Section 56 of the Data Protection Act 1998 (“DPA”), dormant since the DPA came into force, is expected to be implemented shortly. The anticipated commencement date of 1 December 2014 is still to be confirmed and may change.
The implementation of Section 56 will make it a criminal offence for any person (including organisations) to require an individual to submit a subject access request (under the DPA) to specific third parties, in order for that person to obtain protected personal data of the individual that they would otherwise have no access to. This practice is commonly referred to as “enforced subject access requests”.
Therefore, the objective of Section 56 is to stop excessive access to protected records which would not normally be available save to individuals as their own personal data, or to those limited persons legally entitled to make specific searches for such details.
This change will impact current practices in many sectors (and particularly in the area of aerospace and defence) where organisations want to check individuals’ criminal and other protected records without obtaining Standard or Enhanced Checks (what used to be referred to as CRB Checks), and/or Barred List details from the Disclosure and Barring Service (the “DBS Checks”).
The new restriction will likely affect practices that are common throughout the diversified industrials sector, particularly in relation to the employment of individuals or contracting individuals for the provision of individual services.
Due to the sensitivities involved in the products/services offered by companies in the diversified industrials sector (whether this be in relation to the provision of national defence or the intellectual property vested in parts or machinery), many employers rely on enforced subject access requests to obtain background information on prospective (and even existing) employees. In most circumstances, such organisations do not fall within any of the permitted categories which would enable them to require employees to undertake DBS Checks. Therefore, obtaining information via a subject access request was a viable alternative.
To a lesser extent, the issue may also arise in situations where an organisation offers or provides goods, services, or facilities to the public (including the affected person), even if unpaid, on the condition that such protected details be supplied. This would also impact volunteered services.
The practice of employers, providers and contractors who obtained such details when not entitled to make a direct application, by getting an individual to make a subject access request to the Disclosure and Barring Service, must stop when section 56 comes into force. It will also not be possible to get such details (which include spent convictions and may include additional details, such as cautions and current charges) by making an individual apply to other relevant bodies, such as the police.
Further, the prohibition on enforced subject access requests will apply whether the details are obtained direct from the relevant individual, or via a third party. Employers, providers and contractors should bear in mind that they will be responsible for any collection and use of personal data by their data processors (such as third party agents engaged to request information from individuals).
Section 56 creates a criminal offence if breached and applies to England & Wales, Scotland and Northern Ireland (although slightly different access regimes and providers apply in Scotland and Northern Ireland). Breach carries the risk of a criminal prosecution, criminal record and fine which (depending upon where prosecution takes place in the United Kingdom) may range from £5,000 to an unlimited amount. Senior staff involved may also face personal criminal liability.
In addition, offenders will need to be aware of the likely press interest in breaches and of reputational damage. This is especially the case since the Information Commissioner’s Office has already indicated an intention to be proactive in the stamping out of enforced subject access requests and to prosecute those who breach section 56 once in force. It has also confirmed that it will be applying a robust interpretation of section 56.
What can we do to prepare?
For some organisations, the loss of ability to conduct enforced subject access requests will require a significant change in established practice and mindset. Other organisations, however, may not be fully aware of what practices are in place and may wish to conduct an audit exercise to ensure compliance with the new law.
We recommend that organisations review their current approach to checks (whether carried out internally, by service providers on their behalf or as a result of contractual obligations or expectations) so that they can adjust their approach to what records are required and how they are obtained if necessary. This may also require contracts, application forms, related privacy notices, consents and authorisations to be revised.
As noted above, some checks (e.g. DBS Checks which are legally required or permitted) will still be possible, but in the future it will be important to ensure that those checks which will trigger the offence are no longer carried out.
Regardless of section 56, details about individuals can only be collected in full compliance with the other provisions of the DPA – and these are more onerous where criminal, sensitive, personal data is involved.