The New Year is an ideal time for all businesses to reflect on the previous twelve months’ performance, what lessons were learned, and how improvements in output could be made for the year ahead. Those ups and downs of 2021, including occasional false hopes of full recovery, undoubtedly challenged us all, but one thing we learned here was not only to ensure the policies we had in place were fit for purpose, but also that we adhered to them. We needed to ask ourselves, “Does what we produce meet legal requirements?”
Naturally, Data Protection was at the forefront of our minds. With still so many interpretations of relatively recent legislation being bandied about, could we justify our own understanding of its complexities? As with much of what the EU imposed on the UK, GDPR seemed to be one more piece of complicated legalese which would present lawyers with a potential goldmine; something else to pontificate on and argue its finer points.
Frontline members of our staff had attended ABI workshops. We were, therefore, well aware it was essential to compile and consider a data protection impact assessment (DPIA) for each type of case, perhaps combining it with the legitimate interest assessment (LIA). In addition, we were content that we at least understood the basics of the Act.
It was, therefore, somewhat ironic when, towards the latter part of 2021, it was a law firm which phoned us and displayed a total disregard for the law. In relation to an intellectual property matter, we had been recommended to provide due diligence on a number of individuals preparatory to civil litigation. In particular, could we deliver a full list of all criminal convictions in relation to the parties for the other side? Contemporaneous notes of the ensuing conversation read . . .
Q: Let me just clarify that . . . you want internet research on any criminal convictions reported in the public domain, or am I understanding you wish us to access criminal records?
A: Full criminal record check, please.
Q: You are aware of the Data Protection Act and that what you are requesting would be highly illegal?
A: I know all about the Data Protection Act.
Q: Would you like to send us an email please and we will address it accordingly.
Our immediate reaction was to check out the law firm, finding it was a small outfit but had certainly been in business for many years. The paralegal who had called us clearly existed too. The expected email arrived some 24 hours later and, whereas the ‘full criminal records’ demand was no longer present, we were still being asked to quote for the provision of material information of directors, ex-directors, shareholders, and companies, regarding past convictions, civil suit, bankruptcy and other insolvency. Furthermore, the firm confirmed that they were aware of data protection and helpfully added, “This can be done by investigating in local news publications, news or any social media platform.” We politely drew their attention to our concerns and declined the invitation to quote.
Those concerns included what we had learned at the GDPR workshops . . . “Personal data relating to criminal offences are in addition to the lawful basis under Article 6 of the UK GDPR requirement subject to additional conditions, [and are commonly treated as being equivalent to special category (sensitive) personal data], because of the potentially significant impact that the processing of such data can have upon the data subject. The additional conditions [there are currently 28 to choose from] are set out in Schedule 1 of the Data Protection Act 2018 and the ICO website.” The law firm may have been able to support the requirement with one of the requisite conditions, but it was clear to us that they had not considered the compliance issues, nor, more to the point, carried out their own DPIA, being also a controller or joint controller in this proposed enterprise.
Members who have attended an ABI GDPR workshop will already be aware that the investigator’s and/or the client’s legitimate interest alone is not enough, and most certainly ABI members would need to conduct both a DPIA and LIA. I am sure our members who contemplate processing criminal offence data already have the requisite Policy Statement and the ability to conduct a DPIA and LIA.
These points were so evidently alien to the law firm in question. It should be less of a surprise that they may similarly be unfamiliar to many less-qualified potential clients looking for assistance from the investigation industry. It is, therefore, incumbent on the professional members of the ABI to lead the way.
Meantime, we hope that our 2022 clients have a better understanding of what can and cannot be achieved . . . in a legitimate manner.
Source: Dick Smith QPM
IP Forensics [GB] Ltd
[ABI Governing Council]