Enforced data subject access requests are now unlawful
A new criminal offence has come into force this month to prevent employers from forcing job applicants and employees to reveal their criminal records history without going through the correct channels.
The new offence aims to prevent what are known as “enforced subject access requests”. Under the Data Protection Act 1998, an individual has the right to access personal data relating to him or herself which is held by a third party. This is generally accessed by the individual submitting a data subject access request to the organisation or third party in question.
In the employment context, employers may wish to check a job applicant’s or employee’s criminal history, and their ability to do so will not change. However, they can now only do so in accordance with the correct legal channels – that is, by applying to the Disclosure and Barring Service (“DBS”), Disclosure Scotland or Access Northern Ireland. The amount of information and the details that will be provided in relation to an individual’s history depend on the type of check required (basic, standard or enhanced) and the nature of the job in question. In many cases, for example, spent convictions (where the requisite period of time has elapsed since conviction) do not show up on DBS checks.
However, it is thought that employers have in some cases been circumventing the legal requirements and forcing employees or prospective employees to reveal their criminal history by requiring the individual to submit a data subject access request to law enforcement agencies or the courts. Submitting such a request would require the recipient of the request to disclose all of the information it holds on the individual, who may then be compelled to hand this over to the employer. This would result in information and detail being revealed that would not necessarily show up in a DBS check; furthermore, if the role in question did not in fact merit the employer carrying out a DBS check, the employer would not necessarily be entitled to any details regarding the individual’s criminal record history at all.
For an offence to be committed, it is enough for the employer to require the enforced request to be made: the offence does not rely on anything being revealed, so even a request that resulted in a response confirming that the individual has no criminal record would be covered. The ambit of the offence also spreads beyond the employment context, to cover the situation where a party requires a third party to submit a subject access request as a condition for supplying goods, services or facilities. The Information Commissioner’s Office has published guidance on the offence, which includes the example of a shop owner who requires a builder to disclose whether he has ever been in prison, by submitting a subject access request to the Prison Service, before engaging him to build an extension to the shop. This would now be covered by the new offence.
The penalty for committing this offence in England and Wales is an unlimited fine (with certain limits applying in Scotland and Northern Ireland), so employers are advised to ensure that any requests for criminal records are carried out legitimately in accordance with the new law.
For further advice and assistance, please call to speak to one of the employment law team on 024 7623 1000.
Askews Legal LLP – Solicitors in Coventry.