Subject Access Request – an end to the ‘back door’ criminal record check.

Up until this week, employers could require potential or existing employees, or people offering their services in a self-employed capacity, to use their subject access rights under the Data Protection Act 1998 (DPA) to provide and supply results from certain records (e.g. details of convictions and cautions) as a condition of employment or engagement (commonly known as “enforced subject access”).

Individuals providing results under this method risked providing greater information than would otherwise be available through the criminal records disclosure regime. For instance an employer could find out about an individual’s spent and unspent convictions whereas a basic disclosure request would only show details of unspent convictions.

Although this practice has been frowned upon for many years, in order to prevent ‘rogue’ employers from obtaining such wider information, this practice has now become a criminal offence, punishable by an unlimited fine (from 10 March 2015). It will now be an offence to impose such a requirement on someone in connection with their recruitment, continued employment or contract for the provision of services, where such a requirement is imposed as a condition of providing or offering to provide goods, facilities or services.

Unless the requirement can be demonstrated to be in the public interest, or is required by law, information on past convictions previously sought via an “enforced” subject access request (whether directly from the individuals concerned or via a third party) will now need to be lawfully obtained through a recognised criminal record check.

The Information Commissioner’s Office has published new guidance on enforced subject access.

Of course, a valid subject access request from an employee to an employer remains unaffected by this change. Often employees make subject access requests to gain access to the personal data the employer holds on them. This usually involves requesting disclosure of internal emails and memos. This can be a damaging exercise for the unwary employer if not handled properly, not only because the Information Commissioner is strict about the 40 day deadline in which to respond, but also the nature and volume of information that is disclosed. Employers should be mindful of the various restrictions on what data should be disclosed and the exemptions from which they can benefit protect their business interests and the personal data of other individuals.

If you have received a subject access request and would like advice on how to handle it, please feel free to get in touch. Remember you only have 40 days from receipt to respond!

Insights.

Post-Termination Restrictions: Supreme Court to the Rescue
18th July, 2019

Céline Winham considers recent Supreme Court case which clarifies enforcement of post-termination restrictions in contracts of employment

What is “independent legal advice”?
17th July, 2019

Fiona McAllister explains the mystery of when and why independent legal advice is required.

Bullying and harassment in the workplace
9th July, 2019

Céline Winham explains what exactly bullying and harassment at work is, what it can mean and your rights.

Perceiving is Believing
4th July, 2019

Céline Winham looks at a recent case and explains that employers must be careful not to make assumptions about the current and future effects of any employee’s medical condition.