The Information Commissioner’s Office (ICO) has ruled that the Disclosure and Barring Service breached the Data Protection Act after failing to stop the collection of information about low level convictions that was no longer required for employment checks.
The error occurred after the service failed to update its application form and continued to include the question ‘Have you ever been convicted of a criminal offence or received a caution, reprimand or warning?’. The form did not make clear that applicants did not need to include minor and historic offences due to a change to the Rehabilitation of Offenders Act, which came into force in May 2013.
In September 2013, the ICO received a complaint from Unlock, an independent charity providing advice services for people with criminal convictions, that they were receiving a significant number of calls about the problem. The charity highlighted the case of two individuals who answered the question positively, not realising that the information they provided was no longer required under the legislation. The two people subsequently had their offers of employment withdrawn.
ICO Head of Enforcement, Stephen Eckersley, said: “The Rehabilitation of Offenders Act is fundamental to the work carried out by the Disclosure and Barring Service. The fact that the service failed to keep their application form up-to-date with changes to the law is not only a source of embarrassment, but has also resulted in the sensitive personal data of two individuals being disclosed unnecessarily.
“We are pleased that the service has now taken action to correct this error. This case highlights the need for organisations to make sure they review their policies and update them in line with recent changes to the law.”
The Disclosure and Barring Service has signed an undertaking committing the organisation to improving the way it looks after people’s information by reviewing and updating its existing guidance to applicants to explain what information will be passed to their prospective employer. The organisation has already updated its form so that the service complies with law by not collecting data no longer required.