Wednesday 1 July 2009

UK: Data protection - employers' obligations

Recent enforcement action by the Information Commissioner's Office (ICO) against The Consulting Association, which led to the firm being shut down for its breach of data protection legislation and significant fines for its owner, is a stark reminder to all companies of their obligations under the Data Protection Act 1998 (the Act) and the penalties for non-compliance.

The action concerned the firm's operation of a database containing personal information on construction workers, which was sold to construction companies to vet workers for employment. It highlights not only the risks in using third-party databases for recruitment processes, but also the extensive obligations on companies processing personal information. It seems likely that the newly appointed Information Commissioner, Christopher Graham, will also continue the trend towards more aggressive enforcement action.

As an employer 'processes' considerable amounts of information relating to its employees, contract workers and applicants, it falls within the remit of the Act. Employers must, therefore, be aware of their duties towards that information and to the individuals to whom it relates.

The Act requires employers to follow eight data protection principles concerning the way in which data is collected, processed and stored. Employers must ensure compliance at every stage of the employment process, from the application process to providing references following termination of the relationship, and are usually also required to register with the ICO as data controllers. Clear internal policies will be required at each stage of the process and the adequacy of security measures must be assessed. In addition to these general obligations, the Act and ICO guidance on the Act provide specific rules concerning the transfer of data, both in the merger and acquisition process and internationally through intra-company transfers.

The importance of adhering to these obligations cannot be overstated, as a failure to do so may lead to criminal and civil liability, as well as adverse publicity for the employer.
