UCAS is removing the first question in its application form about unspent criminal convictions.
Up until now, applicants using UCAS Apply have been asked to declare whether they have any relevant unspent criminal convictions (with “relevant” defined as prescribed unspent convictions). In addition, applicants to certain professional courses exempt from the Rehabilitation of Offenders Act 1974 have been asked to disclose any criminal convictions, including non-filtered spent convictions. UCAS will be removing the first of these questions as part of the application process for the 2019 entry cycle, with the second question remaining available for certain professional programmes. This change will affect courses starting from September 2019.
UCAS has explained that the removal of the first question is due, in part, to changes in data protection law.
This article considers how the General Data Protection Regulation (GDPR) has changed the landscape and climate for criminal convictions disclosure for non-professional courses.
Sector practice to-date
It has been common practice in the sector to-date for providers to request information about criminal convictions from applicants to non-professional courses, relying on the first of the above UCAS questions and following up with requests for further information where an individual has ticked the box in response to the question. Some providers have gone further and placed an obligation on registered students to disclose relevant convictions on an on-going basis.
Criminal convictions disclosure questions have always been intrusive and raised multiple legal issues for providers to balance. These include those in the areas of:
- natural justice,
- contract and consumer law,
- rehabilitation of offenders and human rights legislation,
- equality and discrimination,
- duty of care,
- and issues under data protection law.
In broad terms, the common rationale for requesting such information has been to assist providers to discharge their duty of care to students and staff by using this information to identify, assess and mitigate risks in the context of serious criminal offending and thereby seek to maintain a safe environment, with risk assessments being undertaken fairly and transparently under published processes.
In addition, and in terms of fair admissions, it has also been common practice that disclosure by an applicant of a criminal conviction would not automatically mean that their application would not be considered by the provider.
So what’s changed post-GDPR?
In one sense, nothing. The wording in the GDPR relating to criminal convictions or offences mirrors that contained in the Data Protection Directive. However, in the Data Protection Act 1998, the UK legislature took a wide interpretation of what was permissible, as did the regulator (the Information Commissioner’s Office) and the sector. In particular, consent (often taken to be implied by a response to a voluntary question) was sometimes relied upon as a basis for processing this data. The definition of consent under GDPR now makes this much more difficult.
Article 10 GDPR prohibits the processing of personal data relating to criminal convictions and offences unless that processing is authorised by member state law providing for appropriate safeguards for the rights and freedoms of data subjects. In turn, UK member state law – the Data Protection Act 2018 (DPA) – permits such processing only if it meets a condition in Part 1, 2 or 3 of Schedule 1 DPA.
Providers should remember that, in addition to compliance with Schedule 1 DPA, the processing must also meet one of the conditions of Article 6 GDPR in order to be lawful.
How is criminal convictions and offences data defined?
Section 11 DPA defines criminal convictions and offences data as including personal data relating to:
- the alleged commission of offences by an individual,
- proceedings for an offence committed, or alleged to have been committed, by an individual, or
- the disposal of such proceedings including sentencing.
What’s the starting point for providers now?
The starting point for providers now is: why they are requesting information from applicants and students about criminal convictions. Put another way: what is the purpose for which the provider is collecting and assessing such information?
Providers may wish to consider these questions not only in respect of admission to courses but also in respect of the provision of accommodation. These different contexts are likely to raise similar, but not identical, considerations. Providers should tailor their assessments to the relevant context.
Providers should ensure they have a working knowledge of the conditions set out in Parts 1 – 3 of Schedule 1 DPA in order to determine whether the purpose for which they are intending to collect and assess such information falls under a condition. These conditions are specific, prescriptive and exhaustive. Their relevance to what it is that providers are seeking to achieve by requesting criminal convictions disclosure will need careful consideration.
Disclosure of criminal convictions data is very privacy intrusive. Given the increased scrutiny which providers are now likely to face post-GDPR, they should ensure they are able to demonstrate, if challenged, that any requirement for applicants or students to provide such information, and for the provider to process it, is necessary and proportionate. There is unlikely to be a sector-wide one-size-fits-all justification and providers will need to consider their own unique circumstances, taking legal advice where appropriate.
Guidance from the Information Commissioner’s Office (ICO) states that organisations should determine their condition for lawful processing of offence data before they begin the processing and that this is documented. Indeed, providers are required to disclose the lawful basis for processing in their fair processing notices to be provided to applicants and students. Most conditions require that processing is ‘necessary’; If a provider can reasonably achieve the same objective without the processing, it won’t have a lawful basis.
A provider may wish to consider carrying out a more formal data protection impact assessment on its processing. Depending on the scale, this may even be a mandatory requirement under Article 35 GDPR.
It’s important not to work backwards, by finding a condition for processing which might work and retrofitting the process. In order truly to comply with the GDPR, a provider must consider what its actual objective is and what harm it is seeking to avoid. It must also determine whether asking for this information can actually assist in that endeavour, or if it could achieve the same end by different means.
Similar constraints will arise in respect of professional courses and providers should undertake a similar approach to that recommended above for those courses too. It should be easier, however, for a provider to point to the application of a condition in Schedule 1 for professional courses.
Can an individual give their consent to a provider processing their criminal convictions data?
Consent by an individual to processing is included in the list of conditions potentially available in Schedule 1, but providers should exercise caution if looking to rely on this condition. This is because arguments could be raised, depending on the circumstances, that an individual was unable to give their consent freely to the processing. This might be, for example, because consideration of their application and any potential offer of a place on a course was conditional on them providing that consent. For consent to be valid, there must also be a valid opportunity for the individual to withhold their consent, so any questions would need to be voluntary, with no consequences (perceived or real) for failing to answer. The form of consent will also be important – for example, it should not be buried in other terms.
What are the penalties for providers for getting it wrong?
In addition to potential complaints or appeals by an applicant or student under internal processes, a provider which strays outside the above privacy framework faces the risk of an individual bringing a civil claim in the courts, as well as potential regulatory action by the ICO. The GDPR provides that individuals may bring claims for material or non-material damage where there has been a breach, and the ICO’s power to impose monetary penalties has substantially increased, up to a maximum of 4% of worldwide annual turnover or €20 million.
Perhaps equally as troubling is the risk of reputational damage. Providers may rightly be concerned that failing to ask questions about applicants’ backgrounds could open them up to criticism if it transpires that there had been an issue that could have been addressed. However, collecting sensitive data about applicants (and registered students) is a multi-faceted issue. Providers should think about how asking for criminal convictions data sits with their equality and diversity obligations and widening participation agendas. This includes considering how a publicised decision that they had asked for more information than was required might play to wider audiences that are concerned with the socio-economic diversity of tertiary education and societal rehabilitation of offenders.
An holistic approach
Providers should take an holistic approach to GDPR and DPA compliance. This includes ensuring, for example, they have in place appropriate security measures to protect the processing of such information. It also requires that the information is kept for no longer than is necessary for the purpose for which it is being processed.
Privacy law considerations are not the only legal aspects to which providers should have regard when managing the area of criminal convictions disclosure fairly and lawfully. Providers should ensure they understand all their legal obligations in this area and know how to balance those obligations. They must also ensure that staff across different functions are aware of the implications of these obligations for their day-to-day roles. This includes not only in respect of course admission and accommodation provision, but also in relation to:
- drafting and implementing student terms and conditions
- undertaking disciplinary and fitness to practise investigations and hearings
- the provision of pastoral support
- and dealing with allegations of sexual harassment and assault.
This information is for guidance purposes only and is not a substitute for taking legal advice. Eversheds Sutherland (International) LLP can take no responsibility for actions taken based on the information it contains.
© Eversheds Sutherland 2018. All rights reserved.