ICO Takes Data Protection Enforcement Against Public Body Over Violent Client List

The Information Commissioner has required a local authority to give an undertaking admitting breaches of data protection rules in relation to a list it kept of potentially violent clients. While the list was maintained to safeguard the council’s staff and contractors, the way in which it was compiled and managed breached the Data Protection Act.

How to manage lists of this type is a recurring issues for councils, housing associations and other public service providers. There is a duty to look after the health and safety of employees and workers while respecting the data protection rights of individuals named in the list.

Eastleigh Borough Council’s list contained information about mental health and criminal convictions, both of which are sensitive personal data – the most highly protected type of information under the Data Protection Act. Use of that type of data without consent is restricted and only possible where necessary for specified reasons.

As well as including sensitive pesonal data when it should not have done, Eastleigh’s list contained too much personal information for its purpose and was not managed properly to respect the data protection rights of the people named in the list. In the Eastleigh case a person on the list got hold of it and made a complaint to the ICO.

The undertaking that Eastleigh has given indicates how the Information Commissioner thinks this sort of list should be compiled and managed.

Any organisation maintaining a list of this type should review how it is compiled, maintained and kept secure in order to avoid possible enforcement action by the Information Commissioner. Provided that they are dealt with properly lists of clients presenting a possible risk to staff and contractors can be legal and a vital part of keeping colleagues safe and avoiding potential personal injury claims.

The specialist data protection solicitors in the award-winning Business Law Team at Forbes are used to advising public and private bodies on all sorts of data protection compliance issues and can assist in helping to draw up appropriate policies for dealing with lists. To find out more and to contact the team click here.

Daniel Milnes

About Daniel Milnes

Dan is a Partner and Head of Contracts & Projects. Dan’s blogs cover the areas in which his specialities lie in commercial, regulatory and governance law which cover a broad range of matters dealing with contracts, projects, corporate and group structures, funding and compliance with a range of legal regimes including data protection. This also involves writing and advising on various forms of commercial contracts including joint ventures, development and construction agreements and intellectual property contracts including IT agreements, sponsorships and other rights licensing arrangements.
This entry was posted in Corporate & Restructuring and tagged , , .