Tony Imossi of the Association of British Investigators (ABI) explores the practice of processing personal data without an individual’s knowledge, and outlines the risks it poses to solicitors

Covert processing of personal data is a common occurrence in professional investigations, and a service regularly utilised by lawyers, especially when commissioning trace / locate assignments.


Lawful processing of data

This covert processing can take place in a number of ways, including by obtaining information indirectly from third parties or by extracting data from web browsers. A prevalent misconception holds that open-source processing for commercial purposes, as opposed to domestic and household ones, is exempt from data protection laws.

The relationship between a legal professional and their chosen investigative or litigation support service provider is usually consistent with the role of controller instructing a processor. While doubtful, the prospect of a joint controllership exists.

Therefore, the decision of identifying the lawful basis for the processing, assessing the risk of harm and other key general data protection regulation (GDPR) requirements, falls on the lawyer / controller, who must put in place written and clear instructions, setting out the GDPR roles and responsibilities. The service provider / processor will, in any event, have the legal duty to assist the controller generally on all data protection matters. This includes the elimination or mitigation of any risk of harm to the individuals, something that could easily be overlooked, when only in receipt of the end client’s version of the scenario.

Service provider compliance

Practitioners will no doubt be aware of their legal responsibilities, but do they insist on their service providers also being as GDPR savvy?

Last year the Information Commissioner’s Office (ICO) was concerned that vulnerable people, such as victims of abuse, might be at high-risk of harm by trace enquiries. The ICO sought to understand operational practices when conducting tracing activities, interactions with clients and traced subjects, and the legal and ethical considerations taken. The ICO also wanted to know how service providers ensure compliance with the data protection legislation when facilitating trace requests.

In its findings and recommendations, the ICO highlighted the importance of conducting risk assessments and due diligence checks to identify any risks that may impact data subjects. The ICO also advised the integration of data security and privacy measures into all data processing activities, with considerations taken to the nature and purpose of the processing.

GDPR Code of conduct

The ICO advised that concerned support groups for victims of abuse were being informed of the ongoing work between the ICO and ABI in the development of a proposed UK GDPR code of conduct.

By enhancing compliance with data privacy laws and promoting uniform standards throughout the industry, the code may enable investigative and litigation support service providers who aspire to become code members to instil trust and confidence in the sector.

The code addresses good practice in four main areas that the ABI recognised as being challenging for service providers:

  • identifying and communicating their role and responsibilities
  • the lawful basis for processing data
  • conducting legitimate interest assessments, and
  • data protection impact assessments (DPIA).

Because of the nature of a trace / locate assignment, invisible processing activity is unavoidable. The person cannot exercise their right to data protection or monitor how their data is used by the controller if they are unaware that their personal information is being gathered and used.

The risks of infringment

This opacity in processing poses significant risks, as individuals are deprived of the opportunity to control or request information about how their personal data is being handled. The correct application of an exception or exemption, or the informed use of the code’s DPIA template, may offer individuals some protection against the risk of harm, whilst addressing the chosen professional investigator’s risk of infringing data protection laws in the invisible processing activity.

On glancing at the above four key issues, a lawyer may promptly recognise how they could alleviate their own compliance risks by requesting that their preferred service providers participate in the code scheme.

If approved, code membership will be a voluntary programme open to any investigative agency that meets the criteria; most will qualify, but those who do not take their obligations under GDPR seriously, will not. The ABI is author and code owner. An independent monitoring body accredited by the ICO will monitor code member compliance with the code.