Last month, we reported that the practice of enforced data subject access requests (DSARs) was to become a criminal offence. The ICO held a webinar on the 18 November looking at the change. They mentioned that it’s possible the 1 December enactment date may slip a little. This has since been confirmed by the MOJ who announced on 28 November that this was due to a technical issue encountered when finalising arrangements for introduction. It would appear however that the intention is still to introduce this change.
Nevertheless, this delay should not lead to complacency. Forced data subject access requests are not good data protection practice, and will often breach other data protection principles without this specific offence.
In this article we go into a little more detail about the offence, but also try to address a common concern. If you can’t get employees to request details of their criminal offences and charges from the police, how can you make sure you have appropriately vetted them?
Basic Disclosure and the Disclosure and Barring Service
The fundamental message is that the appropriate way to find out about criminal convictions, spent or unspent, is through the regime set up for this purpose – what many still call a CRB check, but which is now a service provided by the Disclosure and Barring Service (DBS) if you’re in England, AccessNI in Northern Ireland and Disclosure Scotland in Scotland.
Basic disclosure can be requested through Disclosure Scotland by either organisations or individuals, wherever they are based in the UK. This will only show any unspent convictions. The DBS does not process basic disclosure.
Obtaining disclosure through the DBS, AccessNI or Disclosure Scotland is not making a data subject access request – it is a separate process governed by its own rules. The rights of a data subject under the Data Protection Act 1998 (the DPA) should not be brought into play in order to help companies circumvent these rules.
Organisations who want to see more than simply unspent convictions will need to apply for either a standard or enhanced disclosure, which would then show spent convictions, cautions, sex offender notification requirements and other relevant information held by the relevant police force.
This is a lot of highly sensitive data, and naturally protections are put in place before they can be obtained. Only certain organisations can apply, and even then only for certain roles where obtaining the information is justified.
And this is where, previously, the “trick” of having an individual make a DSAR to the police comes in.
Restrictions on requiring DSARs
The new rules make it an offence to require an individual to provide or produce a relevant record – a record which has or is to be obtained by way of a DSAR to named data controllers (in essence the police and benefits authorities), where the subject matter relates to their criminal or benefits functions.
“Require” is a deliberately wide term. It is intended to capture any circumstance where a choice has been removed from the individual, either openly or by implication. In other words, if the individual reasonably considers that he or she would be at a detriment for saying no, then the request has been “required”. This applies to all requests made “in connection with” (again, a very wide phrase), recruitment, continued employment, or a contract for the provision of services by that person.
There is a slightly more cautious prohibition on those who are providing goods, facilities or services – they may not make the provision of a relevant record a condition of providing the goods and services.
The ICO have informed us that they consider allowing an individual the opportunity to volunteer for an organisation is the provision of a service, and therefore the slightly more cautious restriction applies – you cannot require them to obtain a relevant record and make that a condition of allowing them to volunteer.
The offence is committed as soon as you ask the individual to produce the record – the record may contain no information, or the individual may never obtain it, but if you have asked the question, then you have committed the offence.
Complying with the rest of the DPA
Even if you are permitted to obtain basic, standard or enhanced disclosure, or the data controller you want the data subject to make a request for data from is not one listed (such as an overseas police authority, or even a social media site), and you therefore don’t fall foul of these new restrictions, all data controllers need to ensure that they comply with all of the principles of the DPA.
- ensuring that you do not collect excessive information
- informing the individual of what you are collecting and why – and allowing them access to the information if they ask for it.
- having an appropriate “condition for processing” – most often you’d want to show that collecting the information is in your legitimate business interests – but does it infringe on the rights of the individual? Does it have an adverse affect on their privacy?
- having consent from the individual if the data is sensitive personal data – and information about convictions and charges will be. Is that consent informed? More importantly, is it freely given? If the individual feels that they will be at a detriment if they do not provide it, the answer is probably no.
- keeping that information secure – remember this type of information is protected because it is sensitive. If you collect it you will have an enhanced obligation to keep it secure. A data breach where this information is disclosed would be a key enforcement objective of the ICO.
Now is the time to check that your verification procedures don’t fall foul of the DPA. Remember:
If you want to obtain criminal records information about anyone, the appropriate route is via the DBS, AccessNI or Disclosure Scotland (or Disclosure Scotland for Basic Disclosure from anywhere in the UK).
If you require an individual to make a subject access request:
- to the police or to a benefits agency; and
- it’s connected to their recruitment or employment, or a condition of offering them a volunteering opportunity, services, facilities or goods
then you will be committing an offence, whether or not they obtain the record.
If you collect any information about individuals in relation to verification or otherwise, you must comply with all of the principles of the DPA. Further guidance on verification and vetting can be found in the ICO’s Employment Practices Code and its Supplementary Guidance.
For more information contact Gayle McFarlane who is a lawyer with Cordery in London where their focus is on compliance issues.
Gayle McFarlane, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 118 2700