Employers who carry out ‘back-door’ criminal record checks on potential employees could face criminal charges after it is finally outlawed.
Some rogue employers have tried to bypass legal process for checking criminal records by demanding prospective employees use their rights under the Data Protection Act (DPA) to see information held about them.
This ‘enforced subject access’ bypasses the legal criminal record check process, overriding safeguards that only allow for checks and disclosure of information appropriate to the role being applied for.
The practice has been outlawed from 10 March, when a provision in the DPA has finally been implemented after a 17-year wait. This makes it a criminal offence to require an individual to make a subject access request to get information about their convictions and cautions and provide that information to a person.
While the offence will often be linked to a job application, the law applies to any enforced subject access request required before entering into a contract for goods, facilities or services. This means it could also affect landlords or insurance companies, for instance.
An individual providing the results of a subject access request, rather than using the formal criminal record check system, runs the risk of sharing more information than they need to. This is because a subject access request requires all personal information to be disclosed (subject to some exemptions), and so could include cautions and spent convictions, which may not be shared in a formal criminal record check if they would be irrelevant to the reason for the check.
The ICO (Information Commissioner’s Office) has published guidance setting out the offence, which is created under section 56 of the Data Protection Act.