From 10 March 2015, section 56 of the Data Protection Act 1998 will prevent employers from requiring potential or existing employees, or people offering their services in a self-employed capacity, to use their subject access rights under the Act to provide certain records (e.g. details of convictions and cautions) as a condition of employment or engagement (commonly known as “enforced subject access”). Section 56 also prohibits contracts requiring certain records as a condition for providing or receiving a service, for example as a pre-requisite to obtaining insurance cover. In either case, the prohibition does not apply where the requirement is necessary by law or is in the public interest – though the latter is likely to be difficult to prove in practice.
The prohibitions contained in Section 56 are intended to prevent employers obtaining wider information via an enforced subject access request under the Data Protection Act 1998 than via an established route such as the Disclosure and Barring Service (which will be unaffected by the implementation of Section 56). For example, a subject access request made to the Police is likely to yield information on an individual’s spent and unspent convictions whereas a basic disclosure request made to Disclosure Scotland (the body that handles basic disclosure requests, irrespective of where the individual lives in Great Britain) would only show details of unspent convictions.
Requiring people to make enforced subject access requests will be a criminal offence from 10 March 2015, punishable by a fine. In England and Wales, the maximum penalty on summary conviction in the Magistrates’ Court is £5,000 (to be unlimited at a date to be confirmed). On indictment in the Crown Court, the fine can be unlimited. In Scotland, the maximum fine available in the Sheriff Court is £10,000.
Most employers will be unaffected by the implementation of Section 56 but those that currently make use of subject access requests to obtain information about potential or existing employees and self-employed contractors (whether directly from the individuals concerned or via a third party) will need to revise their procedures – or risk a potentially substantial fine.
The Information Commissioner’s Office has published guidance on enforced subject access.