You are the employer of a man who’s been off work sick for some time, and you suspect that he is either putting it on, or is actually working somewhere else, while you’re still paying him. You want to see if the man is defrauding you, and you have hired a private investigator (PI). The PI sets about looking into the case. A typical first stop is ‘internet public facing data’; is the man – let’s say he is claiming he has a bad back – showing off with pictures on Facebook doing hand stands with his children in the garden?! The PI puts the man’s home under surveillance, and follows him, to see if the man acts or moves in a way that proves or not that the man is exaggerating his injury. Such as; setting off for a job in the morning.
That’s a typical case for a PI, and – mapped out in words by Association of British Investigations (ABI) secretariat Tony Imossi (pictured) – is a data protection impact assessment (DPIA), part of a data protection code of conduct that is out to consultation among ABI members and more widely in July 2020. For in that hypothetical story are all the ingredients of a DPIA: an outline of the case and its purpose, the objective; the ‘lawful basis for processing personal data’; the investigator’s method; and any risks such as ethical issues.
The 42-page document not only sets out data protection for the ABI member and PIs more generally; Tony Imossi has drawn up where the PI sector stands. He’s the ideal man to do it, both in terms of his position, as a practitioner and long-time office holder in the ABI; and thanks to his memory of working for regulation of the sector. For instance, who else recalls the mid-2000s reports by the UK data protection regulator the ICO, titled What Price Privacy, and What Price Privacy Now? Since then, the Leveson Inquiry in the early 2010s laid out as part of the official review into News of the World phone-tapping scandal, the part played by people calling themselves private investigators. As Tony says, part of the problem is that anyone can say they are a PI – base themselves anywhere thanks to the internet, and in truth be an information broker, finding any information for anyone, no matter how intrusive.
The ABI was informing its members about the new general data protection regulation (GDPR, made into UK law as the Data Protection Act 2018) well before it became law in May 2018; Professional Security Magazine attended a seminar on GDPR for ABI members in London in September 2016.
How, then, is the PI to work competently, as a professional, and to comply with the GDPR? Hence this code of conduct, not only so that the PI carries out surveillance within the law, even if without the person being watched knowing, let alone giving consent. Data has to be handled and stored lawfully – if the PI jots down details of someone else while putting the suspected malingerer under surveillance, those notes if not necessary to the case should be destroyed, for example.
As the code lays out, what is the lawful basis of a case before the PI begins to process personal data (whether a husband suspecting that his wife is unfaithful, or a family seeking a missing relative, or an insurance company checking that a claim is not a ‘crash for cash’ set-up).
Tony sets out a ‘snapshot’ of the UK’s private investigation industry, largely, he writes, ‘a loose, unquantified network of unvetted, untrained, unqualified, unregulated, unlicensed, self-employed individuals with sub-contracted instructions’. Some franchises and partnerships employ staff; some are even international. Yet the sheer volume and variety of work – investigation of traffic accidents, or intellectual property theft; tracing debtors; whether a company director is taking bribes; or to return to the original example, if a ‘trip of slip’ insurance claim is bogus – means that much is sub-contracted out to the proverbial one man (or woman) self-employed bands. As Tony stresses, many of them are honest and hard-working ‘and do their very best to act professionally’.
Unfortunately, as Tony adds, the information brokers calling themselves PIs ‘are nothing other than common, white collar criminals’ who make money by invading privacy. Global emails and the internet means anyone can try their hands as a PI, hence ‘a noticeable diminution of integrity, quality, financial probity and professionalism within the sector’.
A bugbear of Tony’s is that the sector is so unchecked, no-one can say how many PIs are in the UK, even. It’s in the thousands, whether 2000 or 10,000, and much may depend on your definition of PI – and, given that anyone can call themselves a PI, and they are in fact a loss adjuster or bailiff, the question may be meaningless. Meanwhile, all sectors of society (insurers, solicitors, businesses chasing up debtors)want ever more information and ever faster. “It seems incredible then,” Tony concludes, “that the UK is one of the remaining countries in the free world where there is no current system for the vetting, registration or licensing of investigators in the private sector.”
As Tony touches on, the Private Security Industry Act 2001 allows for PIs to be badged, and as Home Secretary Theresa May went so far as to announce that the Security Industry Authority (SIA) would indeed badge PIs; it never happened. Given that ‘lack of political will’, how to protect the public? Not only from a PI gathering who knows what data, but to have that data under control, for example, so that it isn’t hacked and spread? The code of conduct goes through the data protection principles as long set out under UK law.
Not least, the code sets out who is responsible for what. The data controller, it suggests, is the client, whether a mom searching for the child she gave away for adoption, or the law firm acting as an intermediary, on an individual’s behalf. The PI is generally the data processor. The code urges a written agreement or contract between client and PI, because for one thing ‘too often the service provider takes it for granted the fee-paying client has a right to investigate an individual’, without the PI assessing the impact and risks of such processing of personal data.
As the code hints, it’s for the PI to know his business, because the corporate or citizen looking to hire a PI is ‘inexperienced’ and won’t know the law. Hence a three-part ‘legitimate interest’ test – is there a legitimate interest, is it necessary to process data to achieve it, and how to balance the interests and rights of the person under surveillance?
In short, far from being a dull document about compliance, the 43-page code sets out how to go about the business of being a PI; including, how to address risk and security – such as, protecting your email or other communications with the client of data gathered.
