Criminalising enforced subject access
Enforced subject access will shortly become illegal. Enforced subject access typically occurs where a person wishes to see another individual’s criminal record, but chooses not to use the established legal system operated by Disclosure Scotland, the Disclosure and Barring Service and Access Northern Ireland.
Section 56 of the Data Protection Act 1998 (DPA) will finally take effect on 1 December 2014. This means it will be a criminal offence for an employer or a third party to require someone to make a subject access request to access information about their convictions and cautions and provide that information to someone else as a condition of employment, or as part of a contract for the provision of services. A subject access request entitles an individual to know what personal information is being processed in relation to them.
Employers will no longer be able to require job applicants to use their subject access rights to obtain details of the applicant’s criminal record as a condition of their employment. Service recipients will also be prevented from requiring someone to use their right of subject access to provide them with such information in connection with the provision of services to them. This will, for example, apply to individuals given the opportunity to do voluntary work who are asked to use their subject access right to provide the relevant organisation with details of their criminal record.
The coming into force of Section 56 of the DPA will prevent the right of subject access from being abused. The Information Commissioner’s Office identified the misuse of this right by employers and others as undermining the rehabilitation of offenders and other related initiatives. To date someone providing the results of a subject access right to a prospective employer risked providing greater information than would otherwise be available through the criminal records disclosure regime.
From 1 December 2014 a requirement for a job applicant to produce details of a criminal record via a subject access request, or as a condition of providing services, will now constitute a criminal offence. Penalties on conviction will range from a maximum £10,000 fine (or an unlimited fine if heard under solemn procedure) in the Sheriff Court in Scotland, an unlimited fine in England and Wales, and a £5,000 (summary) or unlimited (on indictment) fine in Northern Ireland.
Unless the requirement can be demonstrated to be in the public interest, or is required by law, information on past convictions previously sought via a subject access request will now need to be obtained through a recognised criminal record check. This can be appropriately and lawfully achieved through Disclosure Scotland, the Disclosure and Barring Service (DBS), or Access Northern Ireland.
More information can be found here.
MacRoberts advises clients on all aspects of data protection compliance.