Step Up For Oracle Our Director is walking 10KM every day this August for Oracle Head and Neck Cancer UK. Follow the walk & donate →
Tremark guide to the ABI Data Protection Code of Conduct for investigators Tremark guide to the ABI Data Protection Code of Conduct for investigators

A Tremark Guide for Legal Professionals

The ABI Code of Conduct, Explained

In October 2024 the ICO approved the Association of British Investigators' UK GDPR Code of Conduct, the first of its kind for the investigative sector. If you instruct investigators, tracing agents or process servers, it quietly rewrites what good looks like. This guide walks through what the Code says and how to use it to protect your firm and your clients.

30+ Years' Experience
ABI Members
ISO 27001 & 9001
Law Society Linked
UK & International
The Guide

Ten Things Every Instructing Solicitor Should Know

The Code runs to 99 pages of data protection detail. You do not need to read all of it. You do need to know what it demands of the investigators you instruct, where your own firm sits in the picture, and which questions separate a compliant supplier from a liability. Here are the ten points that matter most, in plain English.

Understanding the Code

What It Is and Who It Binds

Sections one to five cover the essentials: where the Code came from, who signs up to it, and what it means for the firms who send investigators their instructions.

1

What the Code is and why it exists

The Association of British Investigators spent years developing a UK GDPR code of conduct for what it calls Investigative and Litigation Support Services. The Information Commissioner approved it on 15 October 2024 under Article 40 of the UK GDPR, and it was published that November, the first ICO-approved code for the investigative sector.

Article 40 codes let a sector translate general data protection law into specific, monitored rules for its own work. Investigators handle personal data in unusually sensitive ways, often without the subject's knowledge, so a sector-specific rulebook was overdue.

The full Code is published on the ICO's website and is worth bookmarking. You can read it here as a PDF, though this guide covers the parts that matter to instructing firms.

2

Who the Code covers, and who checks

Membership of the Code is voluntary, and Code Members do not have to be ABI members. Any investigative business can apply, provided its principal meets the Code Member Criteria and it can demonstrate compliance to the satisfaction of an independent Monitoring Body.

That Monitoring Body is the SSAIB, the certification body that also audits the BS102000 standard for investigative services. It assesses applicants, carries out annual compliance audits, and can suspend or remove members who fall short. Verified members appear on the ABI's public register.

The practical point: Code membership is not a logo a firm awards itself. It is an externally audited status, which is exactly why it is useful to you as a buyer of investigative services.

3

What it means for instructing solicitors

You are not bound by the Code, but your suppliers' compliance directly affects your risk. When an investigator processes personal data unlawfully on your matter, the evidence they gather can be challenged, your client's position can be damaged, and your firm can face awkward regulatory questions.

The Code gives you a ready-made benchmark. A Code Member has demonstrated, to an independent auditor, working compliance on the exact issues that trip this sector up: data roles, impact assessments, lawful bases and covert methods.

It also helps that the ICO has said it will treat Code membership, and any action taken by the Monitoring Body, as a relevant factor when considering enforcement. Instructing a member is a documented risk decision in itself.

4

Controller, processor, joint controller: a quick map

The Code's largest section deals with data roles, because this is where instructions most often go wrong. The role is decided by the facts of the processing, not by what the contract says. Neither you nor your investigator can simply pick a label.

Broadly: when an investigator follows your detailed instructions with no real discretion, it acts as a processor. When it exercises professional judgement about what data to gather and how, it becomes a controller, or a joint controller alongside your firm. Most investigative work involves genuine discretion, so pure processor arrangements are rarer than people assume.

The Code requires members to work out their role before accepting an instruction and to explain it in the engagement letter. We cover this in depth in our companion guide on data roles, but the headline is simple: if your investigator has never discussed roles with you, that silence is telling.

5

Lawful basis and the legitimate interests test

Every piece of processing needs a lawful basis under Article 6 of the UK GDPR. For investigative work, 'consent' is almost never realistic. Where it is not appropriate to ask a debtor, a fraud suspect or an evasive defendant for permission to investigate them, the Code details how compliance with the Act can still be achieved.

The workhorse basis is legitimate interests, and the Code requires members to document a legitimate interests assessment: identifying the interest pursued, showing the processing is necessary, and balancing it against the rights of the individual. Establishing, exercising or defending legal claims is a classic legitimate interest.

For your file, the useful habit is stating the purpose of the instruction clearly. A one-line purpose such as service of proceedings, enforcement of a judgment or defence of a claim gives your investigator the foundation their assessment is built on.

Choose Wisely

Why an Accredited Partner Matters

The Code exists because data handling in this sector carries real risk. Tremark pairs ABI membership with independently audited standards, so every trace, serve and enquiry you instruct stands on documented, defensible foundations.

ABI Member
Association of British Investigators
ISO 27001
Information Security
ISO 9001
Quality Management
FSQS Registered
Financial Services Qualified
Cyber Essentials
Certified
Law Society
Connected
WAD Member
World Association of Detectives
Putting It Into Practice

Compliance in the Day-to-Day Detail

Sections six to ten get practical: sensitive data, impact assessments, subject access, enforcement, and the due diligence questions worth asking before your next instruction.

6

Special category and criminal offence data

Some personal data gets extra protection. Special category data covers things like health, ethnicity, religion, and sex life. Criminal offence data covers convictions, allegations and even suspicions, which the Code says must be treated with the same care as proven offences.

Processing either type needs more than a lawful basis. Special category data requires a condition under Article 9, most often that the processing is necessary for legal claims. Criminal offence data requires a condition from Schedule 1 of the Data Protection Act 2018, and for many conditions the investigator must hold an appropriate policy document setting out its safeguards and retention approach.

Notably, the Code forbids members from maintaining their own running register of convictions. Intelligence is gathered case by case, for a defined purpose, then handled under documented retention rules.

7

DPIAs and the problem of invisible processing

Most investigative work is invisible processing: the subject does not know their data is being gathered, so they cannot exercise their rights. Data protection law treats that as high risk, which is why the Code leans so heavily on data protection impact assessments.

A DPIA is a structured risk assessment completed before processing starts. The Code requires one wherever processing is likely to be high risk, and says covert surveillance and tracking will always require one. Transparency exceptions exist, for instance where telling the subject would seriously impair the purpose, or where the person simply cannot be located yet, but relying on them still demands a documented assessment.

At Tremark a DPIA sits behind every relevant instruction as standard. If a supplier cannot show you what their impact assessment looks like, they are probably not doing them.

8

Subject access requests and disclosure risks

Subjects of investigations sometimes make subject access requests, occasionally as a tactic. A SAR to your investigator, or to your firm, can in principle reach investigation material, which makes people understandably nervous.

The law provides targeted exemptions. Personal data covered by legal professional privilege is exempt from the right of access, and further exemptions apply where disclosure would prejudice crime prevention or the conduct of legal proceedings. The Code expects members to understand these exemptions and apply them carefully rather than reflexively.

The discipline that makes exemptions work is good record-keeping: knowing what was collected, for what purpose, and under which instruction. That is precisely the documentation the Code audits, and it is what turns a stressful SAR into an administrative task.

9

Monitoring, complaints and what happens on breach

A code without teeth is marketing. This one has an enforcement structure: the Monitoring Body audits members annually against the Code Member Criteria, investigates complaints, and operates an infringement matrix running from corrective action through suspension to removal from the register.

Individuals can complain directly to the Monitoring Body about a member's data handling, and the ICO retains all its usual powers on top. Nothing in the Code shields a member from regulatory enforcement; membership simply evidences a serious, audited attempt to get things right, which the ICO will weigh in the member's favour or against it accordingly.

One limit worth knowing: the Code cannot be used as a safeguard for transferring personal data outside the UK. International work still needs its own transfer mechanism.

10

Due diligence: what to ask before you instruct

The Code effectively hands you a supplier questionnaire. Before placing sensitive work, it is reasonable to ask any investigator the following, and to expect crisp answers.

  • Status. Are you an ABI member or Code Member, and can I verify that on the register?
  • Roles. For this instruction, are you acting as our processor, a controller, or a joint controller, and where is that recorded?
  • Assessments. Will a DPIA and legitimate interests assessment sit behind this work, and can extracts be produced if challenged?
  • Security. What certifications back your handling of our data, such as ISO 27001 and Cyber Essentials?
  • Retention and breach. How long is case material kept, and what is your breach notification process?

A compliant firm will answer these in minutes, because the documentation already exists. Hesitation is your answer too.

Complete

You know the Code. Most instructing firms do not.

That knowledge is a genuine advantage: it lets you brief compliantly, choose suppliers on evidence rather than price, and answer your own clients' data protection questions with confidence. Test what stuck with five quick questions below.

Quick knowledge check

Five short questions on what you have just read. Takes about a minute, no sign up needed.

Your Testimonials

What legal professionals say about us

Trusted by solicitors, insolvency practitioners and insurers across the UK.

Common Questions

Frequently asked questions

Practical answers about the ABI Code and what it means when you instruct an investigator.

Membership is voluntary, but once a firm joins, compliance is a condition of staying on the register. The underlying obligations come from the UK GDPR and the Data Protection Act 2018, which bind every investigator regardless. The Code translates that law into audited, sector-specific requirements.
No. Your firm remains responsible for its own role in the processing, typically as a controller of the client matter. What a Code Member gives you is a supplier whose side of the processing is documented and independently audited, which substantially reduces your supply chain risk.
ABI membership is the professional body status, with vetting, a code of ethics and Law Society endorsement history. Code Membership is a separate, ICO-recognised data protection status monitored by the SSAIB. A firm can hold either or both; Tremark's principals are ABI members and the firm operates to the Code's standards.
Yes, in practice. If the investigator acts as your processor, Article 28 of the UK GDPR makes specific written terms mandatory. If they act as a controller or joint controller, you should still have a written arrangement recording roles, responsibilities and how individuals' rights will be handled.
Often, yes, but only within limits. The law allows privacy information to be withheld where providing it is impossible, would involve disproportionate effort, or would seriously impair the purpose, for example tipping off a fraud suspect. The Code requires that reliance on these exceptions is justified and documented, usually through a DPIA.
The Monitoring Body can require corrective action, suspend the member or remove them from the register under a published infringement matrix. The ICO's enforcement powers sit on top of that, and the regulator will factor the Monitoring Body's findings into any action of its own.
Yes. Surveillance is treated as high-risk invisible processing. The Code requires a DPIA in every case, a documented lawful basis and legitimate interests assessment, and clear justification that the method is necessary and proportionate to the purpose.
The ABI maintains a public register of members and Code Members on its website. Checking it takes a minute and is a sensible standard step in supplier due diligence, alongside asking for certificates such as ISO 27001.

Get in touch

Tell us what you need and one of our team will come back to you promptly.

    Need documents served or a subject traced?

    Our nationwide network of agents and in-house investigations team support law firms, insolvency practitioners and insurers every day. Send over your instruction, or call us for a same-day quote.

    Get in touch

    Tell us what you need and one of our team will come back to you promptly.