On 10 March 2015, a previously dormant provision of the Data Protection Act 1998 (DPA) will come into force, rendering it a criminal offence to conduct “enforced subject access requests”. In an employment context, enforced subject access requests arise most commonly where an employer requires a prospective employee to apply to the Disclosure and Barring Service (DBS) personally, by way of a subject access request, and then to disclose the search results. In this way, employers have been able to obtain extensive information regarding the criminal records of employees, job applicants or contractors, including any spent convictions, which they would not otherwise be able to obtain.
Although the implementation of this provision will not change the existing mechanism for seeking criminal record checks in the UK, such as by the Disclosure and Barring Service (DBS) for England and Wales, it may impact upon some institutions’ current practices. Institutions may therefore need to review their approach to obtaining criminal and other relevant data to avoid the risk of committing a criminal offence when checking and vetting candidates, employees and contractors.
Institutions already familiar with the DBS system, will be aware of the job-types for which criminal record-checks are available and the information which those checks provide. It is already a criminal offence to submit an application to the DBS in respect of roles for which checks are not available and institutions must, of course, continue to comply with normal data protection requirements on the collection of sensitive criminal personal details in any event.
Although institutions can ask employees, job applicants or contractors whether they have any criminal convictions, unless the role such an individual would take falls within the Exemptions Order (which will effectively mean where they will be carrying out ‘regulated activity’), the institution cannot insist upon disclosure of convictions which are deemed expired or “spent”. Neither can they verify independently the veracity of the individual’s response through DBS where the role falls outside of the specified categories of employment. Enforced subject access requests have, up to now, enabled all employers to access criminal records information (spent and unspent) in respect of roles falling outside the scope of DBS.
What will change on 10 March 2015?
A criminal offence under the DPA will be committed if, as a precondition of recruitment, continued employment or engagement, a job applicant, employee or contractor is required to obtain and supply “relevant records” of cautions, criminal convictions and certain social security records. This could result in a potentially considerable financial penalty, adverse publicity and reputational damage for an institution. Moreover, “any director, manager, secretary or similar officer” could find themselves personally liable.
The principles of the Rehabilitation of Offenders Act 1974 and of allowing those with convictions to rehabilitate and move on with their lives have sat uncomfortably with enforced subject access requests for some time, notably because it is perceived that they undermine not only the rehabilitation of offenders provisions but, also, the established DBS system and the fundamental right of individuals to privacy and to protect their personal data. Nonetheless, the dividing line between protecting an employee’s past and what an employer needs to know legitimately has proved and remains a contentious one and some employers may find this further tightening of data protection enforcement an unwelcome curb upon their recruitment practices.