Aim of this guidance
This guidance is primarily designed for employers, as that is where the majority of examples of ‘enforced subject access’ take place. However, this guidance, and the offence of ‘enforced subject access’, applies to any individual or organisation. That means it also applies to organisations such as volunteer recruiters, insurers, colleges, universities and housing associations.
Why this is important
This guidance explains a process known as ‘enforced subject access’. This became a criminal offence on the 10th March 2015. This guide focuses on what you as an employer should do if you currently use or carry out subject access requests. The guide does not go into detail about how the legislation works, as this is covered in guidance by the Information Commissioners Office (ICO).
An enforced subject access request reveals more details than what an individual would have to disclose. For example, the information might include spent convictions under the Rehabilitation of Offenders Act, or minor cautions that would no longer be disclosed on an enhanced check. Both the ICO and the Disclosure and Barring Service have expressed concern that enforced subject access requests are an abuse of an individuals’ rights and undermine public policies.
What is ‘enforced subject access’?
This is the practice where you require an individual to obtain a copy of their police record, for example, as part of an application process for a job. For some employers, this has been a condition of employment.
As you will see in the example below, a subject access displays significantly more personal information than what you are legally entitled to be in possession of.
What you need to do
You should check the policies and practices that you have in place. If you use ‘enforced subject access’ as a way of obtaining criminal record information, you should stop this practice immediately, otherwise you risk committing a criminal offence which carries an unlimited fine. You should consult the ICO guidance and ensure that your policies do not breach section 184 of the Data Protection Act 2018 (previously section 56 of the Data Protection Act 1998). The ICO has indicated that it intends to prosecute those who continue to make enforced subject access requests.
What types of checks can be done
Depending on the nature of the work involved, there may be alternative practices available to you. For example, if you recruit employees or volunteers, you may look at using an official criminal record check towards the end of your recruitment process. Depending on the situation, this may be a basic, standard or enhanced level check.
The ICO have also shared a webinar that the ICO held on the 18th November 2014 – this is available to watch below:
Good practice tips
- Do not ask individuals to obtain a copy of their police record as part of your recruitment process
- If your recruitment process involves a formal criminal record check, be clear with the applicant whether it’s a basic, standard or enhanced level check.
Frequently asked questions
- There is more information about checking criminal records here
- For further advice about this guidance, please contact us.
Has this been useful?
You can let us know by:
- Writing a comment on this page (see below)
- Sending your feedback directly to us
- Emailing us at email@example.com
Is there anything wrong with this guidance? Let us know – email firstname.lastname@example.org.