The prohibitions contained in Section 56 are intended to prevent employers from obtaining wider information via an enforced subject access request under the Data Protection Act 1998 than via an established route such as the Disclosure and Barring Service (which will be unaffected by the implementation of Section 56). For example, a subject access request made to the Police is likely to yield information on an individual’s spent and unspent convictions, whereas a basic disclosure request made to Disclosure Scotland (the body that handles basic disclosure requests, irrespective of where the individual lives in Great Britain) would only show details of unspent convictions.
Requiring people to make enforced subject access requests will be a criminal offence from 10 March 2015, punishable by a fine. In England and Wales, the maximum penalty on summary conviction in the Magistrates’ Court is £5,000 (to be unlimited at a date to be confirmed). On indictment in the Crown Court, the fine can be unlimited. In Scotland, the maximum fine available in the Sheriff Court is £10,000.
Most employers will be unaffected by the implementation of Section 56, but those that currently make use of subject access requests to obtain information about potential or existing employees and self-employed contractors (whether directly from the individuals concerned or via a third party) will need to revise their procedures – or risk a potentially substantial fine.
The Information Commissioner’s Office has published guidance on enforced subject access.