Introduction:
In this article, the Association of British Investigators considers the processing of personal data without the individual's knowledge, an activity very common in professional investigation.
Invisible processing is the processing of personal data that occurs without the individual's knowledge. This can happen, for example, when personal data is obtained from an internet browser, or when data is obtained indirectly through third-party sources, as the individual won’t be aware that the professional investigator is collecting and using their personal data. Invisible processing can pose high risks because individuals cannot exercise their data protection rights or exercise control over the professional investigator’s use of their data if they are unaware that their personal data is being processed. In particular, if the professional investigator handles personal data in ways that the individual does not reasonably expect and does not provide the individual with privacy information, the professional investigator may potentially infringe data protection law.
The professional investigator should consider the impact on their lawful basis for processing and must be confident that they have a compelling reason to undertake this type of processing and can mitigate the impact on individual rights.
However, even if the processing has a detrimental impact on the individual, this does not mean that their interests always take precedence over the professional investigator's legitimate interests. This is determined by the gravity of the impact and whether it is justified in light of the professional investigator's purpose. The interests of the professional investigator do not necessarily have to coincide with those of the individual, and if the professional investigator has a more compelling interest, this may justify some impact on individuals.
Exceptions to the requirement to provide privacy information [1] (under Article 14(5)(b), e.g., when the information has not been obtained directly from the individual)
Professional investigators may consider whether providing the privacy information to the individual would be impossible, involve disproportionate effort or make the achievement of the objectives of the processing impossible, or seriously impair them.
If the professional investigator intends to rely on one of these exceptions, they must still publish their general privacy information, for example, in a privacy notice on their website, and conduct a DPIA.
Data Protection Impact Assessment: When a professional investigator does not provide privacy information to the individual directly because it is relying on one of the exceptions, this may pose a high risk to the individual.
A DPIA will help assess and demonstrate whether the professional investigator is taking a proportionate approach. It will help the professional investigator consider how best to mitigate the impact on individuals’ ability to exercise their rights and it will also help demonstrate how the professional investigator complies with the data protection principles.
Here are some examples of invisible processing in investigative services:
Example 1: Providing privacy information would be impossible
A professional investigator is asked by a client to trace a particular person, for whom they have no current contact details. The UK GDPR requires the professional investigator to provide privacy information to the person being traced within a reasonable period and no later than one month. Despite the professional investigator’s efforts, it proves to be difficult to trace the person concerned and it takes longer than one month. The professional investigator relies on the exception that it is impossible to provide privacy information directly to the person concerned. This remains the case until the professional investigator locates the person and is then able to provide the privacy information.
Example 2: Providing privacy information would be disproportionate
A professional investigator is conducting an investigation for its client that involves looking through local, publicly available historical records at the Registry Office. The professional investigator decides that none of these records assist their investigation. The professional investigator must provide privacy information directly to people, even when using data from publicly accessible sources. However, the professional investigator relies on the exception for disproportionate effort because there is no effect on those concerned and any contact with them would not be proportionate in the circumstances.
Example 3: Providing privacy information would render impossible or seriously impair the achievement of the objective
A professional investigator is asked by a person’s employer to investigate potential gross misconduct using covert monitoring. The professional investigator considers that telling the employee about the collection of the personal data would render the objective of the processing impossible or else seriously impair it because the individual would behave differently if they knew about the monitoring. The professional investigator does a DPIA to consider the processing, which explains its justification for relying on the exception.
In all of these examples, it is important for professional investigators to ensure that they are complying with data protection law and that they are transparent about their data processing activities.
Exemptions from the requirement to provide privacy information:
a. In some circumstances, an exemption from the right to be informed may also apply, e.g., for the prevention or detection of crime, or where it would impede the performance of tasks carried out for the purposes of legal proceedings.
b. This latter exemption recognises that disclosing certain privacy information to individuals during ongoing or contemplated legal proceedings may hinder the legitimate interests pursued by the controller, such as defending their position or providing evidence.
[1] Under the UK GDPR, providing privacy information refers to the requirement for organisations or controllers to inform individuals about how their personal data will be processed. This information should be communicated in a clear, concise, transparent, and easily accessible manner.
It involves providing individuals with details such as the purposes for processing their data, the legal basis for processing, the categories of personal data collected, the recipients or categories of recipients who will receive the data, the retention period for the data, the individual's rights regarding their data, and any other relevant information.
This information should be communicated to individuals through privacy notices or privacy policies, which should be readily available and easily understandable to ensure that individuals are informed about the collection, use, storage, and disclosure of their personal data.