Enforced subject access requests illegal under the Data Protection Act | EEF

Enforced subject access requests illegal under the Data Protection Act

Subscribe to Business Support news feeds


It is now a criminal offence for an employer to require a job applicant or existing employee to provide information about their potential criminal record by way of a subject access request.

There are many circumstances when employers legitimately need to check the criminal record of job applicants or employees. The usual way of doing this is via the Disclosure and Barring Service (DBS) or Disclosure Scotland. However, some employers require individuals to make a subject access request about their criminal record to the police and then show the report to them. This is known as an enforced subject access request.

Enforced subject access requests may result in employees and job applicants disclosing more information than they need to, for example the report might refer to police intelligence or spent convictions, which individuals are generally not obliged to disclose under the Rehabilitation of Offenders Act.   

S56 Data Protection Act (in force from 10 March 2015) protects individuals by making such enforced subject access requests a criminal offence. Employers who break the law face potentially unlimited fines.

However, employers can still apply for a criminal record check via the normal disclosure regime. Employers can make:

  • basic checks which would divulge unspent convictions from Disclosure Scotland (despite its name, this body is responsible for basic checks for all of Great Britain);

  • standard checks, which would include spent and certain unspent convictions, cautions, reprimands and final warnings from the DBS for England and Wales (or Disclosure Scotland for Scotland); and

  • enhanced checks from the DBS (or Disclosure Scotland for Scotland) which disclose all of the information held in a standard check plus certain relevant information held by the police on an individual. Enhanced checks are required to check the records of people who work with or come into contact with children or vulnerable adults.

The Information Commissioner has published guidance on enforced subject access.

How we can help

This is just one way in which the Data Protection Act applies to the recruitment process and employee records.  To help you navigate the huge volume of data protection legislation and guidance which applies to employers, we are running a series on National Seminars in May 2015, which take a common sense look at how to achieve Data Protection compliance in your HR processes. Click here for more information.


Legal Compliance Lead

Other articles from this author >
Online payments are not supported by your browser. Please choose an alternative browser or make payments through the 'Other payment options' on step 3.