The ICO uncovered the database during an investigation into the Consulting Association, which was run from Droitwich by Ian Kerr. It said that the blacklist had been in operation for 15 years, and that companies paid £3,000 a year for access to it.
The ICO has also published a list of over 40 companies that it said used the database. The list contains some of the construction industry's biggest companies.
"This is a serious breach of the Data Protection Act," said deputy information commissioner David Smith. "Not only was personal information held on individuals without their knowledge or consent but the very existence of the database was repeatedly denied. The covert system enabled Mr Kerr to unlawfully trade personal information on workers for many years helping the construction industry to vet prospective employees."
The database is likely to have broken the Data Protection Act because it stored personal information on people without their knowledge or permission and without giving them the chance to see and correct information.
The ICO has issued Kerr with an enforcement notice. It says: "The Commissioner takes the view that damage or distress to the individuals named on the list is likely as a result of them not being aware of the existence of the list and being denied the opportunity of explaining or correcting what may be inaccurate personal data about them, which may be processed by the data controller or others and which may jeopardise the employment prospects of an individual in the construction industry."
Companies acting on the basis of information in the database may have broken employment laws. Much of the information in the database reportedly centred on individuals' membership of and activism in trade unions. It is against the law to refuse someone a job because of trade union membership.
Trade union Unite said in a statement that it would be encouraging its members to exercise their legal rights.
"Unite the Union will be alerting its activists of possible claims under Trade Union & Labour Relations (Consolidation) Act 1992 [section] 137. Possible claims may be taken against employers based on the refusal of employment on grounds related to trade union membership if the individuals can evidence that they were refused work by companies on the list, and were listed as trade union activists on the list," it said.
The ICO said that it will take action against Kerr and that it has not yet decided how to deal with the companies listed as users of the database.
“We will prosecute Mr Kerr and we are also considering what regulatory action to take against construction firms who have been using the system," said Smith. "I remind business leaders that they must take their obligations under the Data Protection Act seriously. Trading people’s personal details in this way is unlawful and we are determined to stamp out this type of activity."
Construction workers had long claimed that a blacklist was in operation but the Government's Department for Business, Enterprise and Regulatory Reform had said that it would not investigate while there was no firm evidence of such a list, Unite said. It called on the Government to conduct an investigation.
Though the ICO says that this database is illegal, employers are permitted to vet potential employees. To do this and comply with the Data Protection Act firms must process personal data fairly and lawfully, which means telling individuals that vetting is taking place, explaining how their information might be used and allowing them access to the information. Companies should also ensure that their systems for processing data are secure.