HM Insights

New Data Protection Offence: Is your organisation enforcing subject access for criminal record information?

Individuals have the right to ask any organisation if it holds or processes personal data relating to them. They are entitled to know for what purposes it holds the data and to receive a copy of any such personal data in an intelligible form. This right, under the Data Protection Act 1998 (DPA), is known as subject access.

What is enforced subject access?

Section 56 of the DPA, which came into force on 10 March 2015, makes it a criminal offence for an organisation to require an individual to exercise that subject access right in relation to specified persons and bodies in order to gain access to information about the individual's convictions and cautions ("criminal record information") and provide that criminal record information – or require that person or body to provide that criminal record information – to another person. The offence is committed even if the subject access request does not yield any results. This new offence is known as "enforced subject access".

When is enforced subject access likely to arise?

Enforced subject access is likely to arise where:

  • an employer requires a prospective employee to make a subject access request with the intention of providing the resulting criminal record information as supporting evidence in connection with an application for employment;
  • an employer requires an existing employee to make a subject access request for criminal record information in connection with their continued employment with the employer;
  • the recipient of services, goods and facilities mandates a prospective supplier to make a subject access request for criminal record information (before entering into the contract) in relation to itself (if a private individual) and / or in respect of all of its / specified employees, who will be involved in the supply;
  • the recipient of services, goods and facilities requires an existing supplier to make a subject access request for criminal record information in connection with the supplier's continued appointment; or
  • an organisation that provides goods, facilities or services to the public (irrespective of whether they are paid for) conditions the provision of the same on a requirement that a recipient or prospective recipient makes a subject access request and either provides, or instructs another party to provide, the providing organisation with the recipient's criminal record information. An organisation that takes on volunteers, an insurance company or a registered social landlord will be regarded as providing goods, facilities or services to the public for this purpose. Indeed, the Information Commissioner's Office (the "ICO") has formerly expressed concern at the prevalence of mandatory subject access requests in the housing sector, in terms of which registered social landlords are routinely requesting applicants for housing to provide criminal record information during the application process.

When is enforced subject access permitted?

There are limited circumstances in which an organisation may justify requiring a person to make a subject access request for criminal record information.

These include where the imposition of the requirement is mandated by statute, law or a court order or it is justified as being in the public interest in the particular circumstances of the case.

The exceptions are to be interpreted narrowly with the offence to be interpreted broadly.

What is the penalty for enforced subject access?

The offence carries an unlimited fine in England and Wales and the fine is also unlimited in Scotland if the case is heard with a jury present. If a jury is not present, the fine is limited to £10,000 in Scotland.

Does the law not already provide for access to criminal record information?

The law already provides a means of obtaining access to criminal record information for legitimate purposes (for example, for those working with protected and vulnerable groups) under the Police Act 1997 through the criminal records disclosure regime.

Under this regime, organisations can request basic checks, which divulge unspent convictions, or standard checks, which include spent and certain unspent convictions, cautions, reprimands and final warnings (although details of the latter may be filtered out in some cases). Enhanced checks disclose all of the information held in a standard check and certain relevant information held by the police on an individual. Such requests can be made to:

  • the Disclosure and Barring Service (DBS) in England and Wales for standard and enhanced checks;
  • Disclosure Scotland for Scotland and for basic UK-wide checks; and
  • Access Northern Ireland for Northern Ireland.

The risk of using the DPA subject access regime to obtain access to criminal record information instead of the pre-existing routes is that the former is likely to result in disclosure of excessive personal data and sensitive personal data (criminal records are sensitive personal data for DPA purposes), particularly in relation to spent convictions. This is because a DPA subject access request requires all personal data to be disclosed (subject to exemptions), and does not distinguish, for instance, between spent and unspent convictions in the same manner as the above, pre-existing routes. The enforced subject access provisions therefore seek to prevent this.

What is the impact of enforced subject access for your organisation?

Enforced subject access is most likely to impact your organisation if it has, until now, relied on requiring persons to make subject access requests for their criminal record information, but where it has not been legally entitled to require such persons to submit to a disclosure check under the Police Act 1997.

We recommend that you undertake an internal audit of the employee and supplier vetting practices adopted and followed within your organisation or by service providers on behalf of your organisation. If the contracts that your organisation has entered into require it to undertake such checks of its own staff or those of its suppliers or customers then these will need to be revised to take the new provisions into account. This may also extend to revising employment contracts, employment application forms, data protection notices and consent forms to ensure that they are compliant.

Obviously, limited checking is still possible within the narrow scope of the exceptions but it is important that you no longer carry out those checks that constitute, or are likely to constitute, enforced subject access, as the ICO has promised to fervently pursue prosecutions against organisations found to be in breach of the provisions.