Simon Brown and Helen Woollett explore and deplore the potential effect of Article 10 on the capacity of organisations concerned with financial services to monitor for fraud and other breaches of law
Article 10 of the GDPR, which will apply from 25 May 2018, sets out that ‘Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.’
Article 10 effectively places a prohibition on the processing of criminal convictions and offences by the private sector (including financial services’ organisations) unless those organisations are given official authority to process that data, or there is an amendment to UK law. There is no definition of ‘criminal convictions’ or ‘criminal offences’ under the GDPR; it is therefore important to set out how criminal records are processed in the UK as at the date of writing.
Processing of Criminal Records in the UK
The comprehensive register of criminal convictions is held on the Police National Computer (PNC), which was originally introduced in England and Wales in 1974 as a stolen vehicles database, in order to assist the police service to identify vehicles that had been stolen or were of interest to them. Over the years that have elapsed since its introduction the PNC has evolved into a system which collects from and provides information to the wider criminal justice system, not just the police. PNC now holds data relating to any person who has been arrested for a ‘recordable’ criminal offence and also holds details of anyone who has been issued a fixed penalty ticket for a ‘recordable’ offence, but who may not have been arrested. It also holds data on individuals who have been prosecuted by non-police prosecuting authorities, such as local councils, the Probation Service, Her Majesty’s Revenue and Customs and many more, for ‘recordable’ offences such as evasion of council tax, benefit fraud, breaches of probation orders, etc. which are offences not prosecuted by the police service but which are ‘recordable’.
The meaning of ‘recordable’ offence stems from ministerial powers provided by s 27(4) of the Police and Criminal Evidence Act 1984 (PACE). Section 27(4) of PACE provides that: ‘The Secretary of State may by regulations make provisions for recording in national police records convictions for such offences as are specified in the regulations’.
The National Police Records (Recordable Offences) Regulations 1985 originally set out which offences are deemed ‘recordable’. These Regulations refer to the recording of ‘conviction data’ only, but were revoked and replaced by the National Police Records (Recordable Offences) Regulations 2000 (SI 2000/1139), which comprehensively detail which offences merit entry onto PNC and extended the powers to cover not only conviction data but the recording of formal police cautions and reprimands and final warnings issued to young offenders.
Formal police cautions are issued under powers granted to the police by Home Office Circular 18/1994, which was revised by Home Office Circular 30/2005. Reprimands and final warnings are the juvenile equivalent of a caution and are issued under powers provided to the police by s 65 of the Crime and Disorder Act 1998. These types of ‘disposal’ of an offence are a mechanism for the criminal justice system to deal quickly with less serious offences, to free up the time of the criminal courts so that they may concentrate their efforts on more serious offences and to reduce the likelihood of people subjected to this type of sanction re-offending.
The National Police Records (Recordable Offences) Regulations 2000 were further amended by the National Police Records (Recordable Offences) (Amendment) Regulations 2016 (SI 2016/1006) with effect from 14 November 2016.
As a result of the National Police Records Regulations, the PNC is able to provide front-line police officers, statutory partner agencies, such as the Borders and Immigration Authority, local councils and the criminal and civil court systems with information about individuals’ antecedent criminal history. It is also used as the main source of information for pre-employment vetting by the Disclosure and Barring Service (DBS) in order to check that potential new employees’ criminal history does not make them unsuitable to work in the position they have applied for.
Implications of Article 10 for the financial services’ sector
The direct application of Article 10 to the UK will mean that, if read literally, much of the processing of criminal records and offences by the financial services’ sector (whether or not required to meet regulatory obligations) will be prohibited without amendment to UK law. The financial services’ sector, in various ways, is required to capture and process criminal records and offences about customers and employees in the course of its regular activities but also to protect organisations and clients from fraud (amongst other things). Many of the regulated activities of these organisations require processing of criminal convictions and offences to prevent and detect: money laundering, sanctions’ breaches, financial crime, corruption, fraud, insider trading, market manipulation, and breach of confidentiality.
The existing provisions of the UK Data Protection Act provide for the circumstances under which the financial services’ sector can collect and disclose criminal convictions and offences, as well as alleged offences, under UK law, particularly if acting on a suspicion.
One could read the provisions of Article 10 as applying only to databases that process criminal convictions and offences as opposed to the processing of individual records, but the point of this article is to highlight the need for UK law to derogate from the provisions under Article 10 such that financial services’ organisations can continue to comply with regulatory obligations and protect customers.
Helen Woollett is Global Head of Privacy at Barclays
Simon Brown is Assistant Vice President, Data Privacy at Barclays