Data Protection Act 1998 section 56: Enforced Subject Access – What you need to know Section 56: What you need to know From the 1 December 2014 it will be a criminal offence to require an individual to make a subject access request for information related to their criminal past. The offence relates to circumstances relevant to the employment of an individual or the provision of goods, facilities or services to an individual. It is punishable by way of an unlimited fine in England and Wales. Different statutory maximums apply in Scotland and Northern Ireland depending on where the offence is tried. Section 56(1): What does the Act say? Section 56(1): ‘A person must not, in connection with – (a) The recruitment of another person as an employee, (b) The continued employment of another person, or (c) Any contract for the provision of any services to him by another person, require that other person or a third party to supply him with a relevant record or to produce a relevant record to him.’ Section 56(2): What does the Act say? Section 56(2): ‘A person concerned with the provision (for payment or not) of goods, facilities or services to the public or a section of the public must not, as a condition of providing or offering to provide any goods facilities or services to another person, require that other person or a third party to supply him with a relevant record or provide a relevant record to him.’ Section 56: Scope of the offences Section 56(1): • Designed to cover all areas of employment and only needs to be ‘in connection with’ any of the matters mentioned. • 56(1)(a) & (b) cover the process of recruiting employees or checks as part of continued recruitment. • 56(1)(c) – ‘any contract for provision of services to him…’ covers situations such as contractors. Section 56: Scope of the offences Section 56(2) • Covers persons concerned with the provision of goods facilities or services to the public. • Goods, facilities and services is not defined but will include things such as insurance. • ‘in connection with’ v ‘as a condition of’ – Section 56(2) is slightly narrower in scope than 56(1) Section 56: Other key terms Require • Require has a variety of natural meanings, including ‘to make compulsory’ or ‘to make necessary’. We take a wide view of what would constitute a ‘requirement’ to cover: • Any circumstance where the data subject is given no choice but to make a subject access request. (make a SAR or else…) • It can also cover circumstances where a data subject is ‘asked’ or ‘invited’ to make a SAR. • The consequences to the individual of not making a SAR, be they actual, likely or perceived, will be an important consideration in determining the existence of a requirement. Section 56: Other key terms Relevant record: Defined in section 56(6) as being any record which: • Has been or is to be obtained from specified data controllers by a data subject by way of a subject access request and • Contains information relating to any specified matter in relation to that data controller (including a statement that no personal data relating to that matter is being processed (s.56(9)) • BUT does NOT include any record to the extent that it relates only to category (e) personal data. (Section 56(6A)) Section 56: Defences Section 56(3) provides for two defences: • Where the imposition of the requirement was required or authorised by or under any enactment, by any rule of law or by order of a court, or • In the particular circumstances the imposition of the requirement was justified as being in the public interest. • BUT – The imposition will not be in the public interest simply because it would assist with the prevention or detection of crime (section 56(4)). Section 56 examples: Richard is applying to work at a well known toy store. On the application form it asks him to declare if he has any convictions or cautions. Beneath this, it asks if he would be prepared to make a request for a copy of his Police National Computer (PNC) record and provide them with the results. It has a tick box for ‘yes’ and a tick box for ‘no’. Richard has no criminal convictions or cautions and so ticks yes. Is this an enforced subject access? • The information requested would be a relevant record as it is information about Richard’s convictions/cautions (even though no information is held) and it is to be obtained by Richard making a SAR. • The likely effect of Richard ticking no is that his application will not be processed – In effect he has no real option but to tick yes. This is sufficient for it to be a ‘requirement’. • The requirement is made in connection with the recruitment of Richard as an employee • This would be an offence under section 56(1)(a). Section 56 examples: Jonathan is seeking to volunteer at a local after school care association. As part of the volunteer agreement, it says that Jonathan must make a subject access request for copies of his PNC record and provide a copy of the response to them. Is this enforced subject access? • The provision of volunteering opportunities is considered to be caught by the provision of goods, facilities and services. The after school care association is therefore ‘concerned with’ the provision of goods, facilities and services to a section of the public. • The information to be obtained is of a specified matter (convictions and cautions from the PNC) to be obtained in response to a SAR. It is a relevant record. • Although not explicitly stated, if he does not make the SAR it is likely that Jonathan will not be allowed to volunteer. This is sufficient for there to be a requirement. In addition, since his ability to volunteer is dependant on him making the SAR, the requirement is a condition of him receiving the goods, facilities and services in question. • This would be an offence under section 56(2). Section 56 examples: Jenny has applied to a local housing association in order to get a property. Prior to accepting her application, the housing association asks Jenny to obtain a copy of her prison record and records of her national insurance contributions. Is this enforced subject access? • The information requested is a relevant record – The table includes information relevant to social security contributions and prison records. • It is to be obtained by Jenny in response to a SAR. • Jenny is not being offered a choice in this case although even if she were given the option of saying no, it is likely then that her application would be refused. This is a requirement. • The housing association are concerned with the provision of goods, facilities and services to the public. • Her ability to get housing from the association is dependent on her making the SAR – The requirement is a condition of the provision of service/facility. Guidance Guidance is available at the following link: www.ico.org.uk/enforced Keep in touch Webinar video and presentation slides available from ico.org.uk/webinars