Could action taken by the ICO in 2009 still have a part to play if construction industry blacklisting has continued? (acknowledgement: Tim Turner made some of these points back in January this year)
In 2009 the Information Commissioner prosecuted Ian Kerr, the then chief officer of a body called the Consulting Association. The Consulting Association had been holding a blacklist of people within the construction industry seen as “troublemakers” (a blacklist inherited from the Economic League, as detailed in Tim Turner’s superb post on the subject) and making this information available to clients on payment of a fee. The fall-out from this continues to this day, with, on the one hand civil claims being pursued, for what I understand to be common law “unlawful means conspiracy” and defamation, and on the other hand, the reports that the Information Commissioner’s Office (ICO) has been asked by Business Secretary, Vince Cable, to investigate allegations that the practice has continued to this day, on major construction projects like the Olympic Park and Crossrail (by the way, the extraordinary testimony of Gail Cartmail of Unite, in that last link, is essential reading).
The ICO’s prosecution of Kerr was for the relatively minor (and relatively rarely enforced) offence under the Data Protection Act 1998 (DPA) of failing to register with the ICO for his processing of personal data. No other sanction was, apparently, open to the ICO at the time. This was because the current regime of civil Monetary Penalty Notices (MPNs) for serious contraventions of the DPA had not then commenced.
As Chris Pounder pointed out at the time, there is even a query, applying the strict definitions of “data” in section 1(1), whether a blacklist held solely on paper, and arranged in, say, date order (rather than by reference to individuals), is even caught by the DPA. If not, then enforcement by the ICO would not be possible. This is because “data” broadly applies only to electronically-processed information or information held as part of a filing system structured by reference to individuals or criteria relating to individuals. One hopes that any alleged blacklisters haven’t made a habit of reading Chris’s blog and subsequently exploited a loophole that remains open.
Putting to one side this “loophole” point, it is likely that any processing of personal data which unfairly and unlawfully deprived someone of employment would constitute a serious contravention of the DPA, probably causing substantial damage and distress, and thus potentially attracting an MPN. An MPN is a relatively powerful weapon in the ICO’s armoury, and in my opinion one that has been used well to drive up data protection standards and drive home the importance of data security. Whether a huge construction firm would notice a (maximum) £500,000 penalty is another matter.
And, of course, none of the money paid under an MPN goes to the victim of a serious DPA contravention (it goes to the government consolidated fund). However, it is open to a data subject in such circumstances to bring a claim in the county court under section 13 of the DPA. Compensation is available if specific damage can be shown, and, if damage can be shown, further compensation for distress can follow. It is not clear to me whether the current claims from the 2009 events contain DPA claims, but the fact that they are being reported primarily as claims for tortious conspiracy suggests that even if so, they are subsidiary to the latter.
However, there is one further sanction which Tim Turner alludes to, which might possibly be in play. When the ICO prosecuted Kerr it also took steps to close down the practice, by issuing DPA enforcement notices against fourteen construction companies who had been proved to have used the list or supplied information: Balfour Beatty Civil Engineering Limited; Balfour Beatty Construction Northern Limited; Balfour Beatty Construction Scottish & Southern Limited; Balfour Beatty Engineering Services (HY) Limited; Balfour Beatty Engineering Services Limited; Balfour Beatty Infrastructure Services limited; CB&I UK Limited; Emcor Engineering Services Limited; Emcor Rail Limited; Kier Limited; NG Bailey Limited; Shepherd Engineering Services Limited; SIAS Building Services Limited; Whessoe Oil & Gas Limited. An example of one of the enforcement notices is archived here. It required the company broadly to
Refrain from using, disclosing or otherwise processing any personal data obtained from Mr Kerr
but also to
Ensure that if any personal data relating to recruitment is obtained from a source other than the data subject, the data subject is, in so far as is practicable, provided with the information specified in paragraph 2(3) at Part II of Schedule 1 to the [DPA] in accordance with the First Data Protection Principle.
Ensure that if any personal data relating to recruitment is disclosed to a third party for use in connection with the recruitment of workers, the data subject is, in so far as is practicable, provided with the information specified in paragraph 2(3) at Part II of Schedule 1 to the [DPA] in accordance with the First Data Protection Principle.
The notices do not appear to have been effective only for a fixed period, so one is to assume that they remain effective*. If any of the firms upon which they were served have sinced breached the terms of the notice they could potentially have committed an offence under section 47(1) of the DPA. That offence is triable either-way, and anyone found guilty is liable on summary conviction, to a fine not exceeding £5000, or on conviction on indictment, to an unlimited fine. And, by section 61 of the DPA, where, as here, the notices were served on bodies corporate, the bodies’ directors and some other officers can also be guilty of the offence of failing to comply with an enforcement notice if the offence is proved to have been committed with their consent or connivance or to be attributable to their neglect.
One wonders if the ICO’s 2009 enforcement proceedings may still have some part to play.
UPDATE: 15 August 2013
*The ICO has confirmed to me that they have no record of any of the Enforcement Notices being cancelled or varied, nor of any applications to cancel or vary being received. The ICO considers that the Enforcement Notices are still effective.