Thursday, 10 October 2013

ICO to send some people a (potentially) lucrative message next year

Just like Willy Wonka, our Information Commissioner could be making a select group of people very happy sometime next year.

No, Christopher Graham won’t be handing out golden tickets to enable people to tour an enchanted chocolate factory. But he may be writing to 125 victims of Operation Spruce.

Back in 2008, investigators at the Serious & Organised Crime Agency started Operation Millipede, which, in February 2012, led to the convictions of four private investigators who had been engaged by some 98 clients who were seeking personal information about individuals. Some of the personal information was evidently to be obtained in dodgy ways. But which of these clients knew that the private investigators would be using unlawful methods to obtain the information that had been requested? The offences were carried out between January 2007 and May 2009.

To cut an extremely long and tedious story short, over the summer SOCA passed the ICO a bundle of some 31 lever arch files, and invited them to read the files and work out who had breached data protection law. Following a careful analysis by ICO staff, it’s now possible that 19 clients were aware that personal information relating to 125 individuals was going to be obtained unlawfully. And it’s on these 19 clients that the next stage of the investigation will focus.

For the next 8 months, a crack team of ICO investigators, supplemented by perhaps 7 other experienced investigators, will be working hard to see what action, if any, can be taken against them.

Who are they? We don’t know their names.  But we do know that they are in the construction industry (1), financial services (2), general retail (5), and insurance sector (3). Also, there are 4 law firms, 3 private investigators and 1 security industry firm under the spotlight.

Parliament’s Home Affairs Committee has been following developments quite closely, and Christopher Graham has made a number of appearances before it. Today’s image was taken at a particularly tetchy session (on 9 September), where it was clear that our beloved Commissioner was not very impressed with some of the questions that were being asked of him, and in turn some Committee members were not very happy with the line our Commissioner was taking.

Fancy having the temerity to blame parliamentarians for not bothering to implement laws which would have made data protection offences less inviting to commit! Or for reminding parliamentarians how little they cared about the unlawful trade in personal information in the days when Richard Thomas was Information Commissioner. Or having the nerve to say in public that the Committee would be behaving pretty badly if it were to publicise a list of potential wrongdoers before the ICO had adduced sufficient evidence to support allegations about any of them.

Christopher Graham used one telling phrase early on in the session: “In partnership with Parliament I think we can make progress.”  But as the session went on, it was clear that this partnership was in danger of becoming somewhat strained.  If you want to see a Commissioner ticking off parliamentarians for not doing their job very thoroughly, this is a session to watch.

The Committee was much politer to the Commissioner when it invited him to appear before it earlier this week (8 October). Perhaps someone had told the parlamentarians that they needed to adopt a much more conciliatory attitude if they were to retain an aura of executive authority. Our Commissioner was in a better mood, too. But he also made a point of expressing his independence by inferring how much notice he was minded to take about their opinion as to whether it would be appropriate to ask that investigators be seconded from the National Crime Agency support the ICO’s own team.

Anyway, sometime next year, some of these 125 victims will be contacted, and this is where they could hit the jackpot (if they are alive and can still remember what they were doing in 2007-9, that is). If it can be established that the clients knew that nefarious means were used to obtain personal about the victims, presumably these victims would be able to commence their own legal action against them. And, as the ICO would have kindly already complied a juicy bundle of evidence, the prospects of success could be pretty good.

So, if you get a letter from an ICO investigator next year advising that your details are associated with one of their investigations, it just could be your lucky day.

A quick comment about the custodial sentences handed out to the private investigators. They received sentences of 12 months, 8 months, 6 months and 4 months. So they had all completed their time in jail before the police sent the files to the ICO to start to investigate the clients who initially commissioned these acts.