Anyone in the investigation sector who has closely studied the data protection laws (by the way, that should be everyone) will readily acknowledge that the legislation is what governs the sector's activities. After all, processing personal data is the sector’s core business activity. So, it made sense for the ABI to develop a sector-specific good practice guide on this complex law.
The ABI UK GDPR code of conduct is freely available to download from the ICO website. There is no cost whatsoever to download and comply with the code. There is a nominal fee to become an audited and approved code member. The code offers a standard by which code members may be measured by an independent monitoring body. True, it is voluntary, so agencies outside the scheme could continue voicing their compliance, but hopefully now they will at least have available the guidance in the code.
The success of the code as an adhered-to standard is dependent on market forces driving investigative agencies to apply for what will be the coveted code membership status, earning the trust and credibility that the sector often struggles to achieve. And those market forces will probably be led by the legal profession as the primary source of assignments for investigators.
Will the lawyers embrace the voluntary scheme? I think so, but it will take time to persuade a profession so set in its ways. The ABI is not seeking good agencies to be excluded, but rather that they be persuaded by their professional clients and representatives to be included in the scheme.
We are seeing a few court cases emerge where personal data processing investigative techniques are coming under scrutiny; such cases could prove persuasive. In one recent High Court case, a law firm that presented their investigative service provider’s report in evidence was later embarrassed to have to withdraw the report in its entirety. Another case, in Europe (and let’s not forget the UK GDPR mirrors the EU regulation), the investigator’s very helpful surveillance report was thrown out for breaching the rights and freedoms of the data subject; if only that country had a similar code of conduct! Another English case is pending where the court, unhappy with the lack of transparency, has very recently required an explanation of the data processing involved in the ‘smoke & mirrors’ investigation report submitted in evidence; a case in which everyone involved is shuffling to reposition their role to try and escape responsibility. Call yourself what you like (controller or processor), but it’s the processing activity that will determine your role. And determining ‘purpose AND means’ is not always clear and is quite often interpreted for convenience without a legal basis. Had the investigators had the luxury of the ABI’s code and adhered to it, they may have found themselves in a stronger and more authoritative position, and of course their professional clients in less discomfort.
There is now a noticeable show of interest within the investigative sector following the ICO’s press release about the code’s approval. The industry’s realisation that the imminent implementation of the ABI UK GDPR code of conduct affords the investigative and litigation support service providers an opportunistic punctuation point.
There has never been a better moment for all stakeholders to grasp the chance to be part of the legacy of a true profession, finally available to be adopted, or at least perfected, for this and the next generation.
After 100 years of lobbying, 25 of which were conducted under the mistaken belief that a statutory mention held greater significance, it might be time to abandon the industry's fixation on statutory licensing and embrace the current reality. The voluntary scheme on the table potentially offers a better, and certainly more relevant, form of level playing field and accountability than a state licence was ever going to be capable of achieving.
I listened to Johnathan Hall KC on the radio recently. He is the UK's independent reviewer of terrorism legislation and state threats. He mentioned the dangers to the nation’s security from the unchecked and unaccountable activities of some "private investigator" agencies when accepting assignments from hostile foreign governments, probably unwittingly. The risk of this happening is mitigated with the code’s regulatory regime. Compliance with the code would alert an agency to the dangers, not least when conducting the code’s required risk assessment.
Having a licence to operate as an investigator in the private sector would only provide minimal protection to the public. This public protection would, of course, be the only purpose to implement statutory licensing. This may come as a shock to the pro-licensing lobbyists, who may have the misconceived notion that with a licence comes privileges, status, some kudos, or even higher fees. Not so. Were the UK government persuaded to revisit applying some regulatory control, it will only be to address the harm being caused to the public by the activities of poor or illegal practices. This is exactly what the ICO-approved code of conduct is designed to address by providing guidance in the area of the PI sector’s activities that is causing the harm (data protection abuse). Why would this not be important to the legal profession and other stakeholders?
Trust and respect must be earned, not claimed through a sense of entitlement.
