The Information Commissioner’s Office (the “ICO”) has conducted a dawn raid on a business which operated a covert database containing details of 3,213 workers in the construction industry (the “Database”). Subscribers included over 40 construction companies, publicly named by the ICO, who used the database to vet prospective employees, without their knowledge or consent.
The Database included personal and sensitive personal data (as defined by European Directive 95/46/EC on the processing of personal data), such as construction workers’ employment history, personal relationships, trade union activity and political affiliations. Some of the notes on individuals included descriptions such as “ex-shop steward, definite problems,” “Irish ex-Army, bad egg” and “active communist.”
It appears that Ian Kerr, owner of a firm called Consulting Association, operated the Database for fifteen years and that construction firms paid annual subscription fees of £3,000 for access and £2.20 per individual request for details.
The ICO served an Enforcement Notice on Mr. Kerr ordering him to stop using the Database within seven days and to refrain from destroying the data. Mr. Kerr now faces legal action by the ICO. Neither Mr. Kerr nor his business was registered as data controllers under the UK Data Protection Act 1998 (“DPA”); it is a criminal offence in the UK to process data as a controller without being registered. It is not clear how Mr. Kerr obtained the details he held in his database but the ICO has already indicated that Mr. Kerr appears to have breached the first data protection principle, requiring fair and lawful processing. There is a separate offence in the UK of unlawfully obtaining personal data. It is not clear whether there is evidence to support such a prosecution. The case raises serious concerns about pre-employment vetting practices. The Employment Practices Code, published by the ICO, states that certain criteria must be met to ensure the legitimate vetting of employees. Essentially, pre-employment vetting should be used only when “there is no less intrusive and reasonably practicable alternative” and it should only be carried out “at as late a stage as is practicable in the recruitment process.” Organisations are encouraged to be open with candidates about the type of vetting which may be undertaken.
In addition to prosecuting Kerr, the ICO is considering what regulatory action to take against the construction firms who subscribed to the Database (some of which include UK household names, such as AMEC and Balfour Beatty). The ICO has publicly named these companies, in part so that individuals may access their data. In the UK, individuals have the right to request access to data held about them and to request that it be corrected.
The Trades Union Congress and the building workers’ union (UCATT) have called on the government to introduce legislation to make blacklisting illegal. This raises wider issues for debate. For now, the ICO has made it clear that business leaders need to take their obligations under the DPA seriously. To this end, the ICO will shortly be empowered to impose monetary penalties for serious breaches of the DPA. The legislation has been passed and is widely expected to take effect from the autumn of 2009. Conduct such as the secret creation and sale of information from a blacklist would undoubtedly attract a hefty fine under the new regime.