Employers who carry out ‘back-door’ criminal record checks on potential employees could face criminal charges after it is finally outlawed.

There is a well-established lawful process for checking criminal records, but some rogue employers have tried to bypass that by demanding prospective employees use their rights under the DPA to see information held about them.

This ‘enforced subject access’ bypasses the legal criminal record check process, overriding safeguards that only allow for checks and disclosure of information appropriate to the role being applied for.

The practice will be outlawed from the 10 March, when a provision in the DPA is finally implemented after a 17 year wait. This makes it a criminal offence to require an individual to make a subject access request to get information about their convictions and cautions and provide that information to a person.

While the offence will often be linked to a job application, the law applies to any enforced subject access request required before entering into a contract for goods, facilities or services. This means it could also affect landlords or insurance companies, for instance.

An individual providing the results of a subject access request, rather than using the formal criminal record check system, runs the risk of sharing more information than they need to. This is because a subject access request requires all personal information to be disclosed (subject to some exemptions), and so could include cautions and spent convictions, which may not be shared in a formal criminal record check if they would be irrelevant to the reason for the check.

Jonathan Bamford, ICO’s Head of Strategic Liaison, said: “Enforced subject access request is a practice that, at its worse, costs people jobs.

“We have a clear system in this country for employers to make criminal record checks, with checks and balances to ensure that an appropriate amount of detail is provided based on the job being applied for. Circumventing that process means a minor offence someone committed twenty years ago could stop them getting a job now. This undermines legal safeguards around rehabilitation.

“I’ve been involved in negotiations to see this practice outlawed for almost 20 years. It’s been a long road, but this law change is a sensible and proportionate step that stops people’s rights being abused and laws protecting them undermined.”

The ICO has published guidance setting out the offence, which is created under section 56 of the Data Protection Act:

In England and Wales, the Disclosure and Barring Service provides information for employers  on making criminal record checks:

In Scotland, this role is carried out by Disclosure Scotland and in Northern Ireland the information is provided to employers by AccessNI.


Notes to Editors

  1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
  2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
  3. The ICO is on Twitter, Facebook and LinkedIn. Read more in the ICO blog and e-newsletter.Our Press Office page provides more information for journalists.
  4. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:

  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with your rights
  • Secure
  • Not transferred to other countries without adequate protection


If you need more information, please contact the ICO press office on 0303 123 9070 or visit the website at: www.ico.org.uk.