The data raid that discovered a construction worker blacklist has legal implications for the companies and individuals involved

The raid by the Information Commissioner's Office (ICO) on 23 February on the offices of the Consulting Association (TCA) to find a blacklist of workers that was being sold to employers to vet staff has caused considerable disquiet across the industry. Workers and authorities are amazed that so many companies could have breached UK data protection laws.

A prosecution is now being prepared by the ICO against the company that collected the information and its owner Ian Kerr for a failure, first, to notify the ICO that it was processing data and, second, for processing data unfairly and unlawfully. Leaving the fate of Mr Kerr to one side, what are the implications for the companies involved and what about individuals who may have suffered prejudice?

Implications for the companies

The timing of the raid, as far as construction companies are concerned, was fortunate. While section 55 of the Data Protection Act (DPA) allows the ICO to fine companies for misuse of data, the relevant provisions of the Criminal Justice and Immigration Act 2008 have not yet been brought into force. These are expected this summer, but the loss of a USB stick containing information related to police investigations in Edinburgh over the weekend will give pause for thought, as it will remind the government that fines in these situations will apply equally to the public sector. The government has the lion's share of headlines thus far when it comes to losing data.

The ICO is considering issuing enforcement notices against the companies. This can be seen as a final warning, and a clear indication that their practices regarding data protection and processing will be the subject of scrutiny. Policies relating to such matters will need to be put into place, and relevant individuals tasked with ensuring continuing compliance.

The companies may have defences open to them, although they may need to provide good evidence that they obtained the details on potential workers in the reasonable belief that such a course of action was with the consent of those individuals. The Consulting Association may have told them that it had the consent of the individuals to use the data in the manner in which it did.

However, the information on the individuals (such as sensitive information about trade union membership as has been reported) would suggest that neither of these would be a credible defence. With regards to individuals within the companies themselves, whether they have a separate case to answer will depend upon the existence of any protocols relating to data protection and their adherence to the same. This will be a disciplinary matter, however, and not be subject to a direct claim from aggrieved potential workers.

Rights for individuals

The companies concerned can expect to receive a raft of subject access requests from individuals who are concerned that they have been specifically affected. The DPA does allow such access requests to obtain all data processed by the companies. The definition of “processing” includes obtaining data, so in theory individuals do have the right to find out what data the construction companies obtained from TCA. If reports are accurate, however, the paper trail from relevant conversations will be limited, and claimants should expect a struggle to obtain the incriminating evidence they are hoping for.

Claims for distress caused by unlawful processing will need to be pursued through the courts. Previous successful claims have been low, so the costs of bringing such action could diminish the point of doing so. In appropriate cases, the ICO can step in to assist in claims, and given that it is setting up a dedicated facility from 16 March for affected individuals, there is some indication that it may do this. This would necessarily help provide the necessary momentum to take such a case forward.

Will it always be like this?

The law is only effective if the penalties for non-compliance are such that parties are not tempted to ignore or circumvent the law because it is more advantageous to do so. The law is ineffective if the applicable sanctions for non-compliance are such that an analysis of the value of non-compliance can be entertained. Data protection legislation has existed in the UK since 1998, and it is about time that the ICO had suitable powers to ensure enforcement. The scale of fines should be proportionate to the offence, but it must also be meaningful. This would allow companies, as well as their advisers, to be clear about the risks of non-compliance.

Rupert Casey is a partner at City law firm Macfarlanes