Private investigators convicted of unlawfully obtaining personal information
November 22, 2013 |
The Information Commissioner of the UK has issued a media release (found here) about a conviction of two private investigators who tricked organisations to obtain personal information, usually in connection with debt recovery actions.
The Press Release provides:
Two men who ran a company that tricked organisations into revealing personal details about customers have today been found guilty of conspiring to breach the Data Protection Act.
Barry Spencer, 41, and Adrian Stanton, 40, ran ICU Investigations Ltd in Feltham, Middlesex. The pair were convicted at Isleworth Crown Court of conspiring to unlawfully obtain personal data. Five employees of the company had previously pleaded guilty to the same offence: Robert Sparling (38), Joel Jones (43), Michael Sparling (41), Neil Sturton (43) and Lee Humphreys (41). The company ICU Investigations Ltd was also found guilty as a separate defendant. A sentencing hearing has now been listed for the 24 January 2014.
ICU Investigations Ltd worked on behalf of clients to trace individuals, primarily for the purpose of debt recovery. The court heard the company had routinely tricked organisations including utility companies, GP surgeries and TV Licensing into revealing personal data, often by claiming to be the individuals they were trying to trace. Clients included Allianz Insurance PLC, Brighton & Hove Council, Leeds Building Society and Dee Valley Water.
An ICO investigation estimated there were nearly 2,000 separate offences between 1 April 2009 to 12 May 2010.
ICO Criminal Investigations Team Manager Damian Moran said:
“Private investigators must learn they are not above the law. While the majority of private investigators go about their business in an honest manner, unscrupulous operators such as ICU Investigations Ltd taint the industry and blight the reputations of their counterparts.
“These men knew they were breaking the law, but did so anyway, presumably confident they would not be caught. That faith was misplaced, and they and their employees will now face the consequences of their actions.”
The ICO found no evidence of criminality by any organisation that employed ICU Investigations Ltd. The information requested could typically have been obtained legitimately, and there was no evidence clients were aware the data had been obtained by illegal means.
Unlawfully obtaining or accessing personal data is a criminal offence under section 55 of the Data Protection Act 1998. The offence is punishable by way of ‘fine only’ – up to £5,000 in a Magistrates Court or an unlimited fine in a Crown Court. The ICO continues to call for more effective deterrent sentences, including the threat of prison, to be available to the courts to stop the unlawful use of personal information.
Information Commissioner Christopher Graham said:
“Public confidence in the security of information held about them is the foundation on which all sorts of online services and developments depends.
“The public expects to see firmer action taken against people who break the rules in this area, and Parliament needs to recognise that. I spoke with the Home Secretary Theresa May on this matter earlier this week to urge her to introduce more effective sentences for these kinds of offences, and she has agreed to meet me to discuss the matter. That conversation needs to result in action.”
Changes to allow the courts to issue custodial sentences where personal data has been illegally obtained are already on the statute book, as part of the Criminal Justice and Immigration Act 2008, but are yet to be commenced, despite endorsement by several senior officials.
With an interest in privacy and a practice in privacy law it never ceases to amaze me how on the one hand the Privacy Act can be either misunderstood or abused to screen information and act as a brake on information flow but on the other the procedures and training can be so lax that vital personal information can be provided to exactly the wrong people. The Privacy Act may be 25 years old however the instances of the same sort of breaches occuring is quite consistent. Hopefully the Privacy Commissioner with his new powers in March next year will make a difference.