Employers and service providers beware: enforced subject access requests are now a criminal offence

Employers and service providers beware: enforced subject access requests are now a criminal offence

As of 10 March 2015, it is a criminal offence for any person or organisation to require an individual to submit a ‘subject access request’ in order to gain access to his or her personal data which would have been inaccessible if not for the individual’s request.

Known as a ‘subject access request’, an individual has long had the right to access data held about himself or herself under the Data Protection Act 1998 (DPA). However, there has been increasing concern that the right is being misused by employers in order to obtain information about an employee’s criminal history, for example (known as an ‘enforced subject access request’).

Section 56 of the DPA, which has laid dormant for more than 15 years, is now in force and makes ‘enforced subject access requests’ a criminal offence with wide-ranging implications:

For employers, the new offence means that a potential or existing employee cannot be required make a subject access request to provide the employer with personal information, such as police records. This will affect organisations previously choosing to use enforced subject access requests to check individuals’ criminal records rather than using the established legal route.

For the providers of goods, facilities or services, the new offence means it is unlawful to require an individual to make a subject access request (with the aim of supplying the data to the provider) as a condition of the provision or receipt of a service, e.g. a pre-condition to providing insurance cover. The restriction applies whether or not payment is made so it also affects services provided on a voluntary basis.


If an individual or organisation is found to be in breach of section 56, they will be committing a criminal offence. Consequences of breach may include:

  • Individual criminal record;
  • Criminal prosecution for individuals or organisations (including possible personal liability of individuals working at offending organsiations);
  • An unlimited fine (minimum of £5,000);
  • Reputational damage (the Information Commissioner’s Office (ICO) has the power to ‘name and shame’ offenders).

Going Forward

This new offence does not affect an employer’s ability to use statutory procedures to conduct detailed standard and enhanced checks (formerly known as ‘CRB checks’), if appropriate. Employers wishing to check an employee’s criminal record should follow the prescribed statutory regime. Checks are conducted through the Disclosure and Barring Service in England and Wales, Disclosure Scotland in Scotland and through Access Northern Ireland in Northern Ireland.

Be aware that the information obtained will be sensitive personal data, the processing or control of which imposes additional responsibilities under the DPA.

If you or your organisation carries out background checks on individuals, it is advisable to review your current practices to ensure you do not fall foul of the law.

For further information on any of the issues raised here, please contact Nathaniel Lane, Solicitor in the Technology, Media & Communications team at nathaniel.lane@michelmores.com