The recent news that the Information Commissioner ("the ICO") has raided and will take action against “The Consulting Association”, a firm which sold workers’ confidential data to clients in the construction industry, is a timely reminder of your obligations under the Data Protection Act ("the DPA").
This stark demonstration of the ICO's powers is a reminder to all data processors to ensure that you process data held by your business lawfully and that your data protection policies and procedures comply with current guidance. You should also ensure that you are never responsible for processing data unlawfully, as this is an offence under the DPA and can bring significant and damaging exposure to your business. The intervention by the ICO highlights a number of important data protection issues and raises the question of potential claims from individuals whose data is held on an illegal database.
REMINDER OF DATA PROTECTION PRINCIPLES
- Personal data shall be processed fairly and lawfully in accordance with DPA principles with particular additional restrictions on the processing of sensitive personal data.
- Personal data shall be obtained for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Personal data shall be accurate and, where necessary, kept up-to-date.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or purposes.
- Personal data shall be processed in accordance with the rights of data subjects under the DPA.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, and damage to, personal data.
- Personal data shall not be transferred to a country or territory outside of the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
ICO RAIDS COMPANY FOUND TO BE PROCESSING DATA UNLAWFULLY
Press reports state that The Consulting Association created and managed a database which was used by construction companies to vet individuals for employment and included information about individuals’ employment history, trade union activities and personal relationships. It also contained opinions about individuals, including comments such as “lazy and a trouble stirrer” and “ex Shop Steward, definite problems. No go”.
ICO CONFIRMS IT WILL PROSECUTE FOR BREACHES OF THE DATA PROTECTION ACT
The ICO has confirmed that it will prosecute the owner of The Consulting Association for breaches of the DPA. It is also considering taking regulatory action against the construction companies which have used the database. This could include unlimited fines if, for example, enforcement notices are not complied with, or if it can be proved that the criminal offences of failing to notify the Information Commissioner about processing, or of unlawfully obtaining or disclosing personal data, have been committed.
WIDESPREAD RISKS ARISE FROM UNLAWFUL DATA PROCESSING
If you have subscribed to this database or obtained data unlawfully from other sources or data providers, or if you have passed on data which was unlawfully obtained, you should consider the potential risks that may arise and seek advice. Some key issues to be aware of arising from obtaining and processing data unlawfully are:
- Breach of the DPA: The data on the database was allegedly obtained, held and processed unlawfully, i.e. without the consent of the individuals concerned, which constitutes a breach of DPA principles and potentially an offence under the DPA. The ICO has the power to impose unlimited fines on both The Consulting Association and the users of the database.
- Failure to register: Any company holding data as a data controller will commit an offence under the DPA if it fails to register with the ICO.
- Discrimination: Passing on data obtained on individuals may lead to claims of discrimination. For example, an individual may discover that a previous employer made discriminatory comments about him or her, e.g. on grounds of race, sex or disability, and claim against the employer. That individual could also bring discrimination claims against a potential employer who refused to employ the individual as a result of discriminatory information held about the individual on a database. Compensation for discrimination claims is uncapped.
- Protection from detriment: If information about trade union membership or activities is processed under the DPA, employees may bring claims in the Employment Tribunal on the grounds that they have been disadvantaged for participating in such activities. Also, data about union membership is classed as sensitive personal data under the DPA and has extra obligations attached to it.
- Spent convictions – additional duties: Information about spent convictions may also be included in databases of this nature, and could be used as a reason to refuse an individual employment, in breach of the Rehabilitation of Offenders Act 1974. Data about criminal convictions is also classed as sensitive personal data and has additional obligations attached to it under the DPA.
- Claims in the Civil Courts: Individuals may have causes of action in the civil courts if a former employer has written something untrue about them which could damage their reputation or cause them loss if it prevented them from finding new work.
TAKE ADVICE IF YOU HAVE CONCERNS ABOUT YOUR COMPANY'S USE OF DATA
As legal action is now underway against The Consulting Association, companies that have used the database or are holding data from the database are advised to (i) immediately cease to use it and (ii) take steps to ensure that they preserve and protect any information given to or received from the database.