Ban the Box is an international campaign set up by civil rights groups and advocates for ex-offenders. It is aimed at persuading employers to remove the question that asks if applicants have a criminal record from their job application forms. This is supposed to enable ex-offenders to display their qualifications and skills before being asked about their criminal records. The campaign believes that the harder it is for ex-offenders to find a job, the more likely they are to reoffend.
The campaign has garnered support worldwide and has been mandated in some US states and cities. However, it is not without its critics. Ban the Box can put companies in a difficult position where they may be seen as discriminatory for not hiring an individual with criminal convictions once the application process is complete. In addition, there are practical implications, especially for smaller organisations, who may interview candidates they cannot hire, wasting both time and money. This delay in the recruitment process may also result in suitable applicants losing interest or finding another job in the meantime.
Campaign aside, there are also data protection implications for requesting information on criminal convictions. Pre-GDPR, it became common practice for many UK businesses to carry out criminal convictions checks on their prospective employees as a matter of course. Businesses now need to carefully consider whether they can justify processing criminal convictions data under the GDPR where there is no actual legal requirement for them to do so.
Where an employer wishes to process personal data relating to criminal convictions or offences, they must have a lawful ground for doing so. This is most likely to be where the employee has consented to the processing, where the processing is necessary to comply with a legal obligation or where the processing is necessary for the employer’s legitimate interests. However, the story does not end there.
Once a lawful ground for processing has been identified, unless an employer has official authority to process this data, they must also be permitted to do so under the Data Protection Act 2018. This stipulates that a further condition must be met before an organisation can process criminal conviction data. The most relevant condition in an employment context is likely to be that processing is necessary in connection with performing obligations or rights in connection with employment or the individual has given their consent. The requirement in relation to employment will not automatically be met in all employment relationships; it is likely to only apply if there is a legal requirement to vet employees for the role. Additionally, consent in an employee/employer context may not be considered freely given if the employee will be refused the position unless they agree to the processing of criminal conviction data.
What to do next?
The ICO advises that criminal record checks should only be obtained once the successful candidates have been chosen. Employers should therefore be asking themselves whether checks are necessary for the role and at what stage in their recruitment process they will ask for the information to be disclosed. If they decide that criminal record checks are justified, this should be clearly stated to applicants and set out in their data protection policy.
We are regularly advising clients on this issue, including helping clients navigate the relevant conditions in the DPA. If you would like to discuss this (or any issue relating to the GDPR and the DPA further), please contact one of your dedicated employment solicitor.