Home > Legal Library > Article




Join Matindale-Hubbell Connected


New Criminal Offence under the UK Data Protection Act: Requiring a Person to Submit and Reveal the Results of a Subject Access Request




by:
Jonny McDonald
Sarah Pearce
Edwards Wildman Palmer LLP - London Office

 
March 14, 2014

Previously published on March 12, 2014

In his keynote speech at the Information Commissioner’s Office (the “ICO”), annual Data Protection Practitioner Conference in Manchester, England (attended by Edwards Wildman), Minister of State for Justice and Civil Liberties Simon Hughes MP announced that the UK government would shortly outlaw enforced subject access requests.

Enforced subject access requests are the practice of making an individual submit a subject access request (a right under the UK Data Protection Act 1998 (the “DPA”) for individuals to request information held about them by a third party) and then reveal the results.

The practice is of concern primarily in an employment context, where a prospective employer makes this a condition of application for employment and can force a prospective employee to share not only a wider class of personal data than they may otherwise wish to reveal, but also wholly unnecessary sensitive personal data (for example ‘spent’ criminal convictions). The ICO has also stated that it has seen the practice used by a variety of businesses including insurers seeking claims information and even production companies sourcing contestants for television shows!

In an allied announcement by the ICO, it was stated that this change will be made by way of implementing a provision in the DPA that was included in the act but never brought into force, namely section 56, which makes it an offence to require a person to submit and then reveal the results of a subject access request. Contravention of section 56 will, going forward, become a criminal offence. Simon Hughes stated that the provision will be brought into force before the end of 2014.

This is welcome news for those concerned with civil liberties, however, with the ICO facing more reports of data protection law contraventions than ever, it is worth considering whether the regulator will have the resources to properly police this new offence.

Another interesting point coming out of the Data Protection Practitioner Conference, was that the UK Government may not yet have given up on having the proposed Regulation recast as a Directive. The ICO’s comments suggested, in our view, that there is still appetite for a Directive. This comes as a surprise, given that a review of the press release from the most recent meeting of the European Council Justice and Home Affairs committee (which took place on 3 and 4 March 2014) (http://www.consilium.europa.eu/uedocs/cms-data/docs/pressdata/en/jha/141295.pdf) contains no mention of the proposed Regulation being recast as a Directive. One can only speculate upon whether this suggests that the ‘pro-directive’ contingent within the European Council may make a more formal push to have the European Council, Commission and Parliament reconsider a Directive after the European Parliamentary elections in May 2014.



 

The views expressed in this document are solely the views of the author and not Martindale-Hubbell. This document is intended for informational purposes only and is not legal advice or a substitute for consultation with a licensed legal professional in a particular case or circumstance.
 

View More Library Documents By...

 
Author
 
Jonny McDonald
Sarah Pearce
 
Edwards Wildman Palmer LLP Overview