What does this cover?

Last year the Irish Office of the Data Protection Commissioner (the DPC) successfully prosecuted several cases brought against private investigators hired by credit unions. As part of its investigation, it emerged that over 100 credit unions had enlisted the services of third party agents who used illegal means to obtain people's personal information (such as addresses and PPS numbers) from State organisations and then passed that information to credit unions to trace its debtors.

It has been reported that the DPC has expanded its probe to other financial service institutions and that there are a number of 'live' investigations where the DPC has a strong suspicion that data protection offences have been committed on behalf of banks and insurers. These investigations are being advanced by the DPC special investigations unit with a view to prosecution. Similar to the credit unions, the suspected criminal offences relate to the unlawful acquisition of personal information, with the aim of the financial institution tracing people who owe banks money or have made claims against insurance companies.

Whilst it is not illegal to trace people through lawful means (such as questioning acquaintances) it is an offence to dupe companies that hold personal data into sharing it by pretending to work for a government agency (e.g. the HSE, Gardai or Department of Social Protection) in order to obtain personal information.  Any organisation that stores personal data, from utility companies to doctor's surgeries, is vulnerable to these unlawful requests.

Interestingly, the Irish Data Protection Act only allows the DPC to prosecute the private investigator who commits the offence and not the company employing the investigator. However, if there is evidence that the company was aware the investigator was acting unlawfully, or where there was no system put in place to prevent the illegal activity, the company can be at risk of prosecution.  A fine of up to EUR 3,000 per offence or 12 months imprisonment can be handed down by the District Court and the person whose data was shared may also have a civil claim against whoever was storing the data in the first place, if they can prove damage occurred.

We understand that the DPC is currently communicating with the financial services sector to ensure that private investigators use legitimate means to obtain personal information. In addition, a number of larger companies have started to implement traceability programmes so that they can trace when and which staff view sensitive data.

A new licensing regime will be introduced next month for private investigators which should help to improve industry standards. Licensing of private investigators will come under the responsibility of the Private Security Authority (PSA), which regulates cash-in-transit and other security firms.  Only those licensed by the PSA will be able to advertise or represent themselves as a 'Licensed Private Investigator'. It will also be an offence for a person to engage or employ an unlicensed private investigator. The register will be available online enabling businesses and the public to check that their security provider is licensed.

What action could be taken to manage risks that may arise from this development?

Financial services companies should ensure any tracing activities are carried out in accordance with applicable legal requirements.