Background Checks don’t always check out

by Robert Haniver

In the battle against exaggerated and fraudulent claims, private investigators are commonly instructed to carry out background checks and surveillance to assist insurance companies manage and defend claims.

Media reports and audits by the Office of the Data Protection Commissioner (‘ODPC’) suggest there has been a widespread practice of private investigators unlawfully accessing confidential social welfare information from our public service and passing this information onto insurance companies without the data subject’s knowledge or consent.

The foregoing practice led to the ODPC’s audit of the insurance sector and, what was previously known as, the Department of Social and Family Affairs.

As part of its probe into the insurance industry (commenced in 2007), the ODPC revealed a number of insurance companies possessed individuals’ personal information that could only have been obtained from confidential social welfare records.  It was concluded at the time that civil servants in the Department of Social and Family Affairs routinely disclosed social welfare information to private investigators.

This investigation led to the publication of the Data Protection Code of Practice for the Insurance Sector, which includes a requirement for insurance companies to engage only licensed private investigators that agree to comply with the Data Protection Acts 1988 and 2003 (the ‘Acts’).

The recent unprecedented prosecutions of three insurance companies for wrongfully keeping confidential social welfare information unlawfully obtained from a private investigator highlighted the ongoing efforts by the ODPC to tackle breaches of the Acts by the insurance industry.

The prosecutions followed a complaint by the Department of Social Protection in December 2010, after it discovered an unusual pattern of access to its database by an official who allegedly supplied confidential social welfare data to a private investigator, who in turn, allegedly gave this information to three insurance companies.  A related Gardaí investigation into the alleged unlawful leaking of information is ongoing.

The successful prosecutions illustrate insurance companies will be held accountable where they retain unlawfully obtained personal information.  Insurance companies cannot distance themselves from breaches of the Acts by engaging private investigators.  Therefore they should ensure their own compliance with the Acts and that of any private investigator, solicitor or other provider they engage in the investigation or defence of a claim.

The public service must play its part in eradicating the misuse of citizens’ highly sensitive personal information.  Robust internal systems and policies should be maintained to educate staff of their responsibilities under the Acts, to identify those who access personal data not related to their work, and take appropriate disciplinary action (up to and including dismissal) against those who disregard their obligation to respect another’s privacy.

O'Rourke Reid image symbolising our company.