The Data Protection Act 1998 (Commencement No. 4) Order 2015 (SI 2015/312) has been made and brings section 56 of the Data Protection Act 1998 (DPA 1998) into force as from 10 March 2015.
Until 10 March 2015, this was the only section in the DPA 1998 not yet in force - although it was created more than 15 years ago. It makes it a criminal offence for an employer to require job applicants and existing employees to obtain a copy of their criminal records by means of a subject access request and supply it to the employer in connection with their recruitment or continued employment (known as enforced subject access). Section 56 also extends beyond the employment context, as it makes it a criminal offence for any person to require another person, or a third party, to make a subject access request for their criminal record information as a pre-condition to providing them with, or offering to provide them with, goods, facilities or services.
The criminal offence carries an unlimited fine in England and Wales, while in Scotland the fine can be unlimited if heard under the solemn procedure or otherwise is limited to £10,000.
The Information Commissioner has long disapproved of the practice of requiring applicants or existing workers to acquire and produce a copy of their criminal record as it can lead to the disclosure of spent and/or ‘protected’ convictions. An ICO press release issued on 9 March described this as a ‘back-door’ practice undertaken by ‘rogue employers’.
The ICO’s Data Protection Employment Practices Code states that, where employers need to protect their business, customers or clients by verifying an individual’s criminal history, they should seek disclosure through the Disclosure and Barring Service.