Insurers also risk being hit with an unlimited fine

Magnifying glass

Insurers could face an unlimited fine or a criminal conviction if they force a policyholder to request all the personal information held on them from a public authority.

Changes to Section 56 of the Data Protection Act (DPA) mean it is now a criminal offence to require an individual to access and provide information about their convictions and cautions.

The DPA gives individuals the right to make a Subject Access Request (SAR) and find out what personal information is held about them by public authorities, such as the police or the prison service.

But the changes to the law, which came into force earlier this month, have applied wider restrictions to when a company or individual can ask another individual to make that request.

The change was introduced to prevent employers from forcing applicants to make the data request but it will apply to other sectors, such as insurance industry, where an insurer might want an SAR done before they agree to pay a claim or place a quote.

The cost of a request is usually £10, or sometimes free. It is also less expensive than going through the criminal records disclosure service, which can be at least twice as expensive.

DWF partner Paul Holmes warned that the restrictions to the act covered such a wide spectrum of conditions that insurers would find it difficult to escape a conviction or fine if they attempted the request.

Holmes: “It is best to stay away from [asking individuals to make an SAR] unless you have intimate knowledge of the Section 56 because you would have to make sure the SAR was not one of those covered.

“From an insurer point of view it is a training issue, because they need to make sure their staff do not ask someone to [make a SAR] or give the go ahead to an investigator to do it.”

The Information Commissioner’s Office (ICO) said firms can still access an individual’s criminal records through the criminal records disclosure service.

Basic checks will divulge unspent convictions, while standard checks could include spent and certain unspent convictions, cautions, reprimands and final warnings.

The ICO said one of the problems with an SAR was that an individual ran the risk of disclosing more information than would have been shared in a formal criminal record check.

The commissioner’s office added: “Making this type of request is a right set out in the DPA, but there is a distinction between someone doing so of their own volition and somebody being required to make such a request by someone else.”