UK Company Sold Workers' Secret Data

krou writes "The BBC is reporting that the Information Commissioner's Office has shut down a company in the UK for a serious breach of the Data Protection Act. It claims that the company, The Consulting Association in Droitwich, Worcs, ran a secret system that it repeatedly denied existed for 15 years, selling workers' confidential data, including union activities, to building firms, allowing potential employers to unlawfully vet job applicants. About 3,213 workers were in the database, and other information included data on personal relationships, political affiliations, and employment histories. More than 40 firms are believed to have used the service, paying a £3,000 annual fee, and each of them will be investigated, too." The article says that The Consulting Association faces a £5,000 fine — after pulling in £1.8 million over 15 years with its illegal blacklist.

5k fine, 1.8M in profits

[KiloByte]

It's kind of hard to say "continue, please" louder than by slapping such an enormous fine.

Re:

[Anonymous Coward]

Actually, it can get a lot worse for them, they can be forced to stop all data exports for a long investigation time. I was on a project receiving data for a rather large global company (who is making the news quite regularly these days) from all European markets as part of a pan Europe system. The data itself was nothing special, the company owned it in each market and was merely transferring it around within, yet one country data protection overlords somehow found protocol wasn't precisely being followed.

Re:

[InsertWittyNameHere]

Sounds like a solid business plan

Re:

[cayenne8]

"Sounds like a solid business plan"

Well, it was. This is an old school method...currently being replaced by just scanning the internet in general, target searching on Facebook and the like.

As much as the old music industry is hurting with online distribution, so will services like this due to this kind of information being out there for free.

Re:

[infonography]

Well, it was. This is an old school method...currently being replaced by just scanning the internet in general, target searching on Facebook and the like.

As much as the old music industry is hurting with online distribution, so will services like this due to this kind of information being out there for free.

I concur, I limit the amount of info on my social sites. It's neither safe nor is it ethical some of the practices or conclusions that these create. Does it really matter that someone dressed up on Halloween like a pirate, does that make them a software pirate? But that is what some dumb folk will say if they look on a facebook page of wacky drunkeness.

ok I am blaming the stupid here and....

oh wait thats ok. If they have no clue I wouldn't work for them anyway. If you have to rely on someone else to tell y

Re:

[FatdogHaiku]

OK, 3,213 employees(and former employees, one would think) in the database. Forty firms are paying £3,000 on a yearly basis for information on that tiny little group... How often do those 3,213 people apply for new jobs?

These numbers are like Minnie Mouse, I think they're fu*king Goofy.

Re:5k fine, 1.8M in profits

[Captain Hook]

those 3,213 employees are the ones who are blacklisted, that doesn't mean the employers are only checking 3213 potential employees.

and before anyone says those 3213 employees had it coming for being trouble makers - http://news.bbc.co.uk/1/hi/uk/7928331.stm [bbc.co.uk]

Re:5k fine, 1.8M in profits

[Shakrai]

It's kind of hard to say "continue, please" louder than by slapping such an enormous fine.

What are the odds of the employers who illegally used said database being fined or punished in some way? Punish the people who used the database and you'll find that the next time someone offers up illegal information for sale they'll have a much harder time finding customers.

Re:

[davolfman]

If it's the same small statutory fine, they could just pay it and keep going. It's not like this data is a product they're selling, this data is just a small HR cost with potentially large abusive rewards.

Re:

[Shakrai]

Umm, where did I say that?

Re:

[vishbar]

This is a fundamentally different scenario. Johns/small-time pot smokers commit victimless crimes. The firms in this case are knowingly violating the privacy of each of these 3,000-plus workers. It would be more like prosecuting someone who attempts to hire a hitman.

Re:

[QuantumRiff]

I'm sure the lawsuits by the people on the list who have been denied employment because of it, will be much more helpful in making sure companies don't want to go this route again.

Inaccurate summary

[Apatharch]

...what a surprise.

The article does not say that the company is being fined £5000; it's the owner himself who faces prosecution, and hence a criminal record.

Re:

[fuzzyfuzzyfungus]

Perhaps we could put the owner on some sort of blacklist...

Re:

[mgblst]

We could, but apparently we couldn't tell anyone about it, at least not in the UK.

Re:

[u38cg]

I think the fine is a legal maximum; when the law was written it was never envisaged that a company would be abusing data in this way.

Am I right in thinking that a company doing this would, in general, be entirely legal in the US?

Re:

[DavidTC]

What sort of moron would write a law where the penalty doesn't apply per incidence?

Re:

[digitig]

The penalty does apply per incidence. There is once incidence. The prosecution is for failing to register the company with the data protection office, not for selling the data. And the summary also appears to be wrong to say that the DCO has closed down the company; all the report says is that it has already ceased trading.

Re:

[darth dickinson]

Am I right in thinking that a company doing this would, in general, be entirely legal in the US?

No...no, you're not.

Re:5k fine, 1.8M in profits

[Tony Hoyle]

The company has been shut down. Its owner faces prosecution *and* a £5000 fine (and for a case like this they will go for the maximum penalties).

Also all its customers are now under investigation and also face possible prosecution.

Also both the original company *and* its customers are wide open for legal action against them if they denied anyone a job because of this data.

That's a pretty fucking heavy disincentive for anyone doing it again.

Re:5k fine, 1.8M in profits

[Hatta]

Let us know when it actually happens.

mod parent up, underrated

[Travoltus]

That's "if" it actually happens.

It will happen.

[jotaeleemeese]

Union leaders were taling all day about this.

There was legislation in place, that the government did not enact, because the existence of such black lists hasn't been probed at that point!

I am not really making this up. Check the BBC or other British media...

The current Labour government is a complete embarrassment to the notion of Democracy.

Re:

[jonbryce]

The maximum penalty is a £5000 fine, plus a court injunction preventing them from doing it again. If they do it again, which they won't, they could be jailed for contempt of court.

Most likely, another company will start up in another part of the country doing the same thing, and in 15 years time, it will get fined £5000.

Of course construction companies are not hiring in significant numbers at the moment anyway, so maybe they will wait a few years before this new company is set up.

Re:

[compro01]

Much nicer idea would be 5k pounds times 3213 instances. That would handily disappear those profits almost 9-fold.

Re:

[rhyder128k]

"It's kind of hard to say "continue, please" louder than by slapping such an enormous fine."

Oh come on, it worked with Microsoft. Oh right...

Re:

[ObsessiveMathsFreak]

Most people working in the construction industry do not have a Facebook account. Most probably do not have a MySpace account either. They also probably don't have a lot of access to legal options either.

Re:

[domi28]

Most people working in the construction industry do not have a Facebook account. Most probably do not have a MySpace account either. They also probably don't have a lot of access to legal options either.

How did you come to that conclusion?

Re:sounds like the work of a genius

[fuzzyfuzzyfungus]

Highly variable, I suspect.

Illiterate undocumented immigrant getting paid 80 pence an hour to carry a hod? Probably not.

Skilled tradesman who happens to have political opinions pinker than his boss would like? Quite possibly(especially the web stuff).

Access to legal options, unfortunately, is very much a game for the wealthy; but the interwebs are pretty far downmarket these days.

Re:

[MrPhilby]

50% of my construction staff have Facebook. The other guy's fingers are too fat.

Re:

[xaxa]

The people targeted were union members, so they have access to lawyers. They're also in the UK, where fees are much more reasonable, and there's the Legal Aid system, for people that can't afford it.

Re:

[Eunuchswear]

Yup, 'cos most building workers have a facebook page.

Re:sounds like the work of a genius

[Cally]

That's the infuriating aspect of this for some of us in the infosec world. This wasn't "selling private data", it was a good old-fashioned blacklist of "troublesome" employees who did annoying things like joining unions, complaining about health and safety violations (construction's very dangerous in the UK, I think it's ~100 deaths a year, and you can work out the ratio of deaths to maimings and career-ending injuries.) What they did was vile and evil, and the companies (huge mainstream FTSE-listed corporations, mostly) should be taken to the fucking cleaners as a clear sign that this sort of thing is illegal for good reasons, and will not be tolerated. However it's got FA to do with "leaking of personal data"; the headlines here, on the Beeb and even El Reg have been totally misleading.

Re:

[prefect42]

Cut out the 'in the UK bit'. A quick google gives me outdated figures for 2005/6:

UK: 59
US: 5702

Re:

[prefect42]

A more correct google gives:

UK: 59
US: 1186

Re:

[Teun]

Being on a tangent, safety on larger projects is (much) better managed.

Re:

[Teun]

Unionisation is a human right like free speech, telling someone he's not hired because he's a union member would deliver a 100% certain charge for discrimination.

Re:

[Ironica]

Chances are, sharing this type of data would break various laws in the US, including those protecting workers' rights to unionize and whistleblower protection laws.

Individual workers could also sue the company for providing information that was prejudicial against them to prospective employers. When I was a manager, we couldn't even say *good* things about previous employees; if we got a call from a prospective employer checking an applicant's previous employment, all we could do was confirm (or fail to co

much bigger damage to society

[pmarini]

surely the damage done over 15 years to the families of those not employed because of this illegal practice is much bigger than £1.8mln...

Re:

[filekutter]

I agree with you totally pmarini. Unfortunately this is just the proverbial iceberg tip, with much more still hidden. These are corporations whose activities the last few decades since Reagan have centered on removal of restrictions, merging of interests with national law, and abolition through demonization of unions.

Re:

[Hognoxious]

Because it's not like the UK had a leader who more or less followed Ronnie's policies to the letter, is it.

Re:

[Beyond_GoodandEvil]

Hell, I've got karma to burn so with a -1 Troll mod, let's add a -1 offtopic, b/c the kosdot mods don't have a -1 disagree option. Seriously google jobs bank uaw if you don't believe my claim of sweetheart deals. Next google merit pay teachers to see how that union is making reform difficult.

Logic much?

[danaris]

I think the mods' problem with you is your erroneous extrapolation of a couple of (admittedly important) problems with particular unions to the conclusion that all unions are evil and must be destroyed wherever they are found.

Dan Aris

Re:

[Anonymous Coward]

A few key details were left out of the article.

1.) Did the workers agree to background checks?
2.) Was the information provided false?

If no to #1 or yes to #2, they have grounds to sue the company individually. The fine is only from the government. This happens every day in the US, but you don't hear much uproar.

Re:much bigger damage to society

[dkleinsc]

Even if they agreed to a background check, they probably didn't agree to be checked for activities that aren't in any way illegal or reflecting on job performance, such as (FTFA) "ex-shop steward" or "Irish ex-Army".

Re:

[g_attrill]

In this case it's not the checking of the employees that is the focus of attention (it says the companies using the service were written to and warned), but the building of the database. The employee's details were not allowed to be shared in such a way without their permission, and the company wasn't registered to even create such a database. Certain details (such as records of them reporting safety breaches, union membership etc) would be of debatable legality in any database of that tye.

Re:

[CraftyJack]

This decision establishes that The Consulting Association's actions were illegal. In the US, The Consulting Association would now be the target of lawsuits from workers affected by those illegal actions. I'm not quite sure if it's the same deal in the UK.

Re:

[digitig]

This decision establishes that The Consulting Association's actions were illegal.

No it doesn't. That won't be established until the court rules on it, and it hasn't come to court yet.

In the US, The Consulting Association would now be the target of lawsuits from workers affected by those illegal actions. I'm not quite sure if it's the same deal in the UK.

Not yet, because it's not yet established that the actions were illegal. Even if the ruling goes the way everybody here assumes it already has, all it will establish is that the data was being sold by a company not properly registered with the DCO, not whether the selling of the data is itself illegal. Indeed, it seems it isn't, because (from the RA) 'A spokesman for the Department for Business said it did

I'm confused

[Vinegar Joe]

How are the company's actions different than those of the government?

Re:

[jandersen]

Does your government sell information about your political activities etc to a cabal of semi-criminals? No? Well, there you have your answer, then.

Just because you have an ingrown bias that tells that "Everthing the government does is evil, and everything a private business does is sort of OK, even if it is criminal" doesn't mean that it makes sense. You would probably benefit from taking off your blinkers once in a while.

Re:

[Ninnle Labs, LLC]

The government sells personal information about workers (such as political activies) to companies so that they can illegally vet employees? Care to provide some citations?

Re:

[ObsessiveMathsFreak]

How are the company's actions different than those of the government?

Governments can be held accountable for their actions.

Re:I'm confused

[cbiltcliffe]

Governments can be held accountable for their actions.

Really? What country do you live in? I'd like to move there.

This is an old, old blacklist

[ab8ten]

This blacklist was specifically for the construction industry - for those who haven't RTFA. The terrible thing is that this list, and its sale for money, has been around for years and years. It's the industry's dirty little secret. It's only now they've computerised the records that they can use the Data Protection Act to prosecute. Sadly, I have no doubt that the information will live on somehow. All the major players have fingers in the pie and won't give it up, I think.

Re:

[krou]

The Data protection act has been around for about 10 years already in the UK, and from what I can understand, the electronic database has been around for 15 years. They didn't recently digitize it. Of course, before then, it's anybody's guess, but these guys could have been prosecuted 10 years ago.

Re:This is an old, old blacklist

[pjt33]

It's only now they've computerised the records that they can use the Data Protection Act to prosecute.

That's not true. The DPA covers "information which ... (c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system", where "relevant filing system" is defined as "any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible."

Re:

[Big Hairy Ian]

It's only now they've computerised the records that they can use the Data Protection Act to prosecute.

Absolute rubbish the UK DPA has applied to paper records since it was updated in was updated in 1998 please get your facts straight

Re:

[cbiltcliffe]

....please get your facts straight

Facts? We don't need facts. This is the Internet!

Tortuous?

[DoofusOfDeath]

The article says that The Consulting Association faces a £5,000 fine â" after pulling in £1.8 million over 15 years with its illegal blacklist.

Are they also open to civil lawsuits from affected employees?

Re:

[krou]

Looks like it. According to the video on the BBC page, the ICO claims that if someone can prove they suffered as a result of this database, they can claim compensation.

Re:

[fuzzyfuzzyfungus]

So, I wonder what the odds are that potential claimants will be pushed into the delightful catch-22 of "Oh, sure, if you were on the secret list you would be entitled to redress; but secret list is secret, so how are you going to prove that?"

It happens [eff.org].

Re:

[krou]

Yeah, not going to be too easy, but at least they're taking it seriously and offering help. According to news on the ICO's website [ico.gov.uk], "From 16 March the ICO will operate a dedicated enquiry system for people who believe personal information about them may be held on the database. Members of the public are advised not to contact the ICO until 16 March."

Common practice

[benwiggy]

Anyone remember The Economic League [wikipedia.org]? I'd be surprised if someone wasn't still maintaining it.

Re:

[Anonymous Coward]

In fact, this Guardian article [guardian.co.uk] suggests that Ian Kerr, the man behind this company, used to work for the Economic League.

"political affiliations"

[krou]

Just to point out that the original BBC article (when I submitted the story to /.) had a quote from the notes in the illegal database stating that someone was a member of the Communist Party, hence why I mentioned it contained political affiliations. Not sure why the BBC removed this, but just thought I'd mention it in case someone wonders why.

4. ?????

[Ogive17]

Finally we figure out the 4. ????? before 5. Profit!

British Paranoia at its finest!

[ringbarer]

Let me get this right:

British Employers are paranoid that potential employees are Communists or worse. They subscribe to a secret blacklist that potentials have no knowledge of or ability to refute allegations. Anyone blacklisted will not be employed, but the work still needs to be done.

So they draft in cheap labor from countries that didn't even exist twenty years ago. As these migrant workers aren't on the blacklist, they get cherry picked for work that local labor should have the same rights to apply for. The end result being the rise of local unemployment through no fault of the workers.

No wonder their economy is fucked.

Re:

[myxiplx]

Christ knows why this got -1, I'd mod you up if I got the chance.

If this turns out to be even part of the reason why so many foreign workers are being employed, heads need to roll.

Re:

[u38cg]

Foreign workers tend to show up on time and do the job without whining. I'd take half a dozen random Poles over half a dozen random Brits any day. Why British people are so convinced they deserve a job in front of people who work harder and for less than they do is a source of constant mystery to me.

Re:

[Anonymous Coward]

Translation: I'd prefer to employ illegal immigrants because if they complain about dangerous working conditions or being paid less than minimum wage, I can just have them deported rather than doing something about the problem.

Re:

[rich_r]

It'd work if it wasn't for the fact that Poles are entitled to work in the UK.
Immigrants yes, illegal no.

Re:

[Zaiff Urgulbunger]

Christ knows why this got -1, I'd mod you up if I got the chance.

Because "ringbarer" is on the secret /. mods Neg-list(TM)? ;)

Re:

[meringuoid]

Actually, the economy's fucked because we don't actually make things any more. The trend since the eighties has been for Britain to turn into one big bank. We don't make things - we finance other people to make things, and take a cut of the proceeds. Or rather, we sell their debts on to get the cash up front now and let someone else hold that risk. Or, even more profitably, we wait for someone else to finance yet another someone else to make things, we buy the debt, repackage it, and sell it on to the emplo

Re:

[Anonymous Coward]

British Employers are paranoid that potential employees are Communists or worse.

I think you're extrapolating USA anti-communist paranoia to the UK. Trade unions are fairly mainstream - heck, the current ruling party originated as the political arm of the trades unions and they rarely talk about deposing the Queen and hoisting the red flag over London these days (Mind you, the Labour Party and the unions aren't quite as pally these days - the unions having discovered that, whoever you vote for, the Government always gets in). However, union activists might be awkward about pay and condi

Re:

[Ninnle Labs, LLC]

You mean other than the fact that blacklists like that database are illegal?

Re:

[Anonymous Coward]

You mean other than the fact that blacklists like that database are illegal?

If you rely on the law for your morals then you have no morals at all.

Re:

[Ninnle Labs, LLC]

And you possibly think I care, how?

I've got to hand it to you...

[Ginger Unicorn]

That's some spectacular grammar.

Re:

[jonbryce]

The database itself isn't illegal. What's illegal is not telling the subjects of its existence, not giving them the opportunity to have information contained in it corrected, and some of the recruitment decisions made on the basis of it.

Re:

[Qzukk]

Seems only fair.

Let us know when we get secret blacklists of employers so that we can badmouth them without risk of reprisal, and we'll call it even.

solution:

[Anonymous Admin]

Charge them with 3213 instances and fine them per instance. The profit disappears and so does the motivation.

Re:

[Animaether]

Isn't there a solution proposed in many legal systems? Put oversimplified: "You cannot profit from the crime you committed"?

I.e. they would have to give back* the 1.8 million pounds PLUS the 5 thousand pound fine. More than likely they don't have that 1.8 million laying around somewhere, having spent much of it in time, so that'll be fun to pay back... that 5 thousand would look rather trivial in comparison. This extends to doing interviews, selling movie rights, etc. - all of it would go back into payin

Re:

[canajin56]

They already did that I think. The company is toast. The $5000 fine and/or jail time is for the owner, with them also looking for other people to charge criminally.

Re:

[mormop]

Better than that. Fine them the average annual wage lost by the builders on their list, say £15,000 a year, times 3213 builders, times the number of years the list operated = £722,925,000 spread evenly across the data company and the customers that used them.

Reminds me

[dfiguero]

of story that just came out yesterday from Toronto. I guess this practice is more common than I thought. Spanning more than one industry for sure. [thestar.com]

Well, maybe a little obtuse

[cdrguru]

Let's say that I run a company and we are absolutely committed to never, ever hiring an "ex-shop steward". Let's assume there isn't a service on the Internet where I can look up people to determine if they were ever involved in union leadership.

What am I to do? Well, I could just hire people in an uninformed way and hope for the best. Right?

Wrong. I would (obviously) do whatever it takes to make sure that prospective employees are not and never have been union-affiliated. Sure, this might result in som

Re:

[VJ42]

I would (obviously) do whatever it takes to make sure that prospective employees are not and never have been union-affiliated.

Then you would be acting unlawfully, here in the UK you have a right to be represented by a Union, not employing someone because of union related activities would be illegal in itself. Similarly, you can't refuse to employ someone if they refuse union membership (as seems to be the case over in the states judging by previous /. posts complaining about unions)

Re:

[Ironica]

Then you would be acting unlawfully, here in the UK you have a right to be represented by a Union, not employing someone because of union related activities would be illegal in itself.

It's also illegal in the US.

And before somebody asks....

[jotaeleemeese]

... how would anybody would ever know? you should know that in the UK you have the right to see all the documentation about how a company reached the decision to hire a certain person to fill a position when you are applying for that position.

If they can't prove they did it based on objective criteria they would be in deep shit...

Re:

[VJ42]

as seems to be the case over in the states judging by previous /. posts complaining about unions

Most states aren't "union shop" states where the union can force everyone to join or quit. Several states don't even let unions take your money if you're not a member (some states let the unions take a "negotiation fee" from non-members).

Here in the UK the unions have no rights at all over people who are non-members. The Unions in the UK were emasculated by Margret Thatcher, ironically I think that they are better organisations for it.

Re:

[jonbryce]

It is illegal to discriminate against people for engaging in trade union activities.