Information Security and Data Protection Newsletter - December 2014
Published 11 December 2014
1 December 2014 should have been a milestone in UK data protection law. Fourteen and a half years since the UK Data Protection Act ("DPA") came into force and effect, on 1 December 2014, the final provision: s.56 was due to become law.
S.56 of the DPA prohibits organisations from requiring that individuals use their subject access rights to obtain information (typically criminal records) about themselves and hand it over to the organisation. S.56 of the Data Protection Act 1998 ("DPA") prohibits organisations from requiring that individuals use their subject access rights to obtain information (typically criminal records) about themselves and hand it over to the organisation. The rationale for the ban is that criminal records should be properly obtained through the Criminal Records Bureau, now the Disclosure and Barring Service (DBS), where release of such records is subject to the restrictions and permissions of rehabilitation of offenders legislation.
Prior to the ban on enforced subject access, organisations had been free to request individuals obtain the data directly from the police or other organisations holding a full criminal record of the requesting individual, utilising an individual's subject access rights under s.7 DPA. The data obtained can typically contain both spent and pending convictions, neither of which would be discloseable to an organisation requesting basic disclosure from the DBS. Employers and insurers were therefore obtaining additional information about individuals, which was contrary to law and policy governing rehabilitation of offenders.
The view from the ICO, who held a webinar and released guidance at the end of November prior to the 1 December go live date, seemed to be that insurers and employers have been deliberately using this route to obtain spent and pending convictions and not pay the £25 fee for basic disclosure from the DBS (subject access fees being only £10). Having discussed this with many clients, this was not generally true. Many organisations were simply not aware that basic criminal record histories could be obtained, albeit still requiring data subject consent, from DBS Scotland (which applies throughout the UK and not just Scotland).
On 28 November 2014, the Ministry of Justice released an update on its website advising that there would "be a delay to the proposed date for commencement of S56 of the DPA because of a technical issue encountered when finalising arrangement for introduction". The 14.5 year delay on the ban coming into force was for the DBS to make arrangements for the issuing of basic disclosure certificates. We can only assume that this further delay is that there is still an issue with obtain basic disclosure certificates from DBS Scotland and the ban will not be brought into place until any such issues are ironed out.
We wonder which will get there first: the new data protection regulation which will rewrite UK data protection law, currently being debated behind closed doors under the Italian presidency, or the final section of the DPA! In all likelihood, s.56 will get there first and we therefore advise any clients obtaining criminal records through use of subject access rights, amend their internal procedures and investigate practical ways of obtaining the information from the DBS.
All this and more in this month's update. Colleagues can sign up to the alerter here.