Enforced subject access requests illegal from 10th March
Published 25 February 2015
It has been announced that on 10th March 2015 the Data Protection Act 1998 (Commencement No. 4) Order 2015 (SI 2015/312), which will implement section 56 of the Data Protection Act 1998, will come into force.
Section 56 of the DPA will significantly restrict, by way of a criminal offence, organisations from requesting that individuals use their subject access rights to obtain information (typically criminal records) about themselves for use by the requesting organisation.
The rationale is that criminal records should be properly obtained through the Disclosure and Barring Service (DBS), where release of such records is subject to the restrictions and permissions of rehabilitation of offenders legislation. Prior to the ban on enforced subject access, organisations had been free to request that individuals obtain the data directly from the police (or other organisations holding a full criminal record of the requesting individual). The data obtained can typically contain both spent and pending convictions, neither of which would be disclosable to an organisation requesting basic disclosure from the DBS.
Such requests have typically been made by employers of job applicants and by the insurance industry, which has often required that policyholders/claimants obtain criminal records through subject access to the police and other bodies. The webinar and related guidance addressed this directly and stated that the proper route for insurers obtaining information of this kind was from DBS Scotland. Insurers are permitted to make a basic check (with the consent of the data subject) but are not permitted to undertake a standard or enhanced check. The ICO stated that Parliament had put in place the DBS checking system, with its accompanying rules, to govern access to an individual's criminal record, and that subject access should not be a way of circumventing these rules.
There is an exemption from this ban if requiring the subject access is "in the public interest". Although we predict that many financial services companies will think it is in the public interest to obtain details of individual convictions, beyond those obtainable through basic disclosure, for the prevention of fraud etc., the ICO has made it clear that it could think of no example falling within this exemption.
What action could be taken to manage risks that may arise from this development?
Ensure criminal records are being obtained through the DBS (employees) and Disclosure Scotland (basic disclosure for policyholders/claimants).