0370 270 6000

already registered?

Please sign in with your existing account details.

need to register?

Register to access exclusive content, sign up to receive our updates and personalise your experience on brownejacobson.com.

Privacy statement - Terms and conditions

enforced subject access requests now a criminal offence

13 March 2015

Since 10 March 2015 it has been a criminal offence, under s. 56 of the Data Protection Act 1998, to require individuals to make enforced subject access requests (SAR) whereby individuals’ provide personal information (including criminal records and cautions) to secure employment, goods, services or facilities.

The aim is to ensure such information is obtained through the Disclosure and Barring Service, shielding individuals from excessive disclosure of personal data that certain third parties may have no legitimate access to.

Enforced SARs remain permissible under rule of law or court order or if it is justifiable in the public interest. ICO guidance states “extremely strong justification” is needed to rely on the latter exception. For example the prevention or detection of crime would not benefit from the public interest defence due to the existence of formal criminal record checking procedures.

Organisations should ensure information related to individuals’ convictions and cautions is obtained through legitimate procedures as the offence can lead to an unlimited fine.

related opinions

Anti-social media - but when is it work related?

As the use of social media continues to increase, its overlap with working life is becoming more and more prevalent.

View blog

IR35 changes - six months and counting...

In his 2018 Autumn Budget, the then Chancellor, Phillip Hammond, announced a significant change to the way liability for IR35 breaches will be dealt with for private sector companies from April 2020.

View blog

Court of Appeal confirms all employment tribunal judgments must be published on the register, except in national security cases

Under the ET Rules, all judgments and accompanying written reasons must be published on a pubic register which the general public can access online.

View blog

Marriott International: a look behind the ICO’s £99m fine and what this means for corporate acquisitions

Last month, the Information Commissioner’s Office (ICO) announced notice of its intention to fine (NOI) Marriott International, Inc. £99m for infringements of the GDPR.

View blog

mailing list sign up



Select which mailings you would like to receive from us.

Sign up