Privacy Regulator Says Employers in U.K. Must Follow Approved Criminal Check Plan

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

March 17 —To avoid possible criminal prosecution under newly enforced provisions of the Data Protection Act (1998), employers operating in the U.K. must use the officially approved process described in recently released guidance from the Information Commissioner's Office when gathering the criminal history information of job applicants, an employment attorney told Bloomberg BNA March 17.

As of March 10, companies and other organizations became subject to possible punishment if they require potential employees to obtain and hand over information about past convictions or law enforcement warnings, Piers Leigh-Pollitt, partner at Doyle Clayton Solicitors Ltd said.

Requiring individuals to, in essence, provide their own criminal background clearance information, known as “enforced Subject Access Requests” (SARs), is prohibited under the Ministry of Justice's long-awaited implementation of Section 56 of the Data Protection Act.

The ICO has lobbied for almost 20 years to end enforced SARs, describing them in a March 9 statement as “back door” criminal history checks that undermine “legal safeguards against rehabilitation.”

To avoid fines—which can be assessed by a Magistrates' Court up to 5,000 pounds ($7,377) or by a Crown Court for an unlimited amount—for engaging in enforced SARs, businesses and other organizations that conduct criminal background searches of potential employees must use the U.K.’s Disclosure and Barring Service (DBS).

U.S. companies operating in the U.K. may not be aware of the DBS process and should be careful to understand the newly enforced provisions of the law, Leigh-Pollitt said.

Support from Privacy Regulator 

The DBS, which was created in 2012 by a merger between the Criminal Records Bureau and the Independent Safeguarding Authority, can carry out for a fee various levels of criminal background checks.

An ICO spokesman told Bloomberg BNA March 16 that “using the proper criminal records (DBS) checking regime, including basic checks, would not constitute” the use of the outlawed enforced SARs.

“This is because the individual is not requesting the information under section 7 of the DPA,” which provides the right to access personal data under certain circumstances, “but under the relevant provisions of Part V of the Police Act 1997,” the ICO spokesman said.

The ICO guidance, which was released Feb. 25, updates the office's approach to prohibited enforced SARs and the proper use of the DBS system.

Employers “need to comply with the DBS guidance, which provides certain safeguards for individuals,” the ICO spokesman said, and make sure they understand the process before engaging in new recruitment efforts.

Special Circumstances Require Checks 

Large companies in the U.K. are used to not asking individuals about their criminal records, “so the changes to enforced SARs are probably aimed at much smaller companies,” Leigh-Pollitt said.

In addition, financial services sector companies may be affected as they are required demonstrate to their government regulator, the Financial Conduct Authority, that they employ only “approved persons” for certain positions, he said.

Financial advisers must be found to satisfy the “fit and proper person” test and can do so by applying for standard-level disclosure of information through the DBS, Leigh-Pollitt said.

The DBS also allows checks for health-care professionals, lawyers and accountants, he said.

Other organizations that are required by law to do so can apply for deeper DBS checks for applicants that may be working with vulnerable adults and children, he said.

The ICO's “Updated Guidance on Enforced Subject Access Requests” is available at https://ico.org.uk/media/for-organisations/documents/1042608/enforced-subject-access-s56.pdf.