Last week, Dublin District Court convicted a private investigator on two charges of unlawfully obtaining access to personal information, and disclosing it, without authority, to various Credit Unions, in breach of section 22 of the Data Protection Acts (DPAs) 1988 and 2003. He was fined €2,500 for each offence.
Separately, the private investigator pleaded guilty to 69 charges, and these were taken into consideration by the Court in imposing the sentence. Ten of these charges related to breaches of section 22, and sixty related to breaches of section 16(2) of the DPAs in respect of processing the personal data of a number of individuals in circumstances where the private investigator had not registered as a data processor in the public register maintained by the Data Protection Commissioner (DPC).
In the cases before the court, the private investigator had unlawfully obtained access to personal information and used it to provide tracing reports to various Credit Unions on individuals they hoped to take action against for non-payment of debts.
Significance of Prosecution
This was the first prosecution to be completed by the DPC against a data processor for processing personal data without having registered as a data processor on the DPC's public register.
It is the second occasion on which the DPC has successfully prosecuted a private investigator for breaching section 22 of the DPAs. It serves, once again, as a warning to private investigators to comply fully with the DPAs in the conduct of their business and that if they fail to do so, they will be pursued and prosecuted for offending behaviour. It also highlights the importance of all businesses who hire private investigators of ensuring that all tracing or other work carried out on their behalf by private investigators is done lawfully.
In this case, the DPC found no evidence that any of the relevant Credit Unions had carried out due diligence prior to hiring the services of the private investigator, and highlighted that this was a "serious deficiency".