In his recently published 2011 Annual Report, the Data Protection Commissioner (the “DPC”) states that, in his view, a data controller should not rely on a claim of legal privilege to deny an access request for a private investigator’s report. Section 5(1)(g) of the Data Protection Acts 1988 and 2003 provides that where communications exclusively concern a client and their “professional legal advisors”, then a claim of privilege exists.
The views of the DPC follow an October 2010 investigation by his office into an employer’s (HSG Zander Ireland Ltd) alleged failure to comply with a data access request by an employee for information which had been gathered by a private investigator hired to monitor the employee. Although the employer provided the employee’s personnel file, it claimed privilege over the private investigator’s report under section 5(1)(g) of the Acts.
Following a request from the DPC, the employer released the private investigator’s report but maintained its claim of privilege over the document. However, during the course of his investigation, the DPC established that not only did the communications between the employer and the private investigator fail to constitute professional legal advice, but no contract existed between the parties. As such, no claim of privilege arose.
The 2011 Annual Report states that engaging the services of a private investigator is no different to engaging the services of any other third-party service provider. For this reason, it is unlawful for an entity to pass any employee information to a private investigator unless a data processing contract pursuant to section 2C(3) of the Acts is in place between the entity and the private investigator. The report of the October 2010 investigation contains helpful rules for a data controller regarding the formation of a contract for engaging the services of a private investigator.
View the DPC’s Annual Report here.
Contributed by Brian McElligott