Private Investigators - Home Affairs Committee Contents


3  The remedies

37.  Though there is no direct regulation of private investigators, there is some legislation which governs the acquisition, storage and use of personal information—principally the Data Protection Act 1998 and the Regulation of Investigatory Powers Act 2000. The penalties for the misuse of personal data are negligible and the there is no regime of regulatory guidance for the sector.

Data offences

38.  When a private investigator conducts "covert surveillance", such as bugging, on instructions from a public authority, this activity falls under the Regulation of Investigatory Powers Act 2000. However, the Act provides no protection where the investigator's client is a private individual. For these private cases, the main statutory protection comes from the Data Protection Act 1998.

39.  There are three Commissioners with responsibilities that have a bearing on the private investigation industry: the Information Commissioner, whose responsibilities focus on the Data Protection Act; the Interception of Communications Commissioner, whose task is to keep under review the issue of warrants for the interception of communications; and the Surveillance Commissioner, with oversight of the conduct of covert surveillance and covert human intelligence sources by public authorities.

40.  The division of responsibility between the Information Commissioner and the Interception Commissioner was not clear. The Minister, Lynne Featherstone, recognised that the disjunction between the different data commissioners was not ideal. She told the Committee that:

What I have always thought would be the ideal is if you had an over-arching commissioner, or not that you have an over-arching commissioner but you have the commissions co-located. I thought that might be very helpful, in terms of sharing and working together as the commissioner body.[50]

41.  Personal privacy would be better protected by closer working between the Information Commissioner, the Chief Surveillance Commissioner and the Interception of Communications Commissioner. We recommend that the Government aim, before the end of the next Parliament, to co-locate the three Commissioners in shared offices and introduce a statutory requirement for them to cooperate on cases where both the Data Protection Act and the Regulation of Investigatory Powers Act are relevant. In the longer term, consideration should be given to merging the three offices into a single Office of the Information and Privacy Commissioner.

SECTION 55 OFFENCES

42.  Most of the actions pursued by the Office of the Information Commissioner were in relation to "blagging" information in contravention of section 55 of the Data Protection Act, which deals with the unlawful obtaining, disclosure and selling of personal data and the procurement of such actions. Christopher Graham, the Information Commissioner, told us:

We are now in the 21st century, an information society, and keeping information secure is really important. All the things we want to do about open data, about data sharing, depend on people having confidence that the information they give to the authorities will stay secure [...] a range of penalties need to be available, not just a modest fine.[51]

43.  As the Information Commissioner emphasised, breach of section 55 of the Data Protection Act is an offence punishable only by a fine. In the Magistrates' Court, the fine is up to £5,000, in the Crown Court, it can be an unlimited fine, but cases rarely reach the Crown Court. Typically, fines have been around £100 per count, taking account of the defendant's means.[52] The concern that these sentencing powers were not a sufficient deterrent was raised in 2006 in the previous Information Commissioner's reports What price privacy? and What price privacy now?.[53]

44.  Section 77 of the Criminal Justice and Immigration Act, confers on the Secretary of State an Order-making power to increase the penalty for offences under section 55 of the Data Protection Act. Both the Information Commissioner, Christopher Graham, and his predecessor, Richard Thomas, believed that this power should be invoked so that a stronger and more deterrent penalty could be available to the courts.[54]

45.  In order to provide a more effective deterrent, the Information Commissioner and Crown Prosecution Service could consider making greater use of powers to confiscate their criminal proceeds. The Proceeds of Crime Act 2002 gives prosecuting authorities the power to seek the recovery of any benefit the convicted defendant obtained by breaching the Data Protection Act, or any other statute. The Information Commissioner's Office obtained confiscation orders for the first time for section 55 offences in a case before Warrington Crown Court in 2011. The defendants were made subject to confiscation orders amounting to £73,700. This stands in contrast to the cases of Steve Whittamore, Glen Mulcaire and Sharon and Stephen Anderson, who may have profited considerably from data offences, but received relatively light sentences.

46.  Confiscation orders should be sought where a person is convicted of data and privacy offences and has sold the information for profit.

47.  We recommend that the Home Secretary exercise her power under section 77 of the Criminal Justice and Immigration Act 2008 to strengthen the penalties available for offences relating to the unlawful obtaining, disclosure and selling of personal data under section 55 of the Data Protection Act. The current fine—typically around £100—is derisory. It is simply not an effective deterrent.

Policing

48.  Commander Peter Spindler, Metropolitan Police Service Director of Professional Standards, told us that most forces had introduced "declarable associations policies", which required all employees who had connections into certain industries to declare them to help forces to improve risk-management.[55] He said that the Metropolitan Police also maintained a register of business interests, governed by the Police Regulations 2003. This listed 14 categories of incompatible interests, including working as a private investigator.[56] However, across the country this was dealt with dealt with on a case-by-case basis, and it would be up to the individual Chief Constables to decide whether or not to authorise an officer to work as a private investigator.[57] Nor was there any requirement for police officers to record their contact with private investigators.[58]

49.  In response to our follow-up inquiries with Commander Spindler, we received a recall of historic cases known to the Directorate of Professional Standards Intelligence Bureau, including Operation Barbatus, Operation Two Bridges and Operation Abelard. In Operation Barbatus, for example, two former Metropolitan Police constables who had established a private investigations company, three other ex-police officers, two of whom were working as private investigators and one further man also employed as a private investigator were convicted.[59] Our evidence from Mr Schwarz suggested that this problem had not been rooted out.

50.  The Metropolitan Police's system of safeguards for reducing the risks of serving police officers being corrupted by conflicting interests—including declarable associations policies, a register of business interests and a list of incompatible interests—should be standardised across the country. However, these checks alone might not be enough to solve the problem. The Government must act to sever the links between private investigators and the police forces. We recommend that there should be a cooling off period of a minimum of a year between retirement from the police force and working in private investigation. Any contact between police officers and private investigators should be formally recorded by both parties, across all police forces.

51.  If proper safeguards were put in place, some of our witnesses believed that private investigators could be granted increased access in certain circumstances. Steve Bishop proposed to give investigators limited access to certain police records through "a Central SPOC", which could improve their contribution and alleviate the need for investigators to obtain the basic details unlawfully.[60]

52.  The Institute of Professional Investigators told us that the self-regulation exercised by the Association of British Investigators had been recognised by the Drivers and Vehicle Licensing Agency (DVLA) with accreditation for access to the on-line vehicle-keeper database in certain circumstances.[61] The Institute told us that investigators would like access to some public body databases such as the Land Registry and the DVLA database without the obstacles currently placed in their way. It suggested that licensing could be a first step in earning the professional respect that would one day make that access justifiable, as it was in other countries.[62]

53.  The Information Commissioner's Office recognised that, given the nature of the work they engaged in, even legitimate investigators may find it difficult to comply with the law. The Office was bound to apply the law as it stands and could create exemptions in the Data Protection Act, even if their absence may cause legal uncertainty for private investigators, who were acting responsibly and carrying out otherwise legitimate investigations.[63]

Regulation

54.  The most straightforward option for bringing structure and safeguards to the private investigation industry may be to introduce regulation to the sector. As the World Association of Private Investigators pointed out, at present there was nothing in law to distinguish companies that pursue legitimate business activities from corrupt operatives, but a licence could give a client confidence that they were hiring a legitimate investigator. [64] There was almost unanimous agreement among our witnesses that the sector would be improved by regulation.[65]

55.  Schedule 2 to the Private Security Industry Act 2001 contains provisions for licensing of private investigation by the Security Industry Authority through an order made by the Home Secretary. Consultation on a licensing regime commenced in August 2007 and an impact assessment was published in September 2008, which recommended that regulation should take the form of compulsory licensing of private investigation activity based on a "fit and proper" test and including competency criteria.

56.  The Security Industry Authority already has an established model for licensing. It is an independent statutory body reporting to the Home Secretary, established by the Private Security Industry Act and responsible for regulating the private security industry. From January 2012 the cost of an Authority licence (which lasts for three years) is £220 (it was previously £245).[66] The Authority told us that there were two main elements to its licensing regime: first, whether an applicant had any background or criminal history that implied a risk for operating in the sector; and second, whether an applicant had the skills and competencies necessary for the role. [67]

LICENSING A DIVERSE INDUSTRY

57.  Bishop International was concerned that regulation should take into account the range of constituents in the industry and its variety of clients, services, levels of organisation and backgrounds; a one-size-fits-all approach may not be suitable for such a diverse sector.[68] Threshold Security was in favour of licensing in sub-categories, such as surveillance; desktop enquiries and data research; and physical investigation and interviewing.[69] In order to overcome this obstacle, the Surveillance Group suggested that any future consultation group needed to have a membership drawn from a diverse range of specialist areas. [70]

58.  We heard a range of opinions for the level of detail that should be included in regulations. For example, G4S believed that regulation needed to cover:

a)  standards of behaviour for companies and individuals operating in the industry;

b)  screening and vetting of personnel and sub-contractors to ensure disreputable individuals were deterred from joining the industry;

c)  training and accreditation of personnel, which would need to be sufficient to ensure standards of behaviour and performance were reasonable and easily assessable;

d)  incident reporting and management were sufficient to allow investigation by independent organisations, whether Government or industry appointed;

e)  grievance procedures, to ensure those who have issues with individuals or providers had the ability to pursue reasonable grievances;

f)  compliance and enforcement mechanisms to ensure the areas above were followed by those operating within the industry.[71]

59.  The Surveillance Group found it "ridiculous" that private investigators could utilise tracking and digital monitoring devices without having to make an application for permission under the Regulation of Investigatory Powers Act and requested that any use of these devices by private individuals or private organisations should be prohibited under the licensing criteria. [72] It suggested that it would be necessary to licence the use of electronic tracking devices for intrusive surveillance applications and that sentencing needed to be introduced to police the illegal accessing of data from digital devices. [73]

60.  G4S believed that a regulatory framework needed to be focused on the individual, rather than companies, in order to ensure that unethical or incompetent individuals could not operate in the market while ensuring ease of movement between companies for others.[74] Bisio Training agreed that without the sanction of removing an individual licence there would be no effective deterrent or remedy to those affected by wrongdoing.[75]

61.  Several witnesses emphasised that regulations should not be too burdensome for small and medium-sized enterprises (SMEs) or individuals, but should be robust enough to deter unethical behaviour.[76]

62.  Speechly Bircham suggested that the critical component of regulation would be a Code of Conduct, resembling the Code of Conduct for Solicitors. It said that there was no guidance on private investigators in the solicitors' Code, but believed that the two codes could be "easily integrated". Richard Thomas suggested that a fundamental aspect of regulation should be that for private investigators, a breach of section 55 of the Data Protection Act must entail disqualification from operating in the business.[77]

COMPETENCY CRITERIA

63.  Five competency requirements were set out in the paper Private Investigation and Precognition Agents Draft Core Competency Specification in July 2007. These were: conduct investigations; conduct (formal) interviews; search for information and preservation of evidence; conduct surveillance; and understand and work to the relevant laws and standards.[78] However, Bishop International believed that the range of activities is so wide as to make any single competency course impossible as well as unnecessary.[79] Instead, it proposed that there should be a simple test of understanding of the law as it applies to investigations. The Highway Code was proposed a good example of how to educate people in order to test their knowledge of relevant law.[80] Bishop International also put forward that new who did not come from a relevant background should be required to find an apprenticeship with an investigation company. Their first year of employment could require a provisional license and, with the endorsement of their employer, could be followed by a full license one year from the start of an apprenticeship.[81]

64.  However, Bishop International believed that the competency requirement was "absurd" because of the range of skills necessary. It pointed out that, according to the Home Office, if an investigator from another EU country were to come to the UK to carry out an investigation he or she could legally do so "without being subject to any prior check": [82]

In other words, a resident of another EU country could arrive in the UK to carry out an investigation without any criminal record check and with no consideration given to the "harm" that person might cause, while people who have established track records in the UK would be required to meet so-called competency requirements at considerable cost.[83]

65.  This may also be a problem in the case of professions which carry out some of the same activities as private investigators and compete against them, but are exempted from regulation under the Private Security Industry Act, such as journalists, lawyers and accountants.[84]

66.  The Risk Advisory Group believed that in-house investigators posed the same risks as private investigators.[85] Stringent conditions in the UK could drive away the international corporate investigations sector abroad with £100m of business.[86] The Risk Advisory Group believed that tasks such as corporate due diligence, merger and acquisition work, private equity funding and corporate finance support were sufficiently guarded by the Data Protection Act.[87] The case of Howard Hill, a corporate investigative partner who was not an accountant at the accountancy firm PKF, demonstrated that an "umbrella" professional licence could not necessarily provide sufficient regulatory protection.[88] The Ravenstone Group suggested that licensing, regulatory controls, monitoring and auditing should apply to investigation firms that provide any part of their services that are not covered by documented procedures audited by their clients. It suggested that operations whose clients are registered businesses and those clients regulate, monitor and audit the investigation activities to documented procedures be required to register this status.  All investigation services could therefore be either licensed investigators or registered investigators.[89]

67.  The Association of Fraud Investigators suggested that "Private Investigator" become a protected title, as in the case of "social worker", so that nobody could use the term to describe themselves without being subject to regulation.[90]

THE TIMETABLE FOR ACTION

68.  Security International pointed out that there had been attempts to regulate the industry since the 1960s.[91] The Government suggested that any action should wait for the conclusions of Lord Justice Leveson's inquiry.[92] However, the current definition of private investigations in the PSIA excluded activities for the purpose of obtaining information exclusively for journalistic purposes and the Information Commissioner believed that there was "precious little evidence that this has much to do with the press these days".[93]

69.  The Government insisted that it would move forward with regulation quickly and that the delay of a decade was down to the previous Government. However, the Association of British Investigators highlighted the "off/on abolition of the proposed regulatory authority", the Security Industry Authority, in the Government's cull of quangos.[94] According to the published minutes of a meeting of the Authority:

The Chief Executive explained that The SIA would have liked to address the regulation of PIs earlier. The planned roll out for licensing Private Investigators would have meant an offence date of 1 October 2011. However, the Home Office had halted work and funding on this project in 2010 due to uncertainty as to the future of the SIA.[95]

70.  The Government has accepted a framework for a new regulatory regime proposed by the Authority and announced that new legislation will be introduced at the earliest opportunity to abolish the Authority in its current form and introduce a new regulatory regime for the private security industry.[96] This will inevitably delay the introduction of regulation of private investigators.

71.  The Minister told us that the process of regulation would be swift, once a decision had been made, but that "the lengthy bit will be moving forward from when the legislation is passed".[97] The next stage in the process would be training, capacity-building in the industry and the licensing application process. The Minister believed "that second part could be up to two years" and that the system should be in place before 2015.[98]

72.  "Private Investigator" should be a protected title—as in the case of "social worker"—so that nobody could use the term to describe themselves without being subject to regulation.

73.  We recommend the introduction of a two-tier system of licensing of private investigators and private investigation companies and registration of others undertaking investigative work. Full licensing should apply to individuals operating or employed as full-time investigators and to private investigation companies. Registration should apply to in-house investigation work carried out by employees of companies which are already subject to regulation, such as solicitors and insurance companies. Both should be governed by a new Code of Conduct for Private Investigators, which would also apply to sub-contracted and part-time investigators. A criminal record for breach of section 55 should disqualify individuals from operating as private investigators.

74.  Whereas licensing will impose an additional regulatory burden on the industry, it could also provide the new safeguards necessary to provide some potential benefits. We recommend that the Government analyse the risks and benefits of granting increased access to certain prescribed databases for licensed investigators, in order to facilitate the legitimate pursuit of investigation activities. For example, a licence may confer the right to access the on-line vehicle-keeper database in certain circumstances. It should consider how this would interact with the changes proposed to data protection laws by the European Commission. The United Kingdom has rightly moved to a situation of information management rather than merely looking at data protection. We also recognise that appropriate sharing of data can prevent crime and contribute significantly to other outcomes that are in the public interest. However, any new access should be carefully monitored.

75.  In terms of skills, we are convinced that competency does not ensure conscience. The core of any training regime for investigators ought to be knowledge of the Code of Conduct and the legal constraints that govern the industry. With this in mind, any contravention of data laws should result in the suspension of a licence and prohibition from engaging in investigation activity, linked to meaningful penalties for the worst offences.

76.  It should be possible to implement such a regime quickly after the creation of the new Security Industry Authority, by the end of 2013 at the latest. The Government should include a timetable for implementation in its response to this Report. In view of the repeated delays, on-going abuses and the risks we have identified, the Government should take action quickly. There is no need to wait for the Leveson Inquiry to report before work to set out the principles of regulation and registration begins. Early publication of a draft bill could allow for public and Parliamentary consideration of potential legislation alongside the Leveson report.


50   Q 468 [Lynne Featherstone] Back

51   Q 29 Back

52   Ev 69 [ICO]; Q 21 [Christopher Graham], 9th Report - Referral fees and the theft of personal data: evidence from the Information Commissioner, HC 1473, Published 27 October 2011  Back

53   Information Commissioner's Office, What price privacy?, HC 1056, 10 May 2006, Information Commissioner's Office, What price privacy now?, HC 36, 13 December 2006 Back

54   Q 6 [Christopher Graham] Back

55   Q 110 [Commander Spindler] Back

56   Q 110 [Commander Spindler] Back

57   Q 122 [Commander Spindler] Back

58   Q 129 [Commander Spindler] Back

59   Ev 82 Back

60   Ev w17 [Steve Bishop] Back

61   Ev 66 [ABI] Back

62   Ev w11 [IPI] Back

63   Ev 70 [ICO] Back

64   Ev 72 [WAPI]; Ev w16 [Cerberus Investigations Ltd] Back

65   For example, Ev 61 [Home Office]; Ev w1 [G4S]; Ev 64 [ABI]; Ev w4 [Threshold Security]; Ev w6 [Surveillance Group Ltd]; Ev w9 [Institute of Professional Investigators] Back

66   Ev 61 [HO & SIA] Back

67   Q 448 [Bill Butler] Back

68   Ev w18 [Bishop International]; Ev 80 [Kroll] Back

69   Ev w6 [The Surveillance Group Ltd Back

70   Ev w7 [The Surveillance Group Ltd] Back

71   Ev w1 [G4S] Back

72   Ev w8 [The Surveillance Group Ltd] Back

73   Ev w7 [The Surveillance Group Ltd] Back

74   Ev w1 [G4S] Back

75   Ev w15 [Bisio Training] Back

76   Ev w1 [G4S] Back

77   Q 7 [Christopher Graham] Back

78   Ev 73 [Risk Advisory Group] Back

79   Ev w19 [ Bishop International] Back

80   Ev w19 [ Bishop International] Back

81   Ev w19 [ Bishop International] Back

82   Ev w20 [Bishop International] Back

83   Ev w20 [Bishop International] Back

84   Ev w23 [GPW] Back

85   Ev 73 [Risk Advisory Group] Back

86   Ev w20 [Bishop International] Back

87   Ev 73 [Risk Advisory Group] Back

88   Ev w23 [GPW] Back

89   Ev w22 [Ravenstone Group] Back

90   Ev w21 [CFE] Back

91   Ev w14 [Security International]. For example, Tony Gardner, the Private Investigators Bill 1969; Norman Fowler, Security Industry Licensing Bill 1970; The Younger Committee on Privacy 1970; Michael Fidler, the Private Detectives Control Bills 1 and 2 1973; Bruce George, Private Security (Registration) Bills, 1977, 1985, 1987 Back

92   Ev 61 [HO and SIA]; Q 472 [Lynne Featherstone] Back

93   Q 28 [Christopher Graham]; Ev w18 [Bishop International] Back

94   Ev 66 [ABI] Back

95   Para 29 of minutes of the SIA Board Meeting dated 28th July 2011 available at http://www.sia.homeoffice.gov.uk/Documents/board-minutes/2011/sia-board-110728.pdf Back

96   Ev 61 [Home Office]; HL Deb 23 March 2011 col. 832ff Back

97   Q 470-472 [Lynne Featherstone] Back

98   Q 474 [Lynne Featherstone] Back


 
previous page contents next page


© Parliamentary copyright 2012
Prepared 6 July 2012