The Information Commissioners Office (Good Practice Notes): “When can I disclose information to a private investigator”, advised that, “Private investigators should use caution when requesting information about individuals from an organisation. In making your request you will also be disclosing personal information about the individual, for example that they are involved in legal proceedings or are a beneficiary. Do not disclose any more information than is necessary for your request to be properly considered by the organisation. Do not deceive or mislead organisations as obtaining the information in this way is likely to be a criminal offence under the Act”… The above mentioned passage is self explanatory and I know that you will be careful about requesting / disclosing personal information unnecessarily.
So what is a Data Controller?
A Data Controller is a person who by themselves or with others determines the purposes and the manner in which personal data is processed or might be processed. A data controller must be a “person” recognised in law, such as: an individual, an organisation, or a corporate or unincorporated body of people. Essentially, you are a Data Controller and your compliance begins when you fulfil your statutory duty to declare yourself or your business or company to the Information commissioner’s office at Wilmslow in Cheshire, you join the published list of “Data Controllers”.
Under the Data Protection Act 1998 you could request a disclosure of information. The sections that set out the grounds under which the Private investigator could (Until 24th May 2018) apply for information to be disclosed were: Section 35 and section 29.
The Data Protection Act 2018 / General Data Protection Regulation came into force on: 25th May 2018 and allows data controllers to disclose information, provided a careful assessment and threshold analysis justifies the data release. So, if you need information to be disclosed in connection with legal or prospective legal proceedings (DPA98 Sec 35) – make applications using: Schedule 2, Part 1, Paragraph 5 (3) [a]
Schedule 2, Part 1, Paragraph 2 (1) [a] (DPA98 Sec 29) sets our the specific conditions if you are Preventing or detecting unlawful acts, Protecting the public against dishonesty or investigating fraud.
In practice this method of obtaining information is far from ideal. The Data Controller who has the information in not compelled to release the information and this makes the cumbersome and time consuming process somewhat unpopular, but, it is a method by which we can proceed in our investigations and should be used, “As” and “When”.
The Information Commissioners Office has produced a general guide that can be used for further information.
We always cover the Data Protection Act and GDPR when we deliver training at: Private Investigator Training UK
Kevin J Regan, Private Investigator Tutor