
Beware the blacklist! Will data protection come to the rescue for construction companies?

29 November 2013

The anticipated compensation scheme, by which construction companies may voluntarily pay back millions of pounds to blacklisted workers, serves as a timely reminder to ensure they are compliant with their current and future data protection responsibilities.

The blacklist begins…

Workers involved on some of the biggest construction projects in recent history, such as the Olympic Park, the Jubilee line extension and the Millennium Dome, discovered in October that they may be entitled to compensation if they were named on an industry-wide blacklist dating back to the 1980s.

The Consulting Association kept sensitive personal data of over 3,200 individuals, often including information extending to their National Insurance details, car registration number, their personal relationships and trade union activity. 43 of the biggest construction companies in Britain, including Sir Robert McAlpine, Carillion and Balfour Beatty, subscribed to this blacklist which informed them of potential 'troublemakers' in the industry, 'militant ringleaders' and unsubstantiated allegations of benefit fraud.

This secret documentation led to listed workers being denied any future employment, for reasons beyond their knowledge. Only after an Information Commissioner's Office (ICO) raid in 2008 did the full picture emerge and legal action commence.

The ICO reaction

Ian and Mary Kerr, who ran the Consulting Association, were fined £5,000 for breach of the Data Protection Act 1998 (DPA) in failing to notify as a data controller. The ICO also served 14 enforcement notices against some of the construction companies involved to stop them using the information on the list.

Had the unlawful processing of personal data taken place after changes in the law in April 2010, monetary penalties of up to £500,000 would have been imposed as well. However, as no evidence of such processing was found after this date, the ICO did not have the power under the DPA to issue stronger penalties.

What can construction firms do now to avoid such penalties?

Firms must now ensure that, if they obtain personal information about job applicants from third parties, they are completely open with those applicants about the process. As the ICO has explicitly stated, it is a breach of the DPA to use personal data covertly to vet workers for employment.

With increased awareness from the blacklisting press coverage, former employees and contractors will want to know what information construction companies hold about them and whether it is inaccurate or not. Construction companies should prepare themselves for handling an increased number of subject access requests.

What knock-on effects will the proposed EU Data Protection Regulation have?

The Regulation will overhaul the current patchwork of often outdated national laws by replacing it with one single piece of legislation. It is still to be negotiated with national governments in the Council and we expect that a final draft of the Regulation will be approved by May 2014.

The Regulation will have a number of serious ramifications for the construction industry, particularly if adopted in its current form. Construction companies will have to think carefully about their obligations under the proposed new regime:

Heavy fines: fines of up to €100m or 5% of annual worldwide turnover may be imposed for non-compliance with the Regulation. Data protection authorities will also have the power to investigate organisations without prior notice.

Stricter rules relating to employee consent: if employers wish to use the personal data of employees, consent must be obtained on an explicit and 'opt-in' basis. Therefore, construction companies will have to inform employees of the particular use of their personal data and ensure that freely-given consent is obtained.

Mandatory appointment of a Data Protection Officer (DPO): for those businesses that process personal data related to more than 5,000 data subjects in a consecutive 12-month period. This will undoubtedly concern large construction firms - even if they already have a DPO appointed, their DPOs will now have to be far more vigilant and proactive. DPOs, who may be internally or externally appointed, will ultimately be responsible for putting into place data protection policies. Construction companies should view this as a positive step to ensure that breaches of the DPA, such as the use of an illegal blacklist, do not occur.

The data protection authority must be notified of breaches within 72 hours in most cases. The authority will keep a public register of all types of breaches. Data breaches may also need to be notified to the affected individuals, who will have the right to claim compensation. In the wake of the blacklisting scandal, construction companies may be at particular risk of a cyber-attack or hacking by individuals seeking revenge or wishing to find out what information is held about them.

Therefore, companies should review their security practices and policies as a matter of urgency to limit the risk of a data breach - the financial and reputational implications are just too substantial to ignore!

For more information please contact Mark Smith, Partner

T: +44 (0)20 7427 6722