Today’s move by the Information Commissioner’s Office (ICO) to punish a firm for breaching the Data Protection Act (DPA) could be the first of many similar cases as the organisation seeks to flex its muscles, experts have said.

The ICO raided a company called The Consulting Association, which had kept a secret database of personal information on over 3,000 UK construction workers.

The data protection watchdog said that it will prosecute the firm’s boss under the DPA, and possibly go after the 40 construction companies that used the database as a covert vetting tool.

Matthew Tyler, director at consultancy firm Evolution Security Systems, warned that there will be “a raft of these cases” this year, as businesses continue to mishandle customer data.

“The way data is handled and managed in the UK is farcical, and has been for years because there has been no comeback,” he said. “But if the fines go up and the directors face possible jail sentences, then they’ll give it more focus.”

Tom Ilube, chief executive of online identity firm Garlik, said that the announcement shows “the ICO flexing its muscles in a way we have not seen before”, and that it should be a wake-up call to executives.

Ilube predicted a rise in sites specifically set up to provide similar illegal services to potential recruiters by trawling through the web for personal information.

Gartner analyst Thomas Otter argued that companies should be prepared for a hardening of the ICO’s stance towards organisations that mishandle data.

“The ICO is becoming more vocal and more assertive and coming more into line with the rest of Europe in this regard,” he said. “From an IT and HR point of view, organisations need to be more vigilant about data protection, because there are likely to be a number of prosecutions, and a growing public awareness of privacy issues.”

Paula Barrett, a partner at law firm Eversheds, advised firms wanting to vet potential employees to treat this as a “cautionary tale”.

She added that they must perform due diligence on any third parties they use to provide them with such information, and to include a “feedback loop” to the individual so that they are aware of what is going on.

“If in doubt, don’t use it,” said Barrett. “Make sure you have a contract for supply of the data, and check that it has provisions in it that give you assurances that the information has been collected in a manner which is compliant with the DPA, and that its transfer and use by you will also be compliant.”