The ICO has begun an investigation into whether clients of so-called rogue private investigators may have breached the Data Protection Act 1998, after receiving material from the Serious Organised Crime Agency (SOCA).
On 28 August, the ICO took receipt of a list of 98 company and individual clients who SOCA had identified as part of their inquiry into private investigators and the ‘blagging’ of personal information. That investigation, Operation Millipede, saw four men convicted of fraud offences in 2012, after SOCA found they had obtained information illegally.
On 30 August, SOCA passed more than 20 files of material from that investigation to the ICO, including correspondence between clients and the private investigators and receipts for payments. Details of a further nine clients have been withheld by SOCA, at the request of the Metropolitan Police, as they relate to ongoing police investigations.
The ICO states that it will now assess the SOCA material, as well as writing in due course to all the individuals and organisations listed, to establish what information the private investigators provided, and whether the clients were aware that the law might have been broken to obtain that information. The ICO considers that several enforcement options are available to the ICO, depending on the outcome of the investigation:
· Criminal prosecution, for unlawfully obtaining or accessing personal data (known as a ‘section 55’ offence) or for failing to notify as a data controller
· Civil action for breaching the Data Protection Act, with monetary penalties of up to £500,000
· Enforcement notices and undertakings, to oblige changes in policies or procedures
The team will also look to establish whether the clients fall under the ICO’s jurisdiction, with initial estimates suggesting as many as a quarter of the clients may have been based outside the UK. The ICO intends to liaise with its international counterparts where an organisation or individual looks to have breached the Data Protection Act but is based abroad.
The ICO states that it envisages that the initial phase of this investigation will take several months, after which time it will publish an update. Because the ICO is yet to assess the material, and as that assessment may prompt criminal investigations, it is not willing to publish the list of clients at this stage.
Laurence Eastham comments:
The options listed by the ICO seem limited. After all the rogue private investigators were convicted of fraud so the various inchoate offences under the Serious Crime Act 2007 (replacing incitement with wider-ranging offences) would seem to come into play if there was any encouragement or any assistance. Perhaps, even the initial assessment has ruled that possibility out.
The suggestion will no doubt be made that this investigation is a fig-leaf to cover the embarrassment that is felt (or that the mainstream media thinks should be felt) about journalists facing trial when others are not. The press certainly feels hard done by when journalist clients have been charged with involvement in acts which are similar in nature to those carried out on behalf of other clients of the investigators.