ICO powerless on builders’ blacklist

The Information Commissioner’s Office has been forced to admit it is powerless to take further action over a builders’ blacklist – seized by the regulator in 2009 – after calls for a crackdown against the 44 construction firms which are claimed to have used it.
Details of the blacklist were first revealed in 2008 when it emerged that an organisation called Consulting Association held files on about 3,200 agency workers, including so-called left-wing troublemakers, political activists, shop stewards and health and safety representatives. It was used by many companies to vet new recruits.
Now the GMB trade union is threatening legal action unless the ICO informs 2,863 builders their names are still on a blacklist. The move follows a similar letter from civil rights group Liberty a few weeks ago, with both organisations highly critical of the ICO for refusing to act for the past three years.
In a blogpost, ICO deputy commissioner David Smith conceded that it was “disappointing” that the regulator could not issue more substantial penalties, but “these were the maximum legal powers available to us at the time”.
He added: “We have since been given the power to issue civil monetary penalties up to £500,000, but these can only be issued where a breach of the Data Protection Act has taken place after April 2010. We’ve received no reliable evidence that unlawful processing of personal data continued after this date, and so the stronger penalties do not apply in this case.”
In response to calls for the ICO to inform builders they are on the list, Smith said: “Some of the information is incomplete (one person is listed as being born ‘in 1975 approximately’), some is in the form of poor-quality, handwritten notes and some is extremely dated, with one last known address listed for the 1970s.
“This makes it difficult to confidently identify some of the people listed in the database, and impossible to identify others. We might end up causing a more serious breach of privacy by sending sensitive personal information to the wrong person at the wrong address.”