3 The remedies
37. Though there is no direct regulation of private
investigators, there is some legislation which governs the acquisition,
storage and use of personal informationprincipally the
Data Protection Act 1998 and the Regulation of Investigatory
Powers Act 2000. The penalties for the misuse of personal
data are negligible and the there is no regime of regulatory guidance
for the sector.
Data offences
38. When a private investigator conducts "covert
surveillance", such as bugging, on instructions from a public
authority, this activity falls under the Regulation of Investigatory
Powers Act 2000. However, the Act provides no protection where
the investigator's client is a private individual. For these private
cases, the main statutory protection comes from the Data Protection
Act 1998.
39. There are three Commissioners with responsibilities
that have a bearing on the private investigation industry: the
Information Commissioner, whose responsibilities focus on the
Data Protection Act; the Interception of Communications Commissioner,
whose task is to keep under review the issue of warrants
for the interception of communications; and the Surveillance Commissioner,
with oversight of the conduct of covert surveillance and covert
human intelligence sources by public authorities.
40. The division of responsibility between the
Information Commissioner and the Interception Commissioner was
not clear. The Minister, Lynne Featherstone, recognised that the
disjunction between the different data commissioners was not ideal.
She told the Committee that:
What I have always thought would be the ideal is
if you had an over-arching commissioner, or not that you have
an over-arching commissioner but you have the commissions co-located.
I thought that might be very helpful, in terms of sharing and
working together as the commissioner body.[50]
41. Personal privacy would be
better protected by closer working between the Information Commissioner,
the Chief Surveillance Commissioner and the Interception of Communications
Commissioner. We recommend that the Government aim, before the
end of the next Parliament, to co-locate the three Commissioners
in shared offices and introduce a statutory requirement for them
to cooperate on cases where both the Data Protection Act and the
Regulation of Investigatory Powers Act are relevant. In the longer
term, consideration should be given to merging the three offices
into a single Office of the Information and Privacy Commissioner.
SECTION 55 OFFENCES
42. Most of the actions pursued by the Office
of the Information Commissioner were in relation to "blagging"
information in contravention of section 55 of the Data Protection
Act, which deals with the unlawful obtaining, disclosure and selling
of personal data and the procurement of such actions. Christopher
Graham, the Information Commissioner, told us:
We are now in the 21st century,
an information society, and keeping information secure is really
important. All the things we want to do about open data, about
data sharing, depend on people having confidence that the information
they give to the authorities will stay secure [...] a range of
penalties need to be available, not just a modest fine.[51]
43. As the Information Commissioner emphasised,
breach of section 55 of the Data Protection Act is an offence
punishable only by a fine. In the Magistrates' Court, the fine
is up to £5,000, in the Crown Court, it can be an unlimited
fine, but cases rarely reach the Crown Court. Typically, fines
have been around £100 per count, taking account of the defendant's
means.[52] The concern
that these sentencing powers were not a sufficient deterrent was
raised in 2006 in the previous Information Commissioner's reports
What price privacy? and What price privacy now?.[53]
44. Section 77 of the Criminal Justice and Immigration
Act, confers on the Secretary of State an Order-making power
to increase the penalty for offences under section 55 of the Data
Protection Act. Both the Information Commissioner, Christopher
Graham, and his predecessor, Richard Thomas, believed that this
power should be invoked so that a stronger and more deterrent
penalty could be available to the courts.[54]
45. In order to provide a more effective deterrent,
the Information Commissioner and Crown Prosecution Service could
consider making greater use of powers to confiscate their criminal
proceeds. The Proceeds of Crime Act 2002 gives prosecuting authorities
the power to seek the recovery of any benefit the convicted defendant
obtained by breaching the Data Protection Act, or any other statute.
The Information Commissioner's Office obtained confiscation orders
for the first time for section 55 offences in a case before Warrington
Crown Court in 2011. The defendants were made subject to confiscation
orders amounting to £73,700. This stands in contrast to the
cases of Steve Whittamore, Glen Mulcaire and Sharon and Stephen
Anderson, who may have profited considerably from data offences,
but received relatively light sentences.
46. Confiscation orders should
be sought where a person is convicted of data and privacy offences
and has sold the information for profit.
47. We recommend that the Home
Secretary exercise her power under section 77 of the Criminal
Justice and Immigration Act 2008 to strengthen the penalties available
for offences relating to the unlawful obtaining, disclosure and
selling of personal data under section 55 of the Data Protection
Act. The current finetypically around £100is
derisory. It is simply not an effective deterrent.
Policing
48. Commander Peter Spindler, Metropolitan Police
Service Director of Professional Standards, told us that most
forces had introduced "declarable associations policies",
which required all employees who had connections into certain
industries to declare them to help forces to improve risk-management.[55]
He said that the Metropolitan Police also maintained a register
of business interests, governed by the Police Regulations 2003.
This listed 14 categories of incompatible interests, including
working as a private investigator.[56]
However, across the country this was dealt with dealt with on
a case-by-case basis, and it would be up to the individual Chief
Constables to decide whether or not to authorise an officer to
work as a private investigator.[57]
Nor was there any requirement for police officers to record their
contact with private investigators.[58]
49. In response to our follow-up inquiries with
Commander Spindler, we received a recall of historic cases known
to the Directorate of Professional Standards Intelligence Bureau,
including Operation Barbatus, Operation Two Bridges and Operation
Abelard. In Operation Barbatus, for example, two former Metropolitan
Police constables who had established a private investigations
company, three other ex-police officers, two of whom were working
as private investigators and one further man also employed as
a private investigator were convicted.[59]
Our evidence from Mr Schwarz suggested that this problem had not
been rooted out.
50. The Metropolitan Police's
system of safeguards for reducing the risks of serving police
officers being corrupted by conflicting interestsincluding
declarable associations policies, a register of business interests
and a list of incompatible interestsshould be standardised
across the country. However, these checks alone might not be enough
to solve the problem. The Government must act to sever the links
between private investigators and the police forces. We recommend
that there should be a cooling off period of a minimum of a year
between retirement from the police force and working in private
investigation. Any contact between police officers and private
investigators should be formally recorded by both parties, across
all police forces.
51. If proper safeguards were put in place, some
of our witnesses believed that private investigators could be
granted increased access in certain circumstances. Steve
Bishop proposed to give investigators limited access to certain
police records through "a Central SPOC", which could
improve their contribution and alleviate the need for investigators
to obtain the basic details unlawfully.[60]
52. The Institute of Professional Investigators
told us that the self-regulation exercised by the Association
of British Investigators had been recognised by the Drivers and
Vehicle Licensing Agency (DVLA) with accreditation for access
to the on-line vehicle-keeper database in certain circumstances.[61]
The Institute told us that investigators would like access to
some public body databases such as the Land Registry and the DVLA
database without the obstacles currently placed in their way.
It suggested that licensing could be a first step in earning the
professional respect that would one day make that access justifiable,
as it was in other countries.[62]
53. The Information Commissioner's Office recognised
that, given the nature of the work they engaged in, even legitimate
investigators may find it difficult to comply with the law. The
Office was bound to apply the law as it stands and could create
exemptions in the Data Protection Act, even if their absence
may cause legal uncertainty for private investigators, who were
acting responsibly and carrying out otherwise legitimate investigations.[63]
Regulation
54. The most straightforward option for bringing
structure and safeguards to the private investigation industry
may be to introduce regulation to the sector. As the World Association
of Private Investigators pointed out, at present there was nothing
in law to distinguish companies that pursue legitimate business
activities from corrupt operatives, but a licence could give a
client confidence that they were hiring a legitimate investigator.
[64] There was
almost unanimous agreement among our witnesses that the sector
would be improved by regulation.[65]
55. Schedule 2 to the Private Security Industry
Act 2001 contains provisions for licensing of private investigation
by the Security Industry Authority through an order made by the
Home Secretary. Consultation on a licensing regime commenced in
August 2007 and an impact assessment was published in September
2008, which recommended that regulation should take the form of
compulsory licensing of private investigation activity based on
a "fit and proper" test and including competency criteria.
56. The Security Industry Authority already has
an established model for licensing. It is an independent statutory
body reporting to the Home Secretary, established by the Private
Security Industry Act and responsible for regulating the private
security industry. From January 2012 the cost of an Authority
licence (which lasts for three years) is £220 (it was previously
£245).[66] The Authority
told us that there were two main elements to its licensing regime:
first, whether an applicant had any background or criminal history
that implied a risk for operating in the sector; and second, whether
an applicant had the skills and competencies necessary for the
role. [67]
LICENSING A DIVERSE INDUSTRY
57. Bishop International was concerned that regulation
should take into account the range of constituents in the industry
and its variety of clients, services, levels of organisation and
backgrounds; a one-size-fits-all approach may not be suitable
for such a diverse sector.[68]
Threshold Security was in favour of licensing in sub-categories,
such as surveillance; desktop enquiries and data research; and
physical investigation and interviewing.[69]
In order to overcome this obstacle, the Surveillance Group suggested
that any future consultation group needed to have a membership
drawn from a diverse range of specialist areas. [70]
58. We heard a range of opinions for the level
of detail that should be included in regulations. For example,
G4S believed that regulation needed to cover:
a) standards of behaviour for companies and individuals
operating in the industry;
b) screening and vetting of personnel and sub-contractors
to ensure disreputable individuals were deterred from joining
the industry;
c) training and accreditation of personnel, which
would need to be sufficient to ensure standards of behaviour and
performance were reasonable and easily assessable;
d) incident reporting and management were sufficient
to allow investigation by independent organisations, whether Government
or industry appointed;
e) grievance procedures, to ensure those who
have issues with individuals or providers had the ability to pursue
reasonable grievances;
f) compliance and enforcement mechanisms to ensure
the areas above were followed by those operating within the industry.[71]
59. The Surveillance Group found it "ridiculous"
that private investigators could utilise tracking and digital
monitoring devices without having to make an application for permission
under the Regulation of Investigatory Powers Act and requested
that any use of these devices by private individuals or private
organisations should be prohibited under the licensing criteria.
[72] It suggested
that it would be necessary to licence the use of electronic tracking
devices for intrusive surveillance applications and that sentencing
needed to be introduced to police the illegal accessing of data
from digital devices. [73]
60. G4S believed that a regulatory framework
needed to be focused on the individual, rather than companies,
in order to ensure that unethical or incompetent individuals could
not operate in the market while ensuring ease of movement between
companies for others.[74]
Bisio Training agreed that without the sanction of removing an
individual licence there would be no effective deterrent or remedy
to those affected by wrongdoing.[75]
61. Several witnesses emphasised that regulations
should not be too burdensome for small and medium-sized enterprises
(SMEs) or individuals, but should be robust enough to deter unethical
behaviour.[76]
62. Speechly Bircham suggested that the critical
component of regulation would be a Code of Conduct, resembling
the Code of Conduct for Solicitors. It said that there was no
guidance on private investigators in the solicitors' Code, but
believed that the two codes could be "easily integrated".
Richard Thomas suggested that a fundamental aspect of regulation
should be that for private investigators, a breach of section
55 of the Data Protection Act must entail disqualification from
operating in the business.[77]
COMPETENCY CRITERIA
63. Five competency requirements were set out
in the paper Private Investigation and Precognition Agents
Draft Core Competency Specification in July 2007. These were:
conduct investigations; conduct (formal) interviews; search for
information and preservation of evidence; conduct surveillance;
and understand and work to the relevant laws and standards.[78]
However, Bishop International believed that the range of activities
is so wide as to make any single competency course impossible
as well as unnecessary.[79]
Instead, it proposed that there should be a simple test of understanding
of the law as it applies to investigations. The Highway Code was
proposed a good example of how to educate people in order to test
their knowledge of relevant law.[80]
Bishop International also put forward that new who did not come
from a relevant background should be required to find an apprenticeship
with an investigation company. Their first year of employment
could require a provisional license and, with the endorsement
of their employer, could be followed by a full license one year
from the start of an apprenticeship.[81]
64. However, Bishop International believed that
the competency requirement was "absurd" because of the
range of skills necessary. It pointed out that, according to the
Home Office, if an investigator from another EU country were to
come to the UK to carry out an investigation he or she could legally
do so "without being subject to any prior check":
[82]
In other words, a resident of another EU country
could arrive in the UK to carry out an investigation without any
criminal record check and with no consideration given to the "harm"
that person might cause, while people who have established track
records in the UK would be required to meet so-called competency
requirements at considerable cost.[83]
65. This may also be a problem in the case of
professions which carry out some of the same activities as private
investigators and compete against them, but are exempted from
regulation under the Private Security Industry Act, such
as journalists, lawyers and accountants.[84]
66. The Risk Advisory Group believed that in-house
investigators posed the same risks as private investigators.[85]
Stringent conditions in the UK could drive away the international
corporate investigations sector abroad with £100m of business.[86]
The Risk Advisory Group believed that tasks such as corporate
due diligence, merger and acquisition work, private equity funding
and corporate finance support were sufficiently guarded by the
Data Protection Act.[87]
The case of Howard Hill, a corporate investigative partner who
was not an accountant at the accountancy firm PKF, demonstrated
that an "umbrella" professional licence could not necessarily
provide sufficient regulatory protection.[88]
The Ravenstone Group suggested that licensing, regulatory controls,
monitoring and auditing should apply to investigation firms that
provide any part of their services that are not covered by documented
procedures audited by their clients. It suggested that operations
whose clients are registered businesses and those clients regulate,
monitor and audit the investigation activities to documented procedures
be required to register this status. All investigation services
could therefore be either licensed investigators or registered
investigators.[89]
67. The Association of Fraud Investigators suggested
that "Private Investigator" become a protected title,
as in the case of "social worker", so that nobody could
use the term to describe themselves without being subject to regulation.[90]
THE TIMETABLE FOR ACTION
68. Security International pointed out that there
had been attempts to regulate the industry since the 1960s.[91]
The Government suggested that any action should wait for the conclusions
of Lord Justice Leveson's inquiry.[92]
However, the current definition of private investigations in the
PSIA excluded activities for the purpose of obtaining information
exclusively for journalistic purposes and the Information Commissioner
believed that there was "precious little evidence that this
has much to do with the press these days".[93]
69. The Government insisted that it would move
forward with regulation quickly and that the delay of a decade
was down to the previous Government. However, the Association
of British Investigators highlighted the "off/on abolition
of the proposed regulatory authority", the Security Industry
Authority, in the Government's cull of quangos.[94]
According to the published minutes of a meeting of the Authority:
The Chief Executive explained that The SIA would
have liked to address the regulation of PIs earlier. The planned
roll out for licensing Private Investigators would have meant
an offence date of 1 October 2011. However, the Home Office had
halted work and funding on this project in 2010 due to uncertainty
as to the future of the SIA.[95]
70. The Government has accepted a framework for
a new regulatory regime proposed by the Authority and announced
that new legislation will be introduced at the earliest opportunity
to abolish the Authority in its current form and introduce a new
regulatory regime for the private security industry.[96]
This will inevitably delay the introduction of regulation of private
investigators.
71. The Minister told us that the process of
regulation would be swift, once a decision had been made, but
that "the lengthy bit will be moving forward from when the
legislation is passed".[97]
The next stage in the process would be training, capacity-building
in the industry and the licensing application process. The Minister
believed "that second part could be up to two years"
and that the system should be in place before 2015.[98]
72. "Private Investigator"
should be a protected titleas in the case of "social
worker"so that nobody could use the term to describe
themselves without being subject to regulation.
73. We recommend the introduction
of a two-tier system of licensing of private investigators and
private investigation companies and registration of others undertaking
investigative work. Full licensing should apply to individuals
operating or employed as full-time investigators and to private
investigation companies. Registration should apply to in-house
investigation work carried out by employees of companies which
are already subject to regulation, such as solicitors and insurance
companies. Both should be governed by a new Code of Conduct for
Private Investigators, which would also apply to sub-contracted
and part-time investigators. A criminal record for breach of section
55 should disqualify individuals from operating as private investigators.
74. Whereas licensing will impose
an additional regulatory burden on the industry, it could also
provide the new safeguards necessary to provide some potential
benefits. We recommend that the Government analyse the risks and
benefits of granting increased access to certain prescribed databases
for licensed investigators, in order to facilitate the legitimate
pursuit of investigation activities. For example, a licence may
confer the right to access the on-line vehicle-keeper database
in certain circumstances. It should consider how this would interact
with the changes proposed to data protection laws by the European
Commission. The United Kingdom has rightly moved to a situation
of information management rather than merely looking at data protection.
We also recognise that appropriate sharing of data can prevent
crime and contribute significantly to other outcomes that are
in the public interest. However, any new access should be carefully
monitored.
75. In terms of skills, we are
convinced that competency does not ensure conscience. The core
of any training regime for investigators ought to be knowledge
of the Code of Conduct and the legal constraints that govern the
industry. With this in mind, any contravention of data laws should
result in the suspension of a licence and prohibition from engaging
in investigation activity, linked to meaningful penalties for
the worst offences.
76. It should be possible to
implement such a regime quickly after the creation of the new
Security Industry Authority, by the end of 2013 at the latest.
The Government should include a timetable for implementation in
its response to this Report. In view of the repeated delays, on-going
abuses and the risks we have identified, the Government should
take action quickly. There is no need to wait for the Leveson
Inquiry to report before work to set out the principles of regulation
and registration begins. Early publication of a draft bill could
allow for public and Parliamentary consideration of potential
legislation alongside the Leveson report.
50 Q 468 [Lynne Featherstone] Back
51
Q 29 Back
52
Ev 69 [ICO]; Q 21 [Christopher Graham], 9th Report - Referral fees and the theft of personal data: evidence from the Information Commissioner,
HC 1473, Published 27 October 2011 Back
53
Information Commissioner's Office, What price privacy?,
HC 1056, 10 May 2006, Information Commissioner's Office, What
price privacy now?, HC 36, 13 December 2006 Back
54
Q 6 [Christopher Graham] Back
55
Q 110 [Commander Spindler] Back
56
Q 110 [Commander Spindler] Back
57
Q 122 [Commander Spindler] Back
58
Q 129 [Commander Spindler] Back
59
Ev 82 Back
60
Ev w17 [Steve Bishop] Back
61
Ev 66 [ABI] Back
62
Ev w11 [IPI] Back
63
Ev 70 [ICO] Back
64
Ev 72 [WAPI]; Ev w16 [Cerberus Investigations Ltd] Back
65
For example, Ev 61 [Home Office]; Ev w1 [G4S]; Ev 64 [ABI]; Ev
w4 [Threshold Security]; Ev w6 [Surveillance Group Ltd]; Ev w9
[Institute of Professional Investigators] Back
66
Ev 61 [HO & SIA] Back
67
Q 448 [Bill Butler] Back
68
Ev w18 [Bishop International]; Ev 80 [Kroll] Back
69
Ev w6 [The Surveillance Group Ltd Back
70
Ev w7 [The Surveillance Group Ltd] Back
71
Ev w1 [G4S] Back
72
Ev w8 [The Surveillance Group Ltd] Back
73
Ev w7 [The Surveillance Group Ltd] Back
74
Ev w1 [G4S] Back
75
Ev w15 [Bisio Training] Back
76
Ev w1 [G4S] Back
77
Q 7 [Christopher Graham] Back
78
Ev 73 [Risk Advisory Group] Back
79
Ev w19 [ Bishop International] Back
80
Ev w19 [ Bishop International] Back
81
Ev w19 [ Bishop International] Back
82
Ev w20 [Bishop International] Back
83
Ev w20 [Bishop International] Back
84
Ev w23 [GPW] Back
85
Ev 73 [Risk Advisory Group] Back
86
Ev w20 [Bishop International] Back
87
Ev 73 [Risk Advisory Group] Back
88
Ev w23 [GPW] Back
89
Ev w22 [Ravenstone Group] Back
90
Ev w21 [CFE] Back
91
Ev w14 [Security International]. For example, Tony Gardner, the
Private Investigators Bill 1969; Norman Fowler, Security
Industry Licensing Bill 1970; The Younger Committee on Privacy
1970; Michael Fidler, the Private Detectives Control Bills
1 and 2 1973; Bruce George, Private Security (Registration)
Bills, 1977, 1985, 1987 Back
92
Ev 61 [HO and SIA]; Q 472 [Lynne Featherstone] Back
93
Q 28 [Christopher Graham]; Ev w18 [Bishop International] Back
94
Ev 66 [ABI] Back
95
Para 29 of minutes of the SIA Board Meeting dated 28th
July 2011 available at http://www.sia.homeoffice.gov.uk/Documents/board-minutes/2011/sia-board-110728.pdf Back
96
Ev 61 [Home Office]; HL Deb 23 March 2011 col. 832ff Back
97
Q 470-472 [Lynne Featherstone] Back
98
Q 474 [Lynne Featherstone] Back
|