0343 611 2727
Employer RegisterIndividual ApplicationI have a User ID

Understanding Consent Under UK Law for Criminal Record Checks

DBS

Learn why consent is legally required for criminal record checks in the UK, what valid consent looks like under UK GDPR, and how employers should collect and manage it correctly.

Understanding Consent

Criminal record checks play an important role in safer recruitment, helping employers make informed hiring decisions while protecting vulnerable groups and sensitive roles. However, because criminal record information is highly sensitive personal data, UK law places strict requirements on how it can be collected and used — with consent being a key part of the process.

For employers, recruiters, and HR professionals, understanding what valid consent looks like under UK law is essential. Getting it wrong can lead to legal penalties, data protection breaches, and reputational damage. For individuals, consent ensures transparency and fairness throughout the background checking process.

This article explains why consent is required, what counts as valid consent, and how employers can collect it correctly when carrying out criminal record checks in the UK.

What Is Consent in the Context of Criminal Record Checks?

In simple terms, consent means that an individual has clearly agreed to their criminal record being checked, fully understanding what information will be accessed and why.

Under the UK General Data Protection Regulation (UK GDPR), criminal record data is classed as special category data, meaning it is subject to stronger legal protections than most personal information. Employers cannot lawfully carry out a criminal record check without the individual’s knowledge and agreement.

Consent must be an active choice. Silence, inaction, or assumptions do not count. The individual must take a clear step to confirm they agree, such as signing a consent form or completing a digital application.

Why Is Consent Legally Required?

Criminal record information can have a significant impact on a person’s employment prospects, reputation, and privacy. Because of this, UK law requires that individuals are treated fairly and transparently.

Several legal frameworks govern consent for criminal record checks, including:

  • UK GDPR
  • Data Protection Act 2018
  • Regulations issued by the Disclosure and Barring Service (DBS)

Together, these laws ensure that criminal record checks are only carried out when there is a genuine legal justification and when the individual understands and agrees to the process.

Employers who fail to obtain proper consent risk serious consequences, including fines from the Information Commissioner’s Office (ICO), legal claims, and loss of trust from candidates and employees.

What Counts as Valid Consent?

Not all consent is created equal. For consent to be valid under UK law, it must meet several strict criteria.

Freely Given

The individual must not feel pressured or forced into agreeing. Consent should not be a condition of employment unless the check is genuinely necessary for the role.

Specific

Consent must relate clearly to a criminal record check. Vague or general permission to “process data” is not sufficient.

Informed

The individual must understand what type of check is being carried out, what information may be disclosed, and how the results will be used.

Unambiguous

There must be a clear affirmative action, such as ticking a box, signing a form, or submitting an online application.

Employers should be cautious about relying on consent hidden within lengthy contracts or policies. Consent should always be clearly presented and easy to understand.

When Is Consent Not Enough on Its Own?

While consent is essential, it does not automatically make a criminal record check lawful.

Employers must also ensure that:

  • The role is eligible for a criminal record check
  • The correct level of check is used (Basic, Standard, or Enhanced)
  • There is a lawful basis for processing criminal record data

For example, not all roles are eligible for Standard or Enhanced DBS checks. Carrying out a higher-level check without proper justification is unlawful, even if the individual has given consent.

Employers must always match the level of check to the responsibilities of the role.

How Should Employers Collect Consent?

Collecting consent properly is just as important as obtaining it.

Best practice for employers includes:

  • Requesting consent in writing or digitally, rather than verbally
  • Clearly explaining:
  • The type of criminal record check being carried out
  • Why the check is required for the role
  • What information may be disclosed
  • Who will see the results
  • How long the information will be stored

Consent should be collected before the check begins, and records of consent should be securely stored for audit and compliance purposes.

Using a reputable DBS provider can help ensure that consent is collected in a compliant and transparent way.

Can an Applicant Refuse Consent?

Yes — individuals have the right to refuse consent for a criminal record check.

If consent is refused, employers must consider whether the check is genuinely necessary for the role. In some cases, refusal may mean the individual cannot proceed in the recruitment process, particularly where a check is legally required.

However, employers must act proportionately and avoid blanket decisions. Automatically rejecting candidates without considering the context can increase the risk of discrimination claims and unfair hiring practices.

What Happens If Consent Is Withdrawn?

Under UK GDPR, individuals can withdraw their consent at any time.

If consent is withdrawn before a criminal record check is carried out, the employer must stop the process immediately.

If consent is withdrawn after the check has been completed, employers may still be able to retain certain information where there is a legal obligation to do so. However, the data must not be used beyond its original purpose and should be securely deleted once retention periods expire.

Clear retention and deletion policies are essential for compliance.

Common Employer Mistakes to Avoid

Employers often make avoidable errors when handling consent for criminal record checks, including:

  • Assuming consent is automatic once a job offer is made
  • Carrying out checks too early in the recruitment process
  • Using an incorrect level of check
  • Failing to explain how results will be used
  • Storing DBS information for longer than legally permitted

Avoiding these mistakes helps protect both the organisation and the individual.

Best Practice Checklist

Before carrying out a criminal record check, employers should ensure they:

  • Confirm the role is eligible
  • Use the correct level of check
  • Clearly explain the process
  • Obtain explicit consent
  • Store data securely and limit access
  • Delete information in line with retention rules

Conclusion

Consent is not just a formality — it is a legal and ethical requirement when carrying out criminal record checks in the UK. Employers must ensure that consent is clear, informed, and properly recorded, while also ensuring the check itself is lawful and proportionate.

By handling consent correctly, organisations can protect themselves from legal risk, build trust with candidates, and demonstrate a fair and transparent approach to safer recruitment.

Follow us