I have just looked at the Undertaking accepted by the Disclosure and Barring Service in March 2014. I think it represents a missed opportunity by the Commissioner to cement the concept of unlawful processing in relation to the First Principle, or to enforce the absence of a Schedule 2/3 criterion that legitimises the processing of personal data, or to reinforce the link between unlawful processing and Article 8 of the Human Rights Act.
As you know, the ICO has taken two cases to the Courts (see references), trying to limit the Police from disclosing old criminal convictions in the context of employment; he lost both. However, with a separate case in January 2013, the Court of Appeal decided that the disclosure of all convictions and cautions in a criminal record certificate, irrespective of the circumstances, contravened Article 8 (Right to Respect for Private and Family Life), of the European Convention on Human Rights (as implemented into UK law by the Human Rights Act).
This judgement followed three cases, one of which was a Mr. T who was born on 3 May 1991. When he was 11 years of age, he received two warnings from the Manchester Police in connection with two stolen bicycles. Apart from these police warnings, the Court found that “he is a man of good character and believed that his warnings were spent. But he was disabused of this in 2008 when (aged 17) he sought a part-time job at the local football club”.
It was cases like this that made the Court of Appeal award Mr. T a declaration that the 1997 Police Act (which set up the vetting arrangements via the Criminal Record Certificate) was incompatible with Article 8. In response to this judgment, the Government changed that law so that the very minor offences related to cautions and warnings did not have to be disclosed after 6 years (assuming that recidivism was absent and the minor offence was not a sex related).
The Disclosure and Barring Service was behind the pace with respect to the change in the law; Question “e55” of its DBS application form still asked applicants “Have you ever been convicted of a criminal offence or received a caution, reprimand or warning”. According to the ICO, the DBS had thus “Collected details that had no need to be collected as a result of the change of the law” and that an “individuals positive response to question e55 was then seen by prospective employers who withdrew their job offers”.
In other words, the DBS vetting procedures had not taken the change of the law fully into account and some data subjects had their job offers taken away.
The Commissioner’s Undertaking is couched in terms in relation to fair processing in that the application form collected details that were not needed. The Commissioner required DBS “to change by 31 March 2014, question e55 of the application form” to “Do you have any convictions, cautions, reprimands or final warnings, which would not be filtered in line with guidance?” (this is a reference to the guidance that identified the types of minor convictions that should not be disclosed).
I would have preferred in the Undertaking had described the First Principle breach in terms of “lawfulness”. In other words, without the change of the wording of question e55, the DBS form would contravene Article 8 of the Human Rights Act by making an unnecessary and unlawful collection of personal data (i.e. unlawful processing), or that there was no Schedule 2 grounds that legitimised the collection of these minor criminal records (e.g. the DBS were collecting personal data that are not necessary for its functions or not necessary for any legal obligation imposed on DDS).
I think that such a step would send a message to any public authority that if it acts outside its statutory remit when processing personal data then it is unlawfully processing such data. This is the issue at the heart of the Snowden revelations about the lawfulness of certain national security data collections, or about the issues about the lawful retention of communications data, or the lawful use of CCTV images by local authorities when it fines motorists for minor traffic infringements at off peak times in order to collect revenue.
The “unlawfulness” message was also central to the Enforcement Notices issued to Southampton City Council (audio CCTV in all taxis) or to Hertfordshire Police (ANPR covering all roads into Royston).
In these cases above, the concept of fairness is irrelevant as the processing is unlawful; any unfair processing has been undertaken by the employer who used an old, inconsequential and minor criminal conviction to debar someone from employment.
R on the application of T, JB and AW v Chief Constable of Greater Manchester, Secretary of State for the Home Department and Secretary of State for Justice; Neutral Citation Number:  EWCA Civ 25 (on 29 January 2013)
Changes in the vetting law introduced by the Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975 (Amendment)(England and Wales) Order 2013 and the Police Act 1997 (Criminal Record Certificates: Relevant Matters)(Amendment)(England and Wales) Order 2013
ICO attempts: Chief Constable of Humberside Police & Ors v The Information Commissioner & Anor  EWCA Civ 1079 and Chief Constable of South Yorkshire Police v The Information Commissioner  EWHC 44 (Admin) (21 January 2011).
Data Protection: CRB could stop misuse of irrelevant criminal data in employment vetting http://amberhawk.typepad.com/amberhawk/2009/10/data-protection-crb-could-stop-misuse-of-irrelevant-criminal-data-in-employment-vetting.html