Put October 8th in the diary; it might be an interesting Parliamentary day for data protection aficionados. It is the day when Operation Millipede might begin to realise its potential to out-perform Leveson for headlines concerning “shock-horror”, “privacy busting” exploits. On the other hand, Government indifference could make it a damp-squib.
Operation Millipede is the name coined by the Serious Organised Crime Agency (SOCA) for one of its investigations; it involved blagging by private investigators where, worryingly, some of the blaggers were retired police officers.
The relevant prosecution in privacy terms involved four private investigators (PIs) who tricked banks, building societies and telecommunications companies into revealing confidential details. The four PIs were given jail terms for “conspiracy to defraud” (and not the S.55 DPA offence).
As it happens the defendants pleaded guilty and received custodial sentences ranging from 6 to 12 months; however, their guilty plea meant that the identities of their clients were not made public. These clients included large private companies, law firms, well known accountancy firms and two celebrities.
The client-identities are of interest; for instance, what instructions were given? Who gave them? For how long has this been going on? Who were their targets? The idea that a law-firm encouraged PIs to break the law makes for an interesting yarn, does it not?
There is a great contrast between hacking undertaken by or at the behest of tabloid journalists and the hacking undertaken by these PIs. For instance, because of Leveson, the tabloid press have been put to the rack for indulging in unethical practices; by contrast the clients of these PIs have had an unhindered, quiet life in obscurity.
In addition, because of Leveson, the victims of press intrusion know this to be the case; by contrast victims of the PIs might not even know that they have been the subject of surveillance.
So how long have these organisations been using their PIs? Are there other PIs involved? What did senior management know and when did they know it? Are these organisations all going to claim that their relationship with the PIs was “all a mistake” and the “result of a rogue employee who has subsequently moved on”?
Many questions to answer; this explains why Home Affairs Select Committee asked SOCA and the Metropolitan Police to publish the names of the PIs’ clients.
Not unsurprisingly, SOCA and the Met. Police sidestepped this public “data sharing opportunity” and instead gave its list of 102 clients to the Committee (for them to make public via an unintentional leak one suspects). SOCA also passed this list to the ICO with the associated documentation for an investigation.
On September 12th, the Information Commissioner asked the Home Affairs Select Committee not to publish SOCA’s list of names until he has decided whether he is going to prosecute some of the organisations on the list.
He has also told the Committee that he will be reporting to the Committee about an initial, two-week scoping exercise, after which the scale of the inquiry into private investigator excess will be more apparent. That fortnight ends on October 8th when the ICO is due to appear before the Committee again.
It is quite clear that the Commissioner, if he takes action, is not primarily thinking of using criminal sanctions with respect to those organisations on SOCA’s list. He told the Committee:
“We may also be able to take civil enforcement action. Remember that I have powers to impose civil monetary penalties on data controllers for serious breaches of the data protection principles, and that is up to half a million pounds. I can also seek undertakings and make enforcement order”.
For my part, I should add that this talk about Monetary Penalty Notices might be premature as SOCA’s investigation started in 2008. It is therefore likely that some processing matters that the ICO will consider as serious contraventions occurred well before the MPN regime was commenced in April 2010 (see the blog analysis of the Scottish Borders MPN where the Tribunal said the fine could not apply to serious contraventions prior to the April date).
Also on the enforcement agenda is the reporting of misuse of personal data to other Regulators. The ICO told the Committee:
“I also hope the Committee will be reassured by the fact that next week we have a get-together with the other regulators-in particular, the Solicitors Regulation Authority and the Financial Conduct Authority-because there are some strong messages we need to send to professionals about what is legitimate when you are investigating things and what is not”.
Finally there is combining the Section 55 offence (going rate it appears is a £150 fine at the Magistrate’s level) with the proceeds of crime legislation to confiscate the profits of misuse. The Commissioner told MPs that:
“We have a big case coming up in Isleworth Crown Court at the end of October, involving private investigations and a private investigator company where two of the individuals are going for trial, five having pleaded guilty. We will also be looking for restitution of the proceeds of crime in that case”.
However, at the end of the day, to deal with SOCA’s list properly, the ICO needs evidence, time and resources. If law firms and large corporations are involved, they are unlikely (to use the police vernacular) to “come quietly” or “cough up”; they are likely to resist all the way in order to protect their reputations.
By October 8th also, we should know the answer to two important questions that have been posed by the Committee to Government. These questions ask whether the Government will:
• ensure that the Information Commissioner has sufficient resources to bring the investigation to an early conclusion (e.g. to fund a detailed inquiry into the affair with additional resources commensurate to that expended by the police when they investigated phone hacking); and
• press for the commencement of Section 77 of the Criminal Justice and Immigration Act 2008 (i.e. the custodial element of the S.55 offence).
I think the answer to both will be a long-winded, but rambling “no”; mainly because the Government has ignored such pleas from Parliament before.
However, such a refusal by Government carries a risk; the Committee might insert some “provocative commentary” in its Report which would be protected by Parliamentary Privilege.
But if the answer from Government is a “yes” or even partial “yes”, then October 8th will become a very important day indeed.
Our Update program for the end of the October 28th is one of the best I have compiled; see details on the main Amberhawk website.
The Blog on the Scottish Borders MPN: http://amberhawk.typepad.com/amberhawk/2013/08/does-quashing-the-scottish-borders-monetary-penalty-mean-a-change-to-ico-enforcement-policy.html