Firms need to learn from data protection crackdown

All businesses need to be aware of the implications of the recent Information Commissioner’s Office (ICO) investigation against Ian Kerr trading as The Consulting Association.

The ICO found that he was processing personal information on more than 3,200 workers, which he was selling on to construction companies, including 14 firms against which Enforcement Notices have been served.

While Kerr’s activities were illegal and the information commissioner was able to prosecute him for failing to comply with the Data Protection Act 1998 (DPA), there was apparently no such option to proceed directly against the construction companies.

An Enforcement Notice requires organisations to either take or refrain from taking specified steps to ensure they comply with the law. The ICO can prosecute those who commit criminal offences under the DPA, and failure to comply with an Enforcement Notice is a criminal offence.

Deputy information commissioner David Smith highlighted the issue when he said: “Fourteen firms paid for personal details about construction workers without those people knowing. The individuals were denied the opportunity of explaining or correcting what may have been inaccurate personal information about them and which could have jeopardised their employment prospects in the industry.”

As a result of the lessons from this case, it is clear that all business sectors that use personal data as part of hiring and firing decision-making processes need to re-think their strategy and have in place suitable policies and procedures.

The ICO is focusing on compliance by businesses and expecting them to not only “say what they do” through the use of clear privacy notices but also “do what they say” by complying with those notices and the obligations under the eight data protection principles, which include “fair and lawful processing” of personal data.

Businesses should audit their data processing activities to understand and minimise risk.

Robert Bond is a partner and head of intellectual property, technology and commercial at law firm Speechly Bircham