Practical guidance – Police records and enforced subject access requests

Aim of this guidance

This guidance is designed primarily for employers, as recruitment is where most ‘enforced subject access’ happens. However, this guidance, and the offence of ‘enforced subject access’, applies to any individual or organisation, including volunteer recruiters, insurers, colleges, universities and housing associations.

Why this is important?

This guidance explains a process known as ‘enforced subject access’. This became a criminal offence on the 10th March 2015. This guide focuses on what you as an employer should do if you currently use or carry out subject access requests. The guide does not go into detail about how the legislation works, as this is covered in guidance by the Information Commissioners Office (ICO).

An enforced subject access request reveals more details than an individual would have to disclose. For example, the information might include spent convictions under the Rehabilitation of Offenders Act, or cautions that would no longer be disclosed on an enhanced check. Both the ICO and the Disclosure and Barring Service have expressed concern that enforced subject access requests are an abuse of an individuals’ rights and undermine public policies.

In short, police records should not be used as part of ordinary recruitment practices.

What is ‘enforced subject access’?

This is the practice where you require an individual to obtain a copy of their police record, for example, as part of an application process for a job. For some employers, this has been a condition of employment.

As you will see in the example below, a subject access displays significantly more personal information than what you are legally entitled to be in possession of.


What you need to do

You should check the policies and practices that you have in place. If you use ‘enforced subject access’ as a way of obtaining criminal record information, you should stop this practice immediately, otherwise you risk committing a criminal offence which carries an unlimited fine. You should consult the ICO guidance and ensure that your policies do not breach section 184 of the Data Protection Act 2018 (previously section 56 of the Data Protection Act 1998). The ICO has indicated that it intends to prosecute those who continue to make enforced subject access requests.

Types of checks you can do

Depending on the nature of the work involved, there may be alternative practices available to you. For example, if you recruit employees or volunteers, you may look at using an official criminal record check towards the end of your recruitment process. Depending on the situation, this may be a basic, standard or enhanced level check.

Useful resources

We have worked with the ICO, who have produced their own guidance on enforced subject access requests. They are the body that is responsible for taking action against those suspected of breaching the rules. You can download their guidance here.

The ICO have also shared a webinar that the ICO held on the 18th November 2014 – this is available to watch below:

Good practice tips

  • Do not ask individuals to obtain a copy of their police record as part of your recruitment process
  • If your recruitment process involves a formal criminal record check, be clear with the applicant whether it’s a basic, standard or enhanced level check.


Frequently asked questions

No. Employers can still check criminal records through official channels. This change prevents employers exploiting subject access requests and accessing more information than they are entitled to.
The sharing of police records is not illegal. However, the offence of ‘enforced subject access’ includes situations where you request individuals to provide it, as this can be construed as ‘enforced’. There would be additional data protection issues with using or storing any information revealed on a police record. 

More information

  1. There is more information about checking criminal records here
  2. For further advice about this guidance, please contact us.

Has this been useful?

Let us know if this guidance has been useful. Have you used it in your organisation? Has it helped you to change your policy or practice? Please let us know so that we can show the impact of this guidance and continue to help others.

You can let us know by:

  1. Writing a comment on this page (see below)
  2. Sending your feedback directly to us
  3. Emailing us at


This guidance was updated in June 2018

Is there anything wrong with this guidance? Let us know – email

Print Friendly, PDF & Email