The UK’s data protection regulator publishes a new code of conduct for UK private investigators and litigation services
On 13 November, the Information Commissioner’s Office (ICO) approved and published a new sector-owned code of conduct – the Association of British Investigators Limited (ABI) UK GDPR Code of Conduct for Investigative and Litigation Support Services (Code).
What is the Code?
The Code seeks to address key challenges faced by investigators and enable code members to demonstrate compliance with specific areas of data protection law in the provision of investigative and litigation support services.
It aims to provide sector-specific guidance and to increase accountability in handling personal data. As such, by complying with the Code, you are complying with data protection laws in the UK.
The Code includes advice, guidance, and practical examples in relation to:
- the roles and responsibilities of investigators;
- how to conduct Data Protection Impact Assessments;
- identification of the lawful basis for processing personal data;
- Legitimate Interests Assessments including for invisible processing such as covert surveillance, tracking devices, background checks and social media monitoring; and
- consent to share when tracing and locating individuals in certain cases.
How does the Code help your private investigation or litigation service?
- Public confidence: Verified adherence to the Code is intended to give confidence to users and subjects of investigative and litigation support services. It demonstrates that Code members comply with key aspects of data protection law and operate to a high standard in key areas.
- Reduced risk of enforcement action: Showing compliance with the Code reduces the risk of enforcement action from the ICO. This means you are less likely to receive fines, reprimands or other regulatory action in the event of a breach of data protection laws.
- Due diligence carried out by users: Users of investigation and litigation services (particularly other businesses who are controllers) should be carrying out due diligence on service providers. Your prospective clients may check whether you adhere to the Code when they are carrying out due diligence prior to instructing you.
Can I sign up to the Code? If so, how?
Investigators and litigation services can voluntarily sign up to the Code. Code membership is managed by an independent monitoring body that is ICO approved and UKAS accredited. Code members must satisfy the monitoring body that they meet the requirements set out in Appendix I to the Code. Such requirements include:
- Administrative evidence: Such as registration with the ICO, basic DBS disclosure, two references, finance checks and CV.
- Training: Satisfactory completion and maintenance of data protection training to the level comparable to the ABI UK GDPR compliance workshop, or training to an equivalent standard on the areas covered by the Code – including data protection impact assessments, lawful bases and more.
- Roles and responsibilities: Evidence that the Code member has documented and communicated to its client the roles and responsibilities in respect of the data processing undertaken in the delivery of Code services. This could be evidenced for example by providing a copy of the client engagement letter and/or contract.
- Case extracts: Samples of Data Protection Impact Assessments, lawful bases relied on and Legitimate Interests Assessments, in particular where children are involved. The Code also notes that Code members must not maintain a register of criminal convictions.
- Complaints: Evidence of any complaints received by the Code member from individuals in relation to data protection, and of the steps the Code member took to respond to the complaint. Where relevant, in relation to monitoring body investigations of alleged breaches of the Code, evidence that the Code member has communicated with the monitoring body in accordance with the Code and its cooperation criteria.
The Code builds on the existing standards and criteria required for ABI membership; however, Code members are not required to be ABI members, and Code membership is available to any sector agency that meets the Code member criteria set out in Appendix I to the Code, whether affiliated to the ABI or not.
What to do next?
We can assist you with your data protection compliance programme ahead of signing up to the Code. The following checklist describes the compliance steps that we suggest to cover:
- Registration with the ICO: As a data controller you are obliged to pay a fee to the ICO, the amount of which depends on your size.
- Records of processing activity: This document explains what data you process, how, who it is shared with and why. This is a legal requirement under GDPR (in most cases), and in any case it is a necessary exercise in order to satisfy the other requirements below.
- Privacy policies: Such as website privacy policy, employees privacy policy, recruitment privacy policy, privacy policy for users and third parties subject to the services – this is to comply with transparency requirements.
- Cookie audit: A cookie policy and a cookie banner mechanism – the banner is the consent mechanism that allows you to drop cookies. A good cookie banner will be tailored to your needs and allow users to decide what types of cookies they want. This is a requirement under the electronic marketing rules.
- Assessments: Such as Data Protection Impact Assessments, Legitimate Interests Assessments and Transfer Risk Assessments – this is to demonstrate your compliance and prove accountability.
- Supplier onboarding checklist and procedure and template data sharing clauses: To ensure you have carried out due diligence on any third parties you choose to use to help fulfil your services.
- Data protection rights procedure: This document sets out how to manage DSARs and other requests in relation to an individual’s data. Dealing with these requests is a legal requirement, and getting it wrong can lead to fines and to reputational damage.
- Security incident management policy: This document sets out what each team needs to do in the event of a data breach. Dealing with breaches correctly is a legal requirement, and getting it wrong can lead to fines and to reputational damage.
- Regular privacy training: We can provide introductory or further training sessions depending on what your staff have already received. In order to comply with your security obligations you must train people so that human error is avoided to the extent possible and so that they understand what the GDPR requirements are.
- Data handling policy: This policy explains why data protection is important and how you and your staff can comply with data protection laws on a day-to-day basis.
- BYOD and acceptable use policy: This policy would contain rules on how employees are allowed to use their personal devices including acceptable use practices.
- Data security policy: This policy documents how you keep data safe from an organisational and technical perspective.
- Data retention policy: This document explains how long you keep each type of data.
If you would like more information, please feel free to reach out to one of our dedicated data protection lawyers, or if you would like to keep up to date on the latest in data protection, please subscribe to our newsletter, The Data Download, here.
Further details about the Code can be found here.