Under section 56 of the Data Protection Act 1998 (DPA), it is now a criminal offence for any person or organisation to require an individual to submit a ‘subject access request’ (i.e. the right for an individual to access any of their personal data held by third parties on payment of a fee, provided certain requirements are met) in order to obtain and provide a copy of their criminal record. This will not prevent employers and others from obtaining access to criminal records through legitimate means (for example, seeking disclosure officially through the Disclosure and Barring Service). The offence was created over a decade and a half ago but has only been brought into force on 10 March 2015.

Wide application

The offence will have a broad application applying in the following contexts.

  • Employment: employers may no longer require an individual to use their subject access rights to provide certain records (such as, police records) during the recruitment process or as a condition of hiring or continued employment.
  • Provision of goods, services and facilities to the public: it is unlawful to contractually require certain criminal records as a condition for providing and receiving a service (for example, in insurance or housing).

The prohibition will apply to details which are obtained directly from the relevant individual or via a third party. In practice, this means that employers, service providers and third parties will also be held liable for any processing of personal data by their data processors.

Where the record is required by law or is justified in the public interest, the prohibitions under section 56 will, by exception, not apply. Guidance published by the Information Commissioner’s Office, the independent regulatory body overseeing the DPA (ICO), provides practical situations. For example, the public interest exception cannot be used to justify the prevention or detection of a crime.

Breach implications

In the event of a breach, the individual or organisation risks a criminal record, a criminal prosecution, a fine (ranging from £5,000 to an unlimited amount) and the potential for senior staff involved to face personal criminal liability.

As with other major data protection breaches, there is also the risk of reputational harm. The ICO has expressed that it will apply the rules strictly and has the power to “name and shame” those in major breach.

Employer health check

Employers and organisations carrying out background checks on behalf of employers should review their current practices for compliance purposes. In practice, this may result in ceasing to make prohibited checks or amending documents used in conjunction with background checks, such as, application forms or consent forms.