The role of investigative service providers in GDPR
Tony Imossi, Secretariat at the Association of British Insurers (ABI), highlights the importance of law firms getting support with litigation by hiring investigative service providers.
Legal practitioners involved in contentious matters often work with investigative service providers or litigation support agents.
Typical assignments may include assisting in complex fraud cases, where the service provider might be required to identify the methods used in the fraud, the individuals involved, or the movement of assets.
In more routine litigation support, tasks could involve locating and interviewing witnesses, persons of interest, and informants, as well as sketching the scene of the incident or serving legal documents.
When working with a service provider, the lawyer is usually positioned as the data controller and the contractor as the data processor.
A controller/processor agreement will be established that includes the terms outlined in Article 28(3) of the General Data Protection Legislation (GDPR).
The contractor’s agreement and role
Sometimes instructions include a clause that the contractor must not undertake any activities beyond their role as a processor while executing the instructions.
This clause is unnecessary and can lead to confusion. It may hinder the contractor’s ability to exercise their expertise or cause an unintended breach.
The rationale behind such a provision is understandable, as the controller must maintain oversight. However, even the most straightforward investigation will inevitably require the contractor to make decisions regarding the purpose and means of processing a data subject's personal data that were not included in the original instructions.
It may be impractical for the contractor to halt the investigation to seek further guidance from the controller.
For instance, if the contractor pursues a speculative line of inquiry involving the data of a previously unknown person of interest, a potential ‘hot’ lead that could help achieve the controller's objectives, their actions may be considered ancillary processing for that personal data.
This could result in situations where the contractor inadvertently assumes the role of controller, determining the purposes and means of processing in ways not anticipated in the controller/processor agreement.
If the contractor is deemed to have assumed the role of controller for that part of the processing, the associated responsibilities toward the rights of that individual would attach to the contractor.
In practice, few controllers actually establish controller/processor agreements within the investigative sector.
Savvy contractors/processors typically have their own terms of business that address these legal obligations. These terms become binding when incorporated into the assignment, such as in the agent’s proposal or engagement letter.
Model terms for investigators
Members of the Association of British Investigators (ABI) are provided with model terms for this purpose.
These model terms include provisions that allow the processor to outsource data processing where necessary.
The ABI goes a step further, offering model terms that govern relationships between members when subcontracting assignments that involve personal data processing (for example, processor/sub-processor agreements).
If inter-agency activities lack specific business terms, the ABI byelaws, which both ABI member contractors must adhere to, default to the ABI model document.
At the heart of an investigative and litigation support service provider’s work is the processing of personal data. They must operate within the framework of the UK GDPR and fully understand their roles and responsibilities regarding personal data processing.
It is the responsibility of the legal practitioner to ensure that their selected contractor is well-informed about these aspects.
Roles in data processing
The UK GDPR identifies various roles in data processing, including controllers, processors and joint controllers.
Each role carries specific legal obligations, outlined below.
Controller
The role that determines the purposes and means of processing personal data.
Investigative service providers often take on the role of controllers when they decide how and why data is processed.
Processor
Processors process personal data on behalf of the controller.
Investigative service providers may act as processors when they follow instructions from a client without identifying the purposes of the processing.
Maintaining this distinction throughout an assignment can be challenging, if not impossible, for an investigative service provider, depending on the type of investigation.
Joint controller
When both the investigative service provider and the client jointly determine the purposes and means of processing, they are considered joint controllers.
This is common when the client influences how the investigative services are executed.
Importance for lawyers
Lawyers have significant reasons to ensure their chosen investigators and litigation support agents are well-versed in their roles under the UK GDPR.
Compliance with data protection law
Lawyers must guarantee that all parties involved in processing personal data on their behalf comply with the UK GDPR.
A clear understanding of roles helps prevent breaches that could result in legal liabilities.
Protecting client interests
Lawyers are responsible for safeguarding their clients' rights and interests.
When investigators understand their responsibilities, they are less likely to mishandle or improperly disclose personal data.
Accountability
Lawyers want assurance that investigators are accountable for their data processing activities.
Clearly defined roles ensure that responsibilities are understood, which is essential for compliance and risk management.
Building trust
Demonstrating a thorough understanding of GDPR roles and responsibilities enhances credibility and trustworthiness in the eyes of clients, influencing a lawyer’s decision to engage a particular investigator.
Mitigating risks
Understanding the implications of acting as controllers or processors enables investigative service providers to manage risks associated with data processing, including potential financial and reputational harm.
Understanding their role
It’s vital for investigative service providers to understand the roles and responsibilities outlined in the UK GDPR.
These directly affect legal compliance and the protection of personal data, which are vital to both lawyers and their clients.
The ABI has taken a significant step forward in ensuring that the investigative and litigation support sector adheres to the highest standards of data protection and ethical conduct.
With the introduction of the UK GDPR Code of Conduct for Investigative and Litigation Support Services, approved by the Information Commission under Article 40(5), the ABI has established a comprehensive framework that not only aligns with existing legislation but also enhances accountability and transparency within the sector.