Why must you ensure your Private Investigator is GDPR Compliant?
If you are data controller i.e. (business owner / legal professional) and share personal data with a private investigator who is not GDPR compliant, you are breaking the law, risk heavy fines and reputational damage to your business. Therefore, simply understanding some of the very basics will help protect both you and your business. Read on to see an example of one of the most common misconceptions within the industry, which could land you in serious trouble if you get it wrong!
Data Controller & Data Processor Responsibilities
Many of our legal and business clients who instruct us to carry out investigations are by law in accordance with the GDPR ‘data controllers’ there is, however, often confusion regarding roles and responsibilities of the data controller and data processor.
The GDPR states the following:
Data Controller: a data controller determines the purposes and means of processing personal data. If you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
This means you have a responsibility to ensure your investigator is not only competent but also compliant; the act also requires a written contract to be in place detailing those roles and responsibilities.
Data Processor: a data processor is responsible for processing personal data on behalf of a controller. If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.
Previous regulation has been somewhat ‘sketchy’ regarding the data processors legal liability, thankfully, the GDPR now makes this very clear!
The general position of the Information Commissioner’s Office regarding a Private Investigators roles and responsibilities:
Due to the nature of their work,“It is unlikely a private investigator would be a data processor. This is due to the high degree of independence, expertise, control and processing of personal information such as writing and retaining reports, obtaining photographic or video evidence”. Senior Policy Officer (Strategic Liaison)
For the avoidance of doubt the General Data Protection Regulation (EU) 2016/679 (GDPR) states the following:
The fact that one organisation provides a service to another organisation does not necessarily mean that it is acting as a data processor. It could be a data controller in its own right, depending on the degree of control it exercises over the processing operation. The document can be found here
How does this actually work relating to Private Investigation?
There are many private investigators who vehemently disagree with the following example. However, the ICO’s position and guidance are clear. Many will now be forced to change their processes, accept more responsibility or risk prosecution.
Given the ICO’s general position (above), see the following example:
Example: – A solicitor or business owner instruct’s a private investigator to carry out a surveillance investigation in order to ascertain the subjects true levels of mobility.
The solicitor or business owner – Assumes the legal responsibilities as a Data Controller.
The Private Investigator – Assumes the legal responsibilities as a Data Controller.
The reason the PI is a Data Controller and not, as many would assume and argue the Data Processor, is due to the high degree of independence, expertise, control and processing of personal information expected during this type of investigation. Deciding where to observe, record, photograph or write a report turns the processor into a data controller and as such a written contract must be in place between data controllers clearly detailing responsibilities.
Great news for the solicitor or business owner, not so great for the investigator!
Assuming shared Data Controller responsibilities is nothing whatsoever to do with the GDPR. This has been the case for many years in accordance with the Data Protection Act 1998. Many investigators either did not understand the previous regulation or simply chose to ignore it.