These are the recommendations by the Association of British Investigators' professional investigators in the UK.
Professional investigations are subject to the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. These laws set out strict rules on how personal data can be collected, used, stored, and shared.
Here are some safeguards you can put in place to protect people's personal data when carrying out investigations without their consent:
1. Only collect and use personal data that is necessary for the investigation. Avoid collecting or using any irrelevant or excessive data.
2. Obtain the personal data lawfully, which means that you must have a legal basis for processing the data. This legal basis could be legitimate interest, public interest, or legal obligation.
3. Inform individuals about the processing of their personal data as soon as it is reasonable and feasible to do so. This is known as providing a privacy notice. The privacy notice should contain information about the purpose of the processing, the legal basis for processing, the categories of personal data being processed, and the rights that individuals have in relation to their personal data.
4. Keep personal data secure by implementing appropriate technical and organisational measures. This could include encrypting data, limiting access to data, and having a clear data retention policy.
5. Ensure that any third parties who process personal data on your behalf also comply with the UK GDPR and the Data Protection Act 2018. You should have written contracts in place with these third parties that set out their obligations in relation to data protection; see, for example, the ABI members’ model terms of business.
6. Respond promptly and appropriately to any requests from individuals to exercise their data protection rights. These rights include the right to access their personal data, the right to rectify inaccurate data, the right to object to processing, the right to erasure, and the right to data portability.
7. Regularly review and evaluate your data protection practices to ensure that they remain effective and compliant with the UK GDPR and the Data Protection Act 2018.
8. Minimise the risk of accidental disclosure or loss of personal data by creating and implementing a data protection policy. This policy should include guidelines for handling personal data, such as how it should be stored, who should have access to it, and how it should be disposed of when it is no longer needed; see, for example, the ABI members’ model data protection policy.
9. Conduct a Data Protection Impact Assessment (DPIA) before conducting any investigations. A DPIA is a process that helps you identify and minimise the data protection risks associated with a particular processing activity; see, for example, the optional template in the ABI proposed UK GDPR Code of Conduct.
10. Train your staff on data protection laws and best practices for handling personal data. This includes providing regular refresher training to ensure that staff members remain up to date on any changes to data protection laws and regulations; see, for example, the ABI UK GDPR workshops for investigative and litigation support service providers.
11. Be transparent and accountable for your processing activities. This includes maintaining records of your processing activities and being able to demonstrate compliance with the UK GDPR and the Data Protection Act 2018. Accountability is a key objective for ABI membership and the proposed ABI UK GDPR Code of Conduct.
12. Consider using pseudonymisation or anonymisation techniques to protect individuals' identities. This can help to minimise the risk of accidental disclosure of personal data.
13. Obtain legal advice if you are unsure about the legality of your processing activities. A lawyer who specialises in data protection law can help you to identify any potential risks and provide guidance on how to mitigate them. With ABI membership comes the benefit of a 30-minute free consultation with specialised solicitors, Brabners.
By implementing these safeguards, you can help to protect people's personal data when carrying out investigations without their consent, while also ensuring that you remain compliant with data protection laws and regulations.
Should I attend an ABI UK GDPR workshop?
Attending an ABI UK GDPR workshop could be a good idea if you want to improve your knowledge and understanding of the UK GDPR and how it applies to your work as a professional investigator. It will also count towards the intended requirements to achieve code membership if the proposed ABI UK GDPR code of conduct is approved by the Information Commissioner’s Office.