The UK Information Commissioner’s Office investigates unlawful access to personal information through the use of private investigators.

October 16, 2013 |

In Exclusive: Blue-chip hacking scandal – at last, the investigations into those on Soca list begin the Independent reports on an investigation by the UK Information Commissioner’s Office into law firms, financial organisations and insurance organisations who unlawfully obtained personal information through the use of private investigators.

It provides:

Nineteen blue-chip clients of corrupt private investigators are to be investigated for criminal offences after disclosures in The Independent forced law enforcement agencies finally to act upon evidence they had buried for seven years.

The Information Commissioner’s Office (ICO) has announced that law firms, financial organisations and insurance companies are to be probed for unlawfully obtaining personal information on up to 125 victims.

Investigators from the ICO have spent two weeks examining 31 files of invoices, notes and reports originally seized by the Serious Organised Crime Agency (Soca) during an investigation that began in 2008. The 19 organisations being investigated on suspicion of knowingly commissioning criminality comprise five retailers, three insurers, four legal firms, two financial organisations and one construction company.  Soca’s officers knew the private investigators had committed serious criminal offences, including computer hacking, as far back as 2006 – yet took no action.

A four-year investigation codenamed Operation Millipede ignored the worst offences, and the role of the clients who fuelled the unlawful trade in personal data. The four PIs were jailed for minor offences in 2012 but the organisations that hired them escaped scrutiny until The Independent revealed Soca’s inaction in June.

Trevor Pearce, the agency’s director-general, eventually agreed to pass files on 98 clients over to the ICO in August to investigate for criminal breaches of the data protection act. And today, the Information Commissioner, Christopher Graham, admitted that Soca’s inaction may have let some of the clients off the hook when he revealed that 12 of the companies were now inactive.

Keith Vaz, chairman of the Home Affairs Select Committee – which is investigating the case – said: “I am baffled that for over four years Soca failed to conduct a scoping exercise which has taken the ICO only two weeks to complete. These issues could have been dealt with years ago.”

In a letter to Mr Vaz, Mr Graham outlined the initial inquiries conducted by his investigators since they took possession of the material last month. He said: “From material examined, I can say that in the case of 19 clients falling into the category of active there is evidence of a section 55 and/or data protection breach… it appears that the number of data subjects (victims) who we believe to have been affected is in the region of 125. This figure is arrived at based on the taskings recorded by the 19 clients.”

The names of almost 100 blue-chip companies identified by Millipede were handed to the Home Affairs Select Committee in July.  But the agency’s former chairman, Sir Ian Andrews, ruled that the information should be classified to protect the “financial viability of major organisations” rather than “tainting them with public association with criminality”.

One week later he resigned after it emerged that he had failed to declare to the committee that he owned a private company with his wife, who worked for a leading corporate intelligence firm, the Good Governance Group.

The case has raised accusations of double-standards at a time when the Press is at the centre of the largest criminal investigation in British history over practices which include the hiring of corrupt private eyes.

Even Mark Lewis, lawyer for the family of murder victim Milly Dowler, whose phone was hacked by News of the World journalists while she was missing, has said: “Consistency demands that the same rules apply to all, whether you run a newspaper, a pharmaceutical company or a law firm.”

The Home Affairs Select Committee voted unanimously to publish the classified list, but was persuaded to delay after the ICO launched its investigation. However, it is unclear whether the ICO will be able to mount successful prosecutions after Mr Graham admitted the “seven-year dither” may allow the clients to escape action.

Those on the client list compiled by Soca reportedly include X Factor mogul Simon Cowell, accountancy firm Deloitte, the banks Credit Suisse and Chase Manhattan, and the law firms Richards Butler (now Reed Smith), Herbert Smith Freehills and Clyde and Co.

Soca, which is being abolished and rebranded as the National Crime Agency, has stressed that featuring on its list does not indicate wrongdoing, as the clients may have been unaware of the methods the PIs were using.

Timeline: Quest for the truth

22 June The Independent reveals Soca sat for years on evidence that some of Britain’s most respected companies hired rogue private eyes.

18 July The Independent reveals Sir Ian Andrews, former Soca chairman, says the blue-chip clients should not be identified as it would damage their commercial interests.

22 July The Independent reveals Sir Ian, who helped to block publication of the list, failed to declare to the Committee that his wife worked for a private investigations firm.

24 July Soca passes the list of 102 blue-chip companies to the Home Affairs Select Committee, but classifies the information to save big companies from being “tainted with public association with criminality”.

1 August Sir Ian resigns.

31 August Soca finally hands the historic evidence on 98 blue-chip clients to the Information Commissioner days before Trevor Pearce, its director-general, reappears before the Home Affairs Select Committee.

The media release by the ICO is found here and it provides:

The ICO has begun an investigation into whether clients of rogue private investigators may have breached the Data Protection Act, after receiving material from the Serious Organised Crime Agency (SOCA).

On 28 August, the ICO took receipt of a list of 98 company and individual clients who SOCA had identified as part of their inquiry into private investigators and the ‘blagging’ of personal information.

That investigation, Operation Millipede, saw four men convicted of fraud offences in 2012, after SOCA found they had obtained information illegally.

On 30 August, SOCA passed more than 20 files of material from that investigation to the ICO, including correspondence between clients and the private investigators and receipts for payments. Details of a further nine clients have been withheld by SOCA, at the request of the Metropolitan Police, as they relate to ongoing police investigations.

The ICO will now assess the SOCA material, as well as writing in due course to all the individuals and organisations listed, to establish what information the private investigators provided, and whether the clients were aware that the law might have been broken to obtain that information.

Several enforcement options are available to the ICO, depending on the outcome of the investigation:

  • Criminal prosecution, for unlawfully obtaining or accessing personal data (known as a ‘section 55’ offence) or for failing to notify as a data controller
  • Civil action for breaching the Data Protection Act, with monetary penalties of up to £500,000
  • Enforcement notices and undertakings, to oblige changes in policies or procedures

The team will also look to establish whether the clients fall under the ICO’s jurisdiction, with initial estimates suggesting as many as a quarter of the clients may have been based outside the UK. We will liaise with our international counterparts where an organisation or individual looks to have breached the Data Protection Act, but is based abroad.

We envisage the initial phase of this investigation will take several months, after which time we will publish an update. As we are yet to assess the material, and as that assessment may prompt criminal investigations, we will not be publishing the list of clients at this stage.

 

 

 

Leave a Reply





Verified by MonsterInsights