Data Protection: Enforced Subject Access becomes a criminal offence from10 March 2015


From 10 March the previously common practice of requiring applicants for jobs or services to obtain and hand over information on their criminal records becomes a criminal offence known as enforced subject access.

What is subject access and enforced subject access?

The Data Protection Act 1998 provides a framework for good information handling by various organisations (known as data controllers) of personal information relating to individuals (known as data subjects). Within this framework, data subjects have the right to seek personal information being held about them by an organisation through a subject access request.

This has also been used by employers or providers of goods and services such as insurance companies or housing associations to seek information about a potential employee or client by requiring them to make a subject access request addressed to the police to reveal their criminal record (known as enforced subject access). In effect the practice of enforced subject access has been occurring in particular to have access to criminal records by avoiding the use of the established legal system.

What has changed?

With the Data Protection Act 1998 (Commencement Order No. 4) 2015 coming into force, as of 10th of March it is a criminal offence for a person in connection with employment or any contract for provision of goods, services or facilities to require another person or third party to supply or to reveal a relevant record to him (Section 56). The aim of this section is to stop the excessive use of enforced subject access and ensure protection of personal data.

According to the guidance issued by the Information Commissioner’s Office (ICO) to require, is to be understood as to make it necessary for an individual to make a subject access request, without which the individual would be left in a detrimental position prior to a job, good or service being provided. Relevant record in this case refers to an individual’s personal data including their criminal record where unspent and spent convictions including cautions, reprimands and fines may be revealed.

As such, a person or organisation simply by requiring an individual to make a subject access request is committing a criminal offence, even if the result of the request shows nothing. Such an offence will be prosecuted by the ICO and heard by either the magistrates or crown court in England and Wales and it also carries an unlimited fine.

Certain exceptions exist for a subject access request to be made where this is provided for by other legislation or if the enforced subject access request can be justified as being in the public interest, although there would need to be strong justification, which is supported by clear and specific evidence.

Why the change?

The enforced subject access method for obtaining information about an individual prior to offering employment, goods, services or facilities has been deemed to be an abuse because through this method there is a risk of greater or excessive disclosure. This is because the appropriate channels established by the Police Act 1997 through which only certain types of disclosures are permitted depending on the reasons for the request being made are bypassed. Further, the Rehabilitation of Offenders Act 1974 provides specific rules regarding rehabilitation of offenders who have stayed on the right side of the law. Under the 1974 Act certain cautions or convictions may become spent, as which point the offender is viewed as rehabilitated and would not be under an obligation to declare such convictions when seeking employment, goods or services.

What will be the impact?

The ICO has previously indicated that the practice of enforced subject access request is widespread as it is used by various organisations in employment, as well as in the provision of goods, services and facilities. With this change coming into force, it is likely that the ICO will clamp down using its new powers.

Organisations that have previously used enforced subject access need to ensure they alter their conduct prior to the 10th of March 2015. If enforced subject access requests continue to be required, individuals are likely to face prosecution and fines, as well as reputational damage.

How to prepare for this change?

As the change in the law is just around the corner, organisations need to be aware and inform their employees that the use of enforced subject access requests from the 10th of March 2015 is prohibited. It is important for organisations to review their policies in place specifically in relation to the use of enforced subject access requests, whether this is in recruitment, tenancy applications or otherwise. Organisations may need to change internal procedures, as well as provide training for successful implementation of the necessary changes.

In the social housing sector, providers may have legitimate reasons for requiring access to personal data of potential tenants. Tenancy application procedures will now need to adopt a new approach to obtaining information on past convictions. Applicants will be less likely to volunteer information on convictions in the way that they might disclose health information to obtain adapted housing. There is nothing to stop applications form asking directly, subject to the data protection principle that sensitive personal data (which includes criminal convictions) should only be processed (obtained, stored or disclosed) within strict parameters.

The potential source of information on unspent convictions which could be used without committing the section 56 offence is the Disclosure & Barring Service (DBS) which is the new name for what used to be the Criminal Records Bureau (CRB). There are different levels of DBS search including Basic Disclosure, Standard and Enhanced (with or without list check). The latter two are higher levels, which disclose more information and would only be available in limited circumstances such as employment involving children or vulnerable adults. There is a cost for accessing DBS.

In the social housing sector there are often information sharing arrangements between local authorities, police forces and housing associations to address their overlapping roles in tackling criminal and anti-social behaviour. Those arrangements are unaffected by the activation of section 56 but must be conducted properly in compliance with the Data Protection Act. It would be hard to apply this sort of arrangement to all tenancy applications and their use may have to be reactive if problems start to arise after a tenancy has been started.

For further advice on this change or generally on Data Protection law and practice contact Daniel Milnes at Forbes.

Daniel Milnes

About Daniel Milnes

Dan is a Partner and Head of Contracts & Projects. Dan’s blogs cover the areas in which his specialities lie in commercial, regulatory and governance law which cover a broad range of matters dealing with contracts, projects, corporate and group structures, funding and compliance with a range of legal regimes including data protection. This also involves writing and advising on various forms of commercial contracts including joint ventures, development and construction agreements and intellectual property contracts including IT agreements, sponsorships and other rights licensing arrangements.
This entry was posted in Corporate & Restructuring, Employment Law, Housing Litigation and tagged .