Section 56 Enforced Subject Access: Worth the wait? Jonathan Bamford Head of Strategic Liaison Information Commissioner s Office
Section 56: Key points MoJ commitment to bring into force on the 1 December 2014 but slippage https://www.justice.gov.uk/information-access-rights/data-protection Creates a new criminal offence under the DPA. Triable in either a magistrates or a crown court. Punishable by way of an unlimited fine in England and Wales (different maximums apply in Scotland and Northern Ireland)
Section 56(1): What does the Act say? Section 56(1) A person must not, in connection with (a) The recruitment of another person as an employee, (b) The continued employment of another person, or (c) Any contract for the provision of any services to him by another person, require that other person or a third party to supply him with a relevant record or to produce a relevant record to him.
Section 56(2): What does the Act say? Section 56(2): A person concerned with the provision (for payment or not) of goods, facilities or services to the public or a section of the public must not, as a condition of providing or offering to provide any goods facilities or services to another person, require that other person or a third party to supply him with a relevant record or provide a relevant record to him.
Section 56: Scope of the offences Section 56(1): Section 56(1)(a) and (b) cover circumstances related to the recruitment or continued employment of employees. Employee is defined in section 56(10) and includes anyone who works under a contract of employment or holds any office. Section 56(1)(c) covers contracts for the provision of goods, facilities or services to the data controller by another person. The requirement must be made in connection with any of these matters This makes this section broad in scope.
Section 56: Scope of the offences Section 56(2) Section 56(2) covers the provision of goods, facilities or services by a person to the public or a section of the public. The person imposing the requirement must be concerned with the provision of the goods, facilities or services in question. Goods facilities and services is not defined in the DPA, so should be given its natural meaning. Goods will typically refer to the provision of tangible products, facilities and services cover the provision of things such as overdrafts (facilities) or insurance (service). 56(2) is narrower than 56(1) The requirement must be imposed as a condition of providing or offering to provide the goods, facilities or services.
Section 56: Other key terms Relevant record: Defined in section 56(6) as being any record which: Has been or is to be obtained from specified data controllers by a data subject by way of a subject access request and Contains information relating to any specified matter in relation to that data controller (including a statement that no personal data relating to that matter is being processed (s.56(9)) Includes a copy of such a record or part of such a record BUT does NOT include any record to the extent that it relates only to category (e) personal data. (Section 56(6A))
Section 56: Other key terms Require Important term as it is the imposition of a requirement which is the offence. Require has a variety of natural meanings, including to make compulsory or to make necessary. We take a wide view of what would constitute a requirement to cover: Any circumstance where the data subject is given no choice but to make a subject access request. (make a SAR or else ) It can also cover circumstances where a data subject is asked or invited to make a SAR. The consequences to the individual of not making a SAR, be they actual, likely or perceived, will be an important consideration in determining the existence of a requirement.
Section 56: Defences Section 56(3) provides for two defences: Where the imposition of the requirement was required or authorised by or under any enactment, by any rule of law or by order of a court, or In the particular circumstances the imposition of the requirement was justified as being in the public interest. BUT The imposition will not be in the public interest simply because it would assist with the prevention or detection of crime (section 56(4)).
Section 56 Case Studies: Richard is applying to work at a well known toy store. On the application form it asks him to declare if he has any convictions or cautions. Beneath this, it asks if he would be prepared to make a request for a copy of his Police National Computer (PNC) record and provide them with the results. It has a tick box for yes and a tick box for no. Richard has no criminal convictions or cautions and so ticks yes. Is this an enforced subject access? The information requested would be a relevant record as it is information about Richard s convictions/cautions (even though no information is held) and it is to be obtained by Richard making a SAR. The likely effect of Richard ticking no is that his application will not be processed In effect he has no real option but to tick yes. This is sufficient for it to be a requirement. The requirement is made in connection with the recruitment of Richard as an employee This would be an offence under section 56(1)(a).
Section 56: Case Studies Jonathan is making a claim on his home insurance. After he submits his claim, his insurance company contacts him and asks him to obtain a copy of his PNC record. They advise him that failing to do so may result in him receiving a reduced pay-out and may adversely affect his premiums next year. Is this enforced subject access? The insurance company is concerned with the provision of services to the public. The information to be obtained is a relevant record to be obtained by Jonathan in response to a SAR. If Jonathan does not make the SAR he faces the prospect of a lower pay-out and/or higher premiums This would be sufficient for there to be a requirement. BUT Jonathan will be insured regardless of whether he makes the SAR or not. The provision of the service is not conditional on the SAR being made. This would not be an offence.
Section 56: Case Studies Jenny has applied to a local housing association in order to get a property. Prior to accepting her application, the housing association asks Jenny to obtain a copy of her prison record and records of her national insurance contributions. Is this enforced subject access? The information requested is a relevant record The table includes information relevant to social security contributions and prison records. It is to be obtained by Jenny in response to a SAR. Jenny is not being offered a choice in this case although even if she were given the option of saying no, it is likely then that her application would be refused. This is a requirement. The housing association are concerned with the provision of goods, facilities and services to the public. Her ability to get housing from the association is dependent on her making the SAR The requirement is a condition of the provision of service/facility.
Section 56: Enforced Subject Access Section 56 will come into force soon and will make it an offence to require an individual to make a subject access request for certain information, such as their criminal convictions. The ICO takes a wide view of what constitutes a requirement. In most cases it will be the circumstances in which the potential requirement was imposed, as well as the likely or actual impact on the individual of not making the request, which will determine whether a requirement actually exists or not. The offence is triable either way and is punishable by way of an unlimited fine in England and Wales. For more information, see our detailed guidance on our website: http://ico.org.uk/for_organisations/data_protection/subject_access_requests/ Enforced-SAR
Keep in touch Subscribe to our e-newsletter at www.ico.org.uk or find us on /iconews @iconews