It was exactly one year ago today, on the same date that the changes to the Rehabilitation of Offenders Act 1974 (ROA) came into effect, that the government announced its intention to implement section 56 of the Data Protection Act 1998 (DPA). This makes it a criminal offence to require a person (or a third party) to obtain a copy of their criminal record outside of the formal disclosure schemes already in place, namely through the Disclosure and Barring Service (DBS), Disclosure Scotland and Access Northern Ireland. This practice is commonly referred to as an enforced subject access request.
This change in the law aims to prevent organisations from gaining ‘back door’ access to excessive and ‘unsanitised’ criminal record information including spent and protected cautions and convictions, community resolution orders and other out-of-court disposals, as well as details of arrests, charges and other personal sensitive information such as the person in question being a victim of crime. It has been a long time coming and I believe it is likely to have a greater impact than many realise.
Some may assume that enforced subject access is not a widespread problem and they will not understand the fanfare; initially when the Information Commissioner’s Office (ICO) told Nacro of the government’s plans I have to admit – I was not overly excited.
As a legal officer at Nacro, I have encountered many organisations carrying out illegal DBS checks (formerly CRB checks) over the years, but it has been relatively rare for me to come across an employer (or other organisation) trying to bypass the formal routes for carrying out a criminal record check through an enforced subject access request. Of course I knew it did happen and it was enough of a problem for many police forces to highlight in their guidance on subject access requests that it was unlawful to carry out such a request for employment purposes.
However, a recent advocacy case did actually involve an enforced subject access request. An anonymous allegation was made against a public sector employee who had an unblemished, exemplary work record. The allegation suggested that this employee, whose role involved regulated activity with children and vulnerable adults, posed a risk due to their criminal record.
When they applied for the role the employee had provided a written disclosure statement detailing a conviction for fraud and other offences which had taken place more than 15 years earlier. At the time, the employer had carried out an enhanced DBS with barred list check which had revealed the employee’s full criminal record. The certificate also included police intelligence about an incident which resulted in the employee receiving a police caution for assault, but none of the information provided was consistent with the allegation made against the employee. The employer had therefore carried out all the necessary and legal background checks at the time of employment.
Nevertheless, as a result of the allegation, the employer insisted that the employee obtain copies of their criminal record from the police and the courts in order to obtain all of the background information that led to the fraud conviction. I successfully challenged the employer’s ‘attempted’ subject access request and they eventually had to rely on carrying out a new, updated DBS check which no longer included police intelligence.
Since, the ICO’s announcement last year, I have learnt that enforced subject access requests are much more prevalent than I initially imagined and I have come across a whole host of organisations that have now had to update their policies and practices to avoid breaking the law. Such organisations include government agencies, housing associations, education providers, insurance companies, banks and other financials institutions, television companies and those that recruit offenders released on temporary licence or subject to probation supervision.
A recent example of this took place when I met with the Department for Education (DfE), the ICO and other key stakeholders about updating the Childcare Disqualification Regulations 2009 statutory guidance. I worked alongside the DfE as a result of this meeting; the guidance has since been updated and published on 26 February 2015 and now makes it clear that employers ’should not request…copies of a person’s criminal record obtained directly from the police, prison, probation service or courts, as this would be considered an enforced subject access request – which from 10 March 2015 will be a criminal offence.’ I hope that other organisations learn from the DfE’s example and adapt their policies and practices accordingly to ensure that they are not breaking the law.
What the changes to the law mean in practice
- Enforced subject access requests involve obtaining criminal record information from the police, prison, probation service or the courts as opposed to the DBS, Disclosure Scotland and Access Northern Ireland. These are now illegal.
- An individual does not actually have to carry out an enforced subject access request for the organisation to commit an offence – simply having a policy which allows for such a request is breaking the law.
- Those providing advisory services (e.g. employment support or advocacy) to someone with a criminal record should also be careful to avoid making enforced subject access requests. Some services have done this to work out when/if cautions or convictions become spent under the ROA, qualify for filtering or to write a disclosure statement.
Organisations that wish to know about managing criminal record information and avoiding any legal pitfalls that the new legislation may present can contact Nacro’s Employer Advice Serviceon 0845 600 3194 or firstname.lastname@example.org for advice, support, training and consultancy services. You can also follow us on Twitter @Nacro_.