Bray District Court, yesterday, fined a firm of private investigators, and its two directors, €10,500 for unlawfully obtaining personal data. The court found that the directors had used ‘subterfuge’ to unlawfully obtain the addresses of credit union clients in arrears. The directors posed as a VEC and hospital worker to obtain the information, via telephone calls, from employees at the Department of Social Protection (seven cases), and the Health Services Authority (HSE) (sixteen cases).
The offences
The Data Protection Commissioner (DPC) prosecuted the firm of private investigators, for twenty-three counts of breaches of section 22 of the Data Protection Acts (DPAs) 1988 and 2003. Pursuant to section 22, it is an offence to obtain access to personal data without the prior authority of the data controller by whom the data is kept and to disclose the data to another person.
The DPC further prosecuted the two directors of the firm for twenty-three counts of breaches of section 29 of the DPAs, for their part in the offences committed by the company. Section 29 provides for the prosecution of directors, or other officers of a company, where an offence by a company is proved to have been committed with the consent or connivance of or to be attributable to any neglect on the part of the directors or other officers.
Bray District Court imposed a fine of €1,500 for each of seven counts, including five counts on behalf of the company, and one each for both company directors who had pleaded guilty to unlawfully obtaining personal data.
Significance of Prosecutions
A Press Release published by the ODPC, highlights the significance of these prosecutions. It notes:-
(1) They are the first prosecutions to be completed by the DPC against private investigators for breaches of the DPAs.
(2) This is the first time company directors have been prosecuted by the DPC for their part in the commission of data protection offences by their company.
(3) This is the first prosecution by the DPC for offenders using "blagging" techniques.
Comment
The outcome of these prosecutions serves as a warning to private investigators to comply with the DPAs in conducting their business, and for companies who hire private investigators to ensure any work carried out on their behalf is done lawfully. It also shows that the DPC will not hesitate to prosecute directors and other officers of companies for offences committed by their companies. In addition, it demonstrates the risk to the security of personal data which is held by large organisations, and the importance of training staff in order to prevent unlawful soliciting of personal data by private investigators.
The DPC stated that it will be engaging further with the Department of Social Protection and the HSE on the implications of the data security breaches which occurred, and the steps which should be taken to ensure such breaches do not recur.