Consulting Association | Information Commissioner | Enforcement | Eversheds e80 | Compliance

Latest Resources

Breaking Global News
Global Compliance and Privacy News - Breaking News, updated every 30 minutes
•   Compliance, Privacy and Security
•  Money Laundering
•  Phishing
•  Regulatory Issues
•  SOX, Basel 2, MiFID

You Tell Us:

News
Are Smartphones Endangering Security? - Wick Hill
Dealing with Internet Security Threats - Ian Kilpatrick
How the New EU Rules on Data Export Affect Companies in and Outside the EU - Thomas Helbing
Farmers' Data Leak Highlights Old Technology Use - Wick Hill
Saving Money with SFTP - Wick Hill
UK Information Commissioner targets firm selling vetting data - Eversheds e80
12 Key Steps to Internet Security - Wick Hill
Telephone Monitoring Legality in the UK - Dechert
Firewall or UTM - Wick Hill
UK Information Commissioner demands mobile device encryption - Eversheds e80
Data loss - liability, reputation and mitigation of risk - Eversheds e80
Phorm, Webwise and OIX - BCS Security Forum
The challenges of PCI DSS compliance - Thales, Russell Fewing
"Quality" Data Vendor Spams us! Editor astounded!
National Gateway Security Survey 2008 - Wick Hill
Unified Threat Management - Watchguard Technologies

news archives:
0 | 1 | 2 | 3 | 4 | 5 |
6 | 7 | 8 | 9 | 10 | 11 |
12 | 13
[What is this?]

Industry Blogs
• Tim Berners Lee's Blog
• Tim Callan's SSL Blog
• Davis Wright Tremaine's Privacy & Security Law Blog
• Emergent Chaos Blog
• Michael Farnum's Blog
• Phillip Hallam-Baker's Blog - The dotFuture Manifesto: Internet Crime, Web Services, Philosophy
• Stuart King's Security and Risk Management Blog
• David Lacey's IT Security Blog
• Metasploit Official Blog
• Jeff Pettorino's Security Convergence Blog
• Jeff Richards's Demand Insights Blog
• David Rowe's Risk ManagementBlog
• Bruce Schneier's Security Blog
• Larry Seltzer's Security Weblog
• Mike Spinney's Private Communications Blog
• Richard Steinnon's Threat Chaos Blog
• The TechWeb Blog
• Tim Trent's Marketing by Permission Blog
• Rebecca Wong 's DP Thinker Blog

Newsletters
23 February Newsletter
Newsletter Archives are located in "News"

Industry Update
Internet Security Intelligence Briefing - November 2005
Find out the latest trends in e-commerce, web usage & the latest threats from adware/Spyware

Reports
Phorm, Webwise and OIX - BCS Security Forum
'The Any Era has Arrived, and Everyione has Noticed' - Stratton Sclavos - VeriSign
Identity Security - Time to Share
Malicious code threats - iDefense
Public Alerts - updated as they happen from Stopbadware.org
Public Alerts - updated as they happen from Websense
Public Advisories - updated as they happen, from iDefense
Phoraging - Privacy invasion through the Semantic web: a special report by Mike Davies of VeriSign

Legislation
Privacy Laws & Business International E-news, Issue 57
Privacy Laws & Business UNited Kingdom E-news, Issue 60

Security Reviews
February 2007 - VeriSign Security Review
The security review archive is here

Case Studies
Finance Industry
Case Study Example
A case study on a Finance industry company.

White Papers
VeriSign® Intelligent Infrastructure for Security
VeriSign® Intelligent Infrastructure: An Overview
Identity Protection Fraud Detection Service - description of the service
Life of a Threat - Video on Threat Management Lifecycle
Optimizing Enterprise Information Security Compliance - Dealing with all the audits
For a full list of all whitepapers, visit our Whitepaper library

Legal Notices
Privacy Policy
Terms of use

UK Information Commissioner targets firm selling vetting data

The Information Commissioner's Office (ICO) has taken stringent enforcement action against a business that it believes has been selling data about construction industry workers to prospective employees.

The action against the Consulting Association is further evidence of the proactive enforcement activity being adopted by the ICO. It's an interesting case study of the range of powers that the ICO has to:

obtaining a warrant to obtain entry

issuing enforcement notice to effectively cease using the data

the threat of criminal sanctions because they had also failed to register with the ICO.

The impact may well be to close this business down, which is proof that the ICO is far from being a toothless tiger amongst regulators.

Perhaps of greater impact, though, is the involvement of some household names in the case. In a world where the use of vetting seems to be increasing, whether driven by heightened security concerns or otherwise, this provides a cautionary tale.

To some, it will be surprising that some well–known construction businesses have become caught up in this. What isn't known at this stage is how those businesses interacted with the Consulting Association, but it would appear from press reports that they, too, now face investigation by the ICO.

This case highlights a number of key compliance issues in respect of vetting practice but there are some practical steps that can be taken.

First and foremost, vetting should not be done as a general fishing exercise but only to address specific justifiable risks where the information can't be reasonably obtained elsewhere.

Secondly, if you are going to engage in staff vetting it should be done on an open and consensual basis. You should inform the individual about the nature of the investigation being undertaken and what you will do with the information, and get their consent.

You should select with care who you engage to provide information to you. This is because under the legislation it will be the purchaser of that information, as the data controller, who is responsible for ensuring that that information it processes has been collected and is used in compliance with the legislation.

Due diligence should be exercised: ask questions about how they collect their data. If in doubt, don't use it.

Make sure you have a contract for supply of the data and check that it has provisions in it that give you assurances that the information has been collected in a manner which is compliant with the Data Protection Act (DPA) and that its transfer and use by you will also be compliant (preferably supported by an indemnity).

There should be a feedback loop to the individual so that they are aware of the reason for the decision. It's worth remembering, too, that the individual can raise an access request under the DPA to find out what information you have about them.

Be very careful if you are going to place reliance on the information obtained to make the recruitment decision. Is it reliable enough? Some reports suggest that the nature of the information stored may give difficulties for an employer who actually took a decision not to recruit on the basis of the information. For example, if a business decided not to recruit the otherwise best candidate on the basis of their union membership, that could give rise to a claim. If proven (which of course can be difficult), compensation could be substantial.

Guidance has been issued by the ICO under the Employment Practices Code in connection with pre–employment vetting. (View ICO guidance )

If there are some lessons to be learnt from this case, perhaps the main one for employers is to stop and think about whether they need to be vetting and then to ensure that any information they do buy in has been lawfully obtained. If not, they can find themselves on the wrong end of an ICO investigation and, as in this case, unwelcome public relations.

This article is reproduced from Eversheds e80 service. You can find out more about Eversheds e80 and search the Eversheds e80 archive at www.eversheds80.com. e80 is provided by Eversheds for information purposes only and should not be regarded as a substitute for taking legal advice. It is reproduced here by kind permission of and is © Eversheds.