During the normal course of business, many organisations use the services of an investigator. But there are some pitfalls that need to be considered when instructing investigators.
As the instigator of the investigation, you are the Data Controller – you are determining the processing. You choose the investigator who is going to process the personal data for you – your Data Processor. You are responsible for the Data Processor's activities. If they breach data protection law then it is you who stands to be prosecuted or sued in a civil court.
The 1998 Data Protection Act (DPA) requires you to instruct the investigator in writing, and in those instructions include reference to the data protection principles. Not doing so could constitute a breach of the 1998 DPA.
Your investigator, in the first line of enquiry, is likely to access one of the credit databases. According to the Information Commissioner, anyone accessing a credit database becomes joint Data Controller with that credit database. This begs the question: are you, the instructing client, also joint Data Controller with the credit database? And does that therefore make the agent joint Data Controller with you?
If you instructed the agent as part of his investigation to access the credit database, then I think it safe to say that he is acting as your Data Processor and you become joint Data Controller through your Data Processor with the credit database. If you did not instruct the investigator to access a credit database, then he has determined that processing and therefore must be Data Controller, and thus joint Data Controller with you.
However, as joint Data Controller, you may be jointly and severally liable for any breaches of the DPA. Moreover, the credit database may also be liable, because they are joint Data Controller with the investigator.
The investigator is now proceeding with his investigation and sees that he has the need to instruct an agency in Brighton. He regularly uses this investigator, so picks up the phone, explains what he wants done and does not follow it up with written instructions. If investigator (1) is joint Data Controller, the instructions should be in writing, in accordance with the DPA rules.
The question also arises as to what the relationship is between investigator (2) in Brighton and the instructing client. At this stage, it would appear that investigator (2) is Data Processor for the first Data Controller and, although the first Data Controller does not even know he exists, he is still responsible for his activities.
Part of the assignment that is taking place in Brighton requires a surveillance, so investigator (2) instructs two of his regulars to conduct a surveillance. He instructs them by phone as he normally does. He is now determining this aspect of the processing so, if we follow the argument through, he becomes joint Data Controller with you the client, investigator (1) and the credit database. The two new investigators become the Data Processors.
Once the assignment is completed, the information will be handed over to the lawyers and then brought to court. At this stage, imagine you are the lawyer on the other side and, as part of the disclosure process, you have been given the investigator's report. It is your job to find any flaw with the other side's case.
Not a clear case
In this case, the evidence itself would not be challenged; it is quite clear. However, the DPA now allows for the methodology of the investigation to be questioned. If the Data Subject's lawyer can demonstrate that there have been breaches of the DPA, then he can put forward the argument that there is a breach of his client's human rights (Article 6 – "My client is entitled to a fair trial. There is a breach of data protection here, therefore my client is not obtaining a fair trial."). The case is thrown out, with costs awarded in favour of the Data Subject, and the claim is paid. The Information Commissioner is informed and the Commissioner takes appropriate action.
You as the client (first Data Controller) are now seriously out of pocket, and are looking for recompense. You have a potential of three joint Data Controllers and one Data Processor, or five Data Processors, to sue. The recompense you are looking for is the £* million you have had to pay out, plus the legal costs, and any costs incurred with any dealings you may have had with the Information Commissioner. You find that none of the defendants in the action you take are worth £* million, and none of them has professional indemnity, because you did not check beforehand.
The Information Commissioner has decided to prosecute and you end up with a £5,000 fine and a criminal record. You can't rely on the defence that the Data Processor acted outside your data protection guidelines, because when you instructed him you did not give him any, if you had any to give him at all.
In the past, companies have often ignored the potential consequences of such investigations. But privacy laws will become more severe as further directives emanate from the European Parliament. Under the new Private Security Industry Act, investigators will eventually have to be licensed.
Remember, it is you or your company's reputation that is at stake. Think about how much checking do you do on the credentials of investigators that you entrust with your reputation.
Before instructing an investigator ensure that: