Summary - Section 56 of the Data Protection Act 1998 (“DPA”), dormant since the DPA came into force, is expected to be implemented shortly. The anticipated commencement date of 1 December 2014 is still to be confirmed and may change.
This will make “enforced subject access requests” a criminal offence. Such requests arise in checking and vetting, where any person requires someone to exercise their subject access rights under the DPA by submitting a request for their personal data (for specific protected records) to certain data controllers, and then to share the results. The objective is to stop excessive access to protected records which would not normally be available save to individuals as their own personal data, or to those limited persons legally entitled to make specific searches for such details.
This change will impact current practices in many sectors where organisations want to check individuals’ criminal and other protected records, much of which will in any event be regulated as sensitive personal data under the DPA.
The new restriction bites in two areas: first, in relation to “employment”, and secondly, in relation to the provision of goods, services and facilities to the public.
The employment limb captures checks required whether during the recruitment process or during employment and covers not just contracted employees but also office holders, even if unpaid. This also extends to engaging non-employees under contracts for services.
The public provision limb captures situations where the offer or provision of goods, services, or facilities to the public (including the affected person), even if unpaid, is on condition that such protected details be supplied. This also impacts volunteered services.
The prohibition applies whether the details are obtained direct from the relevant individual, or via a third party. Employers, providers and contractors should also bear in mind that they will be responsible for any collection and use of personal data by their data processors.
Those already obliged or clearly permitted by law to obtain Standard or Enhanced Checks (and where relevant including Barred List information) from the Disclosure and Barring Service in relation to specific authorised roles may continue to request such checks and details. It is already a criminal offence to request such details without legal entitlement and applications are likely to be kept under close review.
The practice of employers, providers and contractors who obtained such details when not entitled to make a direct application, by getting an individual to make a subject access request to the Disclosure and Barring Service, must stop when section 56 comes into force. It will also not be possible to get such details (which include spent convictions and may include additional details, such as cautions and current charges) by making an individual apply to other relevant bodies, such as the police.
Breach of section 56 is a criminal offence, and the section applies to England & Wales, Scotland and Northern Ireland (although slightly different access regimes and providers apply in Scotland and Northern Ireland). Breach carries the risk of a criminal prosecution, criminal record and fine which (depending upon where prosecution takes place in the United Kingdom) may range from £5,000 to an unlimited amount. Senior staff involved may also face personal criminal liability.
In addition, offenders will need to be aware of the likely press interest in breaches and the resulting reputational damage. This is especially the case since the Information Commissioner’s Office has already indicated an intention to be proactive in stamping out enforced subject access requests and to prosecute those who breach section 56 once in force. It has also confirmed that it will be applying a robust interpretation of section 56.
What can we do to prepare?
For some organisations, the loss of ability to conduct enforced subject access requests will require a significant change in practice and mindset.
We recommend that organisations review their current approach to checks (whether carried out internally, by service providers on their behalf or as a result of contractual obligations or expectations) so that they can adjust their approach to what records are required and how they are obtained if necessary. This may also require contracts, application forms, related privacy notices, consents and authorisations to be revised.
Some checks will still be possible but in the future it will be important to ensure that those checks which will trigger the offence are no longer carried out.
Regardless of section 56, details about individuals can only be collected in full compliance with the other provisions of the DPA – and these are more onerous where criminal, sensitive, personal data is involved.