UK Forced Data Access Illegal As of Dec. 1

The practice of employers forcing current employees (applying for new positions internally) or prospective employees to obtain and disclose the results of a data access request from the police is now a criminal offense in the UK as of Dec. 1, 2014.

It has been increasingly common for employers to ask employees to make a data access request, since the rules on background checks were changed. This change in the law seeks to temper the power of employers to demand to see criminal records and force candidates to disclose old or irrelevant convictions. It was always an arbitrary power. It struck fear into the hearts of some candidates because they may have thought that, for example, a disorderly behaviour conviction from their University days could cast a shadow over their future employment prospects.

In the UK, an employer conducting background checks will process a significant amount of personal data, likely including whether a job candidate has a criminal record. This is particularly common in some positions such as in financial services or working with children. The request by an employer for any prior convictions is lawful, subject to a person's consent, but only where relevant for the position in question. To date, employers may have been tempted to access data beyond what they could usually access ' such as for spent convictions (where a person has not reoffended and is rehabilitated) or cautions (a formal warning where an adult has admitted an offense, used by the police to resolve a case where full prosecution is not considered appropriate). Forcing a person to obtain this information by making an official “subject access request” (under UK data protection law) is now outlawed. Ireland also now has a similar provision in place.

If an employer does need disclosure of any relevant employee convictions, it will have to obtain this by going through the so-called “disclosure and barring service process” with the the Disclosure and Barring Service (http://bit.ly/1F7kSZH). The body in charge of the process in Scotland is Disclosure Scotland (http://bit.ly/1uX534A).

The new change comes under an amendment to the Data Protection Act 1998. Section 56 says that any employer or recruiter that does demand such a record as a condition of employment will be guilty of an offense. So employers could find themselves in court if they do breach this powerful new provision.

The sanction for this offense is a fine of up to '5,000 (approximately U.S. $7,842) in the Magistrate's Court (the lower criminal court in England and Wales) or an unlimited fine in the Crown Court (the higher criminal court). The Information Commissioner's Office in the UK has been keen to stress that it will enforce this offence.

In the United States

In the United States, the situation is somewhat different. The key law is the Fair Credit Reporting Act, which President Richard Nixon signed into law in 1970. This is a federal law, which says that employers must follow a procedure if they want to use a commercial agency to check someone's criminal record on their behalf. First, the written consent of the candidate must be sought. Second, if the search is conducted and the employer intends to refuse the candidate for the post based on his criminal record they have certain obligations that include:

• Providing the candidate with details of the findings of the background check;
• Providing the candidate with a copy of the report they are relying on;
• Telling the candidate that they intend to take adverse action based on the report; and
• Allowing the candidate the chance to dispute the report.

If an employer breaks these rules, it can be sued for compensation under the Act. Lawsuits under the Act have become big business in recent years, including a case against Kmart in 2013, which was settled for $3 million after allegations that Kmart did not comply with the Act's authorization requirements.

Additional Due Dilgence

Employers should therefore ensure that they have adapted their recruitment policies accordingly. They also need to do additional due diligence on those who help them with the recruitment process. It is increasingly common for employers to outsource some or all of this process. If employee background checks or the whole recruitment process are provided by a third party, a corporation will need to make sure that its providers know of the new rules and follow them. As well as fines and civil penalties, breach of these laws in the UK or the U.S. could lead to reputational damage and could also reduce the pool of candidates available. These extra consequences may turn out to be even more severe than the criminal penalties.

Andr' Bywater is a commercial lawyer and Patrick O'Kane is a compliance lawyer with Cordery Compliance in London, where they focus on regulatory compliance, processes and investigations. Reach them at Andre.Bywater@Cordery%20Compliance.com and [email protected], respectively.

The practice of employers forcing current employees (applying for new positions internally) or prospective employees to obtain and disclose the results of a data access request from the police is now a criminal offense in the UK as of Dec. 1, 2014.

It has been increasingly common for employers to ask employees to make a data access request, since the rules on background checks were changed. This change in the law seeks to temper the power of employers to demand to see criminal records and force candidates to disclose old or irrelevant convictions. It was always an arbitrary power. It struck fear into the hearts of some candidates because they may have thought that, for example, a disorderly behaviour conviction from their University days could cast a shadow over their future employment prospects.

In the UK, an employer conducting background checks will process a significant amount of personal data, likely including whether a job candidate has a criminal record. This is particularly common in some positions such as in financial services or working with children. The request by an employer for any prior convictions is lawful, subject to a person's consent, but only where relevant for the position in question. To date, employers may have been tempted to access data beyond what they could usually access ' such as for spent convictions (where a person has not reoffended and is rehabilitated) or cautions (a formal warning where an adult has admitted an offense, used by the police to resolve a case where full prosecution is not considered appropriate). Forcing a person to obtain this information by making an official “subject access request” (under UK data protection law) is now outlawed. Ireland also now has a similar provision in place.

If an employer does need disclosure of any relevant employee convictions, it will have to obtain this by going through the so-called “disclosure and barring service process” with the the Disclosure and Barring Service (http://bit.ly/1F7kSZH). The body in charge of the process in Scotland is Disclosure Scotland (http://bit.ly/1uX534A).

The new change comes under an amendment to the Data Protection Act 1998. Section 56 says that any employer or recruiter that does demand such a record as a condition of employment will be guilty of an offense. So employers could find themselves in court if they do breach this powerful new provision.

The sanction for this offense is a fine of up to '5,000 (approximately U.S. $7,842) in the Magistrate's Court (the lower criminal court in England and Wales) or an unlimited fine in the Crown Court (the higher criminal court). The Information Commissioner's Office in the UK has been keen to stress that it will enforce this offence.

In the United States

In the United States, the situation is somewhat different. The key law is the Fair Credit Reporting Act, which President Richard Nixon signed into law in 1970. This is a federal law, which says that employers must follow a procedure if they want to use a commercial agency to check someone's criminal record on their behalf. First, the written consent of the candidate must be sought. Second, if the search is conducted and the employer intends to refuse the candidate for the post based on his criminal record they have certain obligations that include:

• Providing the candidate with details of the findings of the background check;
• Providing the candidate with a copy of the report they are relying on;
• Telling the candidate that they intend to take adverse action based on the report; and
• Allowing the candidate the chance to dispute the report.

If an employer breaks these rules, it can be sued for compensation under the Act. Lawsuits under the Act have become big business in recent years, including a case against Kmart in 2013, which was settled for $3 million after allegations that Kmart did not comply with the Act's authorization requirements.

Additional Due Dilgence

Employers should therefore ensure that they have adapted their recruitment policies accordingly. They also need to do additional due diligence on those who help them with the recruitment process. It is increasingly common for employers to outsource some or all of this process. If employee background checks or the whole recruitment process are provided by a third party, a corporation will need to make sure that its providers know of the new rules and follow them. As well as fines and civil penalties, breach of these laws in the UK or the U.S. could lead to reputational damage and could also reduce the pool of candidates available. These extra consequences may turn out to be even more severe than the criminal penalties.

Andr' Bywater is a commercial lawyer and Patrick O'Kane is a compliance lawyer with Cordery Compliance in London, where they focus on regulatory compliance, processes and investigations. Reach them at Andre.Bywater@Cordery%20Compliance.com and [email protected], respectively.