5 Core Areas of Compliance UK Employers Can’t Afford to Ignore in Recruitment
- Jacob Hill

- Jan 13
- 6 min read
Most employers think criminal record compliance starts with a hiring decision. It doesn’t.
It starts the moment you ask the question, yet 84% of UK organisations still don’t have the criminal records policy required by law.
Getting this wrong has real consequences:
ICO fines of up to £17.5 million or 4% of annual global turnover, whichever is higher
Criminal penalties, including up to six months imprisonment and a fine, for applying for a DBS check the role is not eligible for, and significant safeguarding liability.
However, getting it right isn't as complicated as it might sound.
Criminal record compliance isn’t a single check or policy. It’s built across five core areas that determine whether your recruitment process is lawful, defensible, and fair.
1) Not Asking the Question Legally and Appropriately
Not all roles allow you to ask about spent criminal convictions. The Rehabilitation of Offenders Act 1974 protects spent convictions for most roles, so only roles exempt from the Act, typically those involving regulated activity with children or vulnerable adults, or other positions of trust listed in the Exceptions Order 1975, can ask about them. For non-exempt roles, you may ask only about unspent convictions.
Despite this legal framework, 60% of large UK employers ask about criminal records on application forms.
The challenge is that many organisations use generic application forms that ask all candidates about spent convictions regardless of role type, or phrase questions too broadly without clarifying "unspent."

Getting the question right
Start by confirming whether the role is exempt from the Rehabilitation of Offenders Act, that is, whether it falls within the Exceptions Order 1975. Does it involve regulated activity with children or vulnerable adults, a listed position of trust, or a legally mandated level of DBS clearance?
For non-exempt roles, your question must be precise and limited: "Do you have any unspent criminal convictions?"
For exempt roles, you may only ask about unprotected convictions and cautions (those that are not filtered from Standard or Enhanced DBS certificates). You must clearly explain why that level of disclosure is required and reference the Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975 on your application forms, so that candidates know which convictions they are, and are not, required to declare.
Ask the wrong question and you are collecting criminal offence data without a lawful basis, exposing your organisation to ICO enforcement action and a fine of up to £17.5 million or 4% of annual global turnover, whichever is higher.
Learn more about the legal framework and your obligations as an employer in our comprehensive guide to employing someone with a criminal record.
2) Not Setting Data Destruction Timelines for Spent Convictions
If you're processing unspent conviction data for a non-exempt role, that data becomes obsolete once the conviction is spent. GDPR's storage limitation and data minimisation principles require you to delete data you no longer have a lawful basis to hold, and for a non-exempt role there is no lawful basis for holding a spent conviction.
The scale of this issue is considerable. One in four working-age adults, 12.6 million people, have records on the Police National Computer.
Where organisations typically go wrong
Many organisations retain application forms containing conviction data without any clear policy on when that data should be reviewed or destroyed. They fail to track rehabilitation periods, don’t know when convictions become spent, and make no distinction between successful and unsuccessful candidates.
For unsuccessful candidates, you will usually need to destroy conviction data within six months of the decision, unless you have a specific lawful basis to retain it longer (for example, a live tribunal claim).
For employees, stored conviction data should be reviewed at least annually and deleted once the conviction becomes spent, unless the role is exempt from the Act and the conviction remains disclosable at the DBS level the role is eligible for. Tracking this means recording the rehabilitation period for each conviction at the point of disclosure, not trying to reconstruct it later.
Holding spent conviction data without a lawful basis violates GDPR principles, exposing you to ICO enforcement notices and potential fines.
3) Not Over-Checking: Conducting the Appropriate DBS Level
Employers in England, Wales, Jersey, Guernsey, and the Isle of Man conducted 7.37 million DBS checks in 2023/24. That's substantial, but many employers don't realise that eligibility for each DBS check level is fixed in law (by the Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975 and the Police Act 1997 and its regulations), not chosen by the employer.
You cannot simply conduct a "more thorough" check because it feels safer. Applying for a check above the level a role is eligible for means declaring an eligibility the role doesn't have, which is a criminal offence under section 123 of the Police Act 1997, carrying a maximum penalty of a £5,000 fine and/or six months imprisonment.
The three DBS levels have clear legal boundaries:
Basic DBS checks are available for any role and show unspent convictions and conditional cautions only.
Standard DBS checks are only available for specific roles listed in the Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975, typically roles involving regular contact with vulnerable groups or positions of trust in licensed sectors.
Enhanced DBS checks are reserved for roles in regulated activity, meaning those working closely with children or vulnerable adults, plus other prescribed roles.
The most common mistake
The most frequent error is requiring Enhanced DBS for all hires because "it's more thorough", or assuming that, because your sector generally works with vulnerable people, every role automatically qualifies for an Enhanced check. Only roles in regulated activity or another prescribed category qualify, and regulated activity has specific frequency and intensity thresholds. An office manager in a children's charity with no direct contact with children doesn't qualify for Enhanced DBS, despite the organisational context.
The National Audit Office has found that "[the] government does not know how many people have been prevented from working" due to inappropriate checks. No systematic monitoring exists, so employers must carefully self-police their compliance.
Map each role against the legal eligibility criteria for Standard or Enhanced DBS and record the reasoning for each decision. Default to Basic unless you can clearly evidence that the role meets the eligibility criteria for a higher level. When you're uncertain, seek guidance from the DBS or take legal advice, because assumption carries criminal risk.
For detailed guidance on DBS check levels, eligibility criteria, and compliance requirements, see our complete guide to recruitment and DBS checks here.
4) Not Under-Checking: Ensuring Adequate Safeguarding
Over-checking carries criminal penalties. Under-checking carries responsibility when things go wrong. Employers have a duty of care to service users, customers, employees, and vulnerable people.
When appropriate checks aren’t carried out, the consequences can include corporate charges following serious harm, regulatory enforcement by bodies such as Ofsted or the CQC, civil claims for negligent hiring, and lasting reputational damage.
The scale of under-checking becomes clear when you look at regulated sectors. Of the schools that failed Ofsted inspections in 2023, nearly four in ten did so on their safeguarding arrangements alone, with no other area failing.
This shows that safeguarding failures, often linked to inadequate checking and record-keeping, remain a significant issue even in heavily regulated sectors such as education.
Finding the right balance
Employers may assume a Basic DBS is "good enough" when the role legally requires Enhanced, fail to update risk assessments when job responsibilities change to include vulnerable groups, or attempt to cut costs by avoiding DBS checks that should be conducted.
If a DBS check is required for a role, it should be repeated periodically, with the interval set by the role's risk level and recorded in your policy; the DBS Update Service, with the employee's consent, lets you confirm that an existing certificate is still current without a fresh application. This should be coupled with a policy that requires employees to disclose new arrests, charges, or convictions, and that states how such disclosures will be assessed.
5) Not Having a Criminal Records Policy
The Information Commissioner's Office states explicitly: if you process criminal record data, you must have a policy governing that processing. This isn't optional guidance. Most of the conditions in Schedule 1 of the Data Protection Act 2018 that permit processing criminal offence data require an "appropriate policy document" to be in place, and GDPR's accountability principle requires you to be able to demonstrate compliance. Yet only 16% of UK organisations have such a policy.
A compliant criminal records policy needs to cover:
Your lawful basis for processing criminal record data
Which roles require disclosure, and at what DBS level
How conviction information is assessed using objective, role-related criteria
Who can access criminal record data and under what controls
Retention and destruction timelines, including review points
The technical and organisational safeguards protecting this data
How spent and unspent convictions are handled differently
Training requirements for anyone involved in recruitment or data handling
Your commitment to fair and proportionate decision-making
How employees who gain a new conviction can expect to be treated fairly and consistently
What organisations get wrong
Most organisations have no policy at all. Others rely on informal guidance about “what to do if someone discloses”, which falls far short of GDPR-compliant data processing. Some policies ignore criminal records data requirements entirely, or they are never embedded in training.
What a compliant criminal records policy looks like
A compliant criminal records policy covers both safeguarding and data protection, is approved at a senior level, and is accessible to hiring managers and HR teams. It should be referenced wherever conviction questions appear and be reviewed at least annually.
Done correctly, a policy does more than satisfy regulators. It demonstrates accountability to the ICO, supports consistent decision-making, reassures candidates, creates a defensible audit trail, and reduces the risk of discrimination and enforcement action.
Concerned about potential challenges when hiring people with convictions? Our comprehensive guide addresses common concerns and provides practical solutions.
Compliance Creates Opportunity
These five areas aren’t standalone checklists. Together, they form a compliance framework that protects candidates, vulnerable people, and your organisation. Getting this right isn’t about creating barriers to employment; it’s about building lawful, fair, and defensible recruitment processes.
Start by auditing your current practices against these five areas and prioritising the highest-risk gaps, particularly inappropriate DBS checks or criminal record data processed without a governing policy.
Update or develop a criminal records policy that addresses all five areas, train hiring managers on compliant practice, and review your approach regularly as legal and regulatory expectations evolve.
At Offploy, we help employers build compliant, inclusive frameworks for recruiting people with convictions, from policy development to risk assessment training.
Explore our free employers' toolkit for practical guidance and to learn more about how we can support your organisation.