Scottish Affairs Committee - Minutes of Evidence HC 156

Oral Evidence

Taken before the Scottish Affairs Committee

on Tuesday 16 October 2012

Members present:

Mr Ian Davidson (Chair)

Iain McKenzie

Pamela Nash

Mr Alan Reid

Lindsay Roy


Examination of Witnesses

Witnesses: David Smith, Deputy Information Commissioner, and David Clancy, Investigations Manager, Information Commissioner’s Office, gave evidence.

Q670 Chair: Good morning, gentlemen. I welcome you to this meeting of the Scottish Affairs Select Committee. Could I start by asking you to introduce yourselves and tell us what place you have in the organisation?

David Smith: Good morning. I am David Smith. I am Deputy Information Commissioner. In our office we have responsibility for looking after data protection legislation and freedom of information legislation. Under the Commissioner, we have two deputies and I have particular responsibility for data protection legislation. Indeed, I was in post at the time of the exposure of the construction industry database.

David Clancy: I am David Clancy. I am the Investigations Manager within the enforcement department within the Commissioner’s Office. At the time of the investigation into the Consulting Association I led the investigation.

Q671 Chair: I want to clarify each of your backgrounds before you came into this position.

David Smith: Yes, certainly. I have been in this position for over 20 years now with the Office of the Data Protection Commissioner and previously the Data Protection Registrar. Before that I was a full-time trade union officer with NALGO, as it was then, and now Unison.

Q672 Chair: Goodness me, not many people remember NALGO.

David Smith: I do and with some fond memories as well, I have to say.

David Clancy: As to my background, in the 1980s I served as a police officer with the Greater Manchester Police for eight years. After that I was a qualified social worker before I was employed by the Commissioner’s Office.

Q673 Chair: I want to start off by asking you how the activities of the Consulting Association came to your organisation’s attention.

David Smith: I will start and my colleague David can obviously add in more. The activities of the Economic League were something that was known to us, certainly ever since I have been in the Office, and were an area of concern, but at that time, when we were under the 1984 Data Protection Act, essentially the law did not apply to paper records. It only extended to computerised and electronic records. All the information we had was that the Economic League operated on paper records and deliberately so to keep themselves outside the reach of data protection law. Although we had concerns about the activities and the keeping of essentially secret records, at that time there was no action we could take.

What cast a light on it all and started to give us a proper basis for investigation was an article in The Guardian in 2008, which exposed the Consulting Association and the work that was going on there. That provided us with some investigative leads that we could follow up. We did that through the use of phone records using powers under the Regulation of Investigatory Powers Act, which led us to Ian Kerr, who essentially ran the Consulting Association database from premises in Droitwich. We obtained a search warrant for that and David led the execution of that warrant.

Q674 Chair: I will come on to that in a minute. First of all I want to pursue the question of how this came to your attention. This came to your attention because of a press article. You were aware generally, but I want to clarify whether or not you were proactive. Are there other organisations out there that you are undertaking any steps to try and identify, or do you wait on things being drawn to your attention?

David Smith: It’s a mix. We react to matters that come to our attention. We have thousands of complaints of breaches of the data protection law to our Office each year. Those are a primary source of information and intelligence that we act on. We also scan the media. We react to what goes on here in Parliament and pursue lines of inquiry on that basis, but we don’t have any powers to go out and do what I would call proactive checks on organisations. We don’t turn up and audit their activities without their consent to that process. Indeed, at the time we are talking about here we didn’t have an audit function as such within the Office, but we have now developed one and we do have some powers to go and do proactive audits. So the position has changed. We don’t have an ability to just go out and check up on people to make sure that they are complying with the law.

Q675 Lindsay Roy: How many proactive audits have you done?

David Smith: I can come back to you with the exact figure but it would be around 60 or 70 now; it is that sort of number. We are geared up to do that sort of number each year. We started with one team of auditors and we now have three teams of auditors. It is still an expanding area.

Q676 Lindsay Roy: In how many have you found evidence of blacklisting?

David Smith: None of those.

Q677 Chair: What is an audit team? It sounds like hundreds of people or is it a man and a boy?

David Smith: David may correct me if I have got this wrong. There is the head of the team, there are a couple of lead auditors and then something like four auditors. It is about six people, who will split up. When we go out to a business, it is normally two or three people going to a business to do the checks.

Q678 Mr Reid: How many complaints have you had about blacklisting?

David Smith: I believe we have had one.

David Clancy: It is very difficult because we get lots of complaints from individuals who say they believe that they have been blacklisted. We make it quite clear that we would need some form of evidence to support their assertions. Quite often a worker may believe that he has been blacklisted within the workplace because he cannot find a job. What we say is that that isn’t sufficient for us to initiate an investigation. Where there is sufficient suspicion to indicate that blacklisting may be the case, we will carry out an investigation.

Q679 Mr Reid: What would you regard as a reasonable suspicion?

David Clancy: It is whereby somebody can produce some form of evidence, either supported by a third party or other documentary evidence, to suggest that they may be excluded from the workplace. I had to conduct an investigation a while back in relation to one such allegation. It was quite an extensive investigation but it turned out that it was not a blacklisting per se; it was just that a company refused to employ one particular individual because of an incident that occurred on site. Whenever he applied subsequently he was refused access to that site. He believed he was blacklisted and it is fair to say that that company would not employ him because of a dispute in the past. That is not blacklisting.

Q680 Mr Reid: Do you have records of the number of complaints that you have had? I know you have said that only one was backed up by documentary evidence.

David Clancy: We would not record individual allegations of blacklisting separately from all the other types of complaints that we get. We would say that there may be a case of unfair processing. That would be something that would be recorded within the Office.

Q681 Mr Reid: So blacklisting would not be recorded specifically.

David Clancy: We don’t have a specific recording statistic for blacklisting.

Q682 Mr Reid: Do you not think you should have?

David Clancy: It is very difficult to do that. If we do that across the board, we would have lots of different allegations that are made to us that would have to be recorded separately. We could end up with hundreds, if not thousands, of categories of allegations that are made to us.

Q683 Mr Reid: Could you make an educated guess at the number of blacklisting complaints you have had?

David Clancy: Complaints that are supported by any form of evidence would be very few.

Q684 Chair: We can maybe come back to that because there is obviously a difficulty about evidence. Had the press cuttings about the Consulting Association not arrived with you, there would, by definition, have been no evidence. I am therefore not quite clear how you determine the question of when you are proactive or not.

David Clancy: In relation to the article by Mr Chamberlain that initiated the Consulting Association investigation, the article indicated that he had access to some form of evidence or some information and that individual would be willing to speak to our Office in relation to their experience. One of the individuals actually worked in the construction industry and was a participant in the blacklisting process. That indicated that there was strong evidence available to support the assertion that blacklisting was taking place.

Q685 Chair: You were starting to get to the exciting bit about what action you took against the Consulting Association. Maybe we could return to that and you could tell us, once this information was drawn to your attention, what you then did.

David Smith: I will explain a little bit about how the Data Protection Act applies. It does not outlaw blacklisting per se. It outlaws the unlawful processing of personal data. It is perfectly possible to operate a database of this type within the law. These sorts of databases do exist, particularly in the retail industry - for example, to keep track of people who have been dismissed through theft. What is necessary for them to operate within the law is that they are open. The problem with the Consulting Association was the covert and secret nature of it.

Essentially, if an employer when it takes someone on says to the employee, "Look, in the event of your being dismissed for theft, we will report that to our industry database. You have a right of access, a right to challenge, and a right to complain to the Commissioner’s Office", that sort of system can operate. It was the secret nature here that was the problem. The Act also essentially only applies to information that is recorded on an electronic database or in organised, structured paper records. There is no doubt that it applied to Ian Kerr, who operated the database, because, albeit most of his records were paper records, they were certainly structured in a Rolodex form. He had an electronic index as well. But the construction companies who were supplying information didn’t necessarily record the information that they were supplying in a recordable form. If a construction company simply phoned up Ian Kerr and said, "Look, we have dismissed Fred Bloggs from this site today and you ought to put him on the database", I won’t comment on whether the company was acting properly or morally, but that is not a data protection breach by the company.

If someone applies to the company for a job and the company does a check on that person, phones up Ian Kerr and says, "Is this person on your database? Should I employ him?", and they simply come back with a yes/no answer, the breach by the company is potentially the failure to tell someone that they are making that sort of check. That is really how the law applies to this.

None of this is criminal. These are breaches of the data protection principles that personal data should be processed fairly and lawfully, which is about being open with people about how their information is used and that personal data shall be accurate. At that time we had no powers to punish breaches of the data protection principles. Our powers were to bring about compliance through issuing enforcement notices, which we issued to 14 of the construction companies. They basically said, "You must stop supplying information and you must stop using this database."

A breach of those notices is then a criminal offence. This is not a punishment as such. Suggestions that all we did was rap people over the knuckles or whatever are a little wide of the mark because the powers were not even about rapping over the knuckles; they were about delivering compliance. We issued one of those notices to Ian Kerr. We have an urgency procedure and it was the first time we had used it where we can issue a notice as a matter of urgency to stop him using the information with immediate effect.

Q686 Lindsay Roy: Is that not a rap over the knuckles?

David Smith: No. I don’t see it as a rap over the knuckles. It is translating the general requirement in the Data Protection Act to process information fairly and properly into a specific legal obligation where there has been evidence of the breach. There is no punishment element in there. It is just placing you under a stronger obligation to comply with the law. The rap over the knuckles comes if you fail to follow that notice.

Q687 Lindsay Roy: It’s saying, "Don’t do it again."

David Smith: It is saying, "Don’t do it again", yes. "Don’t do it again or that will be a criminal offence"; that’s right.

Q688 Mr Reid: There is one point I wanted to raise. Mr Smith said that for it to come under the terms of the Act the data would have to be in a structured form. Does that mean that, if I was to hold information on people’s trade union activities but it was all handwritten on scraps of paper and wasn’t filed in alphabetical order, if I don’t file it in some structured way, then I am not breaking the law?

David Smith: That is correct; yes.

Q689 Mr Reid: Do you not think that’s a big loophole?

David Smith: It is a loophole but how big a loophole in this day and age when most records are held electronically anyway is open to question. The original intention of data protection law was essentially to protect people from the growth of electronic computerised records and the power that that brought in terms of processing information. That was the extent of our original 1984 Data Protection Act.

When the new 1998 Act came in - because it was based on a European Directive, and some other laws, particularly the law in Germany, already extended it to these structured paper records, the IDB paper records, which operated like a computer system, if you like - that was brought into UK law.

Q690 Mr Reid: Suppose I effectively made up a blacklist of a few hundred people, each of them recorded on a separate piece of paper. Simply by not recording it alphabetically but filing it in some formula that I hold in my head and I can put my hand on straight away, when you do a raid, I would just tell you that that is not a structured database and you wouldn’t be able to do anything.

David Smith: Possibly. If it was a serious breach like the holding of blacklisting information, we would do our best to argue that what you were holding was a structured record. Even if it is a little bit disorganised, if it is not too big a record and you know what is there, essentially you hold the index in your-

Q691 Mr Reid: But I am going to tell lies when you come and ask me. I am going to say, "No, it is not structured", even though I have the structure in my head.

David Smith: That’s right and at the end of the day we would use our enforcement powers.

Q692 Mr Reid: But how could you if I argued that this was unstructured?

David Smith: Because we could say, "We don’t believe you." We would issue a notice and you could appeal to a tribunal and argue it there. You make a very sound point. We would have to weigh this up as to how convincing we could make our arguments that we don’t believe you. I can only agree with you that the law would be stronger if it applied to all sorts of records, but it is not a law about individuals processing information about each other. Your personal household records that you might keep of your friends and so on would not come within the scope of the law, but if you were operating a business, even if it was not structured paper records, there is an argument that those should be covered where they have information about individuals.

Q693 Mr Reid: But the law as it stands at the moment would seem to suggest that that is not covered.

David Smith: Yes. It applies to electronic records and information in what is called, in the law, a relevant filing system. It talks about structure, accessibility and so on in defining a relevant filing system.

Q694 Chair: Can I just be clear then? Those construction companies who were supplying information to the Consulting Association were not committing any offence by supplying that information even if it was false.

David Smith: They were not committing a criminal offence, no. They could have been in breach of the data protection principles if they held that information themselves on a database.

Q695 Chair: That’s right, but, if they were simply submitting information on a case-by-case basis to allow somebody else to compile the electronic list, the supplier was not committing an offence.

David Smith: That’s right.

Q696 Chair: Then, if the construction company accesses the list, they themselves are not committing an offence.

David Smith: That’s right. I hesitate on "offence" because they are not criminal offences; they are breaches of the Data Protection Act. They have to be a data controller for the information, but they are not a data controller unless they have it recorded in paper form.

Q697 Chair: We will obviously make recommendations. Surely someone who condones, supplies or accesses lists or information for lists is just as guilty as those who hold the material.

David Smith: I can really only comment on what is guilty under the law we have, but there is clearly an argument that there was wrongdoing.

Chair: "Under the law" is a wonderful euphemism. This is wrongdoing that should be punished in some way or another.

Q698 Mr Reid: I want to explore this a bit further. I take your point that there is no criminal offence, but there are the data protection principles. I understood that, if I hold data, I am only allowed to process that data for the purposes for which I acquired it. Is that correct?

David Smith: That is essentially correct.

Q699 Mr Reid: If I hold data about employees, I am presumably entitled to use that data to pay them, to allocate holidays, to manage sick leave and all sorts of things like that. Surely handing that data over to a third party is a breach of the data protection principles.

David Smith: That would be right. You could correct that by telling the person that that was your intention.

Q700 Mr Reid: If I don’t actually tell the person that my intention is to hand it over to a third party, then I am breaking the data protection principles.

David Smith: Yes, if the data that you pass to the third party is data that you hold. If it is just, "We sacked Fred Bloggs from the building site", and you haven’t recorded that in a record, then that is not data you hold; it is just information that you have.

Q701 Mr Reid: If I fire Fred Bloggs but don’t write down that I have fired Fred Bloggs and I then tell a third party that I’ve fired Fred Bloggs, then I am within the law.

David Smith: Yes.

Q702 Mr Reid: But, if I write down that I have fired Fred Bloggs and tell a third party, then I have broken the law.

David Smith: We are in danger of getting into angels on a pinhead here.

Q703 Mr Reid: But it is important.

David Smith: If you are disclosing information from your recorded database, then that is a breach of the Act. If you go to your record and you say, "I am disclosing to Ian Kerr that Fred Bloggs was dismissed", and that is a disclosure from my record, you are disclosing your computerised or manual record.

Q704 Mr Reid: But surely a company that fires somebody records that they have fired them.

David Smith: You would expect so, but they might not record all the reasons that they pass over.

Q705 Chair: If they say that they have sacked Fred Bloggs, "And here is his national insurance number", then that is clearly a breach, is it not, because the national insurance number is held by them in some form of their records?

David Smith: Yes.

Q706 Chair: So anybody who has supplied a national insurance number has committed an offence.

David Smith: It is likely, yes, that anybody who supplies a national insurance number-

Q707 Chair: What are the circumstances in which somebody could supply a national insurance number and not commit an offence?

David Smith: If someone came to a building site for a job, presented their record or gave a national insurance number to whoever was employing them on the site and simply the person on the site phoned up Ian Kerr and said, "I’ve got so-and-so here with this national insurance number", and the information was never recorded in the construction company’s records. I can only agree that that is unlikely. If a national insurance number is disclosed, that is likely to have come from a record, and, if the person wasn’t made aware, and again it is almost certainly the case that they weren’t made aware, then that is almost certainly a breach of data protection.

David Clancy: Can I just jump in at this point? From my knowledge of the way that this system operated, what you would get is a situation whereby you might get a construction worker who goes to an agency. They understand that vacancies are available on certain sites. The agency may phone up representatives of the construction company to say, "We have Dave Clancy here who is looking for work. He’s a qualified electrician. This is his national insurance number." That information may be recorded on a note within the construction company. They will make a check with Kerr, come back and say, "Do not start Dave Clancy; he is a troublemaker." That information then goes back to the agency. There may never be any record within the construction company of that check having taken place other than the fact that Kerr would bill the construction company for a fee. The construction company may never hold in any official records the name of Dave Clancy and my national insurance number.

Q708 Chair: That is clearly a loophole then, isn’t it?

David Clancy: It is something that the legislation doesn’t cover at this moment in time.

Q709 Chair: That is almost a definition of "loophole", isn’t it?

David Clancy: Yes, but all we can do is act within the legislation.

Chair: Absolutely. We are going to make recommendations from this. We are just seeking clarification. You are confirming to us that that is a loophole and we will respond accordingly. It was just in case there was another interpretation of it that I had not picked up.

Q710 Mr Reid: Say information is given over the phone. Say I am an employer and somebody comes to me looking for a job. If they hand me a piece of paper with their national insurance number on it and I hold that piece of paper, and I then phone up the Consulting Association, am I committing an offence if I hold that piece of paper in my hand and read out the national insurance number?

David Smith: Probably not, no.

Q711 Mr Reid: But I hold the data.

David Smith: But it is not held in a structured filing system. It is just a scrap of paper, as we have talked about.

Q712 Chair: I understand that. I want to come back to the other point you mentioned about enforcement notices. As I understand it, you wrote to construction companies asking them if they were doing these things. If they replied and said, "Yes, we were", you sent them an enforcement notice saying, "Don’t do it again." If they did do it again, that was then a criminal offence. Is that right?

David Smith: That’s correct.

Q713 Chair: What happened if somebody did not reply or they replied saying, "It wasn’t me"?

David Smith: Everybody did reply. We looked at the responses that we received from those businesses. If you will just bear with me a moment, I can tell you that some of the responses came back that the company was no longer in existence or it was mistaken for a different legal entity. With some of them we had no evidence that they had made any use of services within the previous five years; they had been a past customer. Some of them expressly denied ever processing information by means of electronic media or recordings. This is the discussion we have had. They said all they did was yes/no exchanges over the telephone. Some of them denied ever using the services at all. They said they may have attended networking meetings organised by the Association but didn’t use the checking services. Those ones that came back with a variety of those reasons we didn’t pursue to formal notices.

Q714 Chair: Some of them might have been lying.

David Smith: They might have been, certainly.

Q715 Chair: In those circumstances was that where you then conducted audits?

David Smith: No. Our intention here was to stop the construction industry database and the blacklisting system of which that was the basis from operating - to close it all down. Essentially, we were satisfied that the system had been closed down. Ian Kerr had ceased operating to all intents and purposes. It is a fair point, Chair. Not using our audit power, we would have had to go to court and get a warrant to search the other construction companies, but there probably would have been sufficient grounds. It is grounds for suspicion that there is a breach and there is no doubt that we had that. But we concluded that going to court to get a warrant to investigate these companies to find out, as we may have done, that some of them weren’t telling the truth, so that we could then issue them with a notice that required them to stop doing what we were satisfied they had stopped doing anyway, would not have been a good use of resources and effort.

Q716 Chair: How were you satisfied that they had stopped doing this? They had told you that they had stopped doing it, but how did you know that they weren’t doing exactly the same thing but with somebody else?

David Smith: There was no reason to suppose that anybody else had set up the equivalent of the Consulting Association database. There is no evidence to this day to suggest that that has happened. We have closed down the perpetrator of the database - Ian Kerr.

Q717 Chair: We have been approached about a firm called Caprim. It has been suggested that they are operating in the same way and that they operated in the same way at that time. Was that ever drawn to your attention?

David Clancy: I don’t recall Caprim being drawn to our attention. It has subsequently been drawn to my attention, yes. The GMB raised that as an issue only recently. My view is that, if there is evidence that Caprim are operating a similar system and if GMB have any evidence that they can provide to us, then we will no doubt follow that up.

Q718 Chair: But you didn’t have that at the time.

David Clancy: As far as I am aware, it was not within my knowledge.

Q719 Chair: Maybe that is something you can check for us. As I mentioned privately to you outside, if upon reflection or when you have left here you discover that the answer you have given wasn’t accurate because there was information of which you were not aware, then you can let us know. I am taking it that you were not aware of Caprim at the time, though it has been drawn to your attention since. Was there any other organisation that was undertaking this sort of work of whom you were aware at the time or to whom your attention has been drawn since?

David Clancy: To my knowledge there has been no indication of any other organisation, other than the Economic League, which I believe was a precursor to the Consulting Association.

Q720 Chair: I want to go back to the stages that were taken. You were telling us that you raided the offices of the Consulting Association. Can you clarify what happened from then or what happened when you visited them?

David Clancy: Yes. We visited the premises of the Consulting Association after we obtained the search warrant at Manchester Crown court. When we attended the premises, Ian Kerr was on the premises along with one female. Straight away, as soon as we almost entered the premises, we identified the Consulting Association database - the card index system that operated the blacklist. With this was an index system that clearly indicated A-Z who the workers were within the database. We quickly identified the construction companies that were using the database.

That was the extent of the cover of our warrant. Our warrant said we could search for evidence that indicated there was a blacklist within the construction industry. We removed that information, took it back to our office and then formulated a plan of action to deal with Kerr, the construction companies and how we would deal with construction workers to try and let them have access to their records.

Q721 Chair: There was more stuff there, was there, that wasn’t covered by your warrant?

David Clancy: There was a lot more stuff within the office that wasn’t covered by our warrant, yes.

Q722 Chair: When you say "a lot more", did you seize 10% of the stuff, 5% or 90%? Give me an idea.

David Clancy: It is very difficult. I would say between 5% and 10% of the stuff. We didn’t actually search every item within the office because our warrant specifically said "the existence of a blacklist". Once we had found that, our search, in theory, should stop because we had found the evidence that we were looking for.

Q723 Chair: In a sense what you were looking for was evidence that it existed - not the entire blacklist and everything related to it.

David Clancy: That blacklist was the blacklist of the construction industry.

Q724 Chair: Was what you seized and what you saw relating to the construction industry 5% of the material that was there?

David Clancy: We saw the blacklist. I can’t say exactly what it was in relation to the entire construction industry blacklist because we looked and found the blacklist. That was the blacklist that was operating.

Q725 Chair: You took a pile of stuff away with you.

David Clancy: Yes.

Q726 Chair: What percentage of the stuff that was there did you leave?

David Clancy: As I said, we are talking of between 5% and 10% of what was in the office. What the other 90% or 95% was I can’t comment on because we didn’t go through lots of it. We just took the information that was relevant to our inquiry.

Q727 Lindsay Roy: How do you know that there wasn’t another blacklist?

David Clancy: We were satisfied that that was the blacklist because it was quite clear-

Q728 Lindsay Roy: But how do you know that the 85% that was left didn’t contain a blacklist?

David Clancy: I was satisfied at the time. I had looked at it and thought, "This is the blacklist." It was quite clearly an A-Z of the workers with the monodex system.

Q729 Lindsay Roy: Did you look at the 85% or sample 85%?

Chair: Sorry, 95% because it was 5%.

David Clancy: We didn’t go through all the other information. We looked and said, "We are satisfied that that is the information. That is the blacklist that operates within the construction industry."

Q730 Lindsay Roy: Why didn’t you look at the other stuff?

David Clancy: As I said, we were satisfied that that was the information that was covered by the scope of the warrant.

Q731 Chair: How did you know that the other stuff was not relevant if you did not look at it?

David Clancy: We started looking at stuff but we just dismissed that and then said, "Right, this is what we have come in for." When we started the search there was a number of officers that attended. We started searching for information and suddenly one of the officers said, "I’ve found what appears to be what we are looking for." We then looked at it, spoke to Kerr and we satisfied ourselves. In fact Kerr provided us then with a list of the participant companies.

Q732 Chair: What was the other material that was there?

David Clancy: I can’t say what the other material was.

Q733 Chair: What do you mean you can’t tell us? Is it that you won’t tell us or that you don’t know?

David Clancy: I can’t tell you. I didn’t go through every piece of paper and identify what it was.

Q734 Chair: Did you go through anything? Can you tell us any information about anything else that you saw?

David Clancy: We were just looking through information and said, "This is the blacklist", and that was it. We were satisfied that that was the information we were looking for.

Q735 Chair: Was it shopping lists, car repair receipts, mortgage documents or blacklists for other industries?

David Clancy: I can’t say. I don’t recall seeing any other blacklist for any other industries. As I said, we focused on what we came in for, which was the blacklist for the construction industry.

Q736 Chair: You can see why we are struggling slightly here. You go into an office and take 5% of the material. We are trying to clarify what the other 95% might have been. Did it look as if it was the same thing? Did it have a big label on the top saying "Building Industry This Way", "Retail This Way" or "Engineering That Way"?

David Clancy: No; there was nothing like that.

Q737 Chair: Help us.

David Clancy: We just went in there and there were filing cabinets full of stuff. We identified that we had the blacklist for the construction industry. We looked at it and thought, "This is the evidence we came for."

Q738 Chair: So, for all you know, there could therefore be blacklists for a whole number of other industries: the shipping industry, the railways, local government or anything else.

David Clancy: There could have been, but I don’t know; I didn’t see that list.

Q739 Chair: Did any of your colleagues see anything?

David Clancy: As far as I am aware, we did not see any other blacklist of the nature you are talking about.

Q740 Chair: If you were able to identify that you had not seen a blacklist, by omission you must have been able to identify what it was you were seeing. So what was it you were seeing?

David Clancy: When we went in there the blacklist was contained in a box. That was the box with the blacklist in, with the index on the top and the card index system. We removed that. There were lots of other files within the office. I can’t comment on what was in those files. It is not that I don’t want to comment on them but I can’t comment on them.

Q741 Lindsay Roy: What was the nature of the rest of the business?

David Clancy: Kerr’s business?

Lindsay Roy: Yes.

David Clancy: I think he did provide some intelligence to the construction industry. It would appear that he provided some form of press cutting service.

Q742 Chair: So we are left in complete ignorance about what the remaining 95% was in Kerr’s office.

David Clancy: Yes.

Q743 Chair: And you didn’t see it as being relevant at all to clarify what it was.

David Clancy: It didn’t appear within the scope of our warrant.

David Smith: Chair, we have to be very careful, particularly given who we are. We had a warrant, the scope of which was to seize-

Chair: I understand that.

David Smith: Going outside the scope of the warrant would have been-

Q744 Chair: I agree totally, but what I am struggling with is that I am not clear from what you are saying to me whether or not this was car receipts, motoring expenses, electricity bills, or whether or not it was a completely different blacklist that was identified as not being relevant to the warrant and therefore you could not take it and you quite properly left that alone. It is obviously relevant to us to know whether or not there were other blacklists there that you felt you were not able to lift at that time because they weren’t covered by your warrant. These seem to me to be not unreasonable points to make to you.

David Clancy: I can understand why you are asking the questions but I can only answer with what’s within my knowledge. I can honestly say that that was the information that we were looking for. We removed that, but there was lots of other stuff that we didn’t look at because we were satisfied that that proved the breach of the Act that we were there to investigate.

Q745 Chair: You wouldn’t be able to collect all of the material relating to the construction industry blacklist; you were there to obtain proof that a construction industry blacklist was operating.

David Clancy: That’s correct.

Q746 Chair: There could have been twice as many names for the construction industry blacklist or 10 times as many names actually there, because you weren’t interested in collecting everything relating to that; you were only interested in obtaining enough information to establish that this did exist.

David Clancy: When we looked at the information that we had it was quite clear that it was extensive. It went back over 30 years and covered the construction industry. We were satisfied that that was the database we were looking for.

Q747 Chair: Was that the entire database?

David Clancy: I can only say that I was satisfied at the time that that was what we were looking for.

Q748 Chair: No; with respect, that was not what I asked you. You were looking for proof that there was a database and you got it. I understand that. What I am asking you now is whether or not you were satisfied that you got the entire database.

David Clancy: I was satisfied at the time that we got the entire Consulting Association database, yes.

Q749 Chair: Dealing with everything or dealing only with construction.

David Clancy: Dealing with the construction industry. That is all we were looking for.

Q750 Chair: How were you satisfied that in some of the other files and filing cabinets there wasn’t also material relating to the construction industry if you had not gone through them all?

David Clancy: I was just satisfied at the time. We went in there and looked for the information. We had spoken to Kerr and were satisfied that that was what we had gone in for. That was what was covered by the warrant.

Chair: We have gone round in circles enough there, I think.

Q751 Iain McKenzie: I have a quick question on that. Were you satisfied you had the blacklist because of the help and assistance from the Consulting Association on the 5% that you had discovered? It is almost like, "It’s a fair cop. I will tell you everything I know on that 5% to get you off my back. Go away and leave me with the 95%." How readily did they respond with the additional information on the 5%? You are saying they gave up to you the businesses they were dealing with and so on. How readily did they do that? When you discovered that blacklist, was it, "Oh, it’s a fair cop; there you go. There’s additional information and don’t look at the rest"?

David Clancy: We were in there and recovered the actual database. We started looking for information in relation to the companies that were accessing the database. At one point I remember asking Kerr, "How do you identify the companies?", because I realised that there were numbers on the cards which identified people who were providing information to and from. Kerr provided us with a list of those companies.

Q752 Iain McKenzie: Forgive me, gentlemen, but it seems a strange raid. I am trying to put it in the context of what the police would do. If the police did a drugs raid, they wouldn’t go in, find a pill and say, "Right, that’s enough; let’s go", and leave it at that. They would assume that that room had additional things to look at and so on. But you didn’t because you decided that 5% was enough.

David Clancy: Yes. The police would no doubt operate the same system. They would look and say, "Have we secured the evidence that we are looking for?" You can’t do speculative searches elsewhere. We went in there. The warrant covered the existence of a blacklist of construction workers. That’s what we found.

Q753 Chair: You might have picked up that we are not entirely happy with that. It does seem to us, to use the police analogy, that, if they had found drugs, they might very well have gone on to find a couple of shotguns as well. I don’t think it would be acceptable if we were discussing this with the police for them simply to say they got what they came for and so they stopped. I am genuinely surprised that you stopped at that point. I can entirely understand why you did not feel empowered to collect everything that was there. Originally we were going to ask you why you didn’t just take everything, but you have told us that you felt constrained by the narrowness of the warrant that you had. I still don’t understand why you didn’t go through everything else just to make sure that it wasn’t entirely relevant.

David Smith: I am not sure that that was our purpose. Our purpose was investigating Ian Kerr as to the setting up of the database. We obtained a warrant to get evidence that he was operating in breach of the Act. Once we had obtained that evidence, which we did, we had the evidence to take enforcement action, which we did take.

Chair: As you can tell, our enthusiasm is less than total.

Q754 Lindsay Roy: How many individuals were held on file?

David Smith: It is 3,400.

David Clancy: It is 3,200.

Q755 Lindsay Roy: Were these individuals contacted and told they were on this database?

David Smith: No, they weren’t.

Q756 Lindsay Roy: Why not?

David Smith: We took it upon ourselves to set up a service where individuals could contact us to check whether they were on the database. The starting point is that the person who would be responsible for giving access under data protection legislation is the data controller - the owner of the database. That would be Ian Kerr. There was clearly a difficulty there because, if he had gone out of business and wasn’t co-operating, then nobody would get access to their data.

Having seized the database, we set up the arrangement whereby individuals could contact us to check whether they were on the database. We publicised that arrangement. It was part of all the press material when we announced the successful warrant against Ian Kerr and the action we were taking.

Q757 Lindsay Roy: How did you publicise it? How did you make it available publicly?

David Smith: We put it in our press information. It was picked up by the press. It was there on our website, and we have had more than 2,000 responses to that.

Q758 Chair: There will still be large numbers of people who have not contacted you about this. Why were you not more proactive? Where you had addresses, why did you not write to the person named on the address with a "Return to" so that if they had moved away it comes back to you? Why did you not place adverts in the paper rather than rely on the press printing your press releases?

David Smith: Because essentially we thought we were doing the right and proportionate thing at the time by enabling people to have access. To write out to everybody at what were in many cases very old addresses - they came back from the old Economic League records - would have raised issues both about the resources that we would have had to put into that and the risks of writing out to old addresses from where someone has probably moved. You at least have to give a hint that someone was on the database.

Since then, and only in the last few months, we have received representations from Liberty and the GMB that we should have done more and we should have written out. We are now taking steps to put that into place, but I have to say to you, Chair, that nobody raised any question for three years that we were not doing enough to notify people. 2,000 or so people were sufficiently aware to contact our office to ask those questions.

I do accept that we could have done more, and, maybe, on reflection, even we should have done more, but please don’t think we were cavalier or not living up to our responsibilities. We thought we were doing what was the right thing to do at the time.

Q759 Iain McKenzie: How many of the 2,000 who contacted you and who assumed they were on some blacklist turned out to be on the blacklist?

David Smith: We have had 2,400 who have contacted our telephone inquiry service. If you contact our telephone inquiry service, essentially you give your name and we either say to you, "There’s nobody who looks like you on the list", or, "There’s someone who looks as though it may be you, so write in." We have had about 620 people write in. As I say, some of those may have just written in and never phoned us. Of those that wrote in, we have scored 198 matches; so 198 people have had their information back.

Q760 Iain McKenzie: Isn’t it worrying that 2,500 people assumed they were on a blacklist and, when they wrote in, they had to go through two filters and discover that almost 200 were actually on that blacklist? Did those numbers not indicate that there was a lot more to be found in that office than you thought with these numbers?

David Smith: That is not what it would suggest to us. It was just that there were that number of people who had been turned down for jobs and may have suspected that they were on a blacklist, and actually they weren’t on the blacklist. I don’t think it suggests that there were other blacklists in operation of this type. It may suggest there were informal networks within the construction industry where information was still passed around from one person to another.

Q761 Chair: It seems to me that the exercise you undertook did not work in a sense. Like my colleague, I am a bit surprised at these two levels of filter. I can understand the point about people having to make contact with you in some way or another, but, if you phone in, you then have to write in. My knowledge of construction workers is less than total, but their enthusiasm for writing in letters to bureaucratic organisations is not up there with lawyers and accountants. I would have thought that quite a number of them would have seen this as just simply a way of fobbing them off. "Ah well, very good, write us a letter and we’ll think about it." That doesn’t sound particularly co-operative and helpful. I would have thought that if you now only have less than 200 matches - I think you said 198 matches out of 3,500 over the three or four years since this came out - you are not progressing all that well in terms of contacting people.

David Clancy: In relation to the two-tier system of checking on individuals, you have to understand that we wanted to satisfy ourselves that the person asking for the information was the person that information belonged to. I am aware of a situation whereby somebody phoned the Commissioner’s Office in an attempt to try and obtain information to satisfy themselves whether a senior official within a union was on a blacklist. Unfortunately for them, they provided the wrong spelling of the forename, but, had they got confirmation, then they could have used that information to say, yes or no, whether this person was blacklisted or not. I am aware, anecdotally, that this information was used in some campaign for leadership within the union to say that this person didn’t appear on the blacklist when in fact the person did. That is why we had to be careful. We had to make sure that, if somebody phoned in, there was a confirmation. "It would appear that you may be on the blacklist, but send us some form of identification in order for us to provide you with a redacted copy of what this organisation held about you."

Q762 Chair: So you had to send identification as well.

David Clancy: Just to confirm that that person was who they said they were.

Q763 Chair: What sort of identification did people have to send?

David Clancy: It would be the JIB cards or maybe a passport or driving licence. It would be something that allowed us to confirm that we believed that that was the person.

Q764 Chair: I understand some of the reasons behind this, but you can understand why that operates at quite a high level of filter. It is almost as if that was designed to stop people getting this information.

David Clancy: We are the Information Commissioner’s Office. We have to apply that degree of security in those circumstances.

David Smith: Any suggestion that it was designed to stop people - I know that is not quite what you are saying, Chair - is misplaced. We were keen to make this information available. We set up the service but we had to properly protect that information.

Q765 Chair: If you were on a bonus system and had been given targets and so far you had 198 out of 3,500 on the list contacting you, you wouldn’t have got much of a bonus, would you? The system clearly is not working. If the objective is to get in touch with people and tell them they are on the blacklist, then it’s not working.

David Smith: The objective is for people who think that they may have been on the blacklist, and may have a compensation claim because they have suffered damage because of that, to be able to pursue that. It wasn’t simply to notify victims for the sake of notifying them. They are not victims of criminal activity here. We keep coming back to that. This is not crime here.

As I have said, many of the records were very old Economic League records. Many of the people may well be dead now or their lives have moved on considerably. I certainly do not have any reason to suppose that there are 3,400 people who, if only they knew, would all be queuing up at the courts to take action, but I do accept there may be some people who are not aware and for whom more could be done. We are doing more now.

Q766 Chair: It would be helpful if you could let us know, on reflection, what you intend to do to try and contact these 3,500. I appreciate that you may not have it at your fingertips, but what steps have been taken is something we would want to include in our report in due course.

David Smith: I can tell you roughly what we are doing. We have had an approach from the GMB about identifying their members and enabling them to notify or get in touch with people who may have been on the blacklist. We are in the process of setting up a system with their lawyers to enable them to check their membership list against our records and then contact those where there appears to be a match. All that is progressing and we are in the process of setting up a confidentiality agreement with their lawyers.

We have had a similar approach from UCATT. We have a meeting with them tomorrow so we are progressing that. We are also looking at the feasibility of contacting others who do not match against the GMB or UCATT records. We are essentially looking at tracing organisations to check, if we can, whether there is a match with the name and a current address. We are exploring at the moment about using those services. We are in discussion with some businesses about commercial products that they offer. We are likely to do a trial run of, say, 100 or 200 and write out to them to see what response we get. That will provide evidence, Chair, for the points you are making as to whether there really is a pent-up demand or people are not interested.

Q767 Iain McKenzie: I want a wee bit of further information on the initial phone call - the contact. Is it the case that you just call up and leave your name and number? "I am John Smith and here is my number. Am I on the blacklist?" You would then call back and say, "Yes, lo and behold there is a John Smith on here but you need to send in additional identification so that we can further check it." Is that a basic message that can be left?

David Clancy: It is that type of information. I respond quite often because within the construction industry quite a lot of the workers have my number. They will ring me up personally and I will check the information from them. You have to understand that there is a lot of inaccuracy on the database. It is historic information and you cannot trust these construction companies to provide accurate information to Kerr.

On occasions we also have to accept that some of these construction workers gave aliases in order to access the workplace. On one particular occasion I had a situation whereby one worker who had a court order for access to the information has had a look at the database and he told someone that they appeared on the database. That person phoned me to check whether he had a card within the system. On the information he provided I couldn’t identify him. I had to ask that person, "Did you operate under an alias within the construction industry?" He said, "Yes; this was my alias." Once I knew that, I was able to access his record, but it was quite clear that the other construction worker knew his alias and identified the card there. On face value there was no record there.

We will do that and people will ring up and ask, "Am I on the database?" There may be one or two entries that are very similar. We will ask them probing questions, if we get access to the cards, such as, "Were you involved in any particular dispute in this period of time?" "Oh yes, I was involved in a particular dispute and that resulted in me being dismissed from such-and-such a site."

We will get confirmation. We just don’t do it on very basic information. At times we will go further into that to look at the information that is contained within their records in order to try and facilitate disclosure of that information to the individuals. The system is not there to block their access; it is there to try and give them access where we can. As Mr Smith said, we could have done better.

Q768 Chair: You can understand why we didn’t quite come to that impression in the sense of what would be best practice elsewhere. I want to return to the question of enforcement notices and the issue of the firms to whom you wrote and who sent you replies. Can we have copies of those responses?

David Smith: I am sorry, Chair, but you can’t have copies of the individual company-by-company responses because we are under a duty not to disclose information about identifiable businesses that come into our possession as a result of our activities. We can certainly provide you with the information that we provided to Liberty and will provide more widely, which is the underlying report on which our analysis is based. That sets out the reasons why we would not necessarily-

Q769 Chair: Could you give us a list of the firms to whom enforcement notices were issued?

David Smith: Yes; we can certainly give that.

Q770 Chair: And the firms to whom letters were sent.

David Smith: Yes, I think we can give that. I will check and we will give you what information we can.

Q771 Chair: By a process of elimination we can then work out, and if necessary write to the firms ourselves, those who are on one list but not on the other.

David Smith: Yes.

Q772 Chair: Can you clarify for us the sort of information that was held on these employees? I have seen some of the files. Some are names; some are national insurance numbers; some have personal comments that are somewhat derogatory; some relate to various incidents; and some relate to political activities. Were there any other categories of things that were there that were not directly relevant to people’s industrial experience?

David Clancy: It is fair to say that there was information in relation to third parties that was not relevant to particular individuals. There was information in relation to their spouses and vehicles that they may have used, and other information in relation to third-party occupations, the individual’s occupation and education and so on. You would say it was beyond the scope of work records.

Q773 Chair: Quite a lot of that was actually beyond what would have been relevant to a construction company deciding whether or not simply to employ somebody.

David Clancy: It could be information in relation to a person’s political leanings.

Q774 Chair: In one of the hearings, Mr Clancy, you indicated that you thought some of this material had been received from either the police or security services or something similar. Can you clarify why you thought that?

David Clancy: It is the language that is contained within some of the reports. It is a small number of reports of the 3,000 odd files that are in there, but some of them indicated to me, being an ex-police officer, that the information contained within those could have come from sources such as the police and the security organisations.

Q775 Chair: Was that simply just because of the language that was used? As an ex-police officer, if somebody was telling you things, you might then have written them down in a police officer manner, such as, "I was proceeding in a westerly direction" or something similar, rather than it having been a police officer that put the information in.

David Clancy: I believe some of the information would have come from those types of sources. There were entries such as a person being removed from the country and coming back into the United Kingdom. This was at a particular time when perhaps people from the Republic of Ireland were being monitored. This was what would appear to have been an Irish national and individuals being given security clearance working on MOD construction sites. There was information in relation to the registered keeper details of vehicles. Where would that come from?

In one particular case there was what was referred to as "a special" within the database attached to one individual’s records. That seems to be an in-depth analysis of an individual’s home circumstances and what his neighbours thought about him. In my opinion, that would have been part of, in effect, an intelligence record in relation to an individual. That could have been police or other sources. It is the very nature of the information and the way it is worded. Most entries within the database are referenced to individuals. It would be individuals of construction companies. Where there is reference to "specials", the only reference is to "J", which I believe may have referred to Jack Winder, who was a previous member of the Economic League. These were old records.

Q776 Chair: The ones that are dealing with things that might have come from the police and security services you would relate to this "J", who had previously been working for the Economic League.

David Clancy: In relation to where it makes reference to "specials", yes.

Q777 Chair: That would suggest that that was simply material that had been carried over by Ian Kerr rather than currently contributed, as it were, or at that time.

David Clancy: Yes.

Q778 Chair: That is helpful. As I understand what the Consulting Association was doing with the information it held, it got it in and it sat there passively waiting until somebody contacted it to ask if Mr X was on the records. It then gave out the information and billed the company involved. Is that the business model?

David Smith: That is my understanding. The evidence we have suggests that it didn’t necessarily give out the information it held. It was often, "Don’t employ this person", or, "This person’s not on the database", rather than disclosing all the contents of the file.

Q779 Chair: How do you know that?

David Clancy: If you are looking at the records, you get a feel for how the system operated. You would quite often just see a record in relation to a check. A construction company would make a check. It would be checked by reference to the construction company and "Did not start" or an indication that their employment was never taken up.

Q780 Chair: As I understand it, there were two sets of charges. There was a membership fee and a usage fee for firms with a construction association. Do I take it that evidence of a usage fee is evidence of having access to a blacklist? Is there anything else that that could have been for?

David Clancy: You had a quarterly fee for membership of the Consulting Association. Within that quarterly fee it would appear that you got so many checks included. Once you extended beyond those checks, then you were billed separately. I think it was £2.20 per check. If you didn’t exceed your amount, then you just paid the quarterly fee. Some organisations may have just paid the quarterly fee but not carried out any checks. We were able to cross-reference the records that we had that indicated that some organisations did not carry out any checks within a quarter, whereas other organisations did because of other information that they held.

Q781 Chair: Surely there are three categories. There are those that paid the quarterly fee and did not access. There are those that paid the quarterly fee and did access but not beyond the limit. Then there are those that did access above the limit. How could you distinguish between those that paid the quarterly fee and did not access and those that paid the quarterly fee and did access below the limit?

David Clancy: Kerr kept quite extensive records in relation to the usage.

Q782 Chair: That is helpful. It has been suggested to me, "This was just a membership fee and we went along to meet people." It was a networking organisation like the Rotary or the Masons, with apologies to anybody who is in any of these organisations. It was not, as it were, an organised conspiracy in any way. So you have information from his records that would confirm who actually used them to access particular people’s employment records. Can we have that?

David Smith: Sorry, Chair, the information-

Q783 Chair: What we want to know is whether you can give us a list of the firms who did access Kerr’s database to check individual workers.

David Smith: I am not sure that we know, at the end of the day, which ones. We have a list of 40-

David Clancy: We would be able to work out the quarterly usage figures of organisations.

David Smith: Let us take that away and consider it. We will give you what we can that doesn’t expose us to criminal breaches of the information.

Q784 Chair: It would be helpful if you could give us what you can. If there is stuff there that you can’t give us, we want you to tell us that you can’t give us it.

Lindsay Roy: And what it is you can’t give us.

Chair: We want to know the known unknowns as well as the unknown unknowns.

Iain McKenzie: I thought this list was voluntarily given up by this gentleman, saying, "Here is the list of businesses that have been using it."

Chair: But they are bound by confidentiality.

David Clancy: It is quite clear that the list has been published of the companies that were subscribers to the Consulting Association. What the Chairman is asking for is the quarterly usage figures. Kerr generated them to bill each individual company.

Chair: I am worried about firms saying, "It is nothing to do with us. We never used these lists. We just used this to meet people at various things for a drink and all the rest of it, to talk about health and safety, the weather and the state of the industry", as distinct from using it to access individual records. I want to clarify whether or not your information would sort that out for us.

Q785 Iain McKenzie: You would think they would be getting more for their money than just a yes or a no over the phone with a check. They must have been receiving more information than that, surely.

David Clancy: Ultimately all that most of them would have needed to have known was whether we actually employ this person or not.

Q786 Iain McKenzie: As an employer you would then be saying, "But how accurate is this? I need something more than just you saying on the phone no or yes." I could be sitting there with a list and just making up every tenth phone call saying, "No, don’t have him", or, "Yes". You need to get your money’s worth.

David Smith: Ultimately what you have to look at is that the system wasn’t operated at a very basic level within HR departments. It was operated at a much higher level. You would get the situation where people would say, "All I need to know is whether to employ this person because my time is of value; it is not to assess what has been said. I just need a basic decision, ‘Shall we take this person on board or not?’"

Q787 Chair: How do you know it was operated at a higher level?

David Clancy: From speaking to some of the construction workers. They have had their cards; they know who the individuals are who have made the decisions. When we spoke to the person who was involved in the process that led us, in effect, to identifying Kerr and the Consulting Association, he made it quite clear that when he was approached to meet Kerr within the Consulting Association it was very much on a need-to-know basis and he was quite high up within the HR department of one construction company. It was made quite clear to him that this was how the system operated.

Q788 Chair: Who was that and what was the company?

David Clancy: I can’t remember the name of the company, but I think it’s fair to say it was well reported. It was Alan Wainwright.

Q789 Chair: Maybe you could let us have the name of the company in due course if you cannot remember it now but you have it somewhere.

David Clancy: The information is in the public domain anyway.

Q790 Chair: We are never quite sure when we are speaking to you what is in the public domain. You are obviously closer to this than we are and therefore it is worthwhile just clarifying if you can let us have things.

David Smith: We will certainly do what we can. I am not sure that we are closer to all of it than you are. A lot of people have had their records. Some of this has been disclosed in response to court orders. Various people have given things out and given information before this Committee, which puts stuff in the public domain, and then we are free from our ties. We don’t know ourselves all that has been given out. We know what we have released ourselves.

David Clancy: Mr Chamberlain behind me might be able to assist you with that one. He actually wrote the article.

Chair: We never like to rely on the hyenas of capitalist press because you never know whether or not they are going to be telling you the truth. I know by now not to rely on stories that get into the papers. None the less, there are a variety of things that we will pursue.

Q791 Lindsay Roy: Is it right that Ian Kerr was prosecuted?

David Smith: Yes; that is right.

Q792 Lindsay Roy: What was the penalty?

David Smith: He was fined £5,000. Essentially, he was prosecuted for not being registered or notified as a data controller. Effectively he hadn’t got a licence.

Q793 Lindsay Roy: Do you think that was an adequate deterrent for the future?

David Smith: It was an adequate deterrent for the offence for which he was prosecuted. It was almost incidental to what was going on. He could have been notified to us and put down his business as an employment agency and carried on. If you will forgive me, Chair, we did him for the only thing we could do him for. The position now - and it wasn’t at the time - is that those who breach the data protection principles in a way that is serious and could lead to substantial damage or distress to individuals, which is clearly the case here, can be liable for a monetary penalty - a fine of up to £500,000. Had we had that power at the time, I have little doubt that we would have used it against Mr Kerr and sought to impose a much higher fine than that amount.

We would also have sought to use it against the construction companies. Indeed, had we been in this position now, we would have approached the point you make about us not investigating those who said they weren’t using it very differently. They would potentially have been liable for a fine of up to £500,000. We would have investigated them in more detail to establish whether there were grounds for imposing a fine, but at the time we didn’t have that power. Our concern was to shut the database down. In our view, we did not think that it would assist that aim by investigating those companies further because that aim had essentially been achieved.

David Clancy: At the time of the prosecution of Kerr the maximum fine was £5,000 in the magistrates court and it was unlimited in the higher courts. The magistrates declined jurisdiction in the Kerr case because they believed that they could not apply a punishment that was sufficient. The magistrates believed that £5,000 was not enough. When it was referred to the Crown court, of course, the court had to look into the means of Kerr, who, to all intents and purposes, was then unemployed, hence the £5,000 fine.

Q794 Chair: And there was no scope in those circumstances for fines on the companies involved because the law did not allow that at that stage.

David Clancy: That is correct.

Q795 Mr Reid: Can you tell us what legislation has changed that does now allow you to fine the companies?

David Smith: Yes. The Data Protection Act was amended a couple of years ago. Forgive me, I don’t remember the Act that introduced the amendments. It was from April 2010 that we had the power to impose these penalties. We have imposed about 20 or 25 since that date. We are using that power. One of the supporting arguments for giving us that power is the sorts of activities that were going on here.

Q796 Chair: But you have not used it for anything like this. There has not been anything similar to blacklisting.

David Smith: No; we have not had evidence of any activity like this on which to base it.

Q797 Chair: In terms of the suite of powers that you now have being much more extensive than you had before, I understand that, had you had then what you have now, you would have done things differently. Are there still any powers that you wish you had had then that you don’t have now?

David Smith: Yes. The main one is essentially the audit power and the ability to go to a business, knock on the door and say, "We don’t have firm evidence that you are doing things wrong, but we just want to come and check up that you are complying." That power was added to the Data Protection Act but its introduction is subject to secondary legislation. The power applies to Government Departments. We can come to a Government Department and say, "We want to check up." It’s not applicable to anybody else so far.

Q798 Chair: So that depends upon secondary legislation to introduce it.

David Smith: Yes.

Q799 Chair: We have allegations of various companies undertaking blacklisting and so on. At the moment you are not able to access them without suspicion?

David Smith: No.

Q800 Chair: If you have a suspicion, you are able to access them.

David Smith: We can of course ask and they can open the doors to us if they are willing to do so. If we have grounds for suspicion that we could put before a judge to give us a warrant, we can go for that.

Q801 Mr Reid: You said that there was legislation in the Act that still had not been brought into effect because it needed secondary legislation. Have the Government given you any indication whether they intend to bring that into effect?

David Smith: No. At the moment we have the power for central Government. There are provisions whereby it can be brought in for the rest of the public sector under one set of conditions. We have recently made a case to Government that we should have the power for local government and for the health service because of the serious data losses that there have been. There is another set of conditions that apply to the rest of the economy - essentially the private sector - which would have to be met.

Q802 Mr Reid: Have the Government given any indication whether or not they intend to introduce that legislation?

David Smith: No, they have not given any indication. We can make a case for that to be introduced.

Q803 Mr Reid: Have you made a case to Government?

David Smith: The way the legislation works is that we would have to make a case for particular sectors. At the time the legislation was being introduced we made the point about the Consulting Association and these sorts of activities. We were not given the general power. We don’t have a specific case. We have looked at the insurance industry because of activities there and that is an area where we may put forward a case.

Q804 Mr Reid: But at the moment you have not put forward any case for any sector in the private sector.

David Smith: No.

Q805 Mr Reid: Are the Government therefore waiting for you to make a case?

David Smith: I am sure that is what they would say, and to some extent it is true. The difficulty we have is that we feel we made the case to the Government as to why we need the power some years ago. Their response was to introduce the legislation that still holds that in abeyance for specific cases to be made.

Q806 Mr Reid: You say you made the case years ago, but am I right in saying that, since the legislation was passed, you have not made a case to Government for any particular private sector?

David Smith: No, we haven’t.

Q807 Mr Reid: Are you intending to?

David Smith: We have made no secret of the fact that the insurance industry is one area where, yes, we are looking.

Q808 Mr Reid: Do you feel there is a case that you might be able to make for the construction industry?

David Smith: It is very difficult to make a case, given that we have no evidence that blacklisting in breach of the data protection law is a continuing activity. The events here are too distant in the past for us to make the case now. If we had this sort of evidence before us now, then we would be making that sort of case.

Q809 Mr Reid: What sort of evidence would you need?

David Smith: Evidence of serious failures to meet the obligations under data protection law that cannot be addressed properly without that ability to make those checks. I have to say that we have made the case in the local government sector and the health sector because of the number of serious data losses that there have been in those sectors and the lack of proper attention to security. That case is still under consideration. There is no assurance that we will be given that.

Q810 Mr Reid: But, as well as data protection considerations, there are also the blacklisting regulations that were passed after the Consulting Association case. If you felt you had evidence that these blacklisting regulations were being breached, would that be sufficient to allow you to make a case or would it have to be data protection?

David Smith: It would have to be the case that the data protection law was being breached, but of course it is possible that it would be both.

Q811 Mr Reid: If you felt other laws were being breached and you could identify that through a proactive audit, would that be sufficient for you to make a case?

David Smith: No. Our powers only relate to the Data Protection Act. The case would have to be about data protection breaches.

Q812 Chair: But the operation of a blacklist is in itself a data protection breach.

David Smith: What do you mean by "a blacklist", Chair?

Q813 Mr Reid: It is defined by law in the 2010 regulations.

David Smith: The 2010 regulations, as I understand it - please forgive me if I am wrong because you probably know them better than I do - relate to trade union membership and trade union involvement as the reasons. There may be lots of people on the blacklist that we are talking about here who were not on that list for anything to do with trade union activity. There are different things here. You could call some of the databases that may operate within the law in other sectors blacklists. It is possible, if the construction companies had been entirely open with workers, the information had been accurate and there had been rights to access it and check it, that that would not have breached the data protection provisions.

Q814 Chair: I want to clarify what is going to happen now to the Consulting Association files. Have they all been returned to Mr Kerr?

David Clancy: We retained the original copies. We had no powers to remove that information totally from Kerr. He received a copy back.

Q815 Chair: He received a copy back.

David Clancy: Yes.

Q816 Chair: Who has the originals?

David Clancy: We have the originals.

Q817 Chair: What do you intend to do with them?

David Clancy: My understanding is that they will form part of the National Archive in due course because this information is information that informed the change in legislation.

Q818 Chair: It is not the intention to burn them in the near future before the remainder of the 198 and so on have had the opportunity to access them. There is nothing likely to be done in the near future that would prejudice any of that.

David Smith: No, there isn’t. The original intention was that we would open up this ability for people to make checks and, then once that had dried up and time had passed, we would destroy the information because there are risks to keeping it. But things have moved on considerably since then and so we have no immediate intention of doing that.

Q819 Chair: You might feel that this is not something for you, but in terms of redress for individuals whose lives have been damaged by the operation of the Consulting Association, blacklists and so on, do you feel that the opportunities for them to seek redress are adequate?

David Smith: They have an opportunity to make a claim under the Data Protection Act through the courts for damage that they have suffered as a result of being on the database. If you can claim damage you can also claim distress, but you can’t just go on the basis of distress. We don’t necessarily get to know about cases that are brought before the courts, but where people have brought cases - I have to say not necessarily in relation to blacklisting - the awards by the courts appear to have been fairly low, but that is not something over which we have control.

Our belief is very strongly that, given that this is data protection law, you should be able to claim compensation for distress without necessarily having damage because of the nature of personal information. I am not sure that that is particularly relevant here because some people will at least have suffered damage because they will not have got employment which they might otherwise have got. We would like the grounds upon which you can claim compensation to be wider than simply damage.

Q820 Mr Reid: As has been said correctly, the blacklisting regulations refer to trade union membership or trade union activities. Clearly we are getting evidence from individuals who believe that they are on a blacklist of some sort, although you have said in previous evidence that nobody has been able to produce any evidence to you.

I want to explore what is legal within the Data Protection Act and what is not. If I am an employer and I record that somebody is a very bad worker, would I be committing an offence if I passed that information to a third party?

David Smith: In simple terms, no. There are certain things you should do under the Data Protection Act. That is the sort of thing that happens with references, essentially.

Q821 Mr Reid: Yes, but surely for a reference the individual concerned has given their consent to a potential employer to contact a previous employer. What about if I pass it on without the individual’s consent? That would be an offence.

David Smith: That is right, if it is without the individual’s knowledge and without good cause. It is a combination of who you are passing information on to.

Q822 Mr Reid: Say I was passing it to somebody who was holding a database of workers’ competency.

David Smith: If you passed it on to someone to whom the individual wasn’t expecting it to be passed on and there weren’t pressing reasons, like a suspicion of criminal activity and it was the police you were passing it on to, then it would be a breach of the Data Protection Act. Please forgive me again, but I don’t like the word "offence" because it’s not criminal. It’s a breach.

Q823 Mr Reid: The employer there would be breaching the Act. If the person who was holding the database had registered with you that they were holding a database of people’s competencies to do construction work, would they be committing an offence?

David Smith: Not necessarily, no. If they are holding the database, it is their obligation to make sure people know that information is being held about them.

Q824 Mr Reid: Other than registering with you that they are carrying on this activity, how are they supposed to make people aware?

David Smith: There are two ways. The most likely is that they will have done it through whoever supplies them with the information. The employer would say, "I am going to pass your information on to a database run by XYZ." That discharges XYZ’s responsibility.

Q825 Mr Reid: Clearly if the employer passes the information on without telling the employee, we have already established that the employer is breaching the Act. Does the person holding the data breach the Act if the employer had not told the employee?

David Smith: Yes, and if they have not told the employees themselves. They could make their own contact and say, "We are telling you that you are now on our database."

Q826 Mr Reid: So there is an obligation on the data holder to notify.

David Smith: Yes. People should be told where and who is holding their information as a general proposition.

Q827 Lindsay Roy: We have heard allegations, particularly in the offshore industry, of a system "Not Required Back". Is that a kind of blacklist?

Chair: Somebody’s card would be marked "NRB", meaning "Not Required Back", which is effectively a blacklist.

Lindsay Roy: Have you had any inclination of this happening?

David Smith: If it is within one business and this is not passing information from one business to another, so, when someone leaves, the business records, "Don’t re-employ this person" or something, no, that is not a breach of data protection. If that individual makes an access request to the organisation, that is part of the record and they should be told. Indeed, the individual may want to challenge it. If an employer decides not to re-employ someone and records that on the record, that is not a data protection breach. There may be other employment issues.

Q828 Chair: But presumably it is if that is passed to another firm.

David Smith: Yes. As a general rule, I would say that, if that is passed to another firm without the individual’s knowledge, then that will be a data protection breach. The only area where I would hesitate is where there might be serious safety matters or criminal matters involved. Even then, I think it is hard to say that the individual shouldn’t have been told that this was going to happen.

Q829 Lindsay Roy: Some of the allegations of "Not Required Back" are because they had taken a particular interest in health and safety. That is the allegation. Therefore, that is the kind of information that may be passed on to other firms.

David Smith: It is the passing it on that is the problem. If an employer says, "I don’t want someone back" for whatever reasons, that is nothing to do with data protection.

Q830 Chair: I understand that.

David Smith: But passing that on to someone else without the individual’s knowledge and particularly without the opportunity to challenge it is.

Q831 Mr Reid: Do you need the individual’s consent or do you just have to inform them?

David Smith: I don’t think you have to get their consent. It rather depends on the stage at which this happens. The proper way of doing it would be to say, when you employ or hire someone, "We are part of this industry system and this is what will happen to you in these circumstances." Then you know what the proposition is when you enter into it.

Q832 Mr Reid: But if the employer doesn’t do that and writes to the employee saying, "I’ve fired you for being a bad worker and, by the way, I’m going to tell everybody else in the industry that you’re a bad worker", are they entitled to do that?

David Smith: If they have not told them originally, they should only pass it on with consent unless there are what I would call overriding reasons. "This person was a risk to health and safety on an oil rig, and to protect life and limb we need to pass this on even if the person doesn’t agree."

Q833 Chair: You seemed to suggest earlier on, which slightly surprised me, that, if somebody was "Not Required Back" for criminal behaviour and that was passed on to other firms, then that would be acceptable. That justifies it but surely it does not make it legal. Surely the crime from your perspective is the question of the information being passed on.

David Smith: It is, but there are exemptions in the Act from the requirement to tell people that information is being passed on where doing so would be likely to prejudice, among other things, criminal investigations and the like. I agree, Chair, that it is unlikely to happen, but, if someone was actively under investigation and you told them that was the case, they might do something that destroys the evidence or whatever.

Q834 Chair: I understand that. In general terms, as my colleague indicated, if someone was being marked "NRB" because they had been pursuing health and safety issues - not because they themselves were a threat to health and safety but because they had been pursuing it - and that was passed on to other firms, that is likely to be an offence. The difficulty is proving it, as you indicate. Without evidence, you are unwilling or unable to investigate by making anything that could be seen as fishing expeditions.

David Smith: That is essentially correct, Chair.

Q835 Chair: We come back to the circle where, unless somebody can prove that there is an offence, you won’t take action to identify if there is an offence.

David Clancy: If there was a whistleblower who came forward to say, "Look, I’m involved in this process. I work in the HR department of a particular oil company. This was the system we operated and these were the reasons why", we would then clearly investigate that.

Q836 Chair: But they would never work again, would they?

David Clancy: That is the difficulty you have and which surrounds this entire situation.

Q837 Chair: That is the difficulty I have with your points about the level of proof that you require.

David Clancy: Alternatively, if there was, in effect, the smoking gun or the e-mail that was sent that somebody had a copy of which clearly indicated this, we would act. Where you purely and simply have a person who says, "I believe I’ve been blacklisted" -

Q838 Chair: But what if you had a whole group of people? For example, we have been approached about particular locations where it has been suggested that whole categories of people are not being employed. That is evidence of a pattern. Each of them on its own does not necessarily prove anything, but, taken together, there would appear to be some evidence of a pattern. Surely that would then be sufficient for you to consider taking action.

David Clancy: That is the type of evidence we would be looking for as opposed to individuals. If a group of people said, "These are the circumstances", it would give us something on which to start an investigation.

David Smith: What we need is reasonable grounds for suspicion. It is not concrete evidence; you are absolutely right.

Q839 Chair: That is much more helpful. Obviously it might be a fit-up and so on and so forth, but a number of people making the same sort of suggestion about their refusal of employment would tend to be an indication that you could then progress with.

We had some of these suggestions in relation to the Olympics and one or two other industrial disputes concerning electricians and so on. You have never actually investigated any of those, though, even though there were a number of suggestions of blacklisting made dealing with particular locations.

David Clancy: I received one phone call once. I quite clearly said, "Send the information through to us along with the contact details of any individuals." They were never followed up. People make these allegations, but, again, if they are not supported we can’t do anything.

Q840 Chair: That has been very helpful. That is a very good note on which to end our questioning. When I said earlier on that I had to be somewhere at 9 o’clock I was joking. The fact that another member has come in doesn’t mean to say there is a second shift coming on. She has been at another Committee, which is why she was not able to get here before.

As I indicated earlier on, I would ask you whether or not there are any answers you had prepared to questions that we have not asked? Are there any points that you want to raise with us that you feel we have not covered in our discussions?

David Smith: There are no specific points, Chair, but I would emphasise, as I am sure you appreciate, that these were serious breaches of the Data Protection Act. The execution of the search warrant and the action we took is something we were proud of, and still are proud of, because we closed down the Consulting Association database. It was our work that stopped that. Although there are rumours and suggestions, we have no reason to suppose that anything like that sort of system has re-emerged.

Yes, had we had the powers that we have now, we could have done more and would have done more. We would certainly have been looking at imposing fines.

The question of notifying individuals is a valid point. With the benefit of hindsight, we could have done more, but I do have to say to you, Chair, that nobody raised any concern with us at all that we were not doing everything necessary until a few months ago. This could have been raised with us if people had serious concerns at the time and we would have looked at it again then.

In terms of how this is addressed, is it changes in data protection law or the law relating to blacklisting that needs changing? If it is the data protection law, it is a very wide remit. Where you want to address particular problems in particular areas, you perhaps need more specific law that addresses those areas.

We will provide the information that we promised you. Chair, we are keen to help and assist. Any suggestion-which I know has been made by one or two witnesses-that we were asleep on the job or we were improperly influenced is entirely misplaced. We think we have done the job of a responsible regulator here within the powers that we had available to us.

Chair: We appreciate that you are not the villains in all of this. None the less you were here and so it is entirely legitimate for us to raise these points with you. Thank you very much for coming along.

Prepared 15th April 2013