40 Leading Construction Companies breach Data Privacy Laws
ICO seizes covert database of construction industry workers
An obscure Midlands firm was raided last week by the Information Commissioner, and as a result 40 leading firms now face investigation because they bought and used illegal data from this company. Those companies' reputations are now as muddy as one of their construction sites, almost certainly not because the individuals who sanctioned it knew it was wrong, but rather because they didn't know or didn't care.
Overall there were no fewer than six basic breaches of the Data Protection Act, making this one of the most serious cases of its kind since the Act came into force. We have listed them below:
1) Notification – none of the individuals named on the database were ever told their data was being passed to a third party
2) Fair processing – none of them were told that their data was being used by third parties
3) Resale – you cannot sell data to a third party unless you have consent
4) Excessive collection – much of the data collected would be considered excessive even if it remained in the companies who collected it. For example, trade union affiliation, relationship status, known associates etc.
5) Non-registration – The Consulting Association not only wasn’t registered but repeatedly denied the existence of the database
6) The construction companies named not only purchased the data but in many cases also supplied data to the Consulting Association.
Basically the database was a “blacklist” of workers within the construction industry who were considered “troublemakers”. These types of database were very common in the late eighties and early nineties and were one of the main reasons for the EU Directive coming into force in 1994 and thus the passing of the Data Protection Act in 1998.
The Information Commissioner, for the first time, used a seven-day enforcement notice – in effect shutting this particular business down because of the seriousness of what it was doing. It has apparently now vacated its premises. The list of companies contains many of the UK’s best-known companies including: Amec Building Ltd; Balfour Beatty; Costain UK Ltd; Kier Ltd; Laing O’Rourke (Laing Ltd); Sir Robert McAlpine Ltd; Skanska (Kvaerner/Trafalgar House Plc); Vinci PLC (Norwest Holst Group).
What went wrong?
It is fair to say that all of these companies are aware of the existence of the Data Protection Act 1998 – a cursory look at their websites shows this to be the case. What almost certainly happened here is that the level of education about the basic meaning of the Act either was never undertaken or was so long ago that it is now long-forgotten. To be fair there is so much legislation that companies and their employees have to be aware of that it is no surprise that this happened. At MI we believe there are three vital steps to put in place:
1) Undertake Annual Data Protection Audits – these serve to remind people of the existence of the Act and can pick up on situations where the Law is being breached. As part of the audit a simple educational reminder will help people remember the potential seriousness of these breaches.
2) Put in place simple rules for data purchase:
a) Never obtain data from any third party who is not registered with the Information Commissioner. You can check registrations at http://www.ico.gov.uk/ESDWebPages/search.asp
b) Always check how the data has been collected to ensure that consent was given for the data to be passed to third parties.
c) Always demand a warranty and indemnity from the provider that they have complied with the Data Protection Act with regard to third party consent – this should be on the Purchase Order.
3) Put in simple rules for supplying data to third parties – don’t. No company should be handing over any data on individuals to a third party – be they a data processor or a data controller – without careful thought and checks. Again the company should be registered with the ICO; the contract between you and the third party should be explicit about compliance with the Data Protection Act 1998; and the third party should indemnify you for any breaches.
The new Information Commissioner, Christopher Graham, takes up his post in June and he has already said he will take a more pro-active stance towards both enforcement and education. The Advertising Standards Authority (ASA) where he is currently Chairman has been highly pro-active in publicising breaches of the Data Protection Act and we see no reason why he won’t be even more active at the ICO.
For more information about Marketing Improvement’s Data Privacy services, please contact Tim Beadle on 0118 989 6951 or email tim.beadle@mieurope.eu