We’ve learnt from the Information Commissioners Office that section 56 of the Data Protection Act 1998 will be brought into force on the 10th March 2015.
This means that “enforced subject access” will finally become a criminal offence. As we explained back in June 2014 when this was first announced, this is an important development for people with convictions.
Although it doesn’t prevent employers and others from getting access to criminal records through legitimate means (such as a basic disclosure through Disclosure Scotland or a standard/enhanced check through the Disclosure & Barring Service, depending on the job) what section 56 does do is prevent the use of significant amounts of sensitive personal data that can be disclosed as part of a subject access request.
In the past, we’ve come across examples where employers, insurers, education providers and housing providers have required people provide copies of their police record by applying to the police and paying £10 for a subject access request. This type of request discloses all information held on the Police National Computer, including convictions and cautions that are spent, as well as allegations or other ‘local police information’. The introduction of section 56 on the 10th March 2015 will enable a clearer message to be given to any organisation that is found to be undertaking this type of practice.
We will be making some more details available once the changes come into force. In the meantime, the ICO has draft guidance available on their website about what this will mean in practice.