A case was ruled before Dublin Circuit Court on Wednesday 9th May for an infant who was captured on video when his mother was the subject of the surveillance. A psychiatric injury was alleged. The Defendants named in the proceedings were the insurer and the private investigation company. Senior Counsel made the application to the Court citing high profile cases involving breaches of privacy and an offer in the sum of €50K was ruled before O’Sullivan J.
This case highlights the difficulties insurers face when instructing private investigation companies and the problems insurers can face when surveillance is deemed to breach privacy by being overly intrusive, excessive, unnecessary and irrelevant. Insurers should exercise extreme caution where family and children are likely to be seen while surveillance in being carried out. Attempts should be made by the investigator to pixelate, or minimise the identification of any children and the family of somebody who is the subject of a period of surveillance. Reports should not contain references to the children and family where such references are unnecessary and irrelevant.
While it is difficult to understand the full reasoning and rationale behind the offer made by the Defendants, it is quite clear that the Defendants perceived that the infant Plaintiff would overcome a number of significant obstacles faced by the Plaintiff in the case of Collins -v- FBD Insurance plc 2012/52 CA.
The Code of Practice on Data Protection for the Insurance Sectorwas approved by the Data Protection Commissioner [DPC] under Section 13 (2) of the Data Protection Acts, [1988 and 2003] in June 2013.
The Code covers a multitude of important topics and includes guidelines for the instruction of private investigators by insurers. The Code also sets out various considerations in relation to data access requests and the exceptions.
In the past the DPC’s annual reports have made reference to breaches of privacy by employers, private investigators and insurers. The following case studies published in the annual reports shed some light on the difficulties that can arise when instructing private investigators to carry our surveillance:
Case study 14 2009: covered the situation where an Employer breached the Data Protection Acts by covert surveillance using a private investigator
In October 2008, the DPC received a complaint from an individual concerning the processing, without his knowledge or consent, of both his and his children’s personal data by his employer. The complaint involved the obtaining and processing of his personal data and that of his children by way of a private investigator producing footage of his movements and his children’s movements on a DVD for the company without his knowledge or consent.
The DPC’s office commenced an investigation into the matter by writing to the company and informed it of its obligations under the Data Protection Acts. The company informed the DPC of the circumstances which led to it hiring a private investigator to check on the employee’s activities. According to it, the complainant was employed as a sales representative and, as such, spent virtually all of his time away from the company’s premises. It stated it became concerned that the employee was not carrying out his duties as required by his contract of employment and it decided it was necessary to check on his activities in his sales territory. A private investigator was engaged to check on the employee’s activities in order to establish whether or not he was performing his duties. The private investigator recorded the movements of the employee for a period of approximately one week and produced a DVD of those movements which he provided to the company. Some of the recordings produced on the DVD also contained images of the employee’s children.
The DPC’s Office was concerned about the justification for the processing of the employee’s personal data by way of the private investigator recording his movements. The Company was asked to review any documentation it had which it believed may suggest that the processing of the employee’s personal data in this way was justified. We subsequently received a range of documents in that regard. The DPC’s Office also asked if it had taken any steps to address the concerns it had about the employee’s activities prior to the hiring of the private investigator – to which it replied that it believed there were no other steps it could have taken. The Company also informed the DPC’s Office that it felt it needed to make observations of the employee’s company car over a period of at least a week before it could be satisfied that the employee had a case to answer. The company stated that it did not have the resources internally to check this over such a period of time and for that reason the private investigator was asked to check and report. Having considered the case put forward by the company and the documentation submitted, the DPC’s Office informed the Company that it considered that the processing of the employee’s personal data by way of a private investigator recording the employee’s movements was not justified as it had not taken appropriate steps to highlight its concerns to the employee prior to making the decision to hire a private investigator to record his movements. The DPC’s office also requested that the DVD in question be destroyed and we subsequently received confirmation of its destruction from the company.
The complainant subsequently requested a decision under Section 10 of the Acts. The DPC’s decision found that the company had contravened Section 2(1)(a) of the Acts by the processing of the employee’s personal data and that of his children, in the recording of images by a private investigator acting on its behalf, without his knowledge or consent.
The DPC express the view that covert surveillance of individuals is very difficult to reconcile with the Data Protection Acts. As a minimum and this may not even make such surveillance legal, there must be strong and evidence based justification for such surveillance in the first instance.
Case Study 13 2011: Deals with access to reports compiled by private investigators
The DPC received a complaint from an individual concerning the alleged failure of HSG Zander Ireland Limited to comply with an access request. The complainant who made the data access request requested was a former employee of HSG Zander Ireland Limited. He wished to access any personal data contained in documentation relating to the surveillance carried out by the private investigator.
Initially, HSG Zander Ireland Limited failed to fully comply with the access and stated that it was withholding the security report compiled by the private investigator by virtue of the exemption under Section 5(1)(g) of the Data Protection Acts 1988 and 2003. This Section restricts the right of access to personal data “in respect of which a claim of privilege could be maintained in proceedings in a court in relation to communications between a client and his professional legal advisers or between those advisers”.
The DPC stated that it is unlawful for an entity to pass any details of its employees to a private investigator for the purposes of surveillance or for any other purpose unless that entity has put a contract in place with in line with Section 2C(3) of the Data Protection Acts 1988 and 2003 which would render the private investigator to be a data processor.
The decision by a data controller to engage the services of a private investigator to gather personal data surreptitiously about a data subject carries very serious risk of breaching the provisions of the Data Protection Acts and the general right to privacy protected by Bunreacht na hÉireann (the Irish Constitution), the European Charter of Fundamental Rights and the European Convention on Human Rights. It should therefore not be taken lightly. Data controllers who hire a private investigator to undertake surveillance on an individual and/or to seek a background or other report from a private investigator on an individual must be aware of and should ensure that the following rules are observed both by themselves and by the private investigator:
I. Prior to passing any instructions to a private investigator in respect of any individual, the data controller should have a written contract in place with the private investigator which meets the requirements of Section 2C(3) of the Data Protection Acts.
- Any processing of information by private investigators on their behalf must be undertaken in full compliance with the Data Protection Acts.
- The private investigator is expected to comply at all times with the Data Protection Acts and should not perform their functions in such a way as to cause the data controller to breach any of its obligations under the Data Protection Acts.
IV. Any unauthorised processing, use or disclosure of personal data by the private investigator is strictly prohibited.
V. Where the private investigator, pursuant to its obligations under contract from the data controller, processes the personal data of an individual on behalf of the data controller, the private investigator should:
Process the personal data only in accordance with the specific instructions of the data controller;
Process the personal data only as is necessary for the fulfilment of its duties and obligations under the contract with the instructing data controller;
Implement appropriate measures to protect against accidental loss, destruction, damage, alteration, disclosure or unlawful access to the personal data in their possession;
At the conclusion of each investigation deliver all data collected and processed under the contract of service to the instructing data controller and delete all such personal data held by itself at that time;
Not further disclose the personal data to any other party except with the express approval of the data controller;
Not seek to access personal data held by other data controllers which is not in the public domain without the consent of the data subject or unless otherwise permitted by law.
With regard to the right of access to reports compiled by private investigators, the responsibility to comply with a data subject access request lies with the data controller who hired the private investigator.
Where a private investigator receives an access request from an individual, they should transmit that request without delay for processing to the data controller who commissioned them in respect of the particular task.
The DPC found that the restrictions to the right of access to personal data which are set down in Section 5 of the Data Protection Acts could reasonably be applied to an access request by an individual for a copy of a surveillance report or accompanying photographs or video footage taken by a private investigator.
While it is clear that strict protocols and procedures must be put in place prior to instructing private investigators, the screening of reports submitted by private investigators to insurers is equally important, in order to ensure the reports comply with the protocols put in place and the Data Protection Acts. Intrusive surveillance and breaches of privacy will prove to be costly to insurers in the Civil Courts, not to mention any action to be taken by the DPC’s office, if a Plaintiff can demonstrate that there was a breach of duty and that they were injured by the breach.