
New offences in relation to enforced subject access requests

As of today, it will be a criminal offence for employers to require employees (or prospective employees) to obtain subject access requests in relation to criminal offences and convictions and share that information with the employer (or prospective employer).

Whilst the relevant section has been in the Data Protection Act for some time (some 17 years), its implementation has been delayed. The change in law accompanies reforms introduced last year in relation to the criminal records checking process.

Many organisations carry out some form of pre-employment screening. This can cover checks that all employers are required to carry out by law and specific checks required in various regulated sectors (for example, financial services or working with children).

Historically, some employers have carried out these checks by requiring prospective employees to exercise their right of subject access under the DPA in relation to various organisations and then providing a copy of that response to the employer.

The new offences will mean that employers will no longer be able to circumvent the formal criminal records check system by getting access to cautions or to convictions which the law considers to be “spent”, or only disclosable in relation to certain occupations.

Employers should review their recruitment and screening procedures to ensure that they comply with the new law.

Provision of services

The new offences do not just apply to employers.

They also apply to contracts for the purchase of services. The Information Commissioner’s Office (ICO) gives the example of a shop owner commissioning a builder to carry out some work, but requiring the builder to make a subject access request to the Prison Service to confirm whether or not he has been in prison. That would be an offence under the new rules.

The rules also apply in the reverse scenario – making provision of a subject access request a condition of the supply of goods, facilities and services. The ICO gives the example of an insurer requiring a prospective customer to provide a subject access request prior to agreeing to provide him or her with insurance. Again, this would be an offence under the DPA.


To assist organisations in reviewing their policies and procedures, the ICO has published a guidance note on the new offences.

Brodies can help you review your policies and procedures to ensure that they comply with the law. If you would like to discuss how we can help you, please get in touch or contact your usual Brodies contact.

The post New offences in relation to enforced subject access requests appeared first on Brodies Blog.
