[Home] [Databases] [World Law] [Multidatabase Search] [Help] [Feedback]
	Irish Data Protection Commission Case Studies
You are here: BAILII >> Databases >> Irish Data Protection Commission Case Studies >> Case Study 13: Access to reports compiled by private investigators [2011] IEDPC 13 (2011) URL: http://www.bailii.org/ie/cases/IEDPC/2011/[2011]IEDPC13.html Cite as: [2011] IEDPC 13

[New search] [Help]

Case Study 13: Access to reports compiled by private investigators [2011] IEDPC 13 (2011)

My Office received a complaint from an individual concerning the alleged failure of HSG Zander Ireland Limited to comply with an access request submitted to it in October 2010. The requester was a former employee of HSG Zander Ireland Limited and he informed us that the company had hired a private investigator to monitor him for a period of time. He was particularly eager to access any personal data contained in documentation relating to the surveillance carried out by the private investigator.

We commenced an investigation with HSG Zander Ireland Limited in relation to an alleged failure to comply with the access request. It subsequently provided the requester with a copy of his personnel file but stated that it was withholding the security report compiled by the private investigator by virtue of the exemption under Section 5(1)(g) of the Data Protection Acts 1988 and 2003. This Section restricts the right of access to personal data "in respect of which a claim of privilege could be maintained in proceedings in a court in relation to communications between a client and his professional legal advisers or between those advisers".

It was not obvious to our investigation that a security report compiled by a private investigator could constitute a communication between a client and their professional legal advisers to which a claim of privilege could be maintained in proceedings in a court. On that basis we sought an explanation from HSG Zander Ireland Limited as to its application of that provision to restrict the right of access to the data subject. In response, the company immediately released a copy of the security report and associated photographs to the data subject while maintaining its position that it was entitled to restrict the right of access in accordance with Section 5(1)(g).

We also established in the course of our investigation that there was no contract in place between HSG Zander Ireland Limited and the private investigator who prepared the security report. Engaging the services of a private investigator is no different to engaging the services of any other third party service provider. For that reason, it is unlawful for an entity to pass any details of its employees to a private investigator for the purposes of surveillance or for any other purpose unless that entity has put a contract in place with in line with Section 2C(3) of the Data Protection Acts 1988 and 2003 which would render the private investigator to be a data processor.

With greater frequency complaints such as this one are coming to my Office regarding difficulties which data subjects are experiencing in accessing security or surveillance reports which have been conducted on them by private investigators. I consider it necessary, therefore, to set down my position in relation to the requisitioning of such reports in the first instance and then the right of access by data subjects to them.

The decision by a data controller to engage the services of a private investigator to gather personal data surreptitiously about a data subject carries very serious risk of breaching the provisions of the Data Protection Acts and the general right to privacy protected by Bunreacht na hÉireann (the Irish Constitution), the European Charter of Fundamental Rights and the European Convention on Human Rights.  It should therefore not be taken lightly.  Data controllers who hire a private investigator to undertake surveillance on an individual and/or to seek a background or other report from a private investigator on an individual must be aware of and should ensure that the following rules are observed both by themselves and by the private investigator:

I. Prior to passing any instructions to a private investigator in respect of any individual, the data controller should have a written contract in place with the private investigator which meets the requirements of Section 2C(3) of the Data Protection Acts.

II.  Any processing of information by private investigators on their behalf must be undertaken in full compliance with the Data Protection Acts.

III. The private investigator is expected to comply at all times with the Data Protection Acts and should not perform their functions in such a way as to cause the data controller to breach any of its obligations under the Data Protection Acts.

IV. Any unauthorised processing, use or disclosure of personal data by the private investigator is strictly prohibited.

V. Where the private investigator, pursuant to its obligations under contract from the data controller, processes the personal data of an individual on behalf of the data controller, the private investigator should:

• Process the personal data only in accordance with the specific instructions of the data controller;
• Process the personal data only as is necessary for the fulfilment of  its duties and obligations under the contract with the instructing data controller;
• Implement appropriate measures to protect against accidental loss, destruction, damage, alteration, disclosure or unlawful access to the personal data in their possession;
• At the conclusion of each investigation deliver all data collected and processed under the contract of service to the instructing data controller and delete all such personal data held by itself at that time;
• Not further disclose the personal data to any other party except with the express approval of the data controller;
• Not seek to access personal data held by other data controllers which is not in the public domain without the consent of the data subject or unless otherwise permitted by law.

With regard to the right of access to reports compiled by private investigators, the responsibility to comply with a data subject access request lies with the data controller who hired the private investigator. Where a private investigator receives an access request from an individual, they should transmit that request without delay for processing to the data controller who commissioned them in respect of the particular task. I do not consider that any of the restrictions to the right of access to personal data which are set down in Section 5 of the Data Protection Acts could reasonably be applied to an access request by an individual for a copy of a surveillance report or accompanying photographs or video footage taken by a private investigator. As in the aforementioned complaint, Section 5(1)(g) is invalidly relied on from time to time as a means of restricting access by data subjects to private investigator reports by data controllers or by solicitors who hired private investigators on their behalf. This Section does not equate to privilege at common law (i.e. legal advice privilege and litigation privilege). Instead, this very narrow statutory restriction to the right of access only applies where (i) there is a communication between a client and his professional legal advisors or a communication as between a client's professional legal advisors; and (ii) that is a communication in respect of which a claim of privilege could be maintained in proceedings in a court. A private investigator's report, commissioned by a data controller or by a solicitor acting on behalf of a data controller, is clearly not a communication between a client and his professional legal advisors. Nor is it a communication as between a client's professional legal advisors. For those reasons, the statutory exception in Section 5(1)(g) does not apply to such a report.

I will continue to defend the rights of data subjects to access a copy of private investigator reports and I do not contemplate that any of the limited restrictions to the right of access in the provisions of Section 5 can, as a generality, be validly claimed in such cases.