top of page

2. Recruitment procedures and policy development

Review the security, expiry, and data management of criminal conviction information

Implement best practices for handling sensitive data, such as conviction disclosures (including DBS certificates), and ensure compliance with relevant regulations. Develop strategies for limiting access to this data, separating it from HR files, handling over-disclosures, and deleting data when convictions become spent.

What does success look like?

  1. Improved security and data management practices

  2. Compliance with relevant data protection regulations

  3. Strategies for handling sensitive conviction data

  4. Appropriate data expiry practices.

How would Offploy do it?

  • Review the company Data Protection/GDPR policy to ensure that it is fit for purpose to handle sensitive information around disclosures received during recruiting. Information about convictions is particularly sensitive as its unplanned release could have significant consequences for the company and the individual. Such information must be stored securely and have very limited distribution.

  • Destroy disclosure information received from unsuccessful applicants following conclusion of the recruitment process. There is no requirement to hold such information after time has elapsed for any appeal to be submitted and it must be destroyed completely, possibly by burning or use of a cross-cut shredder.

  • Ensure disclosure information received from successful applicants is stored securely and separately from routine HR records. You may decide to hold such information for a period of time, dependent on the individual, the role or the offence. However, it must be held in a separate and secure system and not available with the rest of the routine HR files. Some companies use a coded mark on a folder to indicate that there is a further confidential element to the files held which may be viewed by a limited number of staff in specified circumstances.

  • Arrange for periodic review of disclosures received from successful candidates to decide whether they should be retained, returned or destroyed. You will need to consider destruction or return of disclosures made when a conviction becomes “spent” in law as you will have no right to hold onto the information, unless it is for a “regulated” role e.g, schools, hospitals etc. Destruction is one option in such circumstances but you could offer to return a hard-copy disclosure to the employee so that they have the evidence that they did legally disclose when asked.

Examples in Practice

The Information Commissioner's Office has specific advice here:

Criminal offence data | ICO

What is criminal offence data? | ICO

Nothing to see here... yet.

We're still putting the finishing touches on our new Employing With Conviction Guide.

But wait, there's more!

We've got even more content designed to support your journey into hiring people with convictions, exclusively for Offploy Members.

Sign up to unlock:

Longer, more in-depth video content

Downloadable templates, expert-written copy-and-pastable content and example documents

Comment directly on our Guide pages


This is a new service that we're constantly working to improve. Please notify us of any bugs or errors here.

bottom of page