For many years now we have offered a people tracing service. It’s popular with solicitors who might need to trace a respondant or a person left money in a will. Insurance companies and debt collection agencies also use us in some cases. Individuals often want to trace long-lost friends, missing family members or old school friends.
Most people think because we offer this service, we accept every request. But this isn’t the case. Why?
Tremark has always been mindful of the outcome of tracing a person, who may want to remain anonymous.
But up until 2018, there was no official regulation for the private security industry. This meant unscrupulous enquiry agents would operate without a thought for the person. Or, fear of any legal consequences arising from the way they carried out their enquiries.
Thankfully, this is no longer the case. In 2018 the General Data Protection Regulation (GDPR) became law.
The Data Protection Act gives all EU residents the right to control their personal data. The UK is still included in this.
The Act says that data must be processed transparently, fairly, and lawfully. It gives 6 legal bases which show how this can be done. They are:
Consent – You have obtained consent for data to be processed for a specific purpose. If you haven’t then you must look for a different base.
Performance of a Contract – The information must fulfil a contract you have with the individual
Legal Requirement – The information is needed to comply with a legal obligation. This could be in the case of an employment contract or a security issue
Vital Interest – The information is required to protect that person or any other person. This base is often used by police or hospitals when they need to carry out a life-saving procedure
Public Interest – The data is being used to carry out a task in the public interest. This is often used by local authorities or government entities
Legitimate Interest – Processing this data is necessary for the organisation to do its job without harming the freedom and rights of the person
Tremark, like other companies, can access data stored by companies and organisations. But they must demonstrate governance and compliance.
How do we demonstrate compliance and governance?
Firstly, we are operating without the person’s consent (we don’t know where they are yet, so we can’t ask). We can’t depend on the other 4 criteria either. So that leaves ‘Legitimate Interest.’ This is the basis we can rely on to do our work.
The next thing we must do is to show that the 3 requirements of ‘legitimate interest’ are being met. We must therefore confirm that:
1. The Purpose Test – It is in our interests to use the data and are we using it lawfully?
2. The Necessity Test – Are there any other alternatives we could use so that we are less obtrusive?
3. The Balancing Test – Will the use of their data annoy them or will they feel on balance, that tracing them has not put their privacy rights at risk. On balance, does our clients legitimate interest outweigh the subjects right to privacy?
We do this by conducting a legitimate interest assessment.
Here’s an example. A solicitor contacts us and explains his client, Mr Elliott, has left some money in his will for his step-son. They lost contact many years ago when Mr Elliott and the step-son’s mother divorced. Mr Elliott was very fond of the boy and as he has no other children he wants to leave his estate to him.
We conduct a legitimate interest assessment by checking that we can meet the 3 requirements of legitimate interest. In this case:
Yes, we are acting lawfully
No, there are no other alternatives we can use
Yes, we feel that the liklehood is that the setp-son will be pleased with the outcome of our enquiries and that there is minimal risk of damage or harm being caused by our processing of his data.
We can now accept the solicitor’s request for our tracing service. We are confident we are complying with the regulations set down by the GDPR Act.
When GDPR compliance isn’t so straightforward
However, take another example. Mr Lewis comes to us as a private individual and tells us he is keen to trace his daughter who left home 5 years ago. He and his wife are keen to make amends and they would like us to trace her so that they can do this.
We carry out a ‘legitimate interest assessment,’ as part of a Data Processing Impact assement, but when it comes to the final requirement there is a doubt. We cannot be 100% sure that Mr Lewis’ daughter would be happy to see her parents again. The daughters right to pricacy may be greater that the parents wish to make contact.
In this case, we agree to help Mr Lewis. But we explain to him that we can’t submit the details of our search to him. Nor can we provide him with his daughter’s whereabouts if we find her, unless his daugther provides us with her consent to provide him with her address.
Where this retrospective consent is not given, we confirm to Mr Lewis we have found her and then pass on a letter, phone number or email address to the daughter from Mr Lewis. It is then up to his daughter whether or not she wants to get in touch.
We still need to be paid. After all, we have done our job, but we are under no obligation to disclose her address or any other contact details.
So, as you can see, our tracing service won’t be suitable for every case. Bear in mind that we only work within the parameters of the law and adhere to the strict regulations of GDPR.
But if you need help tracing a person and we can fulfil the requirements of ‘legitimate interest’ we are happy to help.