Law firms which used rogue private investigators (PIs) are now facing an investigation into whether they breached the Data Protection Act, the Information Commissioner’s Office (ICO) has announced.
The ICO has received a list of 98 company and individual clients whom the Serious Organised Crime Agency (SOCA) identified as part of its inquiry into private investigators and the ‘blagging’ of personal information.
The list is said to include 22 law firms, and SOCA’s refusal to publish all those on it has been heavily criticised by newspapers, which see it as a double standard given what has happened to them over phone hacking.
The SOCA investigation, Operation Millipede, saw four men convicted of fraud offences in 2012 after being found to have obtained information illegally.
SOCA has passed more than 20 files of material from that investigation to the ICO, including correspondence between clients and the private investigators and receipts for payments.
Details of a further nine clients have been withheld by SOCA, at the request of the Metropolitan Police, as they relate to ongoing police investigations. It is not known if any of these are law firms.
The ICO will now assess the SOCA material, as well as writing to all the individuals and organisations listed, to establish what information the private investigators provided, and whether the clients were aware that the law might have been broken to obtain that information.
The BBC reported that it has spoken to one solicitor on the list, who said she commissioned a private investigation agency to track down a man who had stolen £20m from her clients. She insisted that she told the agency in writing not to use illegal means.
The ICO said it has several enforcement options available, depending on the outcome of the investigation:
- Criminal prosecution, for unlawfully obtaining or accessing personal data (known as a ‘section 55’ offence) or for failing to notify as a data controller;
- Civil action for breaching the Data Protection Act, with monetary penalties of up to £500,000; and
- Enforcement notices and undertakings, to oblige changes in policies or procedures.
The ICO said the initial phase of this investigation is likely to take several months and that it will not be publishing the list of clients at this stage.
Meanwhile, law firms seeking to employ a PI will from this autumn be able to select one with a British Standards kitemark, in advance of a statutory licensing regime set to be brought in late next year.
Responding to concerns about the lack of regulation of the industry amid the fallout from the phone hacking scandal, home secretary Theresa May announced at the end of July that licensing would begin from autumn 2014.
In the meantime, the British Standards Institution (BSI) is due to launch its own standard, BS 102000, whose official title is Code of practice for the provision of investigative services. The wording of the draft standard has been approved by the relevant BSI committee and is awaiting publication this autumn.
The BSI said the code would provide guidance for PIs and “competency criteria for licensing”. Key areas covered were “conducting investigations and interviews; the search for information and preservation of evidence; effective surveillance; and understanding and working to relevant laws and standards.” It noted that the code also “may be used by those who wish to purchase investigative services”.
Peter Farrington, managing director of Probe Investigations, which has been successfully assessed against the draft standard by SSAIB, an independent security industry certification body, said lawyers could consider the BSI kitemark as a “one-stop due diligence process when seeking to appoint an investigator”.
He added that if ever a law firm was questioned on its choice of investigator or process server by the Solicitors Regulation Authority, it could “comfortably point to BS102000 and say that [its] choice was a prudent one with solid foundation”.