Employment Update - March 2010
Job Applicants and Criminal Records
A recent ruling of the Court of Appeal means that employers will be able to access information on old minor convictions when carrying out criminal record checks on potential employees.
Following complaints from five people, the Information Commissioner issued enforcement notices against five Chief Constables to compel the deletion of the old convictions. On appeal, the Information Tribunal ruled that the convictions should be deleted from the police national computer as their retention was an infringement of principles 3 and 5 of the Data Protection Act 1998, namely that the data held was excessive and was being kept for longer than was necessary.
Four of the complaints arose following the disclosure of convictions as a result of a request for information by the Criminal Records Bureau (CRB). The fifth arose following a request by the individual concerned to see information held about her.
The Tribunal's decision was appealed. The Court of Appeal stressed that the issue here was not the retention of the records per se but the fact that this meant that the information held could therefore be disclosed.
The Court held that, provided the purpose for which data is kept is lawful, it can be processed by the data controller for any purpose which was identified when details were provided to the Information Commissioner's Office for inclusion on the register of data controllers. The register is available to members of the public for inspection so that they can find out how personal information is being processed by data controllers. In this case, one of the purposes identified by the police for retaining old data on the national computer is so that an accurate record of convictions can be supplied to the Crown Prosecution Service, the courts and the CRB. As this record needs to be complete, the retention of the old data could not be said to be excessive, nor was it held for longer than was necessary for the purpose.
The Court went on to say that if the police reasonably believed that keeping a record of all convictions, however old or minor, was useful to them, they should not be denied the right to do so. Furthermore, the circumstances in which information on old convictions would be disclosed would be those in which a job applicant would anyway have to answer truthfully if questioned on the subject.
Whilst this decision may be appealed, if left to stand its effect is that the information available when employee checks are made will include historic data. However, this does not change the rules laid down by the Rehabilitation of Offenders Act 1974 as to what is and what is not a spent conviction.
Coming Soon: Fines for Breaches of the Data Protection Principles
The Criminal Justice and Immigration Act 2008 provides the power to impose civil monetary penalties for serious breaches of one or more of the eight principles in the Data Protection Act 1998 (DPA). These principles provide that personal information must be:
Currently, however, the Information Commissioner's Office (ICO) only has limited powers at its disposal to punish those who contravene the DPA. Whilst the issuing of an enforcement notice is appropriate when a data controller commits a minor breach of the principles, the ICO has long sought the power to impose substantial penalties on those guilty of a more serious breach.
The Government has now published a proposal to give the ICO the power to levy fines up to a maximum penalty of £500,000. Following consultation, a report on its findings will be issued on 11 January 2010.
Fines will be levied only if the ICO is convinced that the breach was deliberate or if the data controller knew, or ought to have known, that there was a risk of contravention of the principles which would be likely to cause substantial damage or distress and the data controller failed to take preventive action.
Draft guidance showing the criteria the ICO intends to use, and the circumstances it will take into account when issuing civil monetary penalties, is available here.
Employers must take their data protection responsibilities seriously and ensure that the right policies and procedures and suitable technology and training arrangements are in place. We can advise you on developing and enforcing policies which fully comply with the DPA.
Information on this website does not constitute legal advice. Reading this material is not a substitute for taking advice from a solicitor.
BELL PARK KERRIDGE IS A TRADING NAME OF BELL PARK KERRIDGE LIMITED INCORPORATED IN ENGLAND AND WALES
Registered Office: Clifford Court | Cooper Way | Parkhouse | Carlisle | Cumbria | CA3 0JG
Directors: James Bell, LLB and Duncan Carter, LLB
Company No. 06816636 | VAT No. 734 715 431