Data protection remains a vital issue in the construction industry as elsewhere. Shadow business secretary Chuka Umunna recently called for contractors who misused the data of prospective employees to establish a fund to compensate employees who were blacklisted.
The Data Protection Act 1998 has wide-ranging consequences for all employers. As well as the risk of fines and civil action, businesses in breach of the Act could be subject to serious disruption dealing with an investigation.
In July 2009, following an investigation by the Information Commissioner's Office, Ian Kerr of The Consulting Association was fined £5,000 for breaching the Act.
The power of the ICO
The ICO is responsible for administering the provisions of the Act. It has the power to bring criminal prosecutions, enforce compliance with the Act through the use of ‘enforcement notices’, audit organisations and impose monetary penalties.
The ICO found that The Consulting Association held a database with details on 3,213 construction workers and traded their personal details for profit.
It was revealed that the database was used by more than 40 construction companies and included information about construction workers’ personal relationships, trade union activity and employment history.
In addition to taking action against the company that operated the database, which resulted in a fine, the ICO also issued enforcement notices against 14 of the construction companies that had obtained employee details illegally. The notices required them to refrain from further using the employees' details and to ensure in future that any personal data relating to recruitment obtained from third parties is provided to the employees in accordance with the Act.
The Act is back in the news following calls from Liberty and the GMB union for further action to be taken. Mr Umunna is now calling for compensation to be provided to the employees too.
What can employers do to reduce the risk of problems?
First of all, the Act requires all organisations processing personal data to notify the Information Commissioner of their data processing activities unless they fall within one of the exemptions set out in the Act.
Such exemptions are limited, and do not exempt organisations from complying with the remainder of the Act.
Steps that employers can take include:
- Make sure your organisation knows what personal information is held about employees and why.
- Consider whether all the information held is exempt from notification or whether your organisation should be registered with the ICO.
- Who in your business understands how personal information held is used? Who is responsible for it?
- Is your HR department aware of the Data Protection Act and its implications? Ensure that your employment policies and procedures comply with the Act.
- Is information held sufficiently secured?
- Ensure any checks carried out with third parties on employees are with parties that comply with ICO guidance and the Data Protection Act.
- Eliminate collection of irrelevant or excessive personal information on employees or prospective candidates.
- Treat information regarding agency, contract and temporary staff in the same way as employee information.
Do not assume that the ICO is a toothless organisation that will not take enforcement action; it has the power to serve monetary penalty notices of up to £500,000, as well as prosecute.
The publicity and adverse impact on reputation also represent serious damage to a business.
Shelley Thomas is head of information governance at Hill Dickinson. Michael Woolley is a partner at the firm and Moya Clifford is a professional support lawyer.