Personnel Today
Topics: General Data Protection Regulation, Financial services, Criminal records, Latest News

How to navigate managers regime, GDPR and criminal records checks

by David Palmer and David Lorimer 10 May 2019

The criminal records checks required by the Senior Managers and Certification Regime carry major data privacy implications, an issue that will affect about 50,000 firms in the financial services sector from 9 December 2019 onwards. David Palmer and David Lorimer examine how compliance and HR teams can help businesses meet their obligations under both the GDPR and the SMCR.

One of the largest compliance issues on the horizon for compliance and HR teams is the extension of the Senior Managers and Certification Regime (SMCR) to all financial services firms authorised by the Financial Conduct Authority (FCA) in December 2019. There is considerable tension between one important aspect of the SMCR, criminal records checks, and the requirements of the GDPR, but there are practical steps that firms can take to safely navigate their obligations under both regimes.

What is the SMCR?

The SMCR currently applies to all UK-incorporated banks, building societies, credit unions and Prudential Regulation Authority-regulated investment banks and insurers. On 9 December 2019, the SMCR will be expanded to cover firms that are currently regulated (solely) by the FCA. This will include about 50,000 asset managers, brokers and consumer credit firms. The SMCR is designed to ensure that individuals in the financial services sector take greater responsibility for their actions and to make it easier to hold them to account.

The GDPR has applied since 25 May 2018 and was designed to protect the personal data of individuals. It imposes a considerable administrative burden on in-house compliance and HR teams, especially where the requirements of the GDPR conflict with a firm's other legal obligations. Striking the right balance can be difficult.

Non-compliance with the GDPR can result in fines of up to €20m or 4% of annual global turnover, whichever is higher. Enforcement action would also, inevitably, cause significant reputational damage.

Criminal records checks

Under the SMCR, firms have to satisfy themselves that individuals applying for, or holding, senior manager or certified person roles are fit and proper to carry out their roles both at the point of recruitment and annually thereafter. Part of a firm’s assessment of fitness and propriety includes considering an individual’s honesty, integrity and reputation. In doing so, firms must have regard to whether the person has been convicted of a criminal offence.

The GDPR and the UK's Data Protection Act 2018 (DPA) recognise that criminal records data has a special significance. Although criminal records data is not "special category" or "sensitive" personal data under those statutes, greater care needs to be taken when collecting, storing and using such data to make hiring and other employment decisions. Firms will need a "legal basis" under the GDPR and a valid "condition" under the DPA for the use of criminal records information. Although the concepts of "legal basis" and "condition" overlap, the legal obligations relating to them are separate.

Set out below are the GDPR considerations related to criminal records checks for senior managers and certified persons.

1. Senior managers

Under the SMCR, the FCA requires firms to carry out criminal records checks, covering spent and unspent convictions, on individuals who are to perform senior management functions. This gives firms a legal basis for carrying out the relevant criminal background checks, namely that doing so is necessary to comply with a legal obligation on them, together with a linked condition under the DPA.

2. Certified persons

The FCA does not require a criminal records check to be carried out for individuals carrying out certification functions, although the FCA has stated that firms may still choose to do so. In our experience, many firms that are currently subject to the SMCR require candidates for certified function roles to provide a basic disclosure check. This will disclose details of unspent convictions.

Because this kind of checking is not connected to a legal or regulatory obligation, most firms in practice rely on one of the following legal bases:

  • that the checking is in the firm’s legitimate interests. Note that reliance on this basis triggers a requirement to balance those interests against the individual’s privacy rights – and to evidence that balancing; or
  • that it is done with the individual’s consent. However, data protection authorities have cast significant doubt on whether employees and candidates can validly consent.

Firms are prohibited from requiring those applying for or holding certification functions to provide details of spent convictions. Specialist legal advice should be sought on managing the legal risks if an individual's unspent convictions come to light at any point.

Forward planning

To demonstrate compliance with the GDPR, we recommend that firms take three steps with regard to criminal records checks.

First, firms should carry out a data protection impact assessment. This will act as a record of how the firm built its framework for handling criminal records data. The impact assessment should include details of:

  1. The “legal basis” and “condition” the firm will use to process criminal records data.
  2. The level of criminal record check to be carried out (for example, a standard disclosure check for senior managers and a basic disclosure check for certified function roles).
  3. The length of time criminal records information should be retained (generally speaking no longer than is necessary).
  4. How criminal records information will be secured so that only staff who have a “need to know” can access it.

Although it sounds like (and can be) a resource-consuming exercise, the impact assessment is a mandatory requirement in many instances, and it is always helpful in demonstrating a firm's efforts to comply with the GDPR as part of its accountability records, especially if the Information Commissioner's Office ever comes calling.


The second step, which is required under the DPA, is for firms to develop and roll out an appropriate policy on the collection and use of criminal records. The policy must cover issues such as the employer's approach to securing the information, how it will comply with data subject rights (for example, access requests) and guidance on the retention and deletion of data.


The final key step is for firms to amend their "records of processing", insofar as they relate to the collection and use of criminal records, to record the condition and basis relied on and to capture the firm's approach to the retention of these kinds of records.

Successfully navigate your obligations

A firm's failure to comply with the GDPR's requirements can have a very large negative impact on its fortunes. That said, it is worth remembering that the largest fines under the GDPR are expected to be applied only in the most egregious cases. As set out above, with some forward planning a firm can meet its obligations under the SMCR with regard to criminal records checks while also satisfying its obligations under the GDPR.

David Palmer and David Lorimer

David Palmer and David Lorimer are solicitors at Fieldfisher, specialising in employment law

© 2011 - 2025 DVV Media International Ltd