Legal eagle

/ 01 June 2009

Everything you need to know about employment law
This month… Boys from the blacklist

Back in 2003, during consultation on legislation to outlaw the use of employee ‘blacklists’, the government said that ‘regulations will not be introduced until there is evidence that blacklisting is occurring or may occur’. As no legislation followed, it could legitimately have been concluded that there were no blacklists in operation and the whole thing was simply a non-issue. Skip forward to March 2009, however, and an investigation by the Information Commissioner’s Office (ICO) revealed that a large and profitable blacklist service has been running in the UK for at least 15 years, with some of the biggest names in construction among the subscribers.

A business called the Consulting Association, run by Ian Kerr, has apparently kept a database of sensitive personal information about more than 3,000 construction workers, including details of individuals’ personal relationships and trade union activities, as well as information about employment history and health and safety complaints they had raised. This data was used by 40-plus construction companies to vet individuals for employment. 

The discovery could lead to employment tribunal claims from those denied jobs on trade union grounds, for example, but will there also be fall-out because of the terms of the Data Protection Act 1998 (DPA)?

The ICO has already made it clear that Ian Kerr will be prosecuted for breaching the DPA. Those who process personal information must register with the ICO as a data controller, which Mr Kerr had failed to do. Personal information was also held on individuals and shared without their knowledge or consent – a particularly serious failing, given the amount of sensitive personal information which appears to have been held. Indeed, the Consulting Association not only neglected to obtain the required explicit consent of each individual whose information was held, but repeatedly denied the very existence of the database.

Noises have also been made by the ICO about prosecuting the construction companies which used the information on Mr Kerr’s database. It is an offence to knowingly or recklessly obtain or procure the disclosure of personal information. However, to be guilty of such a crime, this must take place without the data controller’s consent.   

There is no law against organisations sharing personal information, but this must be backed up by a sound business case and comply with the Act. Any sharing should preferably be supported by a privacy impact assessment and the consent of individuals should be obtained in advance. Transparency about how information is being used and shared is critical.

The ICO has now taken control of the Consulting Association’s database and has set up a helpline for individuals who want to know whether their details were on the blacklist. If an individual can show they have suffered damage as a result of a breach of the DPA, they can sue for compensation to cover loss of earnings, damage to reputation and even any distress suffered. 

When the fines which could be handed out if the prosecutions are successful are also taken into consideration, it looks like blacklisting is going to prove costly in more ways than one.

Alan Delaney is a senior solicitor in the Employment Team at Maclay Murray & Spens LLP