Legal & Regulatory Framework

The UK GDPR is the primary data protection framework in the United Kingdom. It sets out the principles that must govern the processing of personal data, the rights of individuals whose data is processed, and the obligations of those who process it.

Key principles relevant to investigation work: personal data must be processed lawfully, fairly, and transparently; collected for specified, explicit, and legitimate purposes; adequate, relevant, and limited to what is necessary; and kept no longer than necessary.

We rely on legitimate interests as our lawful basis for processing personal data in most investigation contexts, having assessed that our clients' legitimate interests are not overridden by the rights and freedoms of data subjects.

The Data Protection Act 2018 supplements and tailors the UK GDPR for the United Kingdom. It provides additional provisions for specific processing contexts and sets out exemptions that may apply in certain circumstances.

Of particular relevance, the DPA 2018 includes provisions that can affect how subject access requests are handled where complying with them would prejudice the purposes of an ongoing investigation. The Act also establishes the Information Commissioner's Office (ICO) as the UK's independent supervisory authority for data protection.

RIPA regulates the interception of communications, the acquisition of communications data, and covert surveillance. It was primarily designed to govern the activities of public authorities and confers specific powers on those bodies.

Private investigators are not public authorities under RIPA and therefore cannot lawfully intercept communications or access private communications data. This is a firm boundary in our work: we do not intercept phone calls, emails, or other private communications.

RIPA is nonetheless directly relevant because courts will consider whether investigation methods were proportionate and necessary when assessing the admissibility and legality of evidence.

The Investigatory Powers Act 2016 updated and expanded the framework for state surveillance powers. Like RIPA, it primarily applies to public authorities and does not confer powers on private investigators.

It reinforces the legal framework within which all surveillance activity in the UK must operate, and defines what kinds of data collection and interception are reserved exclusively for state actors.

The Human Rights Act 1998 incorporates the rights set out in the European Convention on Human Rights into UK law. The right most directly relevant is Article 8 — the right to respect for private and family life.

Article 8 does not provide an absolute right to privacy. Interference may be lawful where it pursues a legitimate aim and is necessary and proportionate. This proportionality test is central to how we assess any proposed investigation method: we will not use methods that are more intrusive than necessary.

Evidence obtained through disproportionate or unlawful intrusion may be inadmissible and could expose those who obtained it to civil or criminal liability.

The Protection from Harassment Act 1997 creates civil and criminal liability for a course of conduct that amounts to harassment. It is relevant to our work in two ways: it constrains surveillance operations (persistent surveillance could constitute harassment), and it is frequently the basis on which clients instruct us to gather evidence.

The Computer Misuse Act 1990 creates criminal offences for unauthorised access to computer material. This is a firm boundary for our cyber investigation work: we do not access computer systems, accounts, or data without lawful authorisation.

Our cyber and OSINT investigations rely exclusively on open-source information, passive observation, and data that is publicly accessible or to which we have been granted authorised access. We will not accept instructions that would require us to do otherwise.

For an employer to dismiss fairly on grounds of misconduct following an investigation, they must demonstrate: a genuine belief in the employee's guilt; that this belief was based on reasonable grounds; and that a reasonable investigation was carried out — the standard from British Home Stores v Burchell [1980] ICR 303. Our investigation reports are structured with this standard in mind.

The Equality Act 2010 is relevant in two respects: the investigation process itself must not discriminate on the basis of protected characteristics; and we may be instructed to investigate allegations of discrimination or harassment in the workplace. Our reports focus on conduct and evidence rather than characteristics of individuals.

The Fraud Act 2006 creates a general offence of fraud by false representation, by failing to disclose information, or by abuse of position. It is the primary legislation under which many matters our clients ask us to investigate are criminal offences. Evidence gathered may support a complaint to the police, civil proceedings for recovery of losses, or internal disciplinary action.

Where we become aware of possible money laundering in the course of an investigation, we may be required to make a Suspicious Activity Report (SAR) to the National Crime Agency. We take legal advice on our obligations in any case where this arises. We will not inform a subject that a SAR has been, or may be, made, as doing so could constitute a tipping-off offence.

The Online Safety Act 2023 creates new communications offences including sending communications that are false with intent to cause harm. It is relevant to our cyber harassment and online threat investigation services — clients who are victims of online harassment may have recourse under these new offences, and our investigations are designed to gather evidence in a form that supports complaints and proceedings.

The Malicious Communications Act 1988 makes it an offence to send communications that are indecent, grossly offensive, threatening, or false — where the sender's purpose is to cause distress or anxiety. This is one of the primary legislative bases for criminal complaints arising from online harassment and threatening communications.

Section 78 gives courts discretion to exclude prosecution evidence where its admission would have an adverse effect on the fairness of proceedings. Evidence gathered by private investigators has been admitted in UK criminal proceedings where it was obtained lawfully and without entrapment or oppressive conduct. We conduct investigations in a manner designed to withstand this scrutiny.

The SIA operates a licensing regime for a number of security roles. A licensing requirement for private investigators was provided for under the Act but has not yet been brought into force. As of 2026, private investigators are not currently required to hold an SIA licence to operate lawfully in the UK.

We monitor developments in the regulation of the industry closely, and we are committed to operating to the standards that a licensing regime would require, regardless of whether they are currently mandatory.