Home Affairs CommitteeWritten evidence submitted by the Information Commissioner’s Office [PI08]

The Information Commissioner’s Office (ICO)

The Information Commissioner has responsibility for promoting and enforcing the Data Protection Act 1998 (DPA), the Freedom of Information Act 2000 (FOIA), the Environmental Information Regulations (EIR) and the Privacy and Electronic Communications Regulations. He is independent from government and upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The Commissioner does this by providing guidance to individuals and organisations, solving problems where he can, and taking appropriate action where the law is broken.

The Information Commissioner is pleased to provide his evidence to the Committee because individual self-employed private investigators, and private investigation firms, are generally “data controllers” for the purposes of the DPA. This means that when they collect, use or disclose “personal data”—that is information that identifies someone—they have to do so in compliance with the DPA. Therefore some of a private investigators’ activities can fall within the ICO’s regulatory regime.

Private Investigators and the Data Protection Act 1998

The DPA imposes various rules on those processing personal data—for example relating to data standards and security. However its provisions relating to the collection of personal data are probably of most relevance to the Committee.

The DPA requires that personal data has to be processed fairly. In short, this means that when information is collected about individuals, they should be aware of this, or be able to find out about it easily. There are limited exemptions from the DPA’s fair processing requirements, for example where the police telling a suspect that they are collecting information about him would amount to a “tip off” and would prejudice the purpose of crime prevention. However, the law usually requires information collection to be fair and transparent.

Because of the nature of their business, private investigators will often be engaged to collect information about individuals without their knowing about it. However, the very limited exemptions from the DPA’s fair processing requirements mean that some of the information collection that private investigators do may not be in compliance with the DPA’s fair processing provisions—even where a particular investigation may be taking place for a legitimate purpose.

The exemptions in the DPA are based on the purpose for which personal data is processed—for example crime prevention, regulatory activity or journalism—rather than on the nature of the organisation carrying out the processing. This means that a private investigation company working with an insurance company on a counter-fraud case could sometimes, depending on the circumstances, benefit from the DPA’s “crime prevention” exemption. This means that the private investigator may, quite legitimately, be able to collect information about suspected fraudsters covertly. However, there are other activities that some private investigators will engage in that are highly unlikely to benefit from an exemption—for example where investigators carry out “matrimonial and relationship investigations”. Although the DPA’s crime prevention exemption does not apply to civil matters such as the enforcement of debts—bread and butter work for many private investigators—other exemptions may apply to civil matters, for example s.35 (disclosures required by law or made in connection with legal proceedings). However, if a company tries to recover a debt without taking legal action initially, private investigators employed by them at this stage are unlikely to be able to rely on an exemption.

A breach of the data protection principles, including their fair processing requirements, is not a criminal offence. The principles are enforced through civil sanctions. However, there is a specific criminal offence at s.55 of the DPA that relates to the unlawful obtaining of personal data. A private investigator will commit an offence where he knowingly obtains personal data without the consent of the data controller. This might be the case where an investigator uses bribery or deception to obtain information from a data controller. This offence is commonly referred to as “blagging”. We say more about this later in our evidence.

It is worth noting that the DPA, through the obligations it imposes on data controllers—particularly its security requirements and its non-disclosure provisions—should generally make it difficult for private investigators and others to obtain information about individuals from data controllers. The data protection default position is that data controllers cannot give out personal data to private investigators or other third parties without consent unless a specific exemption from the DPA’s non-disclosure provisions applies or it is otherwise fair to do so. This means that in some cases private investigators may choose not to make open requests for information, as the police would do for example, because the data controller may well be prevented by law from providing the information that the private investigator seeks for the purpose that he seeks it.

The role of the client that engages a private investigator is important. It is highly unlikely that a private investigator will ever collect information about another individual purely for his own purposes. The investigator will always be engaged by a client, be it a corporate one or a private citizen. However, this does not mean that private investigators are not responsible as “data controllers” under the DPA. It certainly does not mean that a private investigator that breaches the data protection principles, or commits a criminal offence, can avoid liability because he is acting as an agent of the client. However, in some cases both the client and the investigator could be legally responsible for the surveillance that takes place.

ICO Engagement with the Private Investigation Industry

The ICO engages with its stakeholders—including private investigators—through two main routes. Firstly, through its education, liaison and advice-giving role, and secondly through its complaints handling and enforcement functions.

We have had some involvement with the private investigation industry over the years. For example, we worked with the Association of British Investigators on its “Data Protection: A best practice guide for Professional Investigators” (2008). We have also written various articles for the private investigators’ trade press. We are confident that our activities in this area have conveyed some important messages to private investigators about their legal obligations under the DPA. However, it may well be the case that our efforts here have only influenced the more reputable end of the market; not all private investigators are members of professional bodies.

We do not log precise numbers of enquiries received or complaints made to the ICO about the activities of private investigators. We do receive complaints about private investigators, but relatively few. We have received complaints about:

aggressive and inappropriate surveillance techniques used by investigators working for insurance companies (not primarily a data protection issue);

surveillance carried out in marital contexts—eg one spouse using an investigator to spy on the other;

tracking devices found on vehicle; and

private investigation companies’ failure to give individuals access to information held about them. (The companies often argue that they are not data controllers themselves because they are usually working for another company—a view we do not generally accept.)

The relatively low number of complaints we receive does not necessarily equate with levels of public concern about the activities of private investigators. It is worth noting that an individual may well complain about the company that engages a private investigator, rather than about the investigator him or herself.

ICO Action Against Private Investigators

Most ICO action taken against private investigators has resulted from them “blagging” information in contravention of DPA s.55 (unlawfully obtaining information). Most of these have been to do with tracing individuals for debt recovery purposes, asset investigation, insurance-fraud related enquiries and various legal or employment disputes. They have generally resulted in prosecution and the imposition of fines that generally appear low in relation to the income the defendants are likely to have earned from their “blagging” activity. A fine of a few hundred pounds is not unusual.

Some s.55 cases show how illegally obtaining information can have an extremely detrimental effect on individuals’ lives. In 2004 the ICO prosecuted a private investigator who was found guilty of attempting to illegally obtain a rape-victim’s medical records. The victim suspects this was done to avenge the perpetrator’s conviction for assaulting her and perhaps to obtain information about her that would help his appeal. The private investigator in this case claimed he could not remember who had hired him to obtain this information. If the investigator had known the circumstances of the case, his actions would have been deplorable. If he did not know, this shows that some investigators will agree to obtain information for clients with no care at all for the consequences of their actions. In October 2005, the investigator in this case was fined £750. As the victim reportedly told the BBC at the time, “It’s maddening really, for people that commit this crime to just receive a miniscule fine—I do think it is wrong.”

“What Price Privacy?” and “What Price Privacy Now?”

The main work the ICO has done that impacts on the activities of private investigators are our reports to Parliament “What price privacy?” and its follow-up report, “What price privacy now”—both published in 2006. These reports documented the unlawful trade in personal information, in which private investigators were found to play a significant role. Our first report contained a recommendation that The Association of British Investigators should extend its National Occupational Standard for Investigation to include explicit reference to section 55 offences, and undertake other specific measures aimed at raising standards among private investigators.

The reports detail cases where the activities of private investigators have put individuals in real danger. They also explain the relationship between private investigators, their clients and their sources of information. We recommend both our reports to the Committee as useful background information about the activities of private investigators. Our conclusion that the possibility of a prison sentence is required to provide an effective deterrent for s.55 offences is as valid now as it was then. As the Committee will know, the ICO continues to push the government to bring the relevant provisions in the Criminal Justice and Immigration Act 2008 into effect.

DPA and the Regulation of Investigatory Powers Act 2000

The relationship between the DPA and the Regulation of Investigatory Powers Act 2000 (RIPA) in the context of private investigators’ surveillance activities is sometimes misunderstood. There is clearly an overlap between the two pieces of legislation in so far as the surveillance activity that RIPA is intended to regulate can lead—in reality generally does lead—to the collection, use etc. of information about individuals—ie it leads to the processing of personal data and is therefore a data protection matter. The RIPA and DPA regulatory regimes are not mutually exclusive.

Private investigators do engage in activities that fall within RIPA’s definition of “covert surveillance”—for example placing a device on a vehicle to track its whereabouts. However, RIPA only applies where a private investigator is paid by, and is acting on instructions from, a public authority to assist the authority with its functions. RIPA provides no protection for individuals who are the subject of “private investigations”—for example where one individual employs an investigator to collect information about another individual. The primary regulation of surveillance in private contexts comes about through the DPA, in so far as this involves the processing of personal data—as it usually will.

ICO will give due attention to any recommendations the Committee may wish to make about the relationship between the ICO and the Chief Surveillance Commissioner, the Interception of Communications Commissioner and about the interface between the DPA and RIPA in the context of private investigators.

Additional Observations

We do not wish to portray the private investigation industry in an unfairly negative way. We can certainly understand why individuals or companies may feel the need to employ an investigator, for example to recover unpaid debts or for other legitimate civil purposes. Official channels entities may offer little or no assistance in cases like this. We recognise that there are investigators that carry out legitimate activities in a lawful way.

However, it is the ICO’s role to regulate compliance with the DPA. The DPA contains important requirements relating to the transparency of information collection, and has only limited exemptions. This means that, given the nature of the work they engage in, even legitimate investigators may find it difficult to comply with the law. Although the ICO, in accordance with good regulatory practice, sets priorities for action and takes a proportionate approach to enforcement, it must apply the law as it stands. It cannot create read exemptions into the DPA if they do not exist, even if their absence may cause legal uncertainty for private investigators—even ones acting responsibly and carrying out otherwise legitimate investigations.

As we said in “What price privacy?”, the ICO is very supportive of the industry’s own efforts to police itself and to set professional standards for investigators. We expect data protection, and privacy more widely, to be recognised in any guiding ethical principles developed by, or for, the industry. Data protection training should be a part of any basic competency criteria. Issues concerning the obtaining of personal data, its quality and security are clearly matters for the ICO. However, we can only deal with the “informational” aspects of a private investigator’s activity. We cannot address issues to do with the broader standards that society expects private investigators operating in the UK to meet—only a trade association with specific responsibilities for the private investigation industry could do this.

A private investigation company’s membership of a reputable professional body, or its supervision by an appropriate statutory regulator, does not mean that it will necessarily comply with the DPA. However, it would be the ICO’s prerogative to target its regulatory action at investigators that have not signed up to industry best practice and to adopt a relatively light-touch in respect of those that have.

Despite all the efforts that regulators or the industry itself may make, we have little doubt that without further steps there will remain a core of individual investigators and investigation companies that will continue to use unacceptable means, such as bribery, subterfuge and harassment, to carry out their business. If a regulatory regime is set up to police the private investigation industry, it will need to be supported by sufficient powers to deal with the less reputable part of the industry. Our own experience of dealing with private investigators suggests that criminal penalties and custodial sentences must be available in order to deal with the most serious examples of malpractice. We have also found that our own limited audit powers—we can only audit private sector organisations with their consent—are, ineffective against the less reputable private investigation companies. We say more about these deficiencies in our enforcement powers in “What price privacy?”.

An advantage of a regulator with specific responsibilities for the private investigation industry might be to make it easier for members of the public to make a complaint and to seek redress where they believe that they have been the victim of unacceptable investigatory practice. As it stands, an individual who wants to make a complaint because they have found a tracking device under their car, or because their voicemail messages have been intercepted, would probably be unsure where to go for assistance. The ICO may only be able to help them with some aspects of their complaint, it at all.

If there is to be a regulator with specific responsibilities for the private investigation industry, its relationship with other regulators and law enforcement agencies will need to be thought through carefully. There is a danger that the creation of an additional regulator could merely confuse affected individuals about who to take their concerns to. Clear lines of responsibility and, as far as possible, a one-stop shop for affected individuals will be important.

Summary

Even legitimate private investigators may find it hard to carry out their work lawfully given the DPA’s general prohibition of the covert collection of personal information.

There appears to be a hard core of private investigators whose activities put the privacy of individuals at unacceptable risk and who rely on rely on illegal methods to obtain personal information. A lack of custodial sentences for breaches of s.55 of the DPA, coupled with the ICO’s limited audit powers, mean the ICO and the courts are insufficiently equipped to deal with them.

A regulator with specific responsibilities for the private investigation industry could help to set the broad ethical and behavioural standards society expects investigators to meet, including respect for individuals’ privacy. It could also provide a mechanism for individuals to raise concerns about the activities of private investigators.

The ICO would support any industry initiatives aimed at promoting informational best practice amongst investigators. However, this alone is unlikely to have the necessary effect on the less reputable part of the market.

January 2012

Prepared 5th July 2012