- London 020 7067 1500
- Email clerks@25bedfordrow.com
Private investigations and data privacy - the ABI Code of Conduct for Investigative and Litigation Support Services
Those with long memories will remember the two reports published under the tenure of Richard Thomas, the then Information Commissioner, "What price privacy?" in May 2006 and "What price privacy now?" in December 2006. The Commissioner had a particularly keen interest in halting the trade in unlawfully obtained personal data, regarding it as a high watermark of privacy invasion. Criminal prosecutions followed (see in particular the case of R v Daniel Summers and others in 2012), albeit not always brought by the Information Commissioner's Office ("the ICO") and not always successfully.
The ABI Code
It is against that long background that the Association of British Investigators (ABI) "Code of Conduct for Investigative and Litigation Support Services", approved by the ICO on 15 October 2024 and drawn to wider attention in its 20 February 2025 email newsletter ("the ABI Code"), is to be welcomed.
Part 5 of the Data Protection Act 2018 requires the ICO to draw up a number of statutory codes of conduct (data sharing, direct marketing, age-appropriate design and journalism) for parliamentary approval and section 128 empowers the ICO to adopt other industry developed codes on a statutory basis. Article 40 of the UK General Data Protection Regulation contains an even broader approach to the development of sector specific codes. Under Article 40 the ICO is charged with "encouraging" industry bodies to develop codes of practice which are intended to contribute to the proper application of data protection rules. Once produced in the private sector and submitted, the ICO can formally approve codes pursuant to Article 40 (5) thereby expressing its view as to whether compliance with the proposed code would satisfy data protection requirements.
Although the Article 40 power has existed since 2018, it is somewhat surprising that despite the encouragement of the ICO, the ABI Code is the first to be approved. That may say more about the willingness of industry to adopt uniform standards in relation to data protection matters than it does about the issues that they might address.
Who might choose to adopt the ABI Code?
The ABI Code is a set of standards which any ABI member or non-member may choose to abide by in order (in the words of the ICO) "to demonstrate compliance with specific areas of data protection law in the provision of investigative and litigation support services." The ABI puts the advantages of adopting in similar terms: "By choosing support services that adhere to and are audited to this code, clients can ensure that their service providers demonstrate the necessary data protection standards."
According to the ABI website (https://www.theabi.org.uk/gdprcode) code "membership" is open to both ABI members and non-members who meet defined "Code Member Criteria". The criteria are outlined in Appendix I to the Code and specify various requirements that a business offering code services must satisfy to obtain membership. The criteria are said by the ABI to be "attainable by businesses of any size, provided their leadership is committed to compliance".
The attraction to individual organisations of adoption of a code of conduct formally approved by the ICO is clear: subject to the better view of the Courts, the organisation is insulated from complaint that its practices are in breach of data protection laws.
Article 40 (4) makes provision for the monitoring of compliance with approved codes. As matters currently stand, the Security Systems and Alarms Inspection Board ("SSAIB") is the only monitoring body for the purposes of the ABI Code, subject to approval by the ICO. The SSAIB also delivers certification against BS 102000:2018, the British Standard code of practice for the provision of investigative services, which may provide a further incentive for organisations to adopt the ABI Code and submit to formal monitoring.
Verified adherence to the Code is intended "to give confidence to users of Investigative & Litigation Support Services that Code Members have demonstrated compliance with key aspects of data protection law and a high standard of data protection and accountability in those key areas".
What does the ABI Code provide?
The ABI Code is a lengthy document (some 99 pages) and bears close reading, but in broad terms, the ABI Code includes advice and guidance on data protection issues commonly encountered in the context of private investigations, including:
- roles and responsibilities when acting as controllers, joint controllers or processors;
- identification of the lawful basis for processing personal data;
- legitimate interests assessments;
- data protection impact assessments (DPIAs); and
- consent to share when tracing and locating individuals in certain cases.
As the ABI Code explains, it is divided into three parts, plus appendices. Part A explains the scope, objectives, background, benefits and added value of the Code. Part B gives guidance on the key issues on which the code focusses. Part C explains how the Code is managed, compliance is monitored and infringements dealt with.
The Appendices provide details of the Code Member Criteria (Appendix I), a template DPIA (Appendix II), and further guidance on the lawful basis of legitimate interests and the requirements for consent (Appendix III).
In relation to the (often vexed) question of whether service providers such as investigators are joint data controllers with their clients, as opposed to data processors, the ABI Code adopts a firm stance: code members are joint controllers when they share decision-making responsibility with a client over how and why personal data is processed, with the result that "both parties must work together to ensure compliance with GDPR obligations". That position is unarguably legally correct, but whether in reality a service provider is in a position to ensure that its client is also compliant will depend upon the balance of power between the contracting parties.
The ABI Code goes on to emphasise that members must identify a clear lawful basis for processing personal data, such as legitimate interest (e.g. fraud prevention or claims investigations), contractual necessity, legal obligation, or consent (where appropriate). Here, adopters of the Code will be heavily reliant on the purposes of the client, it not being a sustainable argument that the member has a legitimate interest in providing services to its client. In relation to special category data (e.g. health or criminal data) the ABI Code correctly notes that additional bases are required, such as explicit consent or meeting a substantial public interest condition.
In relation to data subject rights, the ABI Code provides that members must ensure individuals can exercise their data rights, including those of access, rectification of inaccurate data, erasure, restriction / objection and portability. Members must also be transparent about how they collect, process, and store data, including by providing privacy notices.
On data sharing and "third-party processing", which would apply where sub-contractors or other investigators are instructed, the ABI Code instructs members that personal data must only be shared where lawful, necessary, and proportionate; that contracts must be in place when engaging third-party processors to ensure they comply with data protection law; and that data sharing with law enforcement, regulators, or insurers must meet strict legal requirements.
The ABI Code addresses data security by requiring members to implement strong security measures, such as encryption and access controls, regular audits and staff training, and secure storage and destruction of personal data. In the event of a personal data breach, members must assess the risk to individuals, report the breach to the ICO within 72 hours of becoming aware of it unless it is unlikely to result in a risk to individuals, and inform the affected individuals without undue delay where the breach is likely to result in a high risk to them (tracking Articles 33 and 34 of the UK GDPR).
The code also sets out expectations on data retention and minimisation, accountability and governance, complaints handling and ICO oversight, and international data transfers. Throughout there is a particular emphasis on recording rationales and regular staff training.
Conclusion
Much of the detail of the ABI Code is uncontroversial, repeating, as it does, best practices which have developed in multiple economic sectors over many years and in the light of an expanding body of legislative provisions and case law. Having said that, some of the positions taken and the worked examples may come as a shock to investigators who have, in this author's experience, historically at least, sought to maintain that they are "only" processors and that provided their clients are pursuing a legitimate interest then compliance is assured.
It behoves any organisation that from time to time calls on investigators, whether in the context of actual or contemplated litigation or otherwise, to pay particular attention to the ABI Code. Whether or not it adopts the Code on a voluntary basis, it is this set of standards against which its activities, and those of any investigators engaged on its behalf, will now be measured.