In early 2018, Kabir was offered a job working as a Sales Consultant for an IT company based in Wales. As part of the terms and conditions of his employment, Kabir was told that he would need a basic criminal record check which would be carried out by a DBS Responsible Organisation (RO).
Although Kabir had been convicted of an offence in 2014 which had resulted in a community order, this was spent under the Rehabilitation of Offenders Act and Kabir had not disclosed it to his employer. He was not concerned therefore about the basic check as he knew that his certificate would come back ‘blank’.
Two weeks later, Kabir was asked to attend a meeting with one of his senior managers who confirmed that they had received his basic criminal record. They also told him that they would be revoking his job offer as he had failed to disclose a conviction which had appeared on the basic certificate. Kabir asked for a copy of the certificate, certain that a mistake had been made.
It was at this point that Kabir contacted the our helpline for further advice.
After reviewing the certificate, we were able to confirm that the request for his basic certificate had been made to Disclosure Scotland rather than the Disclosure and Barring Service (DBS). We explained that as of 1st January 2018, Disclosure Scotland were responsible for carrying out basic checks for anybody applying for a job in Scotland, whilst the DBS undertook checks for individuals working in England and Wales. Disclosure Scotland produce certificates using Scottish law whilst the DBS use English law.
Although Kabir’s community order was spent in England and Wales after 2 years, in Scotland it would take five years before it was spent, which was the reason why it had been disclosed on his certificate. We suggested that Kabir apply to the DBS for his own basic certificate (which would come back without the conviction being shown). Once he’d received this, he should then appeal the company’s decision to revoke the job offer.
Kabir took our advice and appealed the organisations decision, providing them with a copy of his new DBS basic certificate. After 2.5 months, the organisation contacted Kabir to confirm that the decision to dismiss him had been upheld.
Kabir contacted Unlock again and asked whether we could help him resolve the matter.
We wrote several times to the organisation highlighting that Kabir’s conviction was spent under the Rehabilitation of Offenders Act and should be disregarded. We explained that in our opinion there had been a breach of the Data Protection Act as the company had:
- Obtained information relating to a spent conviction, and
- Processed the information unlawfully by using it as a reason to disadvantage Kabir.
Two months later the organisation responded to us stating:
“We acknowledge and appreciate that the previous criminal convictions are spent in England and Wales, the checks nevertheless revealed the fact that Mr xxx has had criminal convictions and that is a material consideration in connection with a decision to employ him. Ultimately, he was considered unsuitable for the role as a result and the dismissal was made.”
We referred the case to the Information Commissioners Office (ICO) who, having considered our complaint ruled that:
“The organisation has acknowledged that the incorrect organisation was used to obtain this information. However, as it is still taking your client’s spent conviction into account and refusing to reinstate him in his job, we are of the view that they have infringed upon Principles (a) and (c) of the General Data Protection Regulations.”
The ICO wrote to the organisation providing advice and guidance to ensure that a similar situation did not occur in the future.
They also confirmed to Kabir that under Articles 79 and 82 of the GDPR, individuals have the right to take proceedings to court if they believe their information rights have been infringed.
“If a court is satisfied that the individuals rights have been infringed and an individual has suffered material or non-material damage (such as distress) as a result of an infringement, they may also be able to receive compensation from the controller or processor.”
Kabir is currently seeking legal advice regarding a claim for compensation.
Lessons
There have been several failings in this case initially with the Responsible Organisation requesting information from Disclosure Scotland when it should have requested this through the DBS and then his employer taking this excessive information into account when making an employment decision.
Principle (a) of the GDPR requires that the processing of data must be fair and cannot be against the law. In this case, the employer has taken into account a spent conviction (obtained inappropriately) which is unlawful under the Rehabilitation of Offenders Act. As a result, this makes the processing of this data unlawful under data protection law.
Principle (c) requires organisations to ensure that the personal data they are processing is adequate, relevant and limited to what is necessary. Kabir’s employers were unable to demonstrate why it was proportionate to obtain information relating to a spent conviction nor why it continued to process this data.
Links
Notes about this case study
This case study relates to Unlock’s case work.
Names and details have been changed to protect the identity of those involved.