Last week, the European Union brought charges against Britain for failing to protect Internet users’ privacy. That particular case concerned Internet Service Providers and behavioral advertising through a company called Phorm. The FTC is currently wrestling with similar behavioral advertising problems in the US. There is, however, a great example of the EU Data Protection Directive 95/46/EC and its fundamental privacy rights protection at work in the United Kingdom.
Each EU country elects or appoints a data protection authority (“DPA”) that oversees privacy compliance and regulation. The UK passed the Data Protection Act 1998 to comply with the EU’s Directive, establishing an Information Commissioner as its DPA. The Commissioner is appointed by the Queen and reports directly to Parliament.
The current commissioner, Richard Thomas, began prosecution of Ian Kerr, a private investigator used extensively within the UK construction business. An investigation of Mr. Kerr revealed he had compiled a database of 3,213 workers used by 40 construction companies for vetting potential employees. These very prominent construction companies would pay Mr. Kerr £3,000 annually for access to the database and use the information to make hiring decisions. After an eight-month ICO investigation, Commissioner Thomas said he has documents which
“… show that files on individuals included comments on individuals such as ‘communist party’, ‘ex-shop steward, definite problems, no go’, ‘do not touch’, ‘orchestrated strike action’ and ‘lazy and a trouble-stirrer’.”
In a statement, Deputy Information Commissioner, David Smith, said:
“This is a serious breach of the Data Protection Act. Not only was personal information held on individuals without their knowledge or consent but the very existence of the database was repeatedly denied. The covert system enabled Mr Kerr to unlawfully trade personal information on workers for many years helping the construction industry to vet prospective employees. The Data Protection Act clearly states that organisations must be open about how they process personal information, and in most cases those processing personal information must register with the ICO – Mr Kerr did not comply with the law on either count.”
British intellectual property lawyer Steve Kuncewicz said:
“What employers cannot do is use data in the way they have. If they’re not careful, the directors of the construction company concerned could end up facing a criminal charge as well as a civil action.” The EU Directive gives employees the right to see and correct inaccurate personal data their employer may hold about them.
This case suggests the Phorm incident is simply a discrepancy or oversight rather than disrespect for British citizens’ privacy. Commissioner Thomas snared a clear violator and a large sampling of UK construction companies. Deputy Commissioner Smith states quite clearly,
“We will prosecute Mr Kerr and we are also considering what regulatory action to take against construction firms who have been using the system. I remind business leaders that they must take their obligations under the Data Protection Act seriously. Trading people’s personal details in this way is unlawful and we are determined to stamp out this type of activity.”
The complete list of construction companies may be found at the end of the ICO’s statement on the matter. For a privacy professional or CIPP candidate, a quick review of several of Mr. Kerr and the construction companies’ violations of the Data Protection Directive is in order.
Section I, Article 6, of the Data Protection Directive requires that personal data be:
- (b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards;
- (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;
While Section II, Article 7, states that, as criteria for making data processing legitimate, personal data may not be processed unless:
- (a) the data subject has unambiguously given his consent; or
- (d) processing is necessary in order to protect the vital interests of the data subject; or
In Section V, Article 12, data subjects are guaranteed specific rights:
- (a) without constraint at reasonable intervals and without excessive delay or expense:
  - confirmation as to whether or not data relating to him are being processed and information at least as to the purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed,
  - communication to him in an intelligible form of the data undergoing processing and of any available information as to their source,
  - knowledge of the logic involved in any automatic processing of data concerning him at least in the case of the automated decisions referred to in Article 15 (1);
- (b) as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data;
- (c) notification to third parties to whom the data have been disclosed of any rectification, erasure or blocking carried out in compliance with (b), unless this proves impossible or involves a disproportionate effort.