Ian Kerr, the private detective from Droitwich (Worcestershire), maintained a blacklist for use by the construction industry; he has just been fined £5,000 for breaching the Data Protection Act. Although the Information Commissioner has issued a press release explaining that this is the end of the matter, the real truth is that the prosecution exposes the fact that Government chose to exempt manual dodgy dossiers of personal details from the protection afforded by the Act and the weakness of the Information Commissioner’s current powers.
First, the prosecution of Mr Kerr was for the failure to register the processing of automated personal data. Note that the prosecution had nothing to do with any breach of any data protection principle – for example, disclosing inaccurate or irrelevant personal data unfairly or unlawfully. The only offence, the Commissioner could find in his armoury was that Mr Kerr’s company had failed to click onto his web-site, complete the necessary paperwork and pay the required £35 per annum.
If Mr Kerr had the data protection knowledge I would expect of our ISEB course attendees, then he would have known that if he had held his personal information in a manual form in a filing system that was reasonably structured (but not the high degree of structured demanded by a relevant filing system), then he could have waived the proverbial two fingers at the Commissioner. This prosecution would not have taken place; there would be no breach of the Data Protection Act, no fine and probably no publicity.
The Commissioner’s threat to serve Enforcement Notices on 17 construction firms that paid Mr Kerr for details on construction workers would probably come to naught and even thoughts of a Monetary Penalty Notice (when they eventually commence) would evaporate. Indeed, Mr Kerr, could look forward to enjoy continuing retirement income that amounted to £478,937 between April 2006 and February 2009.
Back in 1998, Harry Cohen MP, attempted to close this manual file loophole. In moving an amendment to the then Data Protection Bill, he said that the Bill’s manual file provisions would permit “a private sector organisation such as the Economic League, which kept dossiers on trade union members for the purposes of blacklisting them, will be allowed to keep whatever information it likes, however inaccurate or irrelevant it is, and to disclose it to whomever it likes, so long as it keeps the information on paper and in date order”.
He added that “The lack of data protection controls means that individuals will have no rights, and there will be unlimited disclosure to anybody of secret dossiers and files of irrelevant or inaccurate information, which may be kept for ever. In short, organisations such as the Economic League, and private investigators, will enjoy the same level of total exemption as MI5, MI6 and GCHQ. It is hard to believe that that is what Ministers really intend”. (Hansard, 2 Jul 1998: Column 616).
The Minister (Geoff Hoon) replied “...the Government do not believe that (Mr Cohen’s amendment) was necessary or desirable. To do so would be to impose additional burdens on business and others who use manual records in circumstances in which there is little or no threat to privacy”. This policy of excluding personnel manual records was repeated when the Freedom of Information Act was enacted; the Government introduced an exemption that maintained the exclusion of many manual employee files about public sector staff from the Data Protection Act (see section 33A(2) of the Act).
In short, what the Commissioner should have (and has been refused by Government) is the ability to prosecute anyone who deliberately sets out to flout a Data Protection Principle. Instead, the Government’s policy has resulted in the prosecution of an offence that is the data protection equivalent of not obtaining a dog licence. This is very short measure, when Mr Kerr’s activities have probably resulted in an unknown number of data subjects not getting employment, possibly for years on end.
Finally, the Government has embarked on a consultation following this case (http://www.berr.gov.uk/consultations/page52145.html). It talks about defining “a blacklist of trade unionists”, “the prohibition of the compilation, dissemination and use of such blacklists” and making “it unlawful for organisations to refuse employment, to dismiss an employee or otherwise cause detriment to a worker for a reason related to a blacklist”. The consultation suggests that courts can “hear complaints from any persons that they have suffered loss or potential loss because of a prohibited blacklisting activity”.
I think this completely misses the obvious. All the above abuse in this case could easily have been avoided if Government classified employee records as an Accessible Record (thus giving employee records the same status as social work, education or health records). Thus would grant employees the full protection of a data protection regime, provide for rights of access, redress if there was damage and ask for independent assessments from an independent Commissioner.
If readers agree with me, they should go to the above web-site and remind the Government that this simple and more protective solution was suggested a decade ago.