Personal Data

Data relating to a living individual who can be identified from that data, or from that data and other information in the possession of the Controller. It includes name, address, telephone number, identity number. It also includes any expression of opinion about the individual, and of the intentions of the Controller in respect of that individual.

Special category data

Different from ordinary personal data (such as name, address, telephone) and relates to data revealing or concerning:


  • Racial or ethnic origin.
  • Political opinions.
  • Religious or philosophical beliefs.
  • Trade union membership.
  • Genetic data.
  • Biometric data for the purpose of uniquely identifying a natural person.
  • Data concerning health.
  • Data concerning a natural person’s sex life or sexual orientation.


The processing of special category data will require one of 10 separate conditions to be met. In addition to the Article 6 lawful basis, the processing of the special category data must be necessary for the purpose D&D Investigations has identified, and D&D Investigations must be satisfied that there is no other reasonable and less intrusive way to achieve this purpose.

Five of the 10 conditions also require D&D Investigations to meet additional conditions and safeguards as set out under Schedule 1 of the Data Protection Act 2018. The conditions must be determined and set out in a written record (Data Protection Impact Assessment) to assess the risk before processing commences. D&D Investigations will rarely process special category data but may find some cases where it does, for example where the data subject has provided explicit consent, or in legal claims, contemplated legal claims or legal advice, and more likely where the reasons are of substantial public interest (with a basis in law).

The substantial public interest condition will also require D&D Investigations to meet one of 23 specific conditions as set out in Part 2 of Schedule 1 of the Data Protection Act 2018, including, of more relevance to D&D Investigations, (1) preventing or detecting unlawful acts, (14) preventing fraud, and (20) insurance.

Criminal offence data

Personal data relating to criminal offences are, in addition to the requirement for a lawful basis under Article 6 of the UK GDPR, subject to additional conditions because of the potentially significant impact that the processing of such data can have upon the data subject. The additional conditions (there are currently 28 to choose from) are set out in Schedule 1 of the Data Protection Act 2018 and the ICO website. It is important to note that this type of data is treated differently to other types of data, e.g. special category data. The ICO has explained that this is because the interests of society at large and the need to protect the public from criminal activity are likely to mean that the use of criminal offence data can be justified in a wider variety of circumstances, despite the potential impact on individual rights.

The processing of the criminal offence data must be necessary for the purpose D&D Investigations has identified, and D&D Investigations must be satisfied that there is no other reasonable and less intrusive way to achieve this purpose.

Data Subject

Refers to any individual person who can be identified, directly or indirectly, via an identifier such as a name, an ID number, location data, or via factors specific to the person's physical, physiological, genetic, mental, economic, cultural, or social identity.

Controller or Joint Controller

Means the natural or legal person, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Put simply, the Controller determines what information is needed and why. The Controller’s responsibilities are greater than the Processor’s.


Processor

A person or organization who deals with personal data as instructed by a Controller for specific purposes and services offered to the Controller that involve personal data processing. The status of the service provider as Controller or Processor may vary depending on the activity and needs to be reassessed for each processing of an individual’s data.

Third Party

Any individual/organisation other than the Data Subject, the Controller, Joint Controller, Processor, or the agents/sub-contractors appointed by any of them when permitted by the Controller or the client.


Processing

Any operation related to organisation, retrieval, disclosure and deletion of data. It includes:

  • Obtaining and recording data.
  • Accessing, altering, adding to, merging, deleting data.
  • Retrieval, consultation or use of data.
  • Disclosure or otherwise making available of data.

Relevant Filing System

Any paper filing system or other manual filing system, which is structured so that information about an individual is readily accessible. Please note that this is the definition of “Relevant Filing System”. Personal data as defined, and covered, by the prevailing data protection legislation can be held in any format, electronic (including websites and emails), paper-based, photographic etc. from which the individual's information can be readily extracted.

Investigative Service Provider (‘Professional Investigation’)

The Private Security Industry Act 2001 defines investigations as:


…. to any surveillance, inquiries or investigations that are carried out for the purpose of:

  • obtaining information about a particular person or about the activities or whereabouts of a particular person; or
  • obtaining information about the circumstances in which or means by which property has been lost or damaged

Litigation Support Services

An investigation agency's client portfolio will inevitably include members of the legal profession, and the agency thus potentially forms part of the judicial process. Lawyers rely on outsourced investigative services for a number of reasons, primarily as part of their own case handling for lay, professional or commercial clients in contentious scenarios in contemplation of, or as part of, on-going legal proceedings. This work is referred to within the judicial system as “Litigation Support” and often includes activities that process personal data.


Privacy

Privacy, in its broadest sense, is about the right of an individual to be left alone. It can take two main forms, and these can be subject to different types of intrusion:

  • Physical privacy – interference such as surveillance and the taking of biometric information.
  • Informational privacy – the ability of a person to control, edit, manage, and delete information about themselves and to decide how and to what extent such information is communicated to others.

Data protection law

The UK General Data Protection Regulation as applied in the UK and The Data Protection Act 2018.



Principle 1. Lawfulness, fairness, and transparency.

Principle 2. Purpose limitation.

Principle 3. Data minimization.

Principle 4. Accuracy.

Principle 5. Storage limitation.

Principle 6. Integrity & confidentiality (security).

Principle 7. Accountability.

All processing of personal data must be done in accordance with the seven data protection principles.