In early September the Information Commissioner's Office (the ICO) announced that it had commenced an investigation into 98 ‘blue chip’ businesses and individuals after being given information recovered by the Serious Organised Crime Agency (SOCA) as part of a separate investigation into the ‘blagging’ of personal information.
The SOCA's investigation, Operation Millipede, saw four men convicted of fraud offences in 2012, after SOCA found they had obtained information illegally.
The ICO is currently conducting an investigation into whether businesses and individuals that use private investigators have themselves breached data protection laws. Any businesses or individuals which use private investigators need to be especially vigilant to ensure that appropriate contracts are in place and that all data gathering is done in line with legal requirements.
How does this affect your business?
Under the Data Protection Act it is unlawful for a person to "knowingly or recklessly without the consent of the data controller obtain or disclose personal data or the information contained in personal data, or procure the disclosure to another person of the information contained in personal data".
If a company or other corporation commits a criminal offence under the Data Protection Act, any director, manager, secretary or similar officer or someone purporting to act in any such capacity can be found personally guilty of the offence, as well as the corporate body, if the offence was committed with their consent or connivance, or the offence is attributable to neglect on their part.
What are the next steps and possible consequences?
The ICO is assessing the information provided by the SOCA and will be writing to those individuals and businesses named by the SOCA to establish what information they received from private investigators, and whether they were aware that the law may have been breached to obtain that information.
Depending on the outcome of the investigation several enforcement options are available to the ICO:
criminal prosecution, for unlawfully obtaining or accessing personal data or for failing to notify as a data controller;
civil action for breaching the Data Protection Act, with monetary penalties of up to £500,000; and
enforcement notices and undertakings to oblige changes in policies or procedures.
The ICO will first need to assess whether the individuals and businesses under investigation fall within the ICO's jurisdiction, as initial estimates suggest that as many as a quarter of the businesses under investigation may be based outside of the UK.
The ICO has stated that it envisages that the initial phase of the investigation will take several months, after which time the ICO will publish an update. To date the ICO has refused to publish details of the organisations that are under investigation.
In the meantime organisations that use private investigators would be well advised to review all current arrangements to ensure that appropriate contracts are in place with private investigators and that methods deployed by private investigators are monitored to ensure they are lawful.
If you have any concerns about your business' current or historic use of private investigators please contact Alison Deighton or Juliet Bradshaw.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at September 2013. Specific advice should be sought for specific cases; we cannot be held responsible for any action (or decision not to take action) made in reliance upon the content of this publication.
TLT LLP is a limited liability partnership registered in England & Wales number OC 308658 whose registered office is at One Redcliff Street, Bristol BS1 6TP England. A list of members (all of whom are solicitors or lawyers) can be inspected by visiting the People section of this website. TLT LLP is authorised and regulated by the Solicitors Regulation Authority under number 406297.