ICO probes private eye clients

A probe into whether clients of rogue private investigators have breached the Data Protection Act has been launched by the Information Commissioner’s Office (ICO).

The move comes after the Serious Organised Crime Agency (Soca) last week handed the ICO a list of 98 organisations and individuals that had been identified in a police inquiry as clients of private investigators who illegally obtained personal information.

Under the inquiry, codenamed Operation Millipede, four men were convicted of fraud offences in 2012, after SOCA found they had obtained information through “blagging”  - impersonation or deception – and other illegal methods.

The findings have been scrutinised by the Home Affairs Select Committee, which called for the names of the private investigators’ clients to be made public. Committee chairman Keith Vaz compared one of the cases to the phone hacking of murdered school girl Millie Dowler by the former News of the World newspaper.

On Friday, Soca passed more than 20 files from Operation Millipede to the ICO, including correspondence between private investigators and their clients and receipts for payments. Details of a further nine clients were withheld by Soca on the grounds that they related to ongoing police investigations.

In a statement released today, the ICO said it would now assess the Soca material and would write to all the organisations and individuals on the list in due course. It would ask the clients what information private investigators had provided them with, and whether they were aware that the law might have been broken to obtain the information.

The ICO stated that enforcement options open to it – depending on the outcome of the investigation -  included:

• Criminal prosecution, for unlawfully obtaining or accessing personal data (known as a ‘section 55’ offence) or for failing to notify as a data controller
• Civil action for breaching the Data Protection Act, with monetary penalties of up to £500,000
• Enforcement notices and undertakings, to oblige changes in policies or procedures

“The team will also look to establish whether the clients fall under the ICO’s jurisdiction, with initial estimates suggesting as many as a quarter of the clients may have been based outside the UK,” it stated.

“We will liaise with our international counterparts where an organisation or individual looks to have breached the Data Protection Act, but is based abroad.”  

The ICO stated that an update on the investigation would be published at the end of its initial phase which was expected to take several months.

“As we are yet to assess the material, and as that assessment may prompt criminal investigations, we will not be publishing the list of clients at this stage,” it added.