Application of Article 10 of the GDPR to the Financial Services’ Sector in the UK

July 27, 2017

of the GDPR, which will apply from 25 May 2018, sets out that ‘Processing
of personal data relating to criminal convictions and offences or related
security measures based on
Article 6(1) shall be carried
out only under the control of official authority or when the processing is
authorised by Union or Member State law providing for appropriate safeguards
for the rights and freedoms of data subjects. Any comprehensive register of
criminal convictions shall be kept only under the control of official

Article 10 effectively places a prohibition on the
processing of criminal convictions and offences by the private sector
(including financial services’ organisations) unless those organisations are
given official authority to process that data, or there is an amendment to UK
law. There is no definition of ‘criminal convictions’ or ‘criminal offences’
under the GDPR, therefore it is important to set out how criminal records are
processed in the UK as at the date of writing.

Processing of Criminal Records in the UK

The comprehensive register of criminal convictions is held
on the Police National Computer (PNC), which was originally introduced in
England and Wales in 1974 as a stolen vehicles database, in order to assist the
police service to identify vehicles that had been stolen or were of interest to
them. Over the years that have elapsed since its introduction the PNC has
evolved into a system which collects from and provides information to the wider
criminal justice system, not just the police. PNC now holds data relating to
any person who has been arrested for a ‘recordable’ criminal offence and also
holds details of anyone who has been issued a fixed penalty ticket for a
‘recordable’ offence, but who may not have been arrested. It also holds data on
individuals who have been prosecuted by non-police prosecuting authorities,
such as local councils, the Probation Service, Her Majesty’s Revenue and
Customs and many more, for ‘recordable’ offences such as evasion of council
tax, benefit fraud, breaches of probation orders, etc. which are offences not
prosecuted by the police service but which are ‘recordable’.

The meaning of ‘recordable’ offence stems from ministerial
powers provided by s 27(4) of the
Police and Criminal Evidence Act 1984
(PACE). Section 27(4) of PACE
provides that: ‘The Secretary of State may by regulations make provisions for
recording in national police records convictions for such offences as are
specified in the regulations’.

The National Police Records (Recordable Offences)
Regulations 1985 originally set out which offences are deemed
‘recordable’.  These Regulations refer to
the recording of ‘conviction data’ only, but were revoked and replaced by the
National Police Records (Recordable Offences) Regulations 2000 (SI 2000/1139),
which comprehensively detail which offences merit entry onto PNC and extended
the powers to cover not only conviction data but the recording of formal police
cautions and reprimands and final warnings issued to young offenders.

Formal police cautions are issued under powers granted to
the police by Home Office Circular 18/1994, which was revised by Home Office Circular
30/2005. Reprimands and final warnings are the juvenile equivalent of a caution
and are issued under powers provided to the police by s 65 of the Crime and
Disorder Act 1998. These types of ‘disposal’ of an offence are a mechanism for
the criminal justice system to deal quickly with less serious offences, to free
up the time of the criminal courts so that they may concentrate their efforts
on more serious offences and to reduce the likelihood of people subjected to
this type of sanction re-offending.

The National Police Records (Recordable Offences)
Regulations 2000 were further amended by the National Police Records
(Recordable Offences) (Amendment) Regulations 2016 (SI 2016/1006)
with effect from 14 November 2016.

As a result of the National Police Records Regulations, the
PNC is able to provide front-line police officers, statutory partner agencies,
such as the Borders and Immigration Authority, local councils and the criminal
and civil court systems with information about individual’s antecedent criminal
history. It is also used as the main source of information for pre-employment
vetting by the Disclosure and Barring Service (DBS) in order to check that
potential new employees’ criminal history does not make them unsuitable to work
in the position they have applied for.

Implications of Article 10 for the financial services’

The direct application of Article 10 to the UK will mean
that, if read literally, much of the processing of criminal records and
offences by the financial services’ sector (whether or not required to meet
regulatory obligations) will be prohibited without amendment to UK law.  The financial services’ sector, in various
ways, is required to capture and process criminal records and offences about
customers and employees in the course of its regular activities but also to
protect organisations and clients from fraud (amongst other things).  Many of the regulated activities of these
organisations require processing of criminal convictions and offences to
prevent and detect: money laundering, sanctions’ breaches, financial crime,
corruption, fraud, insider trading, market manipulation, and breach of

The existing provisions of the UK Data Protection Act
provide for the circumstances under which the financial services’ sector can
collect and disclose criminal convictions and offences, as well as alleged
offences, under UK law, particularly if acting on a suspicion.  

One could read the provisions of Article 10 as applying only
to databases that process criminal convictions and offences as opposed to the
processing of individual records, but the point of this article is to highlight
the need for UK law to derogate from the provisions under Article 10 such that
financial services’ organisations can continue to comply with regulatory
obligations and protect customers.

Helen Woollett is Global Head of Privacy at Barclays

Simon Brown is Assistant Vice President, Data Privacy at