Recruitment blacklists: Are you complying with data protection laws?

"Leaders of businesses really must get the message that they have got to take their data protection responsibilities seriously. They can't flout the law." This was the message from the Information Commissioner's Office (ICO) after a raid at offices in Droitwich last week.

The raid revealed that an organisation known as the Consulting Association had a hidden database containing personal information of over 3,000 individuals and a list of over 40 companies, many household names, that had been using workers' personal information without their consent.

According to Andy Kimble, Partner at Bond Pearce, it highlights an important issue for all businesses, not just those in the construction sector:

"The Data Protection Act 1998 came into force in March 2000 yet, as the recent ICO raid on the Consulting Association shows, not every organisation is following the rules, particularly when it comes to recruiting workers and using third party databases."

With the construction industry under the spotlight last week, Andrew comments: "The use of third party databases is not limited to the construction industry. What any employer should be aware of before signing up to use a database is that the compliance risk lies with the user, just as much as the provider."

The Consulting Association held the personal information of over 3,213 individuals on a comprehensive card index system. The database was linked to a ring binder containing entries such as names, national insurance numbers and trades. The database also held sensitive personal data like trade union membership, along with other information that could be used to discriminate against people. "It was the sort of information that nobody had a chance to correct or put their side on it," said the ICO. Some information was more than 30 years old.

The ICO described the Consulting Association's database as a system for centralising records in the construction industry. More than 40 major British companies allegedly bought information from, or sent information to, the Consulting Association. The ICO stated that "Trading people's personal details in this way is unlawful and we are determined to stamp out this type of activity."

Because the information was held and traded secretly, those workers listed on it had no chance of challenging any inaccurate information. It is possible that workers who raised genuine safety concerns are amongst those who may have been discriminated against; exactly the situation that the ICO works to prevent.

"Businesses need to ensure that the information is being used in a legitimate manner and that there is transparency for the individuals concerned. The danger is that you make assumptions, assuming certain levels of legitimacy, for example, based on other reputable businesses already using the database," Andrew explains.

It appears that the Consulting Association and some companies in the construction industry contravened the Data Protection Act in that data was processed unfairly, was obtained without the individuals concerned knowing the purpose, was irrelevant, excessive, potentially inaccurate and out of date. The data was also processed without reference to the individuals' rights in the employment process.

It is important that organisations comply with all of the obligations contained in the Data Protection Act and conduct recruitment processes fairly.

Andrew advises: "As well as carrying out proper checks with regard to the data obtained from third parties, a company should equally ensure that if they agree to share information with a third party database, that they themselves are compliant with the law on data protection."

"All businesses using third party databases, for recruitment or other purposes, should make sure they have made all the appropriate checks before signing up. Take advice and minimise the risk to your business."

Data Protection: Dos and Don'ts:

  • Do remember to register as a data controller with the ICO. Failure to do so can result in a criminal prosecution and a £5,000 fine.
  • Don't hold individuals' personal information without their knowledge or (if necessary) consent.
  • Don't think that because a database isn't a computer record it's exempt. A paper or card based system can be caught too.
  • Do make sure that information held isn't irrelevant and that it is up to date. The Consulting Association held information that was up to 30 years out of date.
  • Don't hold sensitive personal information (e.g. information about health or trade union activities) unless it is necessary to comply with specific legislation, the individual has given express consent, or its use is otherwise permitted by the Data Protection Act.
  • Do make it clear how and why an individual's personal information is being processed. Make sure that individuals are informed about who their personal information will be shared with.
  • Do make sure appropriate security measures are in place to ensure personal data won't get lost, i.e. when transferring data make sure that the transfer process is safe and secure.
  • Do only use third party databases for recruitment information if those databases have been compiled legally. Seek guarantees that any information has been collected fairly, with the individual's knowledge and that the information held is accurate and up to date.
  • Do ask for help - if in doubt ask for assistance to ensure that your organisation is complying with data protection legislation.

For further advice please contact:
Andrew Kimble
+44 (0)845 4158422
