Data Protection Commissioner investigation results in Prosecution of Private Investigator company and its Directors

M.C.K Rentals Limited (trading as M.C.K. Investigations) was successfully prosecuted, on 6 October 2014, before Bray District Court in relation to twenty three counts of breaches of Section 22 of the Data Protection Acts 1998 and 2003 (the “Acts”) for obtaining access to personal data without the prior authority of the data controller by whom the data is kept and disclosing the date to another party.

The directors of M.C.K Rentals Limited were also each charged with twenty three counts of breaches of section 29 of the Acts for their roles in the offences carried out by the company. This if the first time that the directors of a company have been prosecuted by the Data Protection Commissioner in respect of breaches of the Acts.
The accused company pleaded guilty to five sample charges for offences under section 22 of the Acts and upon conviction the Court imposed a fine of €1500 per offence. The Directors pleaded guilty to one sample charge each and upon conviction imposed a fine of €1500 each.

The data unlawfully obtained was held by the Department of Social Protection and the Primary Care Reimbursement Service of the Health Service Executive and was disclosed to various Credit Unions.
The outcome of the investigation is significant in that it is the first time a private investigation firm has been prosecuted by the Data Protection Commissioner for breaches of the Acts. Further, the Credit Unions in receipt of the information were noted by the Commissioner to have “asked no questions” in relation to the origins of the data obtained and that they “took the unlawfully obtained personal data and used it, and they commended the success rate of M.C.K. Investigations to their colleagues in the sector”. Additionally, the Data Protection Commissioner noted that a number of Credit Unions provided M.C.K Investigations with PPS numbers to assist in tracing individuals concerned. The Commissioner has noted that it intends to pursue these issues with the Credit Unions in the immediate future.

In light of the successful convictions obtained in this case (particularly against the directors personally) it is imperative that all businesses that procure of the services of private investigator firms ensure that they do so in compliance with the Acts. More generally, businesses should ensure that they pay due regard to the provisions of the Acts in relation to all data that comes into their possession or control.
For any guidance your business requires in relation to the Data Protection Acts 1988 and 2003, please contact Adrian Smyth at