In an enforcement action brought by the Irish Office of the Data Protection Commissioner, Irish private investigation firm MCK Investigations and two of its directors were fined for breaches of the Irish Data Protection Acts. MCK Investigations had obtained personal data, illegally and by deception, from the Department of Social Protection and from the Health Service Executive and had then disclosed the personal information to various credit unions. These were the first prosecutions under the Data Protection Acts to be brought against private investigators and the first where company directors were prosecuted as well as the company itself. The Data Protection Commissioner’s Office commented that these prosecutions send “a strong message to private investigators and tracing agents to comply fully with data protection legislation” and that they “serve to remind all companies and businesses who hire private investigators or tracing agents that they have onerous responsibilities under the Data Protection Acts to ensure that all tracing or other work carried out on their behalf by private investigators or tracing agents is done lawfully. Specifically, in this regard, those operating in the credit union, banking, financial services, legal and insurance sectors should take note of [these] proceedings and review their engagement of private investigators and tracing agents to ensure they have fully safeguarded all personal data against unlawful forms of data processing.”
TIP: This case is a reminder to check vendor agreements to ensure that vendors are complying with relevant data protection rules. This is particularly important when the third parties are private investigators, tracing agents or other agents engaged to obtain information that may amount to personal information.