Employers who force prospective employees to obtain a Subject Access Request from the police detailing any criminal history or investigation will soon themselves be committing a criminal offence.
The Ministry of Justice recently announced that on 1 December 2014, section 56 of the Data Protection Act 1998 ("DPA") will come into force across the UK. It will make it a criminal offence for employers to demand prospective employees obtain Subject Access Request ("SAR") reports.
Some employers are concerned that s56 will make it an offence to undertake Disclosure & Barring Service ("DBS", the new name for the Criminal Records Bureau) checks on prospective employees. This is not the case. In fact it is designed to encourage the use of these and to prevent enforced SARs.
The correct procedure to obtain criminal records of prospective employees is via the disclosure service provided by DBS or the Scottish equivalent, Disclosure Scotland ("DS"). Whilst these services were in the process of being developed, employers could demand that applicants made SARs directly to the police and pass on the report.
The purpose of s56 was to close this loophole once the DBS/DS system had become fully operational. For that reason s56 was inserted into the DPA but not enacted with the rest of the provisions. It applies only to records obtained by the individual from the police using their s7 SAR rights. SAR reports contain far more information than would be revealed under a DBS/DS check, such as police intelligence and spent convictions. As a result the practice is frowned upon by the authorities: the police SAR form states enforced SARs are exploitative and contrary to the spirit of the DPA, and the Information Commissioner's Office ("ICO") guidance on employment has long advised against it using stern wording ("Do not force applicants…" !).
The only exemptions to s56 are situations when the report is justified as being in the public interest or when required by law; the s28 national security exemption does not apply.
There has been no specific guidance released on s56. However, it is clear from the Written Ministerial Statement which announced the change in March 2014 and the ICO release which followed it that the section is being brought into force to close the loophole. ICO has publically stated it intends to prosecute infringers under the offence so as to encourage the correct use of the DBS/DS procedure and prevent enforced SARs. s56 does nothing to prevent employers requesting DBS/DS checks on prospective employees in the usual way.
What this means in practice is that any employer who demands a potential employee to file an SAR with the police and provide the results will be committing a criminal offence and there is a potentially unlimited fine for infringement. Instead, employers should utilise the DBS procedure (DS if in Scotland) for the purpose of background criminal checks. This sneaky backdoor route to obtaining far more sensitive personal data than employers are entitled to – often harming the individual's job prospects in the process – will be shut for good. Non-compliant employers should take note.
Update 19 November 2014
In an informative webinar on this subject yesterday, ICO mentioned a delay in the commencement date. When I queried this the official response was: "a technical issue encountered when finalising arrangements for introduction means there will be a delay to the date for commencing Section 56 of the Data Protection Act. The Government is working to urgently resolve this issue. There is no exact date as yet."
Update 27 February 2015
The Government has since passed the necessary commencement order and so s56 will come into force from 10 March 2015.
Sign up to our email digest