top of page

Applying Data Protection to Private Investigations

Tracey O'Connell

Lawpoint is currently providing work experience to a sixth form student. Leyna has been carrying out various tasks including sitting in on meetings and has seen how varied our work can be working in various industries and the issues that arise. But as she is considering a career in the field of private investigation, we gave her the task of researching what data protection means for private investigators. Below is her blog on the subject…


What’s the issue?

Under usual grounds, private investigations do not fall within the intelligence services or law enforcement exemptions and must therefore act in accordance with data protection laws.

The mishandling of data can implicate the firm, investigators, and the client who initiated the enquiry. So it is crucial all employees are legally and operationally trained to handle and protect personal data.

What this means during the investigation process:

Giving an Enquiry the Go Ahead

After your firm receives an enquiry from a potential client, you should complete a DPIA (data protection impact assessment) to consider whether:

  1. it is a legitimate request

  2. does the client have the data subject’s permission to collect their data?

  3. if not, do the client’s needs outweigh the data subject’s need to privacy – an example of an inappropriate enquiry could be to find someone who does not wish to be found, who is of legal adult age, and under no legal basis

  4. surveillance is appropriate or if other less intrusive methods (e.g. social media research) will be sufficient – generally surveillance should be a last resort.


Obtaining Information from Third Parties

Data protection laws place restrictions on disclosures of personal data to third parties – such as a private investigation firm – meaning obtaining data from third parties is potentially complex for both sides of the transfer.


When requesting information from a third party:

  1. ensure there is a lawful exemption allowing the disclosure

  2. consider what information to disclose in making the request – by providing information about the enquiry, you may be disclosing personal data of the data subject at the centre of the investigation

  3. inform the third party of their role within the investigation

  4. do not ‘blag’! It is a criminal offence to obtain information through deception – therefore clear and truthful justifications for the need to obtain data should be provided.


Handling Data

All operatives must report to the lead investigator and should hand over any collected data through a secure method, such as encryption. (Note if freelance private investigators are used, they will likely be data processors.)

After the investigation is complete:

  1. all operatives must erase their own copies of documentation relating to the data subject and enquiry – and possibly sign a destruction of data certificate

  2. securely transfer the data to the client, allowing them to build their personal case

  3. only keep the data within your systems for as long as necessary – consider maintaining a running audit, stating how and when data was stored and deleted.


Data protection is very complex and its subjective application to individual fields and cases is too difficult to conclude in a blog. However, the use of sensibly and logically drawn conclusions of the motives behind the enquiry and the potential risks of the enquiry are the basic building blocks to adhering to data protection laws within private investigations.

Remember: all data controllers must be registered with the ICO (Information Commissioners Office).


If you have any questions, then please get in touch with a member of the Lawpoint team today.

bottom of page