Included in this issue: General Data Protection Regulation (GDPR) adopted by EU; Private investigator (PI) forced to comply with subject access request (SAR); ICO to review private investigators (PI) for data privacy compliance and more...
General Data Protection Regulation (GDPR) adopted by EU
The EU has issued a final codified text of the GDPR on 14 April 2016. The new laws are expected to be in force in just over 2 years, meaning that it is crucial for organisations to start preparations now. Increased rights for individuals and higher penalties mean that organisations should pay close attention to their data protection strategies.
Private investigator (PI) forced to comply with subject access request (SAR)
The High Court has ordered a PI firm to comply with a SAR issued by a couple connected to a company it had been investigating.
The PI sought to refuse the SAR on the basis that the data was used to detect/prevent crime and apprehend criminals, but on the facts the court was unconvinced that complying with the SAR would prejudice such public interests. There was no blanket exemption for the PI due to the nature of its work. The court also rejected arguments that the data constituted legally privileged material. This demonstrates the high burden faced by companies seeking to rely on exemptions to access.
In line with the ruling in the recent case of Dawson-Damer, the court held it would be proportionate to force compliance with the SAR. In Dawson-Damer, ordering disclosure under the SAR was considered disproportionate since it would be better dealt with under foreign disclosure rules.
Commenting on the motive of the SAR, the court seemed to suggest that mixed motives (including obtaining information with an eye to potential litigation) may not prevent a SAR being enforced provided there was a legitimate reason for the data subject to seek access, but the court did not rule on this point. The legitimate reason in this case related to concerns that the PI held inaccurate data.
ICO to review private investigators (PI) for data privacy compliance
PIs should check their data protection practices now, following an announcement that the Information Commissioner's Office (ICO) will visit PI firms suspected of wrongdoing to check their compliance with data privacy rules. The ICO expressed concern that a number of PIs were flouting data privacy rules, particularly by: storing large amounts of data and selling it to paying customers; hacking and “blagging” to illegally obtain data; and failing to register with the ICO, which is a criminal offence.
Failure to comply with ICO notice leads to prosecution
Failure to comply with a third party information notice issued by the ICO led to the prosecution of Keurboom Communications Limited and its director and fines of £1500 and £1000 respectively. The information notice had been made in connection with ongoing investigations for breaches of the Privacy and Electronic Communications (EC Directive) Regulations 2003 – which deals with electronic marketing and advertising and also contains rules on cookies, security breaches and customer privacy regarding phone directories, traffic data, and location data. This sends a clear message to companies: comply with ICO investigations, or face penalties.