process (i) the nature and (ii) the method of obtaining criminal records information.

Importantly, the ICO considers that employers should not vet workers simply because a client has asked it to do so, unless the employer can satisfy itself that the condition is justified. Therefore, whilst employers may be facing increasing pressure from their customers to carry out criminal record checks, and therefore requiring checks to be carried out is relevant in many business’ strategies to win business, this in itself it is not a defence to data protection challenges. Employers must ensure that they remain within the framework of the DPA, especially as the ICO is now empowered to issue fines of up to £500,000 where there are serious breaches.

Constructive and unfair dismissals

Employees who either have spent convictions, or those who do not consent to criminal record checks must be treated with care. Dismissing an employee on the basis that they have a spent conviction may constitute an automatic unfair dismissal, which will apply regardless of the employee’s length of service. Other types of unfair dismissal may apply, but employees will need at least two years’ service to bring these claims. Regardless of whether an employee has standing to bring such a claim, businesses should also consider the impact of dismissals on the wider workforce and the potential reputational damage.

Threatening an employee with dismissal unless they agree to a criminal record check is obviously not advisable, and could lead to the employee resigning and claiming constructive unfair dismissal. It may be possible to re-allocate employees who do not provide consent to criminal record checks to a role/position where they do not require these checks. However, employers will have to be very careful about which role employees are moved into and how this is managed, because if the reallocation is considered a ‘detriment’ caused by the employee’s lack of consent, this could be a breach of the duty of mutual trust and confidence and the employee may resign in response and claim constructive dismissal.

Employers could seek to defend any dismissal on the basis that the refusal to provide consent is a refusal to follow reasonable instruction, or that the reason for dismissal is redundancy or ‘some other substantial reason’. These are all potentially fair reasons for dismissal. However the tests employers will have to meet in practice to defend these claims will be difficult.

What should employers do?

In view of the recent spotlight on criminal record checks, it is a good idea for employers to update or design their background check policy, detailing clearly what type of checks will be carried out in the recruitment process, and on an ongoing basis.

If employers are experiencing criminal record check requests more frequently, and it is decided that there is an identifiable risk to the business or its customers which justifies a criminal record check, employers should obtain the employees’ consent. This would involve meeting with employees to answer any concerns they may have and obtain their co-operation.