Important changes to staff checks and vetting
A provision of the Data Protection Act 1998 (DPA) which has lain dormant since the Act came into force, is expected to be implemented. Section 56 DPA will make requiring certain records to be produced an offence. This is where any person requires another person to submit their own request (to specific bodies) for their personal data, a “subject access request” under the DPA, (which contains specific details) and to share the results, a practice known as “enforced subject access requests”.
For some employers, this change will impact significantly upon their current employment practices, particularly in the context of recruitment.
Implementation of section 56 DPA
Section 56 formed part of the original text of DPA but was not implemented with the rest of the Act, which mainly came into force in 2000. This allowed the criminal record checking process and bodies dealing with such checks to be established and, following changes made by the Protection of Freedoms Act 2012 (leading to the Criminal Records Bureau and Independent Safeguarding Authority being replaced by today’s Disclosure and Barring Service, or DBS), the new range of available checks and the bodies who handle them are well established.
It had been announced that this provision would be brought into force on 1 December 2014. However, the commencement order has not yet been finalised and this date may slip. Further briefings will deal with updates on timing.
Criminal and other relevant records
It is by now very well-established that actual or prospective employer access to information regarding past criminal offences of employees, job applicants or contractors should be limited. Regardless of section 56, details about actual or potential employees or contractors can only be collected in full compliance with the other provisions of the DPA – and these will be even more onerous where criminal, sensitive, personal data is involved.
There are already clear differences in what is lawful in this regard between employers whose staff work with children or vulnerable adults, or those in certain specified occupations, compared to other employers. Employers can, of course, ask employees, job applicants or contractors whether they have any criminal convictions. However, they cannot insist upon disclosure of convictions which are deemed expired ie “spent”. Neither can they verify independently the veracity of the individual’s response through DBS, where a role falls outside of the specified categories of employment.
Whilst section 56 has not been in force, employers have been able to access criminal records outside of the DBS regime by requiring individuals to apply to the DBS personally by way of a subject access request and then provide them with the search results. In this way, employers have been able to obtain extensive information regarding the criminal records of employees, job applicants or contractors, including any spent convictions -information to which they would not have had access through DBS.
In the future, whether or not an offence will be committed under section 56 will depend upon a number of factors. These include the type of information being requested and from whom, how it is being obtained via the affected individual, the type of affected individual, the type of person requiring the details to be obtained and provided to them and why they believe they need those details.
When section 56 is fully enabled, enforced subject access requests will no longer be permitted. From that date onwards, if a person connected with recruitment, continued employment, or engagement of a contractor, requires that the job applicant, employee or contractor obtains and supplies “relevant records” of cautions, criminal convictions and certain social security records, this will be a criminal offence under the DPA.
This prohibition will apply during recruitment and employment and will extend, for example, to requests such as asking the individual to make a subject access request to their local police force, or to background check service providers.
Care will still be needed if an employer seeks to obtain the individual’s authority or consent to facilitate the employer making such a request on behalf of the individual, to obtain the details direct. This may still trigger the offence and in any event, even if an individual’s “consent” to provide the details is obtained, the validity of the consent involved may be questionable.
Penalties for employers including individual criminal liability
Once section 56 is in force, employers which breach its terms will commit a criminal offence.
As an offence under the DPA, responsibility for enforcement will lie with the Information Commissioner’s Office or ICO, working with the police and Criminal Prosecution Service. The ICO has already indicated an intention to be proactive in the stamping out of enforced subject access requests and to prosecute those who breach section 56 once in force. It has also confirmed that it will be applying a robust interpretation of section 56.
Employers who fail to comply will face a fine of to £5,000 in the Magistrate’s Court or unlimited fine in the Crown Court. Financial penalty is therefore potentially considerable, not to mention the hidden costs of likely adverse publicity and reputation damage associated with prosecution.
Employers should also be aware that, where a criminal offence is committed under the DPA, section 61 DPA applies and “any director, manager, secretary or similar officer” of the relevant employer will also be at risk of personal criminal prosecution and liability if found to have sufficient individual involvement and responsibility for the corporate offence.
Criminal record-check process
The implementation of section 56 will not change the existing mechanism for seeking criminal record checks in England and Wales, which will continue to be dealt with by the DBS. (Different rules apply for Scotland and Northern Ireland). Employers will (if legally required or entitled to do so) still be able to make 3 levels of requests, for standard, enhanced and enhanced with children’s / adult’s barring list checks, depending upon the specific employment role.
Those already familiar with the DBS system will be aware of the job-types for which criminal record-checks are available. A standards DBS certificate may only be applied for in respect of roles which are listed in the Rehabilitation on Offenders Act (Exceptions Order) 1975 (amended). This list is extensive and includes many positions of authority, trust or of responsibility for the young/vulnerable. As one might expect, many positions within the Financial Services industry are also identified.
Employers who would have conducted enforced subject access requests previously, will need to bear in mind the restrictions of the DBS system and that they will no longer have access to the same level of information in respect of roles falling outside of the DBS search criteria. Those employers, in particular, will need to take care not to exceed their rights and to submit only search types to DBS in respect of roles which meet relevant conditions for that type of search. It is already a criminal offence to submit an application to the DBS for a search for roles which do not meet the relevant conditions for the search requested.
The process for undertaking such checks will also remain the same, namely by seeking the individual to complete a relevant DBS form so that the results can be requested from them by the employer. If the individual has joined the DBS update service, the employer may be able to check the results on line.
One important recent change to note, nonetheless, is the reduction in rehabilitation periods for many convictions. This was effected from 10 March 2014, and has shortened the periods within which offences become spent and, therefore, once spent not disclosable voluntarily (ie outside lawful DBS searches and results) or necessarily able to be taken into account.
Section 56 implications for employers
Inevitably, for some employers, the loss of ability to conduct enforced subject access requests will require a significant change in practice but also mindset. The principles of the Rehabilitation of Offenders Act 1974 and of allowing those with convictions to rehabilitate and move on with their lives, have sat uncomfortably with enforced subject access requests for some time. Critics of this practice, amongst the most notable being the ICO itself, perceive enforced subject access requests to undermine not only the rehabilitation of offenders provisions but, also, the established DBS system and the fundamental right of individuals to privacy and to protect their personal data.
Employers are recommended to review their current approach to checks (whether carried out internally or by service providers on their behalf) so that they can adjust their approach to what records are required and how they are obtained if necessary. This may also require application forms, related privacy notices, consents and authorisations to be revised.
Some checks will still be possible but it will be important to ensure that those checks which will trigger the offence are no longer carried out.
The dividing line between protecting an employee’s past and what an employer needs to know legitimately, has proved and remains a contentious one. Even so, there will be many employers who will find this further tightening of data protection enforcement an unwelcome curb upon their recruitment practices. The critical issue for employers in all cases is to understand what types of roles, duties and functions are relevant to their business and to carry out only such checks as are necessary and authorised. The degree of information is itself prescribed according to job-type, so employers will need to assess what type of check is appropriate.