Disclaimer

The new DPC website is currently under construction. Our latest guidance in relation to GDPR, which comes into effect on 25th May, 2018, can be found at gdprandyou.ie and via pages on this website starting with "NEW" as per the navigation pane on the left. All other material on this site relates to the previous legislative regime under the Data Protection Acts 1988-2003 ("the Acts"). While the Acts may continue to apply in some circumstances, as of 25th May, 2018 the GDPR is the primary piece of legislation governing data protection.

Data Protection Commission

Data Protection Commissioner welcomes outcome of prosecution proceedings against Private Investigators.

 

Media Release: 6 October, 2014
 

DATA PROTECTION COMMISSIONER WELCOMES COURT OUTCOME


 
The Data Protection Commissioner today welcomed the outcome of prosecution proceedings which concluded at Bray District Court and which were taken by the Office against a firm of private investigators and its directors.

Prosecution Details

Following an investigation by the Office of the Data Protection Commissioner (ODPC), M.C.K. Rentals Limited (trading as M.C.K. Investigations), was charged with twenty three counts of breaches of Section 22 of the Data Protection Acts, 1988 & 2003 for obtaining access to personal data without the prior authority of the data controller by whom the data is kept and disclosing the data to another person. In the cases before the Court, the personal data was kept by the Department of Social Protection (seven cases) and by the Primary Care Reimbursement Service of the Health Service Executive (sixteen cases). In all cases, the personal data obtained was disclosed to various Credit Unions in the State.
The two directors of M.C.K. Rentals Limited, Ms. Margaret Stuart and Ms. Wendy Martin, were separately charged with twenty three counts of breaches of Section 29 of the Data Protection Acts, 1988 & 2003 for their part in the offences committed by the company. This Section provides for the prosecution of company directors where an offence by a company is proved to have been committed with the consent or connivance of, or to be attributable to any neglect on the part of the company directors or other officers.

Court Outcomes

At Bray District Court today M.C.K. Rentals Limited pleaded guilty to five sample charges for offences under Section 22 of the Data Protection Acts, 1988 & 2003. The Court convicted the company in respect of each of the five charges and it imposed a fine of €1500 per offence.
Company Secretary and Director Ms. Margaret Stuart pleaded guilty to one sample charge for an offence under Section 29 of the Data Protection Acts, 1988 & 2003. The Court convicted her in respect of that offence and it imposed a fine of €1500 for that offence.
Company Director Ms. Wendy Martin pleaded guilty to one sample charge for an offence under Section 29 of the Data Protection Acts, 1988 & 2003. The Court convicted her in respect of that offence and it imposed a fine of €1500 for that offence.
The outcome of these prosecution proceedings is significant on a number of fronts.
·         These are the first prosecutions to be completed by the Data Protection Commissioner against private investigators for breaches of data protection legislation.
·         This is the first occasion on which company directors have been prosecuted by the Data Protection Commissioner for their part in the commission of data protection offences by their company.
·         The investigation of these cases uncovered wholesale and widespread “blagging” techniques used by the offenders and this is the first completed prosecution by the Data Protection Commissioner of offenders engaged in such practices.

Implications of Prosecutions

The Data Protection Commissioner believes that the outcome of these proceedings will have far-reaching implications.
  • In the first instance, it sends a strong message to private investigators and tracing agents to comply fully with data protection legislation in the conduct of their business and that if they fail to do so, they will be pursued and prosecuted for offending behaviour.
  • Secondly, it serves to remind all companies and businesses who hire private investigators or tracing agents that they have onerous responsibilities under the Data Protection Acts to ensure that all tracing or other work carried out on their behalf by private investigators or tracing agents is done lawfully. Specifically, in this regard, those operating in the credit union, banking, financial services, legal and insurance sectors should take note of today's proceedings and review their engagement of private investigators and tracing agents to ensure they have fully safeguarded all personal data against unlawful forms of data processing.
  • Thirdly, the outcome of these proceedings sends out a strong warning to directors and other officers of bodies corporate that they may be proceeded against and punished in a court of law for offences committed by the body corporate.
  • Finally, the findings of the investigation carried out in this case exposes the constant threat to the security of personal data which is in the hands of large data controllers and the vigilance which is required by front-line staff at all times to prevent unlawful soliciting of personal data, in particular by means of telephone contact, by unscrupulous agents. Data controllers across the State should regularly review their data protection procedures to maximise the effectiveness of their security protocols in order to counter such criminal activity. They must ensure that all staff, and particularly those at the front-line who handle telephone calls, are fully trained in the security protocols in order to be able to recognise and deal with the threat of information blagging or pretext calling if it arises.

Role of Credit Unions

The Data Protection Commissioner notes with disappointment a number of failures on the part of Credit Unions in this case. Firstly, the ODPC investigation found no evidence that any Credit Union established from M.C.K. Investigations what methods they were using to obtain access to new address information. This is particularly shocking in circumstances where trace reports containing new address details of members were returned to Credit Unions within hours, in some cases, of being sought. Rather than carrying out due diligence prior to hiring M.C.K. Investigations, the Credit Unions asked no questions, they took the unlawfully obtained personal data and used it, and they commended the success rate of M.C.K. Investigations to their colleagues in the sector. Secondly, a number of Credit Unions supplied PPS numbers to M.C.K. Investigations to assist them in tracing the members concerned. This is a matter of serious concern and it should not have happened. Thirdly, the ODPC investigation found that the level of other personal data released to M.C.K. Investigations (such as name, date of birth and last known address) served to ease the means by which the private investigators could ‘blag' certain information from other data controllers. The Data Protection Commissioner intends to pursue all of these issues further with the Credit Unions concerned and with their representative bodies in the immediate future.

Follow-Up With DSP and HSE

Finally, the Office of the Data Protection Commissioner will engage further with the Department of Social Protection and the Health Service Executive on the implications of the data security breaches which occurred in their organisations (as uncovered by the ODPC investigation) and on the steps that will be required to deal with those breaches and to prevent a recurrence.
Ends.
Media Queries to: Ciara O'Sullivan
Telephone: 057 8684800
Email: media@dataprotection.ie
Website: www.dataprotection.ie