Introduction to the Code of Practice
Who does this code apply to? Page 3
Disclosure Offences Page 4
What happens if the Code is breached? Page 5
Registered Body Obligations
Registration details. Page 6
Application process Page 6
Verification of identity Page 7
Data handling Page 7
Suitability policy Page 8
Payment of fees Page 9
Eligibility Page 10
Compliance requests Page 11
General Page 11
Data Protection Act 2018 Page 12
INTRODUCTION TO CODE OF PRACTICE
AccessNI was established in April 2008 to provide criminal record certificates. There are specific legal requirements around the provision of such certificates set out in Part V of the Police Act 1997(1). Section 122(2) of that Act requires the Minister of Justice to publish a Code of Practice in connection with the use of information provided to, or the discharge of any function by Registered Bodies.
WHO DOES THIS CODE APPLY TO?
This Code of Practice applies to all organisations registered with AccessNI under section 120(3) of the Police Act 1997. These are known as Registered Bodies. This includes those Registered Bodies that provide an umbrella function to non-registered organisations. The Code covers any information provided by AccessNI and made available to the Registered Body by AccessNI or an applicant.
AccessNI will seek to ensure compliance with the Code through a full range of assurance management processes, including scheduled visits to the premises where Registered Bodies discharge their functions and video conference and telephone audits.
NB: All applicants for an AccessNI check should be made aware of this Code of Practice and provided with a copy on request.
The Code of Practice does not apply to other third parties.
(1) Link to : Part V of the Police Act 1997
(2) Link to : Section 122 of the Police Act – Code of Practice
(3) Link to : Section 120 of the Police Act – Registered Persons
DISCLOSURE OFFENCES: SECTIONS 123 AND 124 OF THE POLICE ACT 1997(4)
Although disclosure certificates are provided directly to the applicant, Registered Bodies have access to personal information about applicants in the following circumstances:-
in respect of applications submitted for countersigning;
where certificates are provided to them by their employees or applicants for
positions, including volunteers; or
from the on-line case tracking function provided by AccessNI through the NIDirect
Recipients of disclosure information as set out in the applicant’s disclosure certificate must note that it is an offence to disclose information contained within an AccessNI certificate:-
to any person who is not a member, officer or employee of the Registered Body or their client (where the Registered Body provides an umbrella function) unless a relevant legal exception applies; or
to any member, officer or employee where it is not related to that employee’s duties.
The only exceptions to this are where:-
the Registered Body has the written consent of the applicant;
the information is provided to a Government Department;
the information is provided to any person who has specific legislative powers that enable them to see or obtain such information; or
the information is provided to a person to whom the Registered Body or their client has a statutory obligation to provide such information.
(4)Link to : Section 123 of the Police Act – Offences : falsification
Link to : Section 124 of the Police Act – Offences : disclosure
It is also an offence to:-
Knowingly make a false statement for the purpose of obtaining, or enabling another person to obtain, a certificate.
An offence may also occur where information provided through the case tracking system is used inappropriately.
Registered Bodies believed to have committed an offence will be liable to prosecution, suspension and/or de-registration.
WHAT HAPPENS IF THE CODE IS BREACHED?
The Police Act 1997 (Criminal Records) (Registration) Regulations 2007, as amended, set out Conditions of Registration (Regulation 7)(5). Regulation 7(h) requires Registered Bodies to comply with this Code of Practice.
Failure to comply with Conditions of Registration can result in refusal by AccessNI to issue disclosure certificates, the suspension and/or cancellation of registration.
Failure to comply with requirements set out in the Data Protection Act 2018 may also result in enforcement action from the Information Commissioner’s Office (ICO).
Registered Bodies must report promptly to AccessNI any suspected malpractice in relation to this code or any suspected offences in relation to the misuse of disclosure certificates.
5 Link to : Conditions of Registration (Regulation 7)
REGISTERED BODY OBLIGATIONS
The Police Act 1997 (Criminal Records) (Registration) Regulations 2007 set out the obligations a Registered Body must meet in order to retain its registration with AccessNI.
AccessNI maintains a register of all persons and organisations who wish to ask the exempted question under the Rehabilitation of Offenders (Exceptions) Order (Northern Ireland) 1979(6) and countersign applications for disclosure certificates. Registered Bodies must:-
Keep AccessNI informed of changes to signatories and organisational changes such as name, address, contact details etc;
Maintain accounts online, through the NIDirect website and delete either the Registered Body’s account or that of individual Lead Signatory or Counter Signatories when no longer required; and
Add to the register at least one other Signatory, in addition to the Lead Signatory.
Registered Bodies must:-
Submit applications for an AccessNI certificate in the format determined by AccessNI.
Ensure that applications for AccessNI certificates are completed accurately and that all data fields as determined by AccessNI as mandatory are completed in full.
Ensure that any applications submitted electronically are made on the NIDirect system.
(6) Please note there is no single consolidated version of this legislation available
Ensure that log-in and password details for the NIDirect system, provided by AccessNI, are not shared with anyone that is not a registered signatory. Where details are shared this must be solely for the purpose of countersigning applications.
VERIFICATION OF IDENTITY
Registered Bodies must:-
Verify the identity of the applicant prior to the submission of an application for an AccessNI certificate by following the current guidelines issued by AccessNI.
Ensure that the applicant details on the disclosure application match those on the identity documentation.
Ensure that any person undertaking identity verification checks on their behalf follows the current guidelines issued by AccessNI.
Make sure lead or counter signatories do not validate or countersign their own applications for any AccessNI certificate.
In line with the Data Protection Act 2018, Registered Bodies must:-
Handle all information provided to them by AccessNI, as a consequence of applying for an AccessNI certificate, in line with the obligations under Data Protection Act 2018. The principles of the Data Protection Act 2018 are set out at Annex A of this document.
Handle all information provided to them by their employee (or potential employee) for an AccessNI application in line with the obligations under Data Protection Act 2018.
Ensure that where a certificate, or a copy of a certificate, is obtained from an applicant that it is not retained longer than is required for the specific purpose of taking a decision on that applicant’s suitability. (Please note that information
disclosed on AccessNI certificates is regarded under the Data Protection Act as ‘sensitive personal data’ in that it consists of information as to the commission or alleged commission of any offence).
Ensure that a result received as part of an application submitted electronically is not reproduced in such a way that it infers that it is a certificate issued by AccessNI.
(For those bodies providing an umbrella function) ensure that any third parties they deal with in respect of disclosures are aware of the Data Protection Act 2018 and provide them with guidance on secure handling and storage of information. For Data Protection purposes, information passed to a Registered Body by AccessNI remains the responsibility of the Registered Body even if passed to a third party.
Ensure business continuity and disaster recovery measures are in place and comply with Data Protection requirements.
In particular, comply with security requirements of the Data Protection Act 2018.
AccessNI also requires Registered Bodies to have a written policy on the secure handling of information provided by AccessNI and make it available to individuals at the point of requesting the person to complete an AccessNI application.
Where AccessNI considers that a Registered Body may be in breach of the obligations set out in this section, it may report this to the Information Commissioner’s Office (ICO).
Failure to comply with Data Protection Act requirements could result in enforcement action from the ICO.
Registered Bodies must:-
Have a written policy on the suitability of ex-offenders for employment in relevant positions that should not unfairly discriminate on the basis of conviction or other information disclosed. This policy should be available upon request to potential applicants and, in the case of those carrying out an umbrella function, should be made available to their clients.
Ensure that all applicants for relevant positions or employment are notified in advance of the requirement for a criminal record check through AccessNI.
Notify all potential applicants of the possible effect of a criminal record history on the recruitment and selection process and any recruitment decision.
Discuss the content of the Disclosure with the applicant before withdrawing any offer of employment.
PAYMENT OF FEES
Registered Bodies must:-
Pay all registration fees in line with time periods set out in Regulations 7(a), (b) and
(c) of the Police Act 1997 (Criminal Records) (Registration) Regulations (Northern Ireland) 2007.
Pay all fees related to criminal records check applications submitted after any decision by AccessNI to suspend registration or deregister the organisation.
Correctly apply the definition of a volunteer, as set out in Regulation 4(d) of the Police Act 1997 (Criminal Records) (Disclosure) Regulations (Northern Ireland 2008), as amended7, to each criminal records check application to ensure that the individual is eligible for an application at no fee.
(Where performing an umbrella function on behalf of others) publish all fees, in relevant documentation, associated with the processing and countersigning of criminal records check applications.
(Where performing an umbrella function) notify AccessNI in writing of these fees or any change to the fees associated with the processing and countersigning of criminal records check applications.
( 7) Link to : AccessNI volunteer definition
Eligibility for AccessNI checks is set out in the following legislation:-
Standard checks – to be eligible for a Standard level AccessNI certificate, the position must be included in the Rehabilitation of Offenders (Exceptions) (Northern Ireland) Order 1979 (the ROO Exceptions Order).
Enhanced checks – to be eligible for an Enhanced level AccessNI certificate, the position must be included in both the ROO Exceptions Order and Regulation 9 in the Police Act 1997 (Criminal Records) (Disclosure) Regulations (Northern Ireland) 2008, as amended(8).
Enhanced checks with children’s and/or adults’ barred list – to be eligible to request a check of the barred lists, the position must be specifically listed in Regulation 9A and/or 9B of the Police Act 1997 (Criminal Records) (Disclosure) Regulations.
Registered Bodies must:-
Use all reasonable endeavours to ensure that they only submit applications in accordance with the legislative provisions which provide eligibility criteria for relevant positions or employment.
Ensure that before countersigning an AccessNI application to be submitted they have assessed the role to be eligible under current legislation, correctly requested the correct level of check, and correctly requested the appropriate barring list information.
Ensure they are legally entitled to request any AccessNI certificate applied for.
(8)Link to : Regulation 9 in the Police Act 1997 (Criminal Records) (Disclosure) Regulations (Northern Ireland) 2008, as amended
10 | P a g e
Registered Bodies must co-operate in full and in line with the timescales in current procedures when AccessNI enquiries are made in relation to:-
Compliance with the obligations under this Code.
Implementing the suspension or de-registration of a Registered Body where non-
compliance is established in line with current procedures.
In order to ensure the veracity of the disclosure process AccessNI will, from time to time, issue instructions, advice and guidance (including details of legislative change) to Registered Bodies. These communications will be issued to the email address of Registered Persons as held on their NIDirect account.
Registered Bodies must comply with all instructions and legislative provisions issued in AccessNI circulars and guidance literature. Failure to do so may constitute a breach of this Code of Practice.
11 | P a g e
DATA PROTECTION ACT 2018
You must have a valid lawful basis in order to process personal data.
There are six available lawful bases for processing. No single basis is ’better’ or more important than the others – which basis is most appropriate to use will depend on your
purpose and relationship with the individual.
1. Most lawful basis require that processing is ‘necessary’. If you can reasonably achieve the same purpose without the processing, you won’t have a lawful basis.
2. You must determine your lawful basis before you begin processing, and you should document it. Take care to get it right first time – you should not swap to a different lawful basis at a later date without good reason.
3. Your privacy notice should include your lawful basis for processing as well as the purposes of the processing.
4.If your purposes change, you may be able to continue processing under the original lawful basis if your new purpose is compatible with your initial purpose (unless your original lawful basis was consent).
5. If you are processing special category data you need to identify both a lawful basis for general processing and an additional condition for processing this type of data.
6. If you are processing criminal conviction data or data about offences you need to identify both a lawful basis for general processing and an additional condition for processing this type of data.
12 | P a g e