Information Commissioner's Office
Assessing data protection practices of UK tracing agents
Blog posted by: Anthony Luhman, ICO Director of PACE Projects and Interim Director of Investigations, 14 November 2023.
Anthony Luhman is ICO Director of PACE Projects and Interim Director of Investigations. Anthony is responsible for leading on ICO PACE Projects, our agile response to high priority issues and also responsible for overseeing sensitive, complex and high-profile investigative activity.
Earlier this year a women’s charity raised concerns with us about the alleged actions of a tracing agent – an investigator using various methods to find a person’s current address details. The charity said that a tracing agent had tracked down a domestic abuse victim to their place of safety at a refuge and passed this personal information to their abusive former partner.
Protecting the information rights of victims of domestic abuse is a priority for the ICO, so we decided to get an overview of the data protection practices of the UK private investigation and tracing agent sector.
We contacted several tracing companies and asked professional associations about their role and responsibility to members. To gain a complete picture we also spoke with groups supporting victims of domestic abuse, the National Police Chiefs’ Council and the Home Office to assess whether tracing agents were mishandling the personal information of domestic abuse victims.
We gathered valuable information from the sector, including the safeguarding procedures tracing agents follow when asked to conduct a trace and the requirements their professional body expects of them.
Many of the tracing agents we spoke with demonstrated an awareness of the potential risks to vulnerable people and victims of domestic abuse if they are traced. That includes requiring a person’s consent before sharing their data for ‘lost family or friend’ and ‘ex-partner’ tracing, and not starting a trace for a person believed to be vulnerable.
We also found that private investigators’ industry bodies encourage data protection compliance and provide relevant training and resources to their members.
Our enquiries did not reveal evidence where tracing agents had been involved with the sharing of victims’ details. However, our engagement with the industry and charities highlighted that abusers are turning to readily available and affordable technology themselves to trace ex-partners. This includes inserting air tags into cuddly toys given to children at supervised visits, as well as tracking victims via smart phones and watches and through searches on social media profiles.
Recommendations to the tracing agent sector
Although we did not find evidence of non-compliance with data protection law, we have reminded tracing agents and its professional bodies of their data protection obligations. Our recommendations include:
- Before agreeing to conduct any tracing services, agents should ensure any impact on the people they are tracing is justified. Safeguarding policies must be followed, and checks made to ensure any risks to people are identified and mitigated against. One way organisations can do this is by conducting ongoing Data Protection Impact Assessments (DPIA).
- Data security and privacy measures should be integrated into all data protection activities. Agents should carefully consider and safeguard the information rights of the person they are tracing throughout an investigation. People being traced should also be provided with the information they need to exercise their data protection rights such as the right to be informed or the right of access to their personal information.
- Agents should conduct an audit of their policies and procedures to ensure they are complying with data protection law. They should also regularly review the ICO’s guidance on collecting and using personal information and their legal obligations to comply.
Our ongoing work to protect the information rights of domestic abuse victims
Our engagement continues with women’s charities and other organisations, which informed our enquiries by highlighting the potential for significant harm to victims.
We’ll continue to work with these groups to ensure organisations are handling the personal information of domestic abuse victims appropriately and keeping them safe. And where we find evidence of non-compliance, we will take enforcement action just as we reprimanded seven organisations in the past 14 months for data breaches affecting victims of domestic abuse.
As highlighted, advances in technology and popularity of social media mean that perpetrators have an enhanced level of access to information about their partner and children. That means using spyware to hack a phone or harass victims using social media, and monitoring and tracking victims via location settings and smart wearables.
Specialist support groups and charities, such as Refuge, Women’s Aid and SafeLives provide tools and resources for women and children experiencing complex forms of tech abuse. Their websites provide crucial information on how to mitigate against these threats, and we'll help amplify such support so victims can be empowered to use technology safely and regain their freedom.
Notes to Editors
About the Information Commissioner’s Office (ICO)
- The ICO is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the United Kingdom General Data Protection Regulation (UK GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five acts and regulations.
- The ICO can take action to address and change the behaviour of organisations and individuals that collect, use, and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
- To report a concern to the ICO telephone call our helpline on 0303 123 1113, or go to ico.org.uk/concerns.
Latest News from
Information Commissioner's Office
Statement on Court of Appeal judgment on Freedom of Information Act appeal24/11/2023 09:20:00
The Court of Appeal has ruled against the Information Commissioner’s Office (ICO) in a Freedom of Information Act 2000 appeal regarding the ability to aggregate public interest factors for and against disclosure when applying exemptions under the Act.
Statement regarding the outcome of the Independent External Review of Lancashire Police’s handling of the Nicola Bulley case21/11/2023 12:25:00
Statement regarding the outcome of the Independent External Review of Lancashire Police’s handling of the Nicola Bulley case.
Information Commissioner seeks permission to appeal Clearview AI Inc ruling20/11/2023 12:25:00
The UK Information Commissioner is seeking permission to appeal the judgment of the First Tier Tribunal (Information Rights) (Tribunal) on Clearview AI Inc (Clearview).
Former NHS secretary found guilty of illegally accessing medical records17/11/2023 12:25:00
A former NHS employee has been found guilty and fined for illegally accessing the medical records of over 150 people.
What to consider when using online forms to receive information requests16/11/2023 11:10:00
Are you using online forms to receive information requests?
‘Be smarter than your smart tech’ – ICO issues top tips for consumers buying smart devices on Black Friday16/11/2023 10:10:00
The Information Commissioner’s Office (ICO) has shared its top tips to support consumers shopping smart tech this Black Friday.
ICO and European Data Protection Supervisor (EDPS) sign Memorandum of Understanding09/11/2023 12:25:00
The UK Information Commissioner’s Office (ICO) and the European Data Protection Supervisor (EDPS) have signed a Memorandum of Understanding (MoU), which reinforces their common mission to uphold individuals’ data protection and privacy rights, and cooperate internationally to achieve this goal.
An apology from the ICO to Dame Alison Rose06/11/2023 16:20:00
The ICO recently investigated a complaint from Nigel Farage.
Information Commissioner’s Office issues three fines totalling £170,000 for illegal direct marketing02/11/2023 12:25:00
Three companies offering financial services have been fined £170,000 collectively by the Information Commissioner’s Office (ICO) for illegal direct marketing under the Privacy and Electronic Communications Regulations (PECR).