There are major data privacy implications of criminal records checks made necessary by the Senior Managers and Certification Regime, an issue that will affect about 50,000 firms in the financial services sector from 9 December 2019 onwards. David Palmer and David Lorimer examine how compliance and HR teams can help meet businesses’ obligations under both the GDPR and SMCR.
One of the largest compliance issues on the horizon for compliance and HR teams is the extension of the Senior Managers and Certification Regime (SMCR) to all financial services firms authorised by the Financial Conduct Authority (FCA) in December 2019. There is a lot of tension between one important aspect of the SMCR – criminal records checks – and the requirements of the GDPR but there are practical steps that firms can take to safely navigate their obligations under both regimes.
What is the SMCR?
The SMCR currently applies to all UK-incorporated banks, building societies, credit unions and Prudential Regulation Authority-regulated investment banks and insurers. On 9 December 2019, the SMCR will be expanded to cover firms that are currently regulated (solely) by the FCA. This will include about 50,000 asset managers, brokers and consumer credit firms. The SMCR is designed to ensure that individuals in the financial services sector take greater responsibility for their actions and to make it easier to hold them to account.
The GDPR came into force on 25 May 2018 and was designed to protect the personal data of individuals. It imposes a considerable administrative burden on in-house compliance and HR teams. This is especially so when there is a conflict between the requirements of the GDPR and a firm’s other legal obligations. It can be difficult to get the right balance.
Non-compliance with the GDPR can result in fines of up to €20m or 4% of annual global turnover, whichever is higher. Enforcement action would also inevitably cause significant reputational damage.
Criminal records checks
Under the SMCR, firms have to satisfy themselves that individuals applying for, or holding, senior manager or certified person roles are fit and proper to carry out their roles both at the point of recruitment and annually thereafter. Part of a firm’s assessment of fitness and propriety includes considering an individual’s honesty, integrity and reputation. In doing so, firms must have regard to whether the person has been convicted of a criminal offence.
The GDPR, and the UK’s Data Protection Act 2018 (DPA), recognise that criminal records data has a special significance. While criminal records data is not “special category” or “sensitive” personal data under those statutes, greater care needs to be taken when collecting, storing and using such data to make hiring and other employment decisions. Firms will need a “legal basis” under the GDPR and a valid “condition” under the DPA for the use of criminal records information. Although the concepts of “legal basis” and “condition” overlap, the legal obligations relating to them are separate.
Set out below are the GDPR considerations related to criminal records checks for senior managers and certified persons.
1. Senior managers
Under the SMCR, the FCA requires firms to carry out criminal record checks for spent and unspent convictions of individuals who are to perform senior management functions. This provides firms with a legal basis for the carrying out of relevant criminal background checks, namely that doing so is necessary to comply with a legal obligation on them, and a linked condition under the DPA.
2. Certified persons
The FCA does not require a criminal records check to be carried out for individuals carrying out certification functions, although the FCA has stated that firms may still choose to do so. In our experience, many firms that are currently subject to the SMCR require candidates for certified function roles to provide a basic disclosure check. This will disclose details of unspent convictions.
Because this kind of checking isn’t connected to a legal or regulatory obligation, most firms in practice rely on one of the following legal bases:
- that the checking is in the firm’s legitimate interests. Note that reliance on this basis triggers a requirement to balance those interests against the individual’s privacy rights – and to evidence that balancing; or
- that it is done with the individual’s consent. However, data protection authorities have cast significant doubt on whether employees and candidates can validly consent.
Firms are prohibited from requiring those applying for or holding certification functions to provide details of spent convictions. Specialist legal advice should be sought with regard to managing the legal risks if an individual’s unspent convictions come to light at any point.
To demonstrate compliance with the GDPR, we recommend that firms take three steps with regard to criminal records checks.
First, firms should carry out a data protection impact assessment. This will act as a record of how the firm created a framework for handling criminal records data. The impact assessment should include details of:
- The “legal basis” and “condition” the firm will use to process criminal records data.
- The level of criminal record check to be carried out (for example, a standard disclosure check for senior managers and a basic disclosure check for certified function roles).
- The length of time criminal records information should be retained (generally speaking no longer than is necessary).
- How criminal records information will be secured so that only staff who have a “need to know” can access it.
Although it sounds like (and can be) a resource-consuming exercise, the impact assessment is a mandatory requirement in many instances, and is always helpful in demonstrating a firm’s efforts to comply with the GDPR as part of its accountability records, especially if the Information Commissioner’s Office ever comes calling.
The second step, which is required under the DPA, is for firms to develop and roll out an appropriate policy relating to the collection and use of criminal records. The policy must cover issues such as the employer’s approach to securing the information, how it will comply with data subject rights (for example, access requests) and guidance on the retention and deletion of data.
The final key step is for firms to amend their “records of processing”, insofar as they relate to the collection and use of criminal records, to record the condition and legal basis relied on and to capture the firm’s approach to the retention of these kinds of records.
Successfully navigate your obligations
A firm’s failure to comply with the GDPR’s red tape can have a very large negative impact on its fortunes. Of course, it is worth remembering that huge fines under the GDPR are expected to be applied only in the most egregious cases. As set out above, with a little forward planning, a firm can navigate its obligations under the SMCR with regard to criminal records checks and also satisfy its obligations under the GDPR.