ICO blog: Prosecution of construction blacklist used strongest powers we had
By David Smith
29 August 2012
The construction blacklist has again been in the headlines recently, with Liberty and the GMB trade union both writing to the ICO in an effort to better understand what further action can be taken to help those people listed on the database.
For those not familiar with the case, the blacklist was a database of personal details of construction workers, including personal relationships, trade union activity and employment history. The list was used by construction companies to avoid employing ‘troublesome’ workers.
An ICO investigation in 2008 closed the list down. The construction companies proven to have used and supplied info to the list were issued with enforcement notices demanding they stopped the practice, and Ian Kerr, the man who ran the database on behalf of The Consulting Association, was fined £5,000 for failing to notify as a data controller.
It was disappointing to us that we could not issue more substantial penalties, but these were the maximum legal powers available to us at the time. We have since been given the power to issue civil monetary penalties up to £500,000, but these can only be issued where a breach of the Data Protection Act has taken place after April 2010. We’ve received no reliable evidence that unlawful processing of personal data continued after this date, and so the stronger penalties do not apply in this case.
Liberty is calling for stronger action against those involved in the list. Their concern is understandable - and I’m sure that, were it possible, any prosecution of individuals involved in such a shameful practice would be popular – but the fact remains that the ICO used the strongest powers we had available to us at the time. We’re always keen to hear what Liberty has to say, and we are arranging to meet with them on this, but at this stage we see no grounds on which we could justify reopening our investigation.
The ICO’s focus since 2009 has been on helping those who feature on the list. To complement our helpline, we set up a ‘fast-track’ service to allow anyone who suspected they were on the list to find out if they were, and get a copy of any information held about them.
So far 616 people have formally requested to find out whether they were on the list, of which 194 were listed and have been passed details of their personal information.
You can find out more information on how you can make a request for your data if you believe you may have featured on the list.
There have been calls, most recently by the GMB trade union, for us to proactively contact people listed on the database. The reality is that this is simply not possible. The blacklist contains the personal data, and in some cases the sensitive personal data, of 3,213 individuals, but the content and quantity of information about each person varies enormously. Some of the information is incomplete (one person is listed as being born “in 1975 approximately”), some is in the form of poor-quality, handwritten notes and some is extremely dated, with one last known address listed for the 1970s.
This makes it difficult to confidently identify some of the people listed in the database, and impossible to identify others. We might end up causing a more serious breach of privacy by sending sensitive personal information to the wrong person at the wrong address.
We appreciate that the GMB union is working closely with many of those affected, and we are keen to assist this process where we can. With that in mind, we have offered the GMB a solution that will allow their lawyers to view some of the information we hold, once a confidentiality agreement is signed, in order to identify which of their members are on the list. The GMB will then contact those individuals, who can then make a subject access request either directly to the ICO or through the GMB to obtain the full information held about them.
Several years after the list was closed down, it is understandable that it continues to prompt strong feelings. The list involved persistent and serious breaches of the Data Protection Act. There should be absolutely no doubt that we treated these with the utmost seriousness. In many respects, the case shows the importance of having a regulator who can properly investigate data protection issues. Perhaps more importantly, it underlines the importance of that regulator having stronger powers, like those we hold today: if the breach was repeated now, the outcome would be likely to be substantially different.
29 August 2012