Information Commissioner's Office
Disclosure and Barring Service error leads to unnecessary disclosure of sensitive information
The Information Commissioner’s Office (ICO) has ruled that the Disclosure and Barring Service breached the Data Protection Act after failing to stop the collection of information about low level convictions that was no longer required for employment checks.
The error occurred after the service failed to update its application form and continued to include the question ‘Have you ever been convicted of a criminal offence or received a caution, reprimand or warning?’. The form did not make clear that applicants did not need to include minor and historic offences due to a change to the Rehabilitation of Offenders Act, which came into force on 29 May 2013.
In September 2013, the ICO received a complaint from Unlock, an independent charity providing advice services for people with criminal convictions, that they were receiving a significant number of calls about the problem. The charity highlighted the case of two individuals who answered the question positively, not realising that the information they provided was no longer required under the legislation. The two people subsequently had their offers of employment withdrawn.
ICO Head of Enforcement, Stephen Eckersley, said:
“The Rehabilitation of Offenders Act is fundamental to the work carried out by the Disclosure and Barring Service. The fact that the service failed to keep their application form up-to-date with changes to the law is not only a source of embarrassment, but has also resulted in the sensitive personal data of two individuals being disclosed unnecessarily.
“We are pleased that the service has now taken action to correct this error. This case highlights the need for organisations to make sure they review their policies and update them in line with recent changes to the law.”
The Disclosure and Barring Service has signed an undertaking committing the organisation to improving the way it looks after people’s information. This includes reviewing and updating its existing guidance to applicants to explain what information will be passed to their prospective employer. The organisation has already updated its form to ensure that the service complies with existing legislation by not collecting information that is no longer required.
Notes to Editors
1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
3. The ICO is on Twitter, Facebook and LinkedIn, and produces a monthly e-newsletter.
4. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than is necessary
- Processed in line with your rights
- Secure
- Not transferred to other countries without adequate protection
5. If you need more information, please contact the ICO press office on 0303 123 9070.


