Last month the Information Commissioner’s Office (ICO) announced that workers’ personal data concerning trade union activity and employment history has been secretly processed by an organisation and sold to main contractors.
The ICO is considering what action to take and says that it is “determined to stamp out this type of activity”.
The key legal principle at stake in this case is the issue of “fairness” – the right of individuals to know what information companies hold about them. Coincidentally, the ICO’s action came just as it circulated a code of practice and initiated a consultation process on the form of data protection notices to be given to individuals.
The fact that the ICO is initiating that consultation suggests that achieving practical compliance with the data protection law is not straightforward.
The requirements of industry and the rights of the individual are difficult to balance. Workers should not be unfairly prejudiced by secret databases holding information about them; however, it is difficult to reconcile some of the ICO’s guidance with commercial reality.
In addition, the ICO’s enforcement action has tended to be rather selective. Other data protection prohibitions (such as prohibitions on international data transfers to countries without “adequate” data protection) are routinely breached by many businesses but little enforcement action has been taken to date.
This is because regulators have been exceedingly slow to clarify what constitutes “adequate” protection and even now, more than 10 years after the Data Protection Act came into force, only a handful of international companies have had the “adequacy” of their arrangements formally approved by the ICO.
Companies live in fear of being the test case for regulatory action, as a regulatory injunction on international data transfers would probably be disastrous from a commercial perspective.
The problem with the data protection regime, therefore, is that companies are faced with complying with vague concepts like “fairness” and “adequacy”, while regulatory guidance is mountainous, compliance is costly and enforcement is somewhat sporadic.
The ICO has a duty to clamp down on flagrant data protection breaches that may have occurred in this case, but arguably its representatives should not go on national TV to criticise well-known organisations while it is still deciding what, if any, action to take against them.
Whether or not the law has in fact been broken by all the organisations named remains unclear. The ICO has been quick to protect “privacy rights” but may not have taken sufficient account of practical difficulties with compliance and wider commercial and reputation issues.
However, the case makes clear that a proper legal data protection compliance assessment should be carried out before pre-employment checks are initiated.
Lawrence Milner is a partner at Penningtons Solicitors.