Out-Law News

ICO investigating 'blue-chip hacking' allegations

The Information Commissioner's Office (ICO) is investigating whether businesses that used private investigators convicted of data 'blagging' offences have themselves committed offences under the Data Protection Act (DPA).

The watchdog announced that it had opened its own investigation into 98 companies and individuals after being handed information recovered by the Serious Organised Crime Agency (SOCA) as part of a separate operation.

"On 30 August, SOCA passed more than 20 files of material from that investigation to the ICO, including correspondence between clients and the private investigators and receipts for payments," the ICO said in a statement. "Details of a further nine clients have been withheld by SOCA, at the request of the Metropolitan Police, as they relate to ongoing police investigations."

"The ICO will now assess the SOCA material, as well as writing in due course to all the individuals and organisations listed, to establish what information the private investigators provided, and whether the clients were aware that the law might have been broken to obtain that information," it said.

SOCA gathered the materials it has now passed to the ICO as part of its 'Operation Millipede', which concluded when four private investigators were convicted of data 'blagging' offences under the Fraud Act in 2012.

Last month SOCA's director general Trevor Pearce said that the agency had, at that stage, kept the information secret from the ICO in order not to prejudice Operation Millipede and, when that ended, an overlapping and still ongoing Metropolitan Police Service (MPS) operation, 'Tuleta', into "criminal acts that intrude on individual privacy for journalistic purposes".

SOCA has faced criticism about its decision not to disclose the names of the prosecuted private investigators' 107 clients allegedly involved in so-called "blue-chip hacking", with Parliament's Home Affairs Committee chairman Keith Vaz keen on regulatory scrutiny. SOCA previously passed the names of 102 of the 107 clients on to the Home Affairs Committee but only under a protective marking, meaning that the lists cannot be made public.

Pearce said that the decision to classify the lists was "to ensure that publication would not prejudice current investigations by the MPS or any possible regulatory action by the ICO or others". Even when those investigations are concluded, "there will still be data protection issues to consider" around any potential disclosure, he said.

In its statement the ICO said that organisations found to have breached the DPA could face criminal prosecution, civil monetary penalties or be ordered to change data protection policies or procedures in accordance with enforcement notices or regulatory undertakings. It said, though, that as many as a quarter of the private investigators' clients listed on the files it has been passed may not be based within the UK and would therefore not be subject to regulatory action by the ICO.

"We will liaise with our international counterparts where an organisation or individual looks to have breached the Data Protection Act, but is based abroad," the ICO said. "We envisage the initial phase of this investigation will take several months, after which time we will publish an update. As we are yet to assess the material, and as that assessment may prompt criminal investigations, we will not be publishing the list of clients at this stage."

Section 55 of the DPA states that it is generally unlawful for a person to "knowingly or recklessly without the consent of the data controller obtain or disclose personal data or the information contained in personal data, or procure the disclosure to another person of the information contained in personal data". Businesses and their staff can in certain cases be deemed to have committed a criminal offence under the DPA.

"If a company or other corporation commits a criminal offence under the Act, any director, manager, secretary or similar officer or someone purporting to act in any such capacity is personally guilty of the offence, as well as the corporate body, if the offence was committed with their consent or connivance; or the offence is attributable to neglect on their part," guidance issued by the ICO states.

Criminal offences under the DPA include unlawfully obtaining, disclosing, or procuring the disclosure of personal data, or selling, or offering to sell, personal data which has been unlawfully obtained.

Section 61 of the Act sets out the provisions under which directors, or other staff within businesses, can be held criminally liable for a breach of data protection laws.

"Where an offence under this Act has been committed by a body corporate and is proved to have been committed with the consent or connivance of or to be attributable to any neglect on the part of any director, manager, secretary or similar officer of the body corporate or any person who was purporting to act in any such capacity, he as well as the body corporate shall be guilty of that offence and be liable to be proceeded against and punished accordingly," the Act states.
