Employers who request that potential or current employees obtain information on their criminal record history through “subject access requests” under section 7 of the Data Protection Act 1998 risk committing a criminal offence. Section 56 of the Data Protection Act came into force on 10 March 2015 and makes such “enforced subject access requests” illegal, except in the rare circumstances a request is required by law or in the public interest. In England and Wales employers found to have breached the provision face an unlimited fine.
Individuals have rights to records of personal information held on them through section 7 but subject access requests on criminal records have caused the Information Commissioner’s Office (ICO) concern as they can provide greater detail than other types of checks and do not distinguish between spent and unspent convictions.
ICO guidance explains employers can still check criminal records where possible and necessary through other means. Checks can be carried out through Disclosure Scotland (for basic checks in England and Wales) and through the Disclosure and Barring Service (for standard and enhanced checks in England and Wales).
Employers are not the only ones caught by these changes. Section 56 prevents any person from requiring another person, or a third party, to make a subject access request for their criminal record information as a pre-condition to providing them with, or offering to provide them with, goods, facilities or services. For example, an insurance company would likely breach section 56 if they refused to provide insurance to an individual unless they made a subject access request for their criminal record.