"enforced subject access requests" become a Criminal Offence - Data Protection Act Section 56

Pending changes to section 56 of the data protection act has significant implications for all businesses and organisations.  

The expected implementation date for, the currently dormant,  Section 56 is December 2014 although this may change. It will make “enforced subject access requests” a criminal offence. 

Enforced subject access requests typically arise the in recruitment checking and vetting process or the supply of restricted products and services.  

That is to say where any person requires someone to exercise their subject access rights under the Data Protection Act (DPA), by submitting a request for their personal data (for specific protected records) to certain data controllers, and to share the results. 

Section 56 is designed to stop excessive access to protected records which would not normally be available except to individuals as their own personal data, or to those limited persons legally entitled to make specific searches for such details.

Section 56 will significantly impact upon organisations who want to check an individuals’ criminal and other protected records, much of which detail will be regulated as sensitive personal data under the DPA in any event.

And this new restriction will cover both employment and the provision of goods, facilities and services to the public.


The employment clauses cover checks required whether during the recruitment process or during employment and covers not just contracted employees but also office holders, even if unpaid.  This also extends to engaging non-employees under contracts for services.


The provision of goods, facilities and services limb encapsulates situations where the offer or provision of goods, services, or facilities to the public (including the affected person), even if unpaid, is on condition that such protected details be supplied. This will also impact upon volunteered services.

And the restriction applies whether the details are obtained direct from the relevant individual, or via a third party.  Employers, providers and contractors should also bear in mind that they will be responsible for any collection and use of personal data by their data processors.  

Those organisations already obliged or clearly permitted by law to obtain Standard or Enhanced Checks (and where relevant including Barred List information) from the Disclosure and Barring Service in relation to specific authorised roles may continue to request such checks and details. 

It is already a criminal offence to request such details without legal entitlement and the Information Commissioner has said that applications are likely to be kept under close review.

In short, the practice of employers, providers and contractors who obtained such details when not entitled to make a direct application, by getting an individual to make a subject access request to the Disclosure and Barring Service, must stop when section 56 comes into force. 

It will also not be possible to get such details (which include spent convictions and may include additional details, such as cautions and current charges) by making an individual apply to other relevant bodies, such as the police.

Breaches of Section 56 will carry the risk of a criminal prosecution, criminal record and fine which (depending upon where prosecution takes place in the United Kingdom) may range from £5,000 to an unlimited amount. Senior staff involved may also face personal criminal liability.

Add the above to all the other significant changes to employment law and data protection and update training for Managers and HR specialists is recommended. 

Concrew Training is pleased to offer such training. Please contact us for more information