Raid on builders database shows privacy watchdog has teeth

The UK'sprivacy watchdogis demonstrating that it has real power by shutting down an illegal database ofpersonal informationon construction industry workers.

The Information Commissioner's Office (ICO) seized the database in a raid at the Consulting Association in Droitwich, West Midlands.

"This is proof the ICO is far from being a toothless tiger among regulators," says Paula Barrett, partner at international law firm Eversheds.

The database contained sensitive information such as the employment history and trade union activity of construction workers without their consent or knowledge.

The ICO says Consulting Association owner Ian Kerr ran the database for the past 15 years and charged construction firms a £3,000 annual subscription fee.

Kerr charged subscribers for personal details held about individuals to enable subscribers to vet potential employees.

He faces prosecution for breaching the Data Protection Act, which requires data controllers to register and be open about how they process personal information.

The action against Kerr is evidence of proactive enforcement by the ICO and that the watchdog has a range of powers, says Barrett.

Prominent construction firms Balfour Beatty, Sir Robert McAlpine, Taylor Woodrow and Laing O'Rourke are listed among Kerr's past and present subscribers.

David Smith, deputy information commissioner, says the ICO is considering taking action against these construction firms for using the database.

This case highlights a number of key compliance issues and should serve as a cautionary tale against vetting employees in this way, says Barrett.

Vetting should be done only to address specific justifiable risks in an open way with the consent of those involved.

Organisations should select information providers with care, says Barrett, because as users of the information they could be charged under the Data Protection Act.

"Ask questions about how they collect their data. If in doubt, don't use it," she says.

Businesses purchasing vetting information should have a contract that gives assurances that the information is collected in a way that complies with the Data Protection Act.

Those that check suppliers and build guarantees into contracts will reduce the risk being charged under the Data Protection Act as the ICO becomes increasingly proactive.