Up until this week, employers could require potential or existing employees, or people offering their services in a self-employed capacity, to use their subject access rights under the Data Protection Act 1998 (DPA) to provide and supply results from certain records (e.g. details of convictions and cautions) as a condition of employment or engagement (commonly known as “enforced subject access”).
Individuals providing results under this method risked providing greater information than would otherwise be available through the criminal records disclosure regime. For instance, an employer could find out about an individual’s spent and unspent convictions, whereas a basic disclosure request would only show details of unspent convictions.
This practice has been frowned upon for many years. In order to prevent ‘rogue’ employers from obtaining such wider information, it has now become a criminal offence (from 10 March 2015), punishable by an unlimited fine. It will now be an offence to impose such a requirement on someone in connection with their recruitment, continued employment or contract for the provision of services, where such a requirement is imposed as a condition of providing or offering to provide goods, facilities or services.
Unless the requirement can be demonstrated to be in the public interest, or is required by law, information on past convictions previously sought via an “enforced” subject access request (whether directly from the individuals concerned or via a third party) will now need to be lawfully obtained through a recognised criminal record check.
The Information Commissioner’s Office has published new guidance on enforced subject access.
Of course, a valid subject access request from an employee to an employer remains unaffected by this change. Often employees make subject access requests to gain access to the personal data the employer holds on them. This usually involves requesting disclosure of internal emails and memos. This can be a damaging exercise for the unwary employer if not handled properly, not only because the Information Commissioner is strict about the 40-day deadline in which to respond, but also because of the nature and volume of information that is disclosed. Employers should be mindful of the various restrictions on what data should be disclosed and the exemptions from which they can benefit to protect their business interests and the personal data of other individuals.
If you have received a subject access request and would like advice on how to handle it, please feel free to get in touch. Remember you only have 40 days from receipt to respond!