The Information Commissioner’s Office (ICO) has seized a database containing details of 3,213 construction workers which was used by over 40 construction companies. The ICO is prosecuting the owner of the database and is considering action against the construction companies that used the data. This note sets out the ICO’s powers and suggests what the companies should do to prepare for this.
What can the ICO do?
The ICO may issue an enforcement notice restraining the companies from processing the data. Failure to comply with an enforcement notice is a criminal offence, and where an offence by a company is committed with the consent or connivance of, or is attributable to neglect by, a director or other officer, that individual can be personally liable as well.
Alternatively, the ICO may ask the company to sign a formal undertaking setting out specified steps to ensure compliance with the Data Protection Act 1998 (DPA). The ICO usually requires this to be signed by the chief executive or another senior officer.
What may happen next?
Although the ICO could issue enforcement notices immediately, this is unlikely. The first step in any enforcement will most likely be for the ICO to request further information from the companies concerned.
The ICO usually makes informal requests for information. Companies are generally advised to comply with such requests, although how to respond may depend on the results of the checking recommended below. If companies do not co-operate, the ICO can require production of information by serving an information notice, and it has powers to search for and seize materials under a warrant.
In any case, it will be incumbent on the company to answer the request faithfully and accurately. Failing to comply with an information notice, or knowingly or recklessly making a false statement in response to one, is an offence.
What should companies do to prepare for this?
Take action now to be prepared for the ICO; the ICO can look more favourably on companies that implement remedial action on their own initiative.
First, check whether the database has been used. If so, check when and how it was used, and whether any of the information is still on file.
Check the format in which any of the data was held. The DPA applies to personal data that is, or is intended to be, stored on a computer. Paper records can be covered, but this depends on how they are structured; if the information has only been recorded in paper files, take advice to see if these are covered.
Check to see what employees and applicants were told about how their personal data would be used. Collate copies of employee handbooks, privacy policies and standard application forms that may contain this information. There is an obligation to tell individuals how their information will be used and, in particular, if information will be shared with third parties.
Involve a professional legal adviser in this checking: correspondence with legal advisers in connection with potential proceedings under the Act does not have to be produced to the ICO in response to an information notice.
Check whether the company is registered with the ICO and whether the registration is accurate and up to date. Unless an exemption applies, processing personal data without being properly registered is an offence. If there are deficiencies in the registration, correct them immediately; this is the first thing the ICO will check in any investigation.
What else do I need to know?
Current and former employees, and applicants who were unsuccessful in seeking employment, may exercise rights under the Act against the companies.
The companies should expect an increased number of ‘subject access requests’, which require them to produce the personal data the company holds about the individual. They will need procedures in place to respond to such requests within 40 days of receipt.
Companies may also need to be prepared to respond to ‘Section 10’ notices, which require them to stop processing the individual’s personal data. Data controllers must respond to such notices within 21 days of receipt.
Individuals could also bring claims for damages for breach of the Act, or complain to the Information Commissioner.