Information Commissioner's Office
Printable version E-mail this to a friend

ICO launches investigation into rogue private investigator clients

The ICO has begun an investigation into whether clients of rogue private investigators may have breached the Data Protection Act, after receiving material from the Serious Organised Crime Agency (SOCA).

On 28 August, the ICO took receipt of a list of 98 company and individual clients who SOCA had identified as part of their inquiry into private investigators and the ‘blagging’ of personal information.

That investigation, Operation Millipede, saw four men convicted of fraud offences in 2012, after SOCA found they had obtained information illegally.

On 30 August, SOCA passed more than 20 files of material from that investigation to the ICO, including correspondence between clients and the private investigators and receipts for payments. Details of a further nine clients have been withheld by SOCA, at the request of the Metropolitan Police, as they relate to ongoing police investigations.

The ICO will now assess the SOCA material, as well as writing in due course to all the individuals and organisations listed, to establish what information the private investigators provided, and whether the clients were aware that the law might have been broken to obtain that information.

Several enforcement options are available to the ICO, depending on the outcome of the investigation:

  • Criminal prosecution, for unlawfully obtaining or accessing personal data (known as a ‘section 55’ offence) or for failing to notify as a data controller
  • Civil action for breaching the Data Protection Act, with monetary penalties of up to £500,000
  • Enforcement notices and undertakings, to oblige changes in policies or procedures

The team will also look to establish whether the clients fall under the ICO’s jurisdiction, with initial estimates suggesting as many as a quarter of the clients may have been based outside the UK. We will liaise with our international counterparts where an organisation or individual looks to have breached the Data Protection Act, but is based abroad.

We envisage the initial phase of this investigation will take several months, after which time we will publish an update. As we are yet to assess the material, and as that assessment may prompt criminal investigations, we will not be publishing the list of clients at this stage.

If you need more information, please contact the ICO press office on 0303 123 9070 or visit the website at:

Notes to Editors

1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

2. The ICO regulates the Data Protection Act 1998, the Freedom of Information Act 2000, the Privacy and Electronic Communications Regulations 2003 and the Environmental Information Regulations 2004. In Scotland, freedom of information is a devolved matter and Scottish public authorities are subject to the Freedom of Information (Scotland) Act 2002 which is regulated by the Office of the Scottish Information Commissioner in St Andrews.

3. The ICO is on Twitter, Facebook and LinkedIn, and produces a monthly e-newsletter.

4. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:

  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with your rights
  • Secure 
  • Not transferred to other countries without adequate protection

5. If you need more information, please contact the ICO press office on 0303 123 9070.

5 ways to enhance Microsoft 365 with sustained information and process Governance.