30/05/2025 – ICO disclosure Case Reference: IC-383634-D4S1
CHECKLIST – TO DETERMINE IF A CASE IS A SECTION 184 OFFENCE
Section 184 of the Data Protection Act 2018 makes it an offence to require a person to use their data rights to obtain and hand over health and criminal records data in connection with employment or the provision of services. The offence only applies in respect of “relevant records” as defined in Schedule 18.
http://www.legislation.gov.uk/ukpga/2018/12/section/184/enacted
Recording a potential s.184 case:
This offence was enacted on 25 May 2018. The Criminal Investigation Team will deal with all allegations of this offence with an identified offence date on or after the 25 May 18 under this legislation.
You should follow the usual service guide process for reporting concerns about this offence to the Criminal Investigation Team. (This is the same for reporting potential criminal breach cases –s.170)
All allegations of this offence will be created and recorded on the CRIMSON system with relevant documents stored on SharePoint.
Checklist:
- IS THERE AN EMPLOYER OR SERVICE PROVIDER? – This is the organisation that has ‘required’ the person to make the request – it doesn’t have to be the organisation itself, it only needs to be a person acting on behalf of an employer or service provider.
- REQUEST TO A PERSON TO USE THEIR DATA RIGHTS? – Has a
person been required to obtain a ‘relevant record’, by making a data subject access right request? (This means a right under Article 15 / 20 GDPR or s.45 / s.94 DPA 2018, as detailed in schedule 18) - OBLIGATION TO COMPLY? – Was the requirement to obtain the right of access request made in such a way so as to make a person feel obliged to comply with it / knowing that in the circumstances, it would be reasonable for the other person to feel obliged to comply with the request?
If you have a case that appears to fit these criteria, you should follow the process set out in the Service Guide and create a Provide Advice item for review by the Criminal Investigations Team which should be emailed to [redacted]
Identifying a Section 184 Case
Section 184 (1) offence- committed by an employer or recipient of services
(1) It is an offence for a person (“P1”) to require another person to provide P1 with, or give P1 access to, a relevant record in connection with-
(a) the recruitment of an employee by P1, (b) the continued employment of a person by P1, or (c) a contract for the provision of services to P1.
The requirement need not be a condition of the employment offer or the contract for the offence to have been committed.
Section 184 (2) offence-committed by the provider of goods, facilities or services
(2) It is an offence for a person (“P2”) to require another person to provide P2 with, or give P2 access to, a relevant record if –
(a) P2 is involved in the provision of goods, facilities or services to the public or a section of the public, and
(b) the requirement is a condition of providing or offering to provide goods, facilities or services to the other person or to a third party.
This prohibits subject access requests being required in commercial transactions between for example credit lenders and the consumer, a landlord and tenant and an insurance company and the insured. It also prohibits subject access requests being required by voluntary groups, clubs, churches and charitable organisations.
“The public” means any person who may be interested in the goods etc. Whereas a “section of the public” means persons in a particular class where there is no selection to enter that class.
Under s.184 it is a criminal offence to make an enforced subject access request (‘SAR’) for a ‘relevant record’ in the recruitment of an employee, the continued employment of a person or a contract for the provision of services (e.g credit lenders and the consumer, a landlord and tenant and an insurance company and the insured).
This provision does not supersede the established legal routes through which background checks can be conducted, for example, Disclosure Barring Service (‘DBS’) checks, and the Access to Medical Reports Act 1988 (‘AMRA’) procedure.
A “relevant record” is defined in schedule 18 DPA 18 as meaning:
(a) a relevant health record (see paragraph 2),
(b) a relevant record relating to a conviction or caution (see paragraph 3), or
(c) a relevant record relating to statutory functions (see paragraph 4).
(2) A record is not a “relevant record” to the extent that it relates, or is to relate, only to personal data which falls within section 21(2) (manual unstructured personal data held by FOI public authorities).
- “Relevant health record” means:-
A health record which has been or is to be obtained by a data subject in the exercise of a data subject access right.
3.”Relevant record relating to a conviction or caution” means:-
A record which —
(a) has been or is to be obtained by a data subject in the exercise of a data subject access right from a person listed in sub-paragraph (2), and (b) contains information relating to a conviction or caution.
4.“Relevant record relating to statutory functions” means:-
A record which –
(a) has been or is to be obtained by a data subject in the exercise of a data subject access right from a person listed in sub-paragraph (2), and (b) contains information relating to a relevant function in relation to that person.
(2) Those persons are—
(a) the Secretary of State;
(b) the Department for Communities in Northern Ireland;
(c) the Department of Justice in Northern Ireland;
(d) the Scottish Ministers;
(e) the Disclosure and Barring Service.
References to a “relevant record” include –
(a) a part of such a record, and
(b) a copy of, or of part of, such a record.
In subsections (1) and (2), the references to a person who requires another person to provide or give access to a relevant record include a person who asks another person to do so –
(a) knowing that, in the circumstances, it would be reasonable for the other person to feel obliged to comply with the request, or
(b) being reckless as to whether, in the circumstances, it would be reasonable for the other person to feel obliged to comply with the request, and the references to a “requirement” in subsections (3) and (4) are to be interpreted accordingly –
Prison information
The Prison Act 1952 deals with the central administration of prisons, the consignment and treatment of prisoners and various offence provisions connected to the prison service.
National Insurance records
Some records of National insurance contributions indicate that an individual has spent a period in custody and identify gaps where contributions have not been made which employers can use to check against a prospective employee’s declared job history.
Safeguarding Vulnerable Groups
Records held under legislation relating to safeguarding vulnerable groups identify individuals who are barred from working with children or vulnerable adults. Such individuals are likely to have been sentenced for offences indicating that they are a risk to children or vulnerable adults.
Empty record
A record which states that a data controller is not processing any personal data relating to a particular matter indicating that the data subject does not have any convictions or cautions, shall be taken to be a record containing information relating to that matter under Schedule 18 para 6 DPA 18. Therefore, a section 184 offence can be committed despite the data controller providing an ‘empty record’ response.
Elements of section 184 offences
The prosecution do not need to prove that the accused knew what they were doing was wrong or unlawful. The only statutory defences are that the requirement was authorised in law or was justified in the public interest. Prevention and detection of crime is not a defence for this offence.
Those engaging in requiring a person to provide a relevant record via a subject access request often provide the individual making the request with a standard subject access request letter which may include phrases such as “as prescribed by employers.”
Section 184 offences are triable either way and any prosecution for such offences will initially be dealt with in the Magistrates Courts, however, may be ultimately dealt with at crown court.
A section 184 offence is designated as a being a RECORDABLE offence which means that any conviction will be recorded on National Police Records.
The courts can also order the forfeiture or destruction of any data connected with these offences under section 196 (4) DPA 18. (Penalties for offences)
Liability of directors- section 198
A Director or person treated as the directing mind of a body corporate can be prosecuted for a section 184 offence in certain circumstances where the offence is committed by the body corporate as opposed to an individual*.
*Section 198 (1) DPA18: “Where an offence under this Act has been committed by a body corporate and it is proved to have been committed with the consent or connivance of or to be attributable to neglect on the part of a director, manager, secretary or similar officer of the body corporate or a person who was purporting to act in such a capacity, is as well as the body corporate, guilty of that offence and be liable to be proceeded against and punished accordingly.”