Home affairsLetter from Christopher Graham, Information Commissioner, to the Chair of the Committee, 30 September 2013

OPERATION SPRUCE—REVIEW AND ASSESSMENT OF SOCA LIST

When I appeared before your Committee on 10 September, I set out how the Information Commissioner’s Office (ICO) intended to treat the material passed to us by the Serious Organised Crime Agency (SOCA) at the end of last month.

I said that the ICO’s approach would be to review promptly the files handed over to us, pertaining to 98 clients of the four private investigators convicted as a result of Operation Millipede. I explained that the project would begin with a seeping exercise.

I have now received the report of my staff and, with my return to the office this morning following attendance at the International Conference of Data Protection Commissioners last week, I am able to update the Committee on progress to date. I stand ready to attend your Committee on 8 October and answer questions.

As I indicated in my evidence to the Committee, the ICO intends, so far as possible, to conduct a transparent process and to give timely progress reports. Naturally, I must be careful about what, and how much, I make public so as not to prejudice ongoing investigations. With that proviso in mind, I can report as follows.

My staff have reviewed the 31 lever arch folders of material handed to us by SOCA. The folders contained copies of exhibits seized from the offices and premises of the private investigators. The material related to the 98 clients of the investigators. Between 3 and 23 September my staff have been analysing material relating to those 90 clients who were not among the eight who had been used as evidence as part of Operation Millipede, in order to establish whether or not there was evidence of potential breaches—criminal or civil—of the Data Protection Act 1998 (DPA) linking a client to a private investigator. My staff also sought to establish whether clients were, or were not, still operating. They also sought to establish whether or not clients were in the jurisdiction and what was their notification status with the ICO under the DPA.

From a very thorough examination of the invoices, correspondence, notes, reports, evidence, ledger details and other miscellaneous material, together with open source research from Companies House and the ICO’s own records, my staff have established that of the 90 clients, 12 may be classified as inactive in that there is evidence that the business is no longer trading, either because the business is shown as dissolved at Companies House or there is specific mention of the business closing in other material. A further 67 clients are clearly active from evidence at Companies House, the public register or from an active website or, in the case of private individuals, that the person concerned can be traced and contacted. But of these 67, 24 are located outside the jurisdiction. In the case of a further 11 clients we have at present insufficient information. This is due to the lack of an address or lack of an entry at Companies House, the public register or the internet. These 11 could be regarded as either active or inactive as new information comes to light. We believe six of these are based in the UK, four are out of the jurisdiction and the location of the remaining client is unknown.

The ICO team reviewed the material to identify whether there was evidence of:

1.A potential section 55 DPA breach.1

2.A potential breach of the data protection principles (a civil matter).

3.Further enquiries needed to establish the reasons the “client” instructed or tasked the private investigator in order to establish whether or not there is prima facie evidence of an offence.

At this stage, the material relates to the period 2001 to 2009. From material examined, I can say that in the case of 19 clients falling into the category of active there is evidence of a section 55 and/or a data protection breach. The evidence varies in detail and will either require further investigation or assessment by senior staff and ICO lawyers before any enforcement action is considered. The 19 clients can be listed by the following business type:

Construction (1)
Financial (2)
General retail (5)
Insurance (3)
Legal (4)
Private investigators (3)
Security industry (1)
(Total 19)

From the evidence to hand it appears that the number of data subjects (victims) who we believe to have been affected is in the region of 125. This figure is arrived at based on the taskings recorded by the 19 clients.

The seeping exercise has identified a series of specific actions which are required to take the project forward but at this stage I can say that the ICO will commence a criminal investigation into each of the potential breaches of section 55 of the DPA including conspiracy, and breaches of the data protection principles. The ICO’s investigation will focus its activity on the potential criminal breaches of the DPA. We will also coordinate contact and engagement with relevant data protection authorities overseas. Furthermore, we will initiate contact and engagement with any remaining clients, aimed at prevention and education and stronger compliance with the DPA.

I can report that on 19 September a roundtable meeting to coordinate activity was held at the offices of SOCA involving the Solicitors Regulation Authority and the Financial Conduct Authority, SOCA, the Metropolitan Police, and the ICO. A further roundtable meeting is to be arranged for mid October to discuss the wider strategic issues arising.

I am concerned to avoid compromising any strands of my investigation. In this connection I should like to reemphasise the continued need for the Committee not to take any further steps to publish the details of clients on the so-called SOCA List.

I will update the Committee next week with any further developments and address the issue of priorities and resources.

I hope this is helpful.