Blacklists and data protection: head to head

The construction industry ‘blacklist’ has raised the hackles of just about everyone involved with recruitment – not least those individuals listed who may have been denied a working wage because of it. But is it always wrong to use a staff register? And how can HR make sure it stays on the right side of the law?

Ben Willmott,
Senior public policy adviser
Chartered Institute of Personnel and Development




Michael Gorrill,
Head of the Regulatory Action Division
Information Commissioner’s Office




Q What lessons can HR draw from the construction industry blacklist?

Ben Willmott The recent case of private detective Ian Kerr, who allegedly sold information about construction workers to building companies, shows that the Information Commissioner’s Office (ICO) has the power to take strong action where there’s evidence that organisations are breaking their data protection obligations.

It also illustrates why it is so important that employers understand their responsibilities and potential liabilities under data protection law. Hopefullyit will not only help raise awareness among those in breach of the law, but also encourage them to improve their approach.

Michael Gorrill We have taken action against Kerr because he hadn’t notified the ICO that he was processing this data. That is very important to note, because we keep a public register of organisations that are processing personal information, to enable people to make contact with the data controllers and ask ‘what do you hold on me?’ Privacy rights were clearly affected because Kerr hadn’t notified the ICO and because the system itself was covert.

Q What does this case say about data protection regulations?

Willmott The Data Protection Act makes it very clear that to lawfully process sensitive personal data, including information on racial or ethnic origin, political opinions, religious belief, trade union membershipor anything relating to physical or mental health, you need to have the explicit consent of the individual concerned. You also haveto be able to justify your use of the data. The guidance and the law in this area is very straightforward. There should be no ambiguity and there is no excuse for getting it wrong.

Gorrill The Data Protection Act is really about processing information fairly. Keeping a database of this sort is clearly unlawful but, crucially, it is also not fair. Individuals must know if information is being stored about them. Creating a database about individuals, who may or may not have done something, without their knowledge – something they can’t challenge, which is having an effect on their lives – is clearly something we take seriously because it can have such a detrimental effect.

Q Is it ever OK to use a staff register or database?

Willmott The processing of sensitive personal information, including details of union membership, is unlawful except in a limited number of circumstances where, for example, the individual involved has given their consent. You might be able to justify the use of data without consent if it was vital to child protection. But to all intents and purposes, other than through a set of very limited circumstances that are very clearly laid out, blacklists of any sort are unlawful.

Gorrill You have to notify the ICO that it is something you are doing, you have to tell the individuals that you are keeping information about them and might share it with other organisations, and individuals have to be able to challenge it to make sure that what you are keeping is accurate. Then that is fair. There are certain individuals, who commit criminal offences, that you might not want to work in similar organisations in other parts of the country, but you still have to tell them that you are keeping the information or passing it onto other organisations.

Q Should the ICO be given stronger powers to seek out similar illegal data records?

Willmott Let’s not complicate things. Let the ICO use the powers it already has under the existing data protection legislation to ensure this area is dealt with consistently and firmly. Employers that ignore their legal obligations already risk reputational damage and potential prosecution in the courts.

Gorrill We’d like powers to inspect organisations without their consent. In cases like this, where we are informed of a clear breach of data protection regulations, it would be good for the ICO to go into a company premises without consent and make an inspection. If we could do that and uncover more databases like this it would be better for everyone concerned. This is a power that the ICO is currently lobbying for in Parliament.

Q Should firms be equally concerned about accessing the information stored on social networking sites?

Willmott Social networking sites bring personal data into the public domain, but employers should be very careful about how they use them. The wider point is that if you’re basing your recruitment decisions on an internet trawl and a picture of someone running naked down Putney High Street, then you are really not going to be recruiting in a good way. Best practice in recruitment is all about bringing in people who have the best skills, qualifications and capabilities to meet the skills shortages in your organisation – not looking at what someone might have said in the past.

Gorrill It is very difficult to stop firms from looking at social networking sites, as once the information is in the public domain it is essentially the same as picking up a newspaper. Obviously, some employers won’t resist the temptation to have a look if there’s something on there that might help them make a decision about whether to employ somebody or not. The key difference is that in the case of social networking sites the individual is putting the information into the public domain themselves. So ultimately it is up them to monitor it. Once it’s in the public domain they are essentially saying that whoever wants it can have it.

Have your say

Roger Byard, partner and head of employment team, Cripps Harries Hall
A key principle of the Data Protection Act (DPA) is that personal data about an employee should not be obtained, held or passed on by an employer without their consent. A worker who can show they have suffered loss because of a breach of the DPA can recover compensation. It will always be difficult for a rejected candidate to prove they were not offered a job because of information on the internet or because their name was on a blacklist. However, when making a recruitment decision, employers should rely on their own assessment of the candidate and the candidate’s CV.

Simon Bond, partner, Challinors Solicitors
It may be seen as hugely advantageous to know as much as possible about prospective and existing employees. But there are dangers in relying on registers and blacklists. First, there is the possibility of a defamation action if an employee feels their reputation and employment prospects have been damaged by an untrue or unfair inclusion on a blacklist. There are also potential claims for unfair dismissal and discrimination – the blacklist used by the construction industry described one worker as “Irish ex-army, bad egg”, a comment that could clearly give rise to a claim for racial discrimination.

Andrew Sharpe, partner, Lansons
Ian Kerr, trading as The Consulting Association, was in breach of the First Data Protection Principle. Under the terms of an enforcement notice, his business has been shut down. However, he is only being prosecuted for the offence of not being notified as a data controller to the ICO. So while he may be fined a maximum of £5,000 and his clients possibly served with enforcement notices, they will not be prosecuted for their part in this illegal vetting. This shows the current weakness in the powers of the ICO. However, it is shortly to be given fining powers – possibly up to a maximum of 10% of [a company’s] annual turnover.

David Whincup, partner, Hammonds
Employers are increasingly using social networking sites to find information about new employees. Although that information is not necessarily for public consumption, the person did at least put it there or knows about it. On the other hand, the information on a covert blacklist is not put there by the individual, they may not know about it and it is not necessarily true. That makes a significant difference to an employer’s ability to rely on it.

The Data Protection Act

Public awareness of data protection issues is at an all-time high, largely on the back of some high-profile public sector gaffes. But it’s not just the public who are getting up to speed.

Over 90% of firms now know that individuals have the right to see information held about them, to have a breach of the Data Protection Act (DPA) investigated and assessed, and the right to correct inaccurate information.

About 95% of firms agree that the DPA is needed, while 61% believe it adds value to their business and 83% believe it improves customers’ trust. Just 13% believe the DPA is a burden on their organisation, with 4% describing it as a waste of resources.

Private sector organisations are more aware of security than public authorities, with 61% rating it as the main principle of the DPA, compared with 48% of the latter.

Large public organisations are most likely to receive personal information requests from the public, with 36% receiving more than 50 requests in 2008.

Source: Information Commissioner

The bigger picture

The Information Commissioner’s Office (ICO) has acted swiftly on the construction industry blacklist. Yet that is just one small part of its work.

In 2008, the ICO received more than 10,250 complaints relating to the Data Protection Act. By 1 December 2008, it had resolved 8,920 cases, with 1,100 resulting in a formal decision notice. Well over half were closed informally following an investigation and negotiation. A third were either ineligible, incomplete or so obvious that the ICO dealt with them easily and quickly.

In about 30% of cases the ICO upheld a requester’s complaint in full. About 25% of complaints were rejected and around 45% partly upheld – usually because the complainant was entitled to some information, but not all.

Either side can appeal against an ICO decision notice, without cost, to the information tribunal. Yet fewer than 30% of “losers” appeal.

Of those who do appeal, the original decision is upheld in more than 80% of cases.

Source: Information Commissioner

Comments are closed.