Data Protection watchdog probes private detectives hired by banks
Investigation into use of specialist organisations to illegally obtain data about consumers, writes Sarah McCabe
Published 25/10/2015 | 02:30
The Office of the Data Protection Commissioner is probing at least three cases of suspected illegal activity by private investigators hired by banks and insurers.
Having successfully prosecuted several cases of illegal activity by private investigators hired by credit unions, the DPC has expanded its probe into other financial service institutions.
Three private investigators were prosecuted last year for using illegal means to obtain personal information, such as addresses and PPS numbers, from State organisations and passing it to credit unions for tracking debts. In excess of 100 credit unions were enlisting the services of rogue agents to obtain people's data.
Now three live cases, where the DPC has a strong suspicion of data protection offences committed on behalf of banks and insurers, are being progressed by its special investigations unit with a view to prosecution.
The suspected criminal offences relate to the acquisition of personal information unlawfully, with the aim of tracing people who owe banks money or have made claims against insurance companies.
It is not illegal to trace people through lawful means, such as questioning their acquaintances. But it is an offence to dupe companies who hold data into sharing it - by pretending to work for the HSE, for example, to obtain the addresses of medical card patients, or accessing it through Gardai or other insider contacts.
Any organisation which stores personal data, from utility companies to doctors' surgeries, is vulnerable. More and more large organisations are being asked by the DPC to implement traceability programmes, so that it would be possible to trace when and which staff view sensitive data.
The banks and insurers for whom the information is illegally obtained appear to be safe for now. The Data Protection Act only allows the DPC to prosecute the private investigator who commits the offence; at the moment the Commissioner cannot bring an action against the company employing such an investigator.
A fine of up to €3,000 per offence or 12 months' imprisonment can be handed down by the District Court.
The person whose data was shared may also have a civil claim against whoever was storing the data in the first place, if they can prove damage was done.
However, the DPC is understood to be communicating to the financial services industry that companies must ensure any private investigators they employ use legitimate means to obtain information.
It may seek to attach liability to employers where it is clear the company was aware the investigator was acting unlawfully, or where there was no system put in place to prevent the illegal activity.
The DPC operates a zero tolerance policy towards those who obtain personal information illegally. Anyone found to have committed such an offence is prosecuted.
It takes a different approach to marketing-related offences, such as companies who send out unwanted text messages or emails advertising their wares. A 'two strikes and you're out' prosecution policy is taken towards those types of offences.
Separately, a new licensing regime will be introduced next month for private investigators which should help to improve industry standards.
Licensing of private investigators will come under the responsibility of the Private Security Authority (PSA), which regulates cash-in-transit and other security firms.
Only those licensed by the PSA will be able to advertise or represent themselves as a Licensed Private Investigator. It will also be an offence for a person to engage or employ an unlicensed private investigator.
The register will be available online, meaning businesses and the public can check their security provider is licensed by checking the details on the register.
Sunday Indo Business