Christopher GrahamIn my previous blog on Operation Millipede, I said that October 8th would be an interesting day; and so it turned out. The Home Affairs Select Committee is not convinced that the Information Commissioner (ICO) is going about his investigation in the right way and MPs on the Committee made their objections abundantly clear.

To some extent, I agree with the Committee’s assessment and I explain why in the blog. Contrary to the ICO’s assertions before the Committee, I think a Monetary Penalty Notice (“MPN”) is unlikely to be available and any prosecution of the S.55 offences in the Magistrates Court is not going to be easy  given the time delays of some years.

I have split the blog into two; a factual commentary on the evidence presented to the Committee and a commentary about the criticisms arising from the evidence session. I should add that the evidence session was often a mixture of testy confrontation and polite sarcasm. This was because the Commissioner often did not answer the question that had been asked; I suspect one reason for this is that the ICO’s numbers given to the Committee did not add up (see below).

Factual commentary from the evidence session

Operation Millipede is the name coined by the Serious Organised Crime Agency (“SOCA”) for one of its investigations that involved blagging by private investigators (PIs). SOCA, now subsumed into the National Crime Agency (“NCA”) launched earlier this month, sent details of 102 clients to the ICO in 31 large folders of evidence.

However for some unknown reason, SOCA delayed sending the folders to the ICO for 18 months and quite clearly, the Committee wants to know “Why?”. One MP on the Committee suspected the delay was because the PIs involved included ex-police officers who were being protected. The Commissioner, by contrast, thinks that this delay was because SOCA did not see the matter as a priority (i.e. the DPA offences were not a “serious crime” falling within the remit of SOCA).

The Committee were told by the Commissioner that there were actually 98 clients who used the PIs in SOCA’s files and 125 target data subject victims (many of which do not know they have been under surveillance). Of these 98 clients:

  •  8 already arose in the Millipede prosecutions, so no further action is being taken;
  • 12 were be classified as inactive in that there is evidence that these businesses are no longer trading;
  • 11 clients presented insufficient information; these 11 could be regarded active if new information comes to light. Six of these are based in the UK, four are out of the UK and the location of the remaining client is unknown;
  • 67 clients were active from evidence at Companies House, public registers or from active websites and private individuals who instructed PIs were traceable.

So far so good; the numbers add up to 98.

However, then the maths gets “murky” to say the least. Of the 67 (i.e. the ones the ICO could target), 24 are located outside the jurisdiction (but the ICO promised to pursue these with the help of overseas regulators; there appears to be 8 other jurisdictions – but this is not confirmed in the oral exchanges).

It appears that 19 clients of errant PIs are being closely targeted for possible prosecution or enforcement. Of these 19, four are law-firms, five are in general retail, three are in insurance and two are financial services. Of the rest, four are Private Investigators, one is in the security industry and one is in construction.

This leaves 24 other clients. Three times the Commissioner was asked about these other 24; all I can say that nobody was the wiser following his answers. At one stage, a confused Keith Vaz, chair of the Committee, said that from the ICO’s evidence that he now counted 71 cases but then his “maths was not the best”.

The ICO also stated that if a conspiracy can be proved, he will prosecute at the Crown Court so that an unlimited fine can be levied and press for recovery of proceeds of crime. He will also pass files to other regulators (e.g. the Solicitor’s Regulatory Authority or in financial services).

At the Committee hearing, the ICO impassionedly called for the commencement of the custodial S.55 offence and asked for the Commitee’s MPs to take Parliamentary steps to “rescue the section 55 offence from Leveson”; these steps should require the Government to explain properly why it could not start the custodial element of the offence. Surely, he added, that the section 55 offence was not being commenced “for fear of the Daily Mail”.

I should add that Government excuses about section 55 are complete balderdash as it has already partially commenced an offence in data protection. As you probably know, the practice of enforced subject access should be a criminal offence by virtue of section 56 of the DPA. There was partial commencement of section 56 of the Data Protection Act 1998 in the sexily entitled “The Data Protection Act 1998 (Commencement No. 3) Order 2011”.

I thus see no logical reason why the custodial element of the S.55 offence cannot be partially commenced to exclude Leveson complications.

Criticisms from the evidence session

The Commissioner was wrong to assert to MPs that an MPN would be in his armoury. His written evidence states that the material he obtained from SOCA “relates to the period 2001 to 2009”. As the MPN regime was commenced in 2010, then a MPN is not available (and this was determined by the Tribunal with the Scottish Borders case where the Tribunal considered it was fair only to consider the contraventions from the date of the commencement of the MPN provisions on 6 April 2010).

The Commissioner also referred to the section 55 prosecution being available; the problem being that most Magistrate Court prosecutions have to be taken within 6 months of the offence.  FOI aficionados, for instance, will recognise this problem as the ICO cannot prosecute the section 77 FOIA offence because of the time delay (see references).

Even if the ICO can pursue a prosecution in the Magistrates Court, I can see many arguments on the grounds that it is wrong to pursue trivial offences after years of delay when the offence is not reportable and does not even involve the taking of a DNA sample (such as section 55 as currently constituted).

It is also clear that the Home Affairs Committee does not like the ICO asking the NCA for help.

The Commissioner’s position is that he needs upto £200,000 to do the investigation properly and needs seven or eight experienced investigators. It appears from the oral evidence session that the NCA could second these investigators to the ICO, thus reducing the ICO’s investigation costs to £50,000. He told the Committee that he could not afford £200,000 and could not see a problem in using NCA staff.

By contrast, the Committee see lots of problems and used words such as “baffled” or “compromising your investigation”. The problem from its perspective is that the NCA officers seconded to the ICO could easily be the SOCA officers who delayed giving the ICO the files of evidence. The Committee wants the ICO to investigate independently of the NCA; Keith Vaz said that the ICO should not have to “borrow pencils and rubbers” from the NCA.

Finally, the Commissioner did not quite understand other Committee’s concerns about his investigation. All of the offences committed by PIs were for unlawful interception of communications (e.g. offence under RIPA) or misuse of computers; the clients of these PIs have not been questioned at all.

The Committee has recognised that the DPA offence can be committed by the clients of these PIs through the instructions given to them. So when one MP asked the ICO whether he would consider other police investigations similar to Millipede where clients instructed PIs to obtain personal data by deception, the ICO dismissed the suggestion and said he was not “touting for extra work”.

From the Committee’s perspective, similar section 55 crimes possibly committed by important organisations with household names, are not even being looked at from an evidential perspective. This won’t go down well, I suspect.

I also think the Select Committee are looking to publish the list of 98 names of clients minus the 19 the ICO is considering; Parliamentary privilege should avoid libel issues. Publication of these (possibly plus 19) could follow in three months time when the ICO gives a “progress report” on the prosecution.

I think such publicity could even help the ICO. You never know; ex members of staff and whistle-blowers might come forward with the further evidence he needs.


The evidence session (30 mins) is well worth a watch:

Original Blog on Operation Millepede:

The problem with the S.77 offence in FOIA (see which the Government says it will correct

This post originally appeared on Hawktalk and is reproduced with permission and thanks