The Data Protection Act 1998 (DPA) regulates the collection and use of personal information and is intended to prevent unnecessary data collection and processing. The DPA applies to computerised and non-computerised information on individuals.
The DPA is a very useful piece of legislation when it comes to how organisations should process, handle and store details of criminal records.
According to the Data Protection Act 1998, personal information is any data that relates to a living individual who can be identified from that data. Information is also ‘personal’ if a ‘data controller’ either already has, or is likely to secure information that can be merged to identify an individual. For example, just having someone’s name often cannot identify a specific individual, but once it is possible to match a specific name with a postcode, telephone number or National Insurance number, the information would become ‘personal’.
Personal information also includes any expression of opinion about an individual and any indication of the intentions of an organisation holding data, or any other person, in respect of that individual. In other words, what a professional thinks about a service user and what they recommend in respect of that individual service user is personal data once it is recorded.
Sensitive information is defined in the 1998 DPA in the following terms:
- racial or ethnic origin;
- political opinions;
- religious beliefs or other beliefs of a similar nature;
- membership of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992);
- physical or mental health or conditions;
- sexual life;
- commission or alleged commission of any offence; or
- any proceedings for any offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings.
The DPA’s principles apply equally to all sharing of data that is individually identifiable personal data, but it can allow differing standards of privacy and acceptability (see below). The DPA covers the sharing of formal case record data and, on a practical basis, the sharing of working knowledge, because that working knowledge will include some information and opinion about an identifiable individual that has been recorded in accessible records. Information is not subject to the DPA if it is anonymised.
The sharing of information about an individual between two or more organisations for whom that individual is a current common case is subject to the DPA. An example is when an offender manager makes a referral to an ETE or housing provider and makes a necessary disclosure of information about an individual.
The DPA covers all sharing of individually identifiable information about individuals between organisations. There is no ‘list’ of which information about people with criminal convictions can or cannot be shared between organisations within the legislation; the legislation always applies.
While the DPA applies in all cases, it does not prohibit sharing of information about criminal records between organisations. The widely held myth that the DPA is simply an inflexible barrier has arisen for two understandable reasons. First, the legislation is complex. Second, there are some respects in which it is opaque, because the operational detail of various arrangements for sharing information has not been tested in the courts.
Criminal convictions and data protection
Employers (and others) must ensure that they remain within the framework of the data protection legislation when using vetting, especially as the Information Commissioner’s Office (“ICO”) is now empowered to issue fines of up to £500,000 where there are serious breaches.
Any information about criminal charges or convictions will be sensitive personal data which enjoys enhanced legal protection and therefore an employer will generally need to gain the individual’s explicit consent before processing it.
The ICO’s Employment Practices Code and Supplementary Guidance provide useful advice and, although these are not mandatory, they may be used by employers in defence to any complaint made to the ICO by an individual.
The following good practice suggestions from the ICO to employers are relevant to pre-employment vetting:
- It should only be used where there are particular and significant risks involved to the employer, clients or customers, e.g. where a government worker has regular access to highly classified information.
- Do not use vetting as a means of general intelligence gathering. Ensure that the extent and nature of information sought is justified and that it is clearly focused on data that will have a significant bearing on the employment decision.
- Consider whether pre-employment vetting is justified for each of the jobs for which it is currently used and whether the information required could be obtained in a less intrusive way.
- Where practical, obtain relevant information directly from the applicant and, if necessary, verify it rather than undertake pre-employment vetting.
- Tell applicants early in the recruitment process that vetting will take place and how it will be conducted but carry out pre-employment vetting as late as possible in the recruitment process. Ideally, only the people selected for the job should be submitted to comprehensive pre-employment vetting.
- If information received will lead to the applicant not being appointed, make sure the applicant is told this. Put in place a mechanism for providing this feedback allowing the applicant to respond and then take this response into account when making the recruitment decision.
- Where substantial personal information has been collected about an applicant and is to be retained, ensure there is a process in place to inform them of this and of how the information will be used.
- Consider carefully which information contained on an application form is to be transferred to the worker’s employment record. Do not retain information that has no bearing on the on-going employment relationship.
- Ensure that personal data received during the recruitment process are securely stored or are destroyed. For example, manual records should be kept securely in a locked filing cabinet and electronic files should be password protected.
- Establish and adhere to retention periods for recruitment records that are based on a clear business need. For example, that no recruitment record is held beyond the statutory period in which a claim arising from the recruitment process may be brought unless there is a clear business reason for exceeding this period.
Insurance and data protection
Whilst the Rehabilitation of Offenders Act 1974 sets out that spent convictions cannot be used to disadvantage an individual (such as increasing the premium or refusing to cover), it does not oblige insurers to remove details of convictions from their records that are spent.
However, the Data Protection Act 1998 requires that personal data isn’t held longer than is necessary for the purpose that it was collected.
In terms of spent convictions, the important question is whether, if insurers are in possession of spent convictions (for example because they were unspent when you took out the policy and they have since become spent, or because you mistakenly disclosed them), this information can legitimately serve a purpose to the insurance company. It is up to the insurance company to justify why this information is still necessary for their purposes.
They may well argue that it is important to assess future claims. However, this should only extend to convictions that were unspent at the latest renewal, as each renewal is legally regarded as a new contract. For example, if you took out a policy in May 2008, with a conviction that became spent in December 2008, the insurer would be able to justify holding this information until the next renewal, in May 2009. However, as the conviction is now spent, it should not form part of your renewal policy and should not affect your premium in any way. It is difficult to see how an insurer could argue that ongoing retention of spent convictions after this renewal point is justified under the Data Protection Act.
You are entitled to ask an insurance company to remove data regarding spent convictions. This can be done by serving them a notice under s.10 of the DPA asking them not to process this data and to remove it from their records (this can be done simply in writing to the insurer, making reference to s.10 of the DPA). The insurer should respond within 21 days stating either that the information has been removed, or the reasons why they think they have a right to retain it. Although these notices can often have limited effect, if the insurance company refuses to remove spent conviction data, and you disagree with their reasons for not doing so, you can then complain to the Information Commissioner’s Office.
How to make a complaint regarding data protection
If you believe that the organisation that you are dealing with is not handling your data as they should do, you can make a complaint to the Information Commissioner’s Office (ICO). However, you should make sure you exhaust internal mechanisms, such as the organisation’s own complaints process, before making a complaint to the ICO.
By email: If all your supporting evidence is available electronically, you can send your form via email by taking the following steps. Visit the ICO website for more information.
By post: If your supporting evidence is in hard copy, you can print out the form from the ICO website and post it to them with your supporting evidence. The address to send it to is Customer Contact, Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF.
By telephone: If you are unsure about what supporting evidence you will need to send to the ICO, are not able to provide the information they need, or are unable to complete a form, you can contact their Helpline on 0303 123 1113.