UK Company Sold Workers' Secret Data

krou writes "The BBC is reporting that the Information Commissioner's Office has shut down a company in the UK for a serious breach of the Data Protection Act. It claims that the company, The Consulting Association in Droitwich, Worcs, ran a secret system that it repeatedly denied existed for 15 years, selling workers' confidential data, including union activities, to building firms, allowing potential employers to unlawfully vet job applicants. About 3,213 workers were in the database, and other information included data on personal relationships, political affiliations, and employment histories. More than 40 firms are believed to have used the service, paying a £3,000 annual fee, and each of them will be investigated, too." The article says that The Consulting Association faces a £5,000 fine — after pulling in £1.8 million over 15 years with its illegal blacklist.

Tortuous?

[DoofusOfDeath]

The article says that The Consulting Association faces a £5,000 fine â" after pulling in £1.8 million over 15 years with its illegal blacklist.

Are they also open to civil lawsuits from affected employees?

Re:Tortuous?

[krou]

Yeah, not going to be too easy, but at least they're taking it seriously and offering help. According to news on the ICO's website, "From 16 March the ICO will operate a dedicated enquiry system for people who believe personal information about them may be held on the database. Members of the public are advised not to contact the ICO until 16 March."

Re:This is an old, old blacklist

[krou]

The Data protection act has been around for about 10 years already in the UK, and from what I can understand, the electronic database has been around for 15 years. They didn't recently digitize it. Of course, before then, it's anybody's guess, but these guys could have been prosecuted 10 years ago.

Re:much bigger damage to society

A few key details were left out of the article.

1.) Did the workers agree to background checks?
2.) Was the information provided false?

If no to #1 or yes to #2, they have grounds to sue the company individually. The fine is only from the government. This happens every day in the US, but you don't hear much uproar.

Re:5k fine, 1.8M in profits

[u38cg]

I think the fine is a legal maximum; when the law was written it was never envisaged that a company would be abusing data in this way.

Am I right in thinking that a company doing this would, in general, be entirely legal in the US?

Re:sounds like the work of a genius

[Cally]

That's the infuriating aspect of this for some of us in the infosec world. This wasn't "selling private data", it was a good old-fashioned blacklist of "troublesome" employees who did annoying things like joining unions, complaining about health and safety violations (construction's very dangerous in the UK, I think it's ~100 deaths a year, and you can work out the ratio of deaths to maimings and career-ending injuries.) What they did was vile and evil, and the companies (huge mainstream FTSE-listed corporations, mostly) should be taken to the fucking cleaners as a clear sign that this sort of thing is illegal for good reasons, and will not be tolerated. However it's got FA to do with "leaking of personal data"; the headlines here, on the Beeb and even El Reg have been totally misleading.

Re:Common practice

In fact, this Guardian article suggests that Ian Kerr, the man behind this company, used to work for the Economic League.