ICO probes clients of private investigators who broke the law on their behalf
Who knew what and when?
The UK's privacy watchdog is now investigating whether corporate giants and others breached the Data Protection Act by hiring private eyes who allegedly hacked systems and blagged personal records.
The Information Commissioner’s Office (ICO) has received a list of 98 companies and individuals probed by the Serious Organised Crime Agency (SOCA) - which had been looking into claims of private investigators unlawfully accessing records and “blagging” personal files to get information for their clients.
SOCA's investigation, dubbed Operation Millipede, resulted in the conviction of four men for fraud last year. On 30 August, SOCA passed more than 20 files related to this investigation to the ICO, including correspondence and receipts between clients and the private gumshoes.
Details of a further nine clients have been withheld by SOCA, at the request of the Metropolitan Police, as they relate to ongoing criminal investigations.
The ICO will now assess the SOCA material to establish whether or not the private detectives' clients were aware that laws may have been broken in obtaining requested information.
SOCA was heavily criticised for sitting on the information for several years: it's claimed the cops' dossier revealed a hive of illegal activity - and a level of wrongdoing that was far more widespread than the allegations of newspaper reporters' voicemail-eavesdropping and blagging that led Rupert Murdoch to close the News of the World.
The ICO can wield several powers, depending on the outcome of the investigation, to end any data snaffling or possibly launch a criminal prosecution. Unlawfully obtaining or accessing personal data, contrary to section 55 of the Data Protection Act 1998, or for failing to notify as a data controller, could result in a prosecution against the customers of dodgy private dicks.
Other enforcement options include a civil action for breaching the Data Protection Act, with monetary penalties of up to £500,000, and enforcement notices and undertakings, to oblige changes in policies or procedures. The ICO will also establish whether the clients fall under the ICO’s jurisdiction. Initial estimates suggesting as many as a quarter of the clients may have been based outside the UK.
"We will liaise with our international counterparts where an organisation or individual appears to have breached the Data Protection Act, but is based abroad," an ICO statement explains.
The ICO warned that even the initial phase of its investigation is likely to take several months. It will not be publishing the list of clients at this stage, it says, so as not to prejudice any potential criminal prosecution. ®