Section 56 of the Data Protection Act 1998 (“DPA”), dormant since the DPA came into force, is expected to be implemented shortly. The anticipated commencement date of 1 December 2014 is still to be confirmed and may change.
The implementation of Section 56 will make it a criminal offence for any person (including organisations) to require an individual to submit a subject access request (under the DPA) to specific third parties, in order for that person to obtain protected personal data of the individual that they would otherwise have no access to. This practice is commonly referred to as “enforced subject access requests”.
Therefore, the objective of Section 56 is to stop excessive access to protected records which would not normally be available save to individuals as their own personal data, or to those limited persons legally entitled to make specific searches for such details.
This change will impact the current practices of organisations operating in the TMT sector, where such organisations want to check individuals’ criminal and other protected records but cannot legally obtain Standard or Enhanced Checks (what used to be referred to as CRB Checks) and/or Barred List details from the Disclosure and Barring Service (“DBS Checks”).
The new restriction bites in two areas: first, in relation to “employment”, and secondly, in relation to the provision of goods, services and facilities to the public.
The employment limb captures checks required whether during the recruitment process or during employment and covers not just contracted employees but also office holders, even if unpaid. This also extends to engaging non-employees under contracts for services.
Due to the sensitivities involved in the products/services offered by companies in the TMT sector (particularly in respect of protecting intellectual property or when providing services to clients in sensitive or regulated sectors), many employers rely on enforced subject access requests to obtain background information on prospective (and even existing) employees. In most circumstances such organisations do not fall within any of the permitted categories which would enable them to require employees to undertake DBS Checks. Therefore, obtaining information via a subject access request was a viable alternative.
Likely to be of less relevance to the TMT sector (but still important to note), the public provision limb captures situations where the offer or provision of goods, services, or facilities to the public (including the affected person), even if unpaid, is on condition that such protected details be supplied. This also impacts volunteered services.
The prohibition applies whether the details are obtained direct from the relevant individual, or via a third party. Employers, providers and contractors should also bear in mind that they will be responsible for any collection and use of personal data by their data processors.
The practice of employers, providers and contractors who obtain such details when not entitled to make a direct application, by getting an individual to make a subject access request to the Disclosure and Barring Service, must stop when section 56 comes into force. It will also not be possible to get such details (which include spent convictions and may include additional details, such as cautions and current charges) by making an individual apply to other relevant bodies, such as the police.
Breach of section 56 is a criminal offence, and the section applies to England & Wales, Scotland and Northern Ireland (although slightly different access regimes and providers apply in Scotland and Northern Ireland). Breach carries the risk of a criminal prosecution, a criminal record and a fine which (depending upon where prosecution takes place in the United Kingdom) may range from £5,000 to an unlimited amount. Senior staff involved may also face personal criminal liability.
In addition, offenders will need to be aware of the likely press interest in breaches and reputational damage. This is especially the case since the Information Commissioner’s Office has already indicated an intention to be proactive in the stamping out of enforced subject access requests and to prosecute those who breach section 56 once in force. It has also confirmed that it will be applying a robust interpretation of section 56.
What can we do to prepare?
For some organisations, the loss of ability to conduct enforced subject access requests will require a significant change in practice and mindset. Other organisations, however, may not be fully aware of what practices are in place and may wish to conduct an audit exercise to ensure compliance with the new law.
We recommend that organisations review their current approach to checks (whether carried out internally, by service providers on their behalf or as a result of contractual obligations or expectations) so that they can adjust their approach to what records are required and how they are obtained if necessary. This may also require contracts, application forms, related privacy notices, consents and authorisations to be revised.
Some checks will still be possible, but in the future it will be important to ensure that those checks which will trigger the offence are no longer carried out.
Regardless of section 56, details about individuals can only be collected in full compliance with the other provisions of the DPA – and these are more onerous where criminal, sensitive, personal data is involved.