There have been two recent developments which shed light on the data protection compliance (or more accurately compliance failings) of private investigators.

First, the ICO has announced that it will be sending officers from its Criminal Investigations team to visit private investigators suspected of unlawful practices. The ICO has decided to take action after gathering information on the handling of personal data by private investigators and uncovering incidences of non-compliance with data protection law.

Second, the High Court's latest decision concerning data subject access requests (SARs) has required a firm of private investigators to comply with the SAR made on behalf of a couple who were the subject of one of the firm's investigations.

The investigators, Community Safety Development (UK) Ltd (CSD), had sought to escape compliance with the SAR on a number of grounds, including the Data Protection Act 1998 (DPA) exemptions for detection of crime, under section 29(1), and legal professional privilege, under paragraph 10 of Schedule 7.

ICO's concerns with private investigators

Private investigators will be acting as data controllers and must therefore comply with the DPA. The ICO is concerned that many investigators are failing to meet their legal obligations and their research has highlighted a number of specific practices adopted by investigators which raise privacy concerns, including:

  • maintaining excessive records of personal data and selling it to third parties;
  • illegally obtaining personal information by using persuasion and/or deception, known as "blagging";
  • hacking to obtain personal data;
  • failing to register as a data controller with the ICO, which is a criminal offence;
  • use of surveillance and tracking devices which may be in breach of the DPA; and
  • failing to give data subjects access to personal data held about them.  

This ICO action is a reminder to private investigators, and the organisations that instruct them, such as insurers, of the requirement to have regard to compliance with data protection law when conducting investigations.

The High Court considers subject access requests

The recent High Court decision in Gurieva v Community Safety Development (UK) Ltd [2016] has exposed one firm of private investigator's unsuccessful efforts to avoid compliance with a SAR.

Individuals are empowered to make a SAR under section 7 of the DPA and this entitles the individual to be provided with a copy of their personal data. In circumstances where a data controller has failed to comply with the SAR in breach of section 7, a court may order compliance.

There are a limited number of exemptions which data controllers may rely on to avoid having to comply with a SAR; these include:

  • where providing a copy of the individual's personal data is impossible or would involve disproportionate effort (section 8(2));
  • if the data is processed for the purposes of the prevention or detection of crime or for the prosecution or apprehension of offenders (section 29(1)); or
  • where a claim of legal professional privilege could be maintained in respect of the data (paragraph 10 of Schedule 7).  

In the present case, CSD refused to comply with SAR received from the solicitor of the couple it was investigating, and legal proceedings were subsequently issued against CSD.

CSD claimed a number of reasons for not complying with the SAR, including:

  • the SAR was not valid as it was issued by the couple's solicitor and, in its view, insufficient evidence was provided that the solicitor acted on behalf of the couple;
  • the data processed by CSD was for the purposes of detection of crime, such that the section 29(1) exemption applied; and
  • the legal professional privilege exemption applied on the basis that CSD were instructed through solicitors. When proceedings were threatened, CSD also claimed litigation privilege.  

The Decision

The Court noted that where the requester of a SAR is not the data subject, it is reasonable to look for proof of authority. However, if the requester is a firm of solicitors that confirms its authority in the SAR, no more proof should ordinarily be required.

The Court accepted that it was likely that some personal data was processed by CSD for the purposes of detecting crime, but that CSD's attempt to claim a blanket exemption for organisations such as themselves was wrong in principle.

In the Court's view there was certainly some personal data processed by CSD for purposes other than detecting crime, and the Court was not convinced that complying with the SAR would be likely to prejudice any of the matters which are set out in the section 29(1) exemption.

The Court also disagreed with CSD's claim that the privilege exemption applied. This was largely due to CSD's failure to provide sufficient detail in support of its claim. CSD did not provide any reasonable analysis of which personal data would be covered by the exemption and which would not – the Court noted that it was not likely that all data held by CSD would attract privilege.

The Court therefore issued an order for CSD to comply with the SAR.

Implications

The case provides useful guidance to data controllers wishing to rely on the crime or privilege exemptions under the DPA.

If data controllers wish to rely on the crime exemption, they need to be able, in the view of the Court, "to demonstrate in detail why the application of the DPA in the usual way would be likely to prejudice one of the specified purposes".

The Court's judgment can be read here.