In September 2014 we reported on the UK’s intention to stamp out a practice commonly known as “enforced subject access requests”. This concerned the previously dormant section 56 of the UK Data Protection Act 1998 (‘DPA’), which, following an announcement from the Ministry of Justice, was implemented on March 10, 2015. Under this section, it is now a criminal offence for an entity to require an individual to submit a subject access request under section 7 of the DPA for his or her own protected personal data that the entity would otherwise be unable to access.
This will prevent employers from requiring a candidate or current employee to use his or her subject access rights under the DPA to obtain and then provide certain records to the employer as a condition of employment. By way of an example, this will affect those organisations that had been using enforced subject access requests submitted to the police to check individuals’ criminal and other protected records but choose not to use the established legal system.
Section 56 also has a second limb, affecting the provision of goods, services and facilities to the public. Under section 56 (2) a person concerned with the provision of goods, facilities or services to the public must not make the provision of goods and services conditional on an individual making a subject access request and providing their records. Since the restriction applies whether or not there is payment for the goods and services, this also affects volunteered services.
Going forward, if an organisation is interested in accessing criminal records, it will have to request a criminal records check. Bear in mind that once this information is processed, the organization will then be a data controller for sensitive personal data with all the compliance responsibilities found under the DPA.
The ICO recommends that if it is necessary to conduct a criminal records check, then detailed standard and enhanced checks can be done through the appropriate statutory procedures - the Disclosure and Barring Service in England and Wales, Disclosure Scotland in Scotland and Access Northern Ireland in Northern Ireland – which were formally known as ‘CRB checks.’
In England and Wales, committing an offence under section 56 of the DPA can carry an unlimited fine and the ICO has stated that it intends to actively prosecute those who continue to enforce subject access requests, to both protect individuals and encourage the use of the DBS. Further guidance on how not to fall foul of section 56 can be found in the ICO’s guide on enforced subject access.