The practice of employers forcing employees or applicants to exercise subject access rights has been described by the UK’s Information Commissioner’s Office (‘ICO’) as a “clear perversion of an individual’s own rights”. It is now set to become a thing of the past in the UK and Ireland, as both jurisdictions bring laws into effect to make the practice a criminal offence.

In Ireland, provisions of the Data Protection Act 1988 and Data Protection (Amendment) Act 2003 that outlaw the practice were triggered in July 2014. In addition to the employer-employee relationship, these provisions apply to any person who engages another person to provide a service. The provisions have always been included in the Acts, but have not been brought into force until now.

In June 2014, the UK’s Ministry of Justice released guidance stating that similar provisions will come into force as of 1 December 2014. Employers that attempt to force people to use their subject access rights will be committing a criminal offence, punishable by a potentially unlimited fine. The ICO has indicated that it clearly intended to enforce the provision in one of its blogs, stating that “the war is not yet won but a significant new weapon is entering the battlefield. We intend to use it to stamp out this practice once and for all.”

These developments come against a backdrop of similar regulatory changes in the United States, where the long-standing “Ban the Box” movement continues to challenge the use of criminal conviction questions on job application forms. In addition, Maryland became the first state in 2012 to ban employers from asking employees and job applicants to disclose their social media passwords. Similar legislation has now been introduced or is pending in 28 states nationwide.

In light of these developments, employers should review their procedures to ensure that they do not fall foul of this update.