The Information Commissioner's Office (ICO) has announced enforcement action against the owner of a database containing the details of over 3,000 construction workers. The database appears to have been used by over 40 construction companies to vet individuals for employment. The records apparently included details such as workers' personal relationships and trade union activity, as well as their employment history.
The information was seized by the ICO during a raid at Droitwich, West Midlands. The ICO says that Ian Kerr, the owner of the Consulting Association, has been running the database for over 15 years. The ICO has served an Enforcement Notice ordering Mr Kerr to stop using the system. Effectively, this shut down the business as of Friday 6 March. He now faces prosecution by the ICO for breaching the Data Protection Act.
"The Law" v. "Legitimate Interests"?
Nick Graham, of Denton Wilde Sapte, was interviewed on BBC Radio 4 "World at One" on Friday 6 March on this issue and explained that collection and use of personal information requires the person responsible to inform the individual and provide an opportunity to correct any inaccuracies. So if, for example, someone were identified as a troublemaker when in fact they had simply "blown the whistle" on a breach of health and safety law, they would want to make sure that the record properly reflects the facts. It is then the data controller's obligation to ensure that the records are corrected.
The story also raises the point that data controllers surely have a legitimate right to check out their prospective employees. In some areas (for example, financial services) employers are being encouraged by regulators to vet their staff to help protect against ID fraud and cyber crime risk. However, there are, at present, relatively few ways for large employers to vet their staff in this way without risking a breach of the Data Protection Act. It is a difficult tightrope to tread.
If you are a large employer, we suggest you consider the following:
- Should you be vetting your employees?
- What information is currently available and what are the data sources?
- Are the sources of data "legitimate" - for example, are the data provided with the consent of the relevant individuals?
- Are any notes kept on staff for such purposes? Is this transparent and do employees have the opportunity to correct any inaccuracies?
This is not the first time a company has offered database services to allow employers to vet employees. If such databases are used in your organisation, they need to be checked for DPA compliance. Use of data which has been unlawfully obtained is a breach of the DPA and may expose you to enforcement action and bad PR.