I might be old fashioned, but I think it’s OK for the police to retain those criminal records they need to do their job. So I am not surprised by yesterday’s Appeal Court decision that allowed them to do so, even when there were disclosures of trivial and ancient criminal details for employment purposes.
For example, the Appeal Court considered the case of HP, who in March 1984 was 16 years of age. He stole items from a display in a M&S store and at the Juvenile Court was convicted of theft and fined £15. In 2006, the offence was disclosed on an enhanced disclosure certificate dated when HP had applied for a position as a care officer with Hull City Council. HP was then informed by his employer that an enhanced disclosure certificate had revealed his conviction, which he had not previously disclosed and he was informed by his manager that he may be disciplined.
Shocking isn’t it! I wholly agree that this kind of misuse of personal data in these kinds of circumstances should be stopped.
However, the wrong data controller has been dragged through the Courts. The real problem is not the police processing of such records or making a disclosure to employers, but rather employers using irrelevant criminal detail when making employment decisions.
In theory, employment vetting using criminal records needs the employer to register with the Criminal Record Bureau. To obtain disclosure, the employer must then comply with the CRB’s Code of Practice which has been approved by Parliament, developed after a lengthy public consultation and is intended to reassure job applicants that the vetting process is fair.
Indeed the CRB boasts that it “takes seriously its statutory duties relevant to the rehabilitation of offenders, data protection and human rights legislation. It will therefore seek to ensure strict compliance with the Code through the full range of CRB assurance management processes”.
The Code requires that those who use the CRB’s vetting services to: “have a written policy on the suitability of ex-offenders that is available upon request to potential applicants”; to “notify all potential applicants of the potential effect of a criminal record history on the recruitment and selection process and any recruitment decision”; and to “discuss the content of the Disclosure with the applicant before withdrawing any offer of employment”.
I have found is no evidence that suggests that the CRB has done anything to enforce its own Code of Practice. I have seen no information that suggests to me that employers, subject to the Code, have adhered to its terms. It appears to me that the CRB’s much vaunted Code or Practice could easily be window dressing – nothing more, nothing less.
However, it can be so different as the Code, if implemented and enforced properly, would resolve all the relevant data protection issues. All that needs to happen is the following:
(a) The disclosure of all criminal details to each employer should be by secure electronic means (this includes enhanced criminal intelligence detail).
(b) This form of disclosure would ensure that the employer would be a data controller with respect to the disclosed sensitive personal data.
(c) The failure to apply the CRB Code of Practice can then be enforced as not to comply with its terms is unfair (the CRB actually say the purpose of the Code is to be "fair").
(d) The use of irrelevant criminal personal data by an employer when making an employment decision would constitute a breach of the Third Principle.
Note that the data subject can sue for compensation (if damaged), the Information Commissioner can enforce the Act on the correct target, the police can retain their records, and irresponsible employers who improperly use criminal details can be castigated.
Everybody then would be happy.
Comments
You can follow this conversation by subscribing to the comment feed for this post.