The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Private investigators convicted of unlawfully obtaining personal information

News release: 20 November 2013

Two men who ran a company that tricked organisations into revealing personal details about customers have today been found guilty of conspiring to breach the Data Protection Act.

Barry Spencer, 41, and Adrian Stanton, 40, ran ICU Investigations Ltd in Feltham, Middlesex. The pair were convicted at Isleworth Crown Court of conspiring to unlawfully obtain personal data. Five employees of the company had previously pleaded guilty to the same offence: Robert Sparling (38), Joel Jones (43), Michael Sparling (41), Neil Sturton (43) and Lee Humphreys (41). The company ICU Investigations Ltd was also found guilty as a separate defendant. A sentencing hearing has now been listed for the 24 January 2014.

ICU Investigations Ltd worked on behalf of clients to trace individuals, primarily for the purpose of debt recovery. The court heard the company had routinely tricked organisations including utility companies, GP surgeries and TV Licensing into revealing personal data, often by claiming to be the individuals they were trying to trace. Clients included Allianz Insurance PLC, Brighton & Hove Council, Leeds Building Society and Dee Valley Water.

An ICO investigation estimated there were nearly 2,000 separate offences between 1 April 2009 to 12 May 2010.

ICO Criminal Investigations Team Manager Damian Moran said:

“Private investigators must learn they are not above the law. While the majority of private investigators go about their business in an honest manner, unscrupulous operators such as ICU Investigations Ltd taint the industry and blight the reputations of their counterparts.

“These men knew they were breaking the law, but did so anyway, presumably confident they would not be caught. That faith was misplaced, and they and their employees will now face the consequences of their actions.”

The ICO found no evidence of criminality by any organisation that employed ICU Investigations Ltd. The information requested could typically have been obtained legitimately, and there was no evidence clients were aware the data had been obtained by illegal means.

Unlawfully obtaining or accessing personal data is a criminal offence under section 55 of the Data Protection Act 1998. The offence is punishable by way of ‘fine only’ - up to £5,000 in a Magistrates Court or an unlimited fine in a Crown Court. The ICO continues to call for more effective deterrent sentences, including the threat of prison, to be available to the courts to stop the unlawful use of personal information.

Information Commissioner Christopher Graham said:

“Public confidence in the security of information held about them is the foundation on which all sorts of online services and developments depends.

“The public expects to see firmer action taken against people who break the rules in this area, and Parliament needs to recognise that. I spoke with the Home Secretary Theresa May on this matter earlier this week to urge her to introduce more effective sentences for these kinds of offences, and she has agreed to meet me to discuss the matter. That conversation needs to result in action.”

Changes to allow the courts to issue custodial sentences where personal data has been illegally obtained are already on the statute book, as part of the Criminal Justice and Immigration Act 2008, but are yet to be commenced, despite endorsement by several senior officials.

Notes to Editors

1.    The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

2.    The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.

3.    The ICO is on TwitterFacebook and  LinkedIn. Read more in the ICO blog and e-newsletter. Our Press Office page provides more information for journalists.

4.    Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:

·         Fairly and lawfully processed
·         Processed for limited purposes
·         Adequate, relevant and not excessive
·         Accurate and up to date
·         Not kept for longer than is necessary
·         Processed in line with your rights
·         Secure
·         Not transferred to other countries without adequate protection

5.    Civil Monetary Penalties (CMPs) are subject to a right of appeal to the (First-tier Tribunal) General Regulatory Chamber against the imposition of the monetary penalty and/or the amount of the penalty specified in the monetary penalty notice. 

6.    Any monetary penalty is paid into the Treasury’s Consolidated Fund and is not kept by the Information Commissioner’s Office (ICO).