A Collection is a selection of features, articles, comments and opinions on any given theme or topic. It allows you to stay up‑to‑date with what interests you most.
Login here to access your saved articles and followed authors.
We have sent you an email so you can reset your password.
Sorry, we had a problem.
Tags related to this article
Published 17 May 2016
There have been two recent developments which shed light on the data protection compliance (or more accurately compliance failings) of private investigators.
First, the ICO has announced that it will be sending officers from its Criminal Investigations team to visit private investigators suspected of unlawful practices. The ICO has decided to take action after gathering information on the handling of personal data by private investigators and uncovering incidences of non-compliance with data protection law.
Second, the High Court's latest decision concerning data subject access requests (SARs) has required a firm of private investigators to comply with the SAR made on behalf of a couple who were the subject of one of the firm's investigations.
The investigators, Community Safety Development (UK) Ltd (CSD), had sought to escape compliance with the SAR on a number of grounds, including the Data Protection Act 1998 (DPA) exemptions for detection of crime, under section 29(1), and legal professional privilege, under paragraph 10 of Schedule 7.
ICO's concerns with private investigators
Private investigators will be acting as data controllers and must therefore comply with the DPA. The ICO is concerned that many investigators are failing to meet their legal obligations and their research has highlighted a number of specific practices adopted by investigators which raise privacy concerns, including:
This ICO action is a reminder to private investigators, and the organisations that instruct them, such as insurers, of the requirement to have regard to compliance with data protection law when conducting investigations.
The High Court considers subject access requests
The recent High Court decision in Gurieva v Community Safety Development (UK) Ltd  has exposed one firm of private investigator's unsuccessful efforts to avoid compliance with a SAR.
Individuals are empowered to make a SAR under section 7 of the DPA and this entitles the individual to be provided with a copy of their personal data. In circumstances where a data controller has failed to comply with the SAR in breach of section 7, a court may order compliance.
There are a limited number of exemptions which data controllers may rely on to avoid having to comply with a SAR; these include:
In the present case, CSD refused to comply with SAR received from the solicitor of the couple it was investigating, and legal proceedings were subsequently issued against CSD.
CSD claimed a number of reasons for not complying with the SAR, including:
The Court noted that where the requester of a SAR is not the data subject, it is reasonable to look for proof of authority. However, if the requester is a firm of solicitors that confirms its authority in the SAR, no more proof should ordinarily be required.
The Court accepted that it was likely that some personal data was processed by CSD for the purposes of detecting crime, but that CSD's attempt to claim a blanket exemption for organisations such as themselves was wrong in principle.
In the Court's view there was certainly some personal data processed by CSD for purposes other than detecting crime, and the Court was not convinced that complying with the SAR would be likely to prejudice any of the matters which are set out in the section 29(1) exemption.
The Court also disagreed with CSD's claim that the privilege exemption applied. This was largely due to CSD's failure to provide sufficient detail in support of its claim. CSD did not provide any reasonable analysis of which personal data would be covered by the exemption and which would not – the Court noted that it was not likely that all data held by CSD would attract privilege.
The Court therefore issued an order for CSD to comply with the SAR.
The case provides useful guidance to data controllers wishing to rely on the crime or privilege exemptions under the DPA.
If data controllers wish to rely on the crime exemption, they need to be able, in the view of the Court, "to demonstrate in detail why the application of the DPA in the usual way would be likely to prejudice one of the specified purposes".
The Court's judgment can be read here.
Submitted by Matthew Wixon, Solicitor
Return to main page >>>
Andrea Ward, Joanne Kingsland
Andrés Amunátegui Echeverría, Sascha Stullenberg
Martín G. Argañaraz Luque
Andrés Amunátegui Echeverría
Juan Diego Arango
Salvador Enrique Urbano Tejeda
Laura Wiseman, Mark Bailey, Georgia Court
Anthony Carrington, Helen Mason