Subject Access Request – an end to the ‘back door’ criminal record check.

Up until this week, employers could require potential or existing employees, or people offering their services in a self-employed capacity, to use their subject access rights under the Data Protection Act 1998 (DPA) to provide and supply results from certain records (e.g. details of convictions and cautions) as a condition of employment or engagement (commonly known as “enforced subject access”).

Individuals providing results under this method risked providing greater information than would otherwise be available through the criminal records disclosure regime. For instance an employer could find out about an individual’s spent and unspent convictions whereas a basic disclosure request would only show details of unspent convictions.

Although this practice has been frowned upon for many years, in order to prevent ‘rogue’ employers from obtaining such wider information, this practice has now become a criminal offence, punishable by an unlimited fine (from 10 March 2015). It will now be an offence to impose such a requirement on someone in connection with their recruitment, continued employment or contract for the provision of services, where such a requirement is imposed as a condition of providing or offering to provide goods, facilities or services.

Unless the requirement can be demonstrated to be in the public interest, or is required by law, information on past convictions previously sought via an “enforced” subject access request (whether directly from the individuals concerned or via a third party) will now need to be lawfully obtained through a recognised criminal record check.

The Information Commissioner’s Office has published new guidance on enforced subject access.

Of course, a valid subject access request from an employee to an employer remains unaffected by this change. Often employees make subject access requests to gain access to the personal data the employer holds on them. This usually involves requesting disclosure of internal emails and memos. This can be a damaging exercise for the unwary employer if not handled properly, not only because the Information Commissioner is strict about the 40 day deadline in which to respond, but also the nature and volume of information that is disclosed. Employers should be mindful of the various restrictions on what data should be disclosed and the exemptions from which they can benefit protect their business interests and the personal data of other individuals.

If you have received a subject access request and would like advice on how to handle it, please feel free to get in touch. Remember you only have 40 days from receipt to respond!


Advice for house hunters #SolicitorChat with The Law Society
14th January, 2021

Purchasing a property is likely to be one of the biggest transactions you will make in your life and the process can be complicated. Thomas Healy answered a few questions…

To injunct or not to injunct?
14th January, 2021

The possibility of an immediate costs order on an interlocutory injunction application to enforce restrictive covenants against a former employee, has for some time been a material factor.

Making a Will in 2021 #SolicitorChat with The Law Society
7th January, 2021

2020 produced many unexpected events and Michael Brierley discussed how you can help protect yourself from the unexpected by making a Will with The Law Society and other firms for…

A note from Neale Andrews
5th January, 2021

In line with the latest Government guidance and to ensure the safety of our clients and staff, we are for the greater part operating the firm remotely. However, we have…