Subject Access Request – an end to the ‘back door’ criminal record check.

Up until this week, employers could require potential or existing employees, or people offering their services in a self-employed capacity, to use their subject access rights under the Data Protection Act 1998 (DPA) to provide and supply results from certain records (e.g. details of convictions and cautions) as a condition of employment or engagement (commonly known as “enforced subject access”).

Individuals providing results under this method risked providing greater information than would otherwise be available through the criminal records disclosure regime. For instance an employer could find out about an individual’s spent and unspent convictions whereas a basic disclosure request would only show details of unspent convictions.

Although this practice has been frowned upon for many years, in order to prevent ‘rogue’ employers from obtaining such wider information, this practice has now become a criminal offence, punishable by an unlimited fine (from 10 March 2015). It will now be an offence to impose such a requirement on someone in connection with their recruitment, continued employment or contract for the provision of services, where such a requirement is imposed as a condition of providing or offering to provide goods, facilities or services.

Unless the requirement can be demonstrated to be in the public interest, or is required by law, information on past convictions previously sought via an “enforced” subject access request (whether directly from the individuals concerned or via a third party) will now need to be lawfully obtained through a recognised criminal record check.

The Information Commissioner’s Office has published new guidance on enforced subject access.

Of course, a valid subject access request from an employee to an employer remains unaffected by this change. Often employees make subject access requests to gain access to the personal data the employer holds on them. This usually involves requesting disclosure of internal emails and memos. This can be a damaging exercise for the unwary employer if not handled properly, not only because the Information Commissioner is strict about the 40 day deadline in which to respond, but also the nature and volume of information that is disclosed. Employers should be mindful of the various restrictions on what data should be disclosed and the exemptions from which they can benefit protect their business interests and the personal data of other individuals.

If you have received a subject access request and would like advice on how to handle it, please feel free to get in touch. Remember you only have 40 days from receipt to respond!


Changes to the Capital Gains Tax Regime
15th October, 2019

Kerry Sawyer looks at the changes expected to be reflected in the Finance Bill 2020 and become UK law in April 2020.

14th October, 2019

Kirstie Collins provides answers to some of the most frequently asked questions when setting up a Limited company.

The Facts, The Whole Facts and Nothing but The Facts
10th October, 2019

Andrew Knorpel considers who should be making the factual findings and who should be evaluating employees’ conduct when undertaking disciplinary investigations and decisions.

An Englishman’s home is his castle but is there room at the inn…
7th October, 2019

Rachel FitzGerald considers the rise of Airbnb and gives consideration to the question of whether you can sublet your property.