An enforced SAR is when someone requires an individual to make a SAR to gain access to certain information about them (eg their convictions, cautions or health records). They then use this information, for example, as supporting evidence regarding a job application or before entering into a contract for insurance. Forcing an individual to make a SAR in such circumstances is a criminal offence.
An individual applies for a position as a waiter at a restaurant, but is told that they cannot be offered the position until they provide a copy of their criminal record. The employer states that they must make a SAR in order to gain this information and they will only be appointed if it is supplied. The employer is likely to have committed a criminal offence.
An individual makes an application for private health insurance to an insurance provider. The provider agrees to insure the individual but explains that it is a condition of the insurance that the individual must make and provide the results of a SAR for their medical records. The insurance company is likely to have committed an offence.
There are appropriate ways of accessing information such as criminal records and health records, ie through the criminal disclosure regime or under the provisions of the Access to Medical Reports Act 1988 (AMRA). An individual providing the results of a SAR, rather than using such appropriate channels, runs the risk of greater, and sometimes excessive disclosure. This is because a SAR requires the disclosure of all personal information (subject to some exemptions), and does not distinguish, for instance, between spent and unspent convictions.
When does it apply?
It is a criminal offence for an individual or legal person (person 1) to require another person to make and provide the results of a SAR for a ‘relevant record’ in connection with:
an employee’s recruitment by person 1;
the person’s continued employment by person 1; or
a contract for the provision of services to person 1.
The use of the words ‘in connection with’ means that there is a broad scope.
It is also a criminal offence for an individual or legal person (person 2) to require another person to make and provide the results of a SAR for a ‘relevant record’ if:
person 2 is involved in providing goods, facilities or services to the public or a section of the public; and
it is a condition of providing a person with goods, facilities or services.
Providing the opportunity for individuals to do voluntary work is caught by the provision of goods, facilities or services.
An individual applies to do voluntary work with a charity. The charity explains that the individual can work for them but they will first need to exercise their subject access rights and provide the charity with their criminal record before they can start. The charity is likely to have committed an offence.
What is a relevant record?
A ‘relevant record’ is a record which has been, or is to be, obtained by an individual exercising their right of access and:
is a health record;
contains information relating to a conviction or caution; or
contains information relating to a statutory function in relation to that individual.
A ‘health record’:
consists of data concerning health; and
has been made by or on behalf of a health professional (eg a doctor, dentist or nurse) in connection with the diagnosis, care or treatment of the individual it relates to.
‘Information relating to a conviction or caution’:
consists of data processed by the police, the Director General of the National Crime Agency or the Secretary of state, and
relates to a conviction or to a caution issued against an individual.
‘Information relating to a statutory function’:
consists of data processed in connection with certain statutory functions of the Secretary of State, Department for Communities in Northern Ireland, the Department of Justice in Northern Ireland, the Scottish Ministers or the Disclosure and Barring Service; and
prisons and prisoners;
the detention of a person aged under 18 who was convicted of murder or another serious offence;
social security contributions and benefits (for example, statutory sick pay or accident insurance), and the administration of such matters;
jobseeker’s allowance and related schemes;
employment and support allowance on grounds of incapacity or disability;
universal credit (England, Scotland and Wales only);
criminal records history; and
the vetting and barring of those who wish to work with children or vulnerable adults.
An individual applies for a job as an office receptionist. The employer offers the individual the job, on the condition that they exercise their subject access rights and provide the employer with details of their benefits entitlements during a period of unemployment. The employer is likely to have committed an offence.
What does require mean?
A person has ‘required’ another person to make a SAR if they:
know that, in the circumstances, it would be reasonable for the other person to feel obliged to comply with the request; or
are reckless as to whether, in the circumstances, it would be reasonable for the other person to feel obliged to comply with the request.
You should look at a requirement in a wider context than simply an individual not receiving a job if they do not make a SAR. For instance, it would be considered a requirement if an individual would:
be left in a detrimental position by not making a SAR; or
miss out on an incentive by not making a SAR.
An individual applies for a job and is successful. Their potential employer informs them that they will be given the job whether or not they make a SAR for their criminal record. However, the potential employer explains that if they do not make a SAR, their annual salary will be at a reduced rate than that advertised. This would obviously leave the individual in a detrimental position if they did not make a SAR.
The offence is the act of requiring an individual to make a SAR. The requirement is enough, and is not dependent on the withdrawal of the offer of employment or the provision of goods, facilities or services.
Also, you will have required an individual to make a SAR, even if you give them the option that either you will access the information through an appropriate and lawful channel or they should make a SAR.
Are there any exemptions?
It is not a criminal offence for you to require an individual to make a SAR if you can prove that:
it was required or authorised by another piece of legislation, a rule of law or by court order; or
it can be justified as being in the public interest.
Given the importance of the right of access as a core right within the GDPR, there needs to be an extremely strong justification that enforced subject access is in the public interest, supported by clear, specific and cogent evidence. This may be difficult to achieve as there is already clear public policy and laws about criminal record checking and access to medical records.
The defence that an enforced SAR is in the public interest cannot be used when the justifying argument is that the public interest relates to the prevention or detection of crime. This is because Part 5 of the Police Act 1997 defines in what circumstances certain types of criminal records check can be made. Given that the Police Act 1997 outlines the circumstances for criminal records checking, it is not possible to justify enforced subject access on the basis that it would assist with the prevention or detection of crime.
What are the penalties?
An individual who requires someone to make a SAR may be committing a criminal offence. This is an offence which can be heard either by a magistrates court or a crown court, in England, Wales and Northern Ireland. In Scotland it will be heard in a sheriff court.
Committing such an offence in England and Wales can carry an unlimited fine, while in Scotland the fine can be unlimited if heard under solemn procedure or £10,000. In Northern Ireland, the maximum fine if convicted under a summary offence is £5,000, or if convicted on indictment the maximum fine is unlimited (unless expressly limited by statute).