CCTV Surveillance: Getting It Right

Steve Morris writes…

“I keep six honest serving men, they taught me all I know, their names are what, why, when, how, where and who…”

“I know a person small, she keeps ten million serving-men who get no rest at all! – One million how’s, two million where’s, and seven million whys!”

Rudyard Kipling 1902

Well it’s 2015 and we have an estimated 6 million (give or take a million or so!) surveillance cameras within the UK regulated sector, and that does not include those installed by private individuals. Cameras are no longer stuck on the end of poles recording people’s movements. They are worn by officials, installed on public transport and can even predict people’s behaviour.

Image technology has advanced tremendously in recent years. Data captured by CCTV systems is often automatically interacting with other databases with the capability of providing very intrusive information about the private lives and activities of innocent individuals as well as offenders and those that pose a risk to society.

We are also going through economically difficult times. CCTV and other surveillance technology can be seen as a cost-effective answer to the resource problem. However, without careful planning and regular review, it can be a costly option that might in fact provide little or no benefit and/or land an organisation in trouble with the various regulators in this sector. The Information Commissioner’s Office (ICO) has taken enforcement action involving both number plate recognition systems and cameras recording customers’ conversations in taxis.

The ICO is not the only regulator in this area. The Surveillance Camera Commissioner is tasked with raising awareness of the Surveillance Camera Code. Made pursuant to the Protection of Freedoms Act 2012 it governs the use of surveillance camera systems including CCTV and Automatic Number Plate Recognition (ANPR) operated by the police and councils in England and Wales.

The Office of the Surveillance Commissioner has oversight in relation to covert surveillance under Part 2 of the Regulation of Investigatory Powers Act 2000 (RIPA). This often involves the deployment of covert CCTV cameras. Recently Ibrahim Hasan alerted you to the revisions of the two RIPA codes of practice.

So why quote Rudyard Kipling’s poem from 1902?

The overall question revolves around whether a ‘scatter gun approach’ (obtaining lots of private data from lots of cameras) is actually a practical, cost effective use of resources. Furthermore is this approach a lawful, necessary and proportionate approach to addressing a ‘pressing social need’ or problem? Or would a smaller number of cameras providing images and data of the quality required, when it is required, be a better use of resources?

Compliance with the various codes and laws which govern CCTV is easy if key questions are addressed at the outset:

  1. What is the pressing social need or lawful grounds for the CCTV surveillance activity? What type(s) of devices and system are appropriate? What personal data is going to be collected? What policies and processes should we have?
  2. Why do we need this surveillance in this place? Why is surveillance the option we have chosen?
  3. When should the system be capturing and recording information? When is it right to share this information?
  4. How will the system be managed? How much private information are we obtaining about individuals? How will we ensure it is kept secure?
  5. Where will the cameras be positioned? Where will we store the data?
  6. Who will we be watching? Who will have access to the collected information?

Looking for an opportunity to discuss these questions and many others, and to examine the regulatory requirements in relation to the decision making process? Attend one of my CCTV workshops and be brought right up to date with the latest laws, codes of practice and guidance.

Steve Morris is an ex-police officer and one of our expert surveillance law trainers.

Freedom of Information Case-law Roundup

Section 5 of the Freedom of Information Act (FOI) enables the Secretary of State to designate a body as a public authority if it appears to the Secretary of State:

(a)… to exercise functions of a public nature, or

(b) is providing under a contract made with a public authority any service whose provision is a function of that authority.

The Freedom of Information (Designation as Public Authorities) Order 2015 was recently debated in the House of Lords. It will make Network Rail subject to FOI from March 2015. Much has been said about extending the reach of FOI to private companies delivering public services. Don’t expect anything to happen before the election.

Fees and 16

How far does a public authority have to go in providing advice and assistance to an applicant whose request is over the fees threshold (£450/£600)?

On 22nd October 2014, in Commissioner of Police for the Metropolis v The Information Commissioner and Donnie Mackenzie, [2014] UKUT 479 (AAC), the Upper Tribunal ruled that the standard imposed by section 16 is set at a relatively low level. It agreed with the First Tier Tribunal (Information Rights) (FTT), in Beckles v Information Commissioner (EA/2011/0073 & 0074), that:

“S.16 requires a public authority, whether before or after the request is made, to suggest obvious alternative formulations of the request which will enable it to supply the core of the information sought within the cost limits. It is not required to exercise its imagination to proffer other possible solutions to the problem.”

Time limits

Section 10(1) of FOI sets out the time limit for dealing with a request for information:

“a public authority must comply…promptly and in any event not later than the twentieth working day following the date of receipt.”

Under the Environmental Information Regulations (EIR) the response to a request must be made “as soon as possible and no longer than 20 working days after the date of receipt”. In Keating v Information Commissioner and Oxford City Council (EA/2013/0226) the FTT said that whether it is an FOI or EIR request the principle is the same:

“In our judgement, whichever time limit applies, it is necessary to be realistic. Whilst both pieces of legislation contemplate a speedy response, the urgency intended is not such as to require a public authority to “drop everything” in order to reply.”

We now have a binding authority for this principle, in the form of an Upper Tribunal decision (John v ICO & Ofsted 2014 UKUT 444 AAC.).

Third Party Personal Data

Section 40 provides an exemption from disclosure of personal data about the requestor as well as that of third parties. With regard to the latter, the public authority must show that disclosure would breach one of the Data Protection Principles (usually the first one). In the absence of consent this usually requires consideration of condition 6(1) of Schedule 2 of the Data Protection Act 1998:

“The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.”

In a recent Upper Tribunal Decision, Goldsmith International Business School v IC and Home Office (GIA/1643/2014), the judge endorsed the ICO’s 8 rules when applying the test in condition 6. These are essential reading for all FOI officers.

Names of legal Advisers

Names of staff are clearly personal data. We have examined the application of section 40(2) in a number of FTT decisions (read our blog post here). The test is, is there a legitimate interest in knowing the names and is disclosure necessary to satisfy that interest?

In November 2014 the FTT (in Timothy Couzens v IC EA/2014/0146) upheld the Care Quality Commission’s refusal to supply the names of individuals who provided it with legal advice on the de-registration of a care agency. The FTT found that Couzens had “provided no persuasive argument that disclosure of the names in question would contribute to transparency, given that the substance of the legal advice has been disclosed, as a result of the CQC waiving its right to rely upon the exemption provided by FOIA section 42 (legal professional privilege).”

Staff Salaries

Is there a difference between a request for salaries of administrative staff and that of academics in a university?

Yes, according to a recent FTT decision involving King’s College, London (EA/2014/0054). The case concerned a request to the college for the job titles and departments of those staff (academic and non-academic) earning over £100,000 per annum, in bands of £10,000. The FTT ruled that salaries of most non-academic staff employed by the college should be disclosed. Read this excellent analysis by lawyers at SGH Martineau.

Local authority colleagues will know that a certain amount of salary information has to be proactively published in compliance with the Local Government Transparency Code.

Motive Blind

FOI is normally motive and purpose blind. The FTT decision in Hepple v IC and Durham County Council (EA/2013/0168) shows that this is not an absolute rule.

The background is that the Council received an FOI request for a copy of the investigators’ report into a disciplinary incident at a pupil referral unit run by the council. At that time, disciplinary proceedings were pending against each of the suspended members of staff.

The council refused the request, relying on a number of exemptions including section 38 (health and safety). The FTT upheld the decision of the ICO on this point mainly because the requester had sent text messages to some of the individuals involved “with the purpose of menacing those whose addresses the Appellant had acquired”. The FTT said “assessing an information request on this “motive blind” basis ought not to prevent us from considering the potential risk to safety posed by the requester him/herself”.

Legal Advice

The Section 42 exemption is often relied upon by public authorities when refusing to disclose legal advice. It is a qualified exemption. A few decisions have required disclosure of legal advice on public interest grounds but these have been few and far between. Indeed, following the Tribunal decision in Bellamy v The Information Commissioner which stated that there is an inherent public interest in maintaining privilege, most authorities were almost treating section 42 as an absolute exemption.

A September 2014 decision of the FTT reminds us that the public interest in disclosing legal advice has to be considered carefully. The Bingham Centre for the Rule of Law v Information Commissioner (EA/2014/0097) concerned a request to the Home Office for independent legal advice, which was referred to in a Home Office report, entitled “Intercept as Evidence.” The FTT disagreed with the ICO’s decision giving more weight to public interest factors in favour of disclosure.

Ibrahim Hasan will be discussing these and other recent FOI decisions in his FOI Update workshop. If you want an internationally recognised qualification in FOI, please consider our BCS FOI Certificate course.

A Decade of FOI in Scotland: Celebrating Success, Securing Rights for the Future

Erin Ferguson examines the Scottish Information Commissioner’s special report…

Freedom of information (FOI) legislation has recently celebrated its tenth anniversary in the United Kingdom. Overall, the UK FOI regime has been deemed successful. 400,000 requests for information have been made in the past ten years, leading to some notable disclosures and helping to establish a greater culture of transparency in public services.

Nevertheless, the Scottish Information Commissioner Rosemary Agnew recently warned that the scope of FOI in Scotland (under the Freedom of Information (Scotland) Act 2002) has reduced and that people now have less access to information than they did a decade ago.

On 19 January Agnew published a special report entitled “FOI 10 Years On: Are the Right Organisations Covered?” The report is limited to the Scottish experience, but addresses a challenge faced throughout the UK. That is, how can FOI obligations be extended to cover the wide range of organisations that now have responsibility for public service delivery?

Agnew called the introduction and implementation of the FOI Act one of Scotland’s “major success stories,” but warned that changes in public service delivery are eroding information access rights. As functions are outsourced or transferred to arm’s-length organisations, they no longer fall within the scope of the FOI Act. The transfer of social housing, for example, from local authorities to housing associations means that 15,000 households in Scotland have now lost information access rights. This affects not only access to information, but also access to justice. The loss of appeal rights to the Scottish Information Commissioner means that the public are faced with the more costly option of appealing through the courts. It is clear that FOI plays an important role in encouraging transparency and promoting civic engagement, so how can this be preserved?

The report noted that the FOI Act was introduced with the intention of extending coverage to additional bodies. A Section 5 Order allows Ministers to designate additional organisations as public bodies, but Agnew reported that this mechanism has been ‘woefully underused.’ Ministers have only exercised these powers on a handful of occasions (e.g. on 1st April 2014), and whilst it is difficult to say why they have not made greater use of this mechanism, the report speculated that lack of political will and misunderstandings over what constitute a public function might be among the reasons. Therefore, Ministers will need support in order to make greater use of the Section 5 Order.

Whereas previous debates on whether to extend FOI coverage have focused too narrowly on the structure of institutions and how they are funded, greater consideration should be given to the nature of the functions performed. As it is ultimately up to the Ministers to decide what constitutes a function of a public nature, a factor based approach can help to determine whether an organisation should be designated a public body for FOI purposes. Factors would include whether the organisation is taking the place of a public authority in carrying out a particular function and whether the functions are derived from or underpinned by statute. (A full list of factors can be found on p.18 of the report.)

The factor based approach would make the designation of additional bodies more open and transparent, and might also help to alleviate some of the challenges that have arisen from extending FOI coverage. Academies and Free Schools, for example, were brought in under the UK FOI Act in 2010. Since then, there have been some notable releases of information, but also some well-known instances in which information has been withheld, leading to lengthy appeals. The Department for Education (DfE) has withheld information on free school applications, relying on exemptions under Section 35 (information related to formulation of government policy) and Section 43 (information likely to prejudice the commercial interests of any party) to withhold information. Although this is merely one example and should not be understood as evidence of a widespread phenomenon, it does demonstrate that a tension remains when balancing the public interest in disclosure against the public interest in withholding information. Will extending FOI coverage to additional bodies simply lead to greater use of exemptions? Or will the factor based approach help to clarify which functions should be covered and why?

There is no straightforward answer to these questions, but the report suggested that support for newly designated bodies can help to ensure smoother implementation. Likewise, the public will need support as the gaps and inconsistencies created by changing models of service delivery have led to some confusion over which rights they hold. After all, as page 9 of the report says, ‘the existence of a right is one thing; making it straightforward to use is something else entirely.’

Erin Ferguson is a PhD Researcher at University of Strathclyde Law School. She blogs (http://www.erincferguson.com) and tweets (https://twitter.com/fergusonerin).

Act Now Training runs the Practitioner Certificate in the Freedom of Information (Scotland) Act 2002 which is endorsed by the Centre for FOI (based at Dundee University). The course structure is designed to thoroughly examine the law as well as the practical aspects of dealing with FOISA (and EI(S)R) requests on a day-to-day level. Read what the tutor has to say and have a go at the FOISA test.

The ‘Big Regulation’: big progress or big elephant? @privacyminion on the draft EU DP Regulation

So time has gone on a little bit and we are now 3 years down the line from when the European Commission released its proposed revised Data Protection framework on January 25th 2012. Some may say that progress has been slow but is that truly the case? We appear to have come a long way from a proposal that was written off as a “non-starter” to a piece of legislation that has seen more political discussion and campaigning than any other piece of legislation in the EU’s history.

So where are we then? In my last post (and apologies that it has been a while since my last post) we went through some of the key agreed texts from the European Parliament and outlined what the next steps in the Regulation’s journey might be. On the whole the ‘official’ actions coming out of the EU have been quiet over the last 10 months or so mainly due to the changes in Parliament Members and the change to the European Presidency.

On December 4-5 2014 at the Justice and Home Affairs Council meeting several of the key points around the Regulation were discussed. While official statements were limited there were some key areas that were discussed and some ‘formal’ stances announced.

‘One Stop Shop’: On the whole the Council and Parliament seem in favour of this idea however there is still intense discussion around how this will be implemented in practice. What is certain however is that both the Parliament and Council won’t allow for the Commission to have the final say on EU wide Data Protection issues as proposed in the Commission’s text. Very much a “we will have anything except that” view point. All institutions however have agreed that DP Authorities will and indeed do need more resources and technical capability.

Right to erasure, data access, and correction:  The contested so-called “right to be forgotten” has been limited by the Parliament so that only those publishing personal data in breach of data protection law are obliged to ensure every copy is deleted. The regulation currently seems to call for a meaningful balance between freedom of expression and freedom of information on the one hand, and the protection of personal data on the other. While there is an understanding in Parliament that the “right to be de-listed” as spelt out in the Google Spain judgement of the European Court of Justice in May 2014 is already contained in the text, the Council is still discussing the need to add specific wording.

Informed consent: Data Subjects essentially must be informed about what happens with their data, and they must (in principle at least) consciously agree to the data processing that is outlined (or indeed reject it without suffering harm by doing so). While the Parliament text insists on “explicit” consent as proposed by the Commission, the Council’s current version of the draft law proposes a more vague “unambiguous” consent, which seems to allow for interpretation on obtaining consent.

Legitimate Interest: The Parliament has narrowed down the “legitimate interest” of the data controller (which would allow for data collection and processing without consent) to what can reasonably be expected by the data subjects affected. The Council however are currently discussing allowing a change of the purpose of the data processing based on “legitimate interest” of the data controller. There are calls from supporters of the original text for this notion to be dropped as they state it weakens the individual’s rights under the regulation; however, such a hardening of legitimate interests does have massive impacts for industries that currently use legitimate interests under the current EU Directive, for example the credit referencing industry in the UK.

Data Transfers: The Parliament continues to insist that companies are not allowed to hand over data from Europe directly to third countries’ authorities unless it is under a mutual legal assistance treaty or similar instrument based on European law. The original text contained wording to enhance this protection; however, this was removed after a period of lobbying by the US government. It made it back into the Parliament’s text but doesn’t seem to be accepted for inclusion in the Council’s draft. After the Snowden revelations however there appears to be agreement that something is needed to protect against unlawful transfers of personal data.

Sanctions: The Commission originally proposed sanctions of up to two per cent of global annual turnover, and the Council seems to want to stick to this. The Parliament text looked to raise the possible sanctions to up to five per cent of the global annual turnover, or 100 Million Euros. It is unclear if the Council will support such a high percentage however it is widely accepted that such tough sanctions will discourage companies wilfully or neglectfully breaching data protection laws.

Coming up for 2015, so far we know that in March 12-13 the Council has issued a provisional agenda for the next Justice and Home Affairs Council meeting and the DP Regulation is on there for further discussion (as is a lot of other legislation due for discussion). The Council still has not committed to a concrete timeline for coming to an approved updated Regulation text but given the current timelines and activity over that time I wouldn’t expect an agreed text until either late this year or early 2016.

Once the Council has agreed the text we then go into a ‘tri-party’ negotiation between the Council, the Parliament and the Commission. So we have come a long way, but still not far enough to have a good or ‘reasonably solid’ idea of what a final draft of the Regulation will look like. One thing is certain, however: far from this being a “non-starter” or an elephant in the room, Data Protection is very much on everyone’s mind and this will come into force one way or another.

Scott Sammons is Senior Privacy Consultant at Ernst and Young and blogs under the name @privacyminion. Scott is on the Exam Board for the Act Now Data Protection Practitioner Certificate which is a qualification designed to give candidates a head start in understanding and implementing the proposed EU Data Protection Regulation.

To Brunei and Back – A tale of training far far away

Ibrahim Hasan reports on his recent trip to Brunei…

On Friday (29th January) Paul Gibbons and I returned from Brunei after delivering data protection audit training to government staff. We had a truly memorable trip. The hospitality, generosity and warmth of the Brunei people ensured that we made some fantastic new friends.

We delivered a two-day course to twelve staff (Information Security Officers (ISOs)) working in various government agencies including education, health and immigration. Whilst Brunei does not have data protection legislation, it does have a Data Protection Policy which applies to all government agencies. This is loosely based on the UK Data Protection Act and has been signed off at the highest level. All agencies are required to comply with the policy but there is no regulator like our Information Commissioner. Having said that, there was a real commitment on the part of the delegates and the organisers to implement best data protection practice.

Having successfully completed the course, the ISOs will now audit government agencies to assess levels of compliance. They have been trained to consider DP policies and procedures as well as staff knowledge and awareness. They will produce a report which will be considered by the head of each agency.

The delegates seemed to really enjoy the course and even laughed at Paul’s jokes! Feedback was very positive with some encouraging testimonials:

“An inspiring workshop. The presenter was well understood, friendly and approachable.” HBHM, Health Technology Dept., Ministry of Health

“The experienced tutor and facilitator provided me with clear knowledge and awareness of Data Protection. I’m truly grateful for this experience.” NK, Public Services Department

“An eye-opening course…I am glad I attended this course.” HNHA, Department of Labour, Ministry of Home Affairs

“Good and interactive explanation/briefing on the Data Protection Policy.” DPHAI, Land Transport Department

In addition to the formal training there were some lively discussions during the breaks about the different approaches to Data Protection in the UK and Brunei. Other important subjects for discussion included the relative success of Liverpool, Arsenal and Manchester United!

This training was phase 2 of our Brunei consultancy project. Phase 1 involved developing a Data Protection Audit Manual, drafted by our colleague Tim Turner, based on the Brunei Data Protection Policy. This included guidance on DP audit planning, preparation and the use of DP audit templates. Many delegates commented that the manual was clear, comprehensive and very easy to follow.

This is one of many recent consultancy projects we have conducted. It enhances our reputation as one of the UK’s leading providers of in house training and consultancy in information law and information management. As more countries enact data protection legislation, we hope to be at the forefront of developing products and services that will enable those working in this field to develop their skills. Watch this space!

But all work and no play makes Jack a dull boy! Whilst the tourism industry in Brunei is not as developed as its neighbour Malaysia, there is still plenty to see and do (and eat). There are some stunning mosques which will impress people of all faiths and none.

The food is a tasty mix of traditional Malay cuisine as well as dishes influenced by the many Chinese and Indians who have settled in Brunei. You can enjoy the delicious (and very cheap) street food in the Night Market or dine in style in the many upmarket restaurants. There is something for all tastes and budgets.

We also took the opportunity to ride a water taxi to the historic water village of Kampong Ayar. Over 1000 years old it boasts 500 houses built on stilts in the river. A further trip up the river allowed us to see a few monkeys and the odd (less cuddly) crocodile!

Brunei is a fantastic country and well worth an inclusion on a Far East holiday itinerary. Want to see more photos? See our Twitter feed or search the hashtag “#ActNowinBrunei”.

Finally we would like to thank all our friends in Brunei who organised and attended this training and made us feel so much at home. Keep in touch.

Please take a moment to browse our in house training and consultancy pages. Feel free to get in touch to discuss your requirements in this area.

Staff Surveillance: It’s a Data Protection Issue

Increasingly affordable surveillance technology means that more and more employers are turning to surveillance to catch errant or work shy employees. But confusion still reigns as to which legislation applies and what can be done lawfully.

If employee surveillance is conducted by a public authority and involves covert techniques or equipment, it is easy to assume that Part 2 of the Regulation of Investigatory Powers Act 2000 (“RIPA”) applies. However, the Investigatory Powers Tribunal has ruled in the past that not all covert surveillance of employees is regulated by RIPA (See C v The Police and the Secretary of State for the Home Department (14th November 2006, No: IPT/03/32/H), discussed in our previous blog post on employee surveillance.)

All employers, whether in the public or the private sector, have to respect their employees’ right to privacy under Article 8 of the European Convention on Human Rights. This means that the surveillance must be carried out in a manner that is in accordance with the law and is necessary and proportionate (see Copland v UK (3rd April 2007 ECHR)).

During the course of the surveillance, the employer will inevitably be gathering personal data about employees. Consideration therefore has to be given to the provisions of the Data Protection Act 1998 (DPA). Compliance with the DPA will also help demonstrate that the surveillance is human rights compliant since protection of individuals’ privacy is a cornerstone of the DPA.

The Information Commissioner’s Office’s (ICO) Employment Practices Code covers surveillance of employees at work. The code covers all types of employee surveillance from video monitoring and vehicle tracking to email and internet surveillance. Whilst the code is not law, it will be taken into account by the Information Commissioner and the courts when deciding whether the DPA has been complied with.

In December 2014, Caerphilly County Borough Council signed an undertaking after an ICO investigation found that the Council’s surveillance of an employee, suspected of fraudulently claiming to be sick, had breached the DPA.

The council’s decision to authorise the surveillance was based on anecdotal evidence and was begun only four weeks into the employee’s sickness absence. No other measures were taken to discuss the employee’s absence before the decision to deploy covert surveillance. The surveillance report, which was produced by a private company, was never used. The ICO determined the council did not have sufficient grounds to undertake the surveillance, especially at such an early stage of the employee’s absence.

The council has undertaken that, in future, it will carry out an impact assessment (as required by the code) in every case of employee surveillance. This will consider whether the adverse impact of the surveillance on the employee(s) is justified by the benefits to the employer and others. Such an impact assessment must also:

  • clearly identify the purpose(s) behind the surveillance and the benefits it is likely to deliver,
  • identify any likely adverse impact of the surveillance,
  • consider alternatives to surveillance or different ways in which it can be carried out,
  • take into account the obligations that arise from the surveillance, and
  • judge whether the surveillance is justified.

This assessment is best done in writing using a “Non-RIPA” surveillance form (Our RIPA Policy and Procedures Toolkit contains such a form).

Furthermore the council agreed some general principles which are useful for all employers to note when deciding to conduct covert surveillance of employees:

  • Senior management should authorise any covert monitoring. In doing so they must satisfy themselves that there are grounds for suspecting criminal activity or equivalent malpractice (i.e. serious but non-criminal employee misbehaviour, such as fraudulently claiming sick pay) and that notifying individuals about the monitoring would prejudice its prevention or detection.
  • Such covert monitoring should only be used in exceptional circumstances, as it will be rare for covert monitoring of employees to be justified.
  • Ensure that any covert monitoring is strictly targeted at obtaining evidence within a set timeframe and that the covert monitoring does not continue after the investigation is complete.
  • Do not use covert audio or video monitoring in areas which workers would genuinely and reasonably expect to be private.
  • If a private investigator is employed to collect information on workers covertly, make sure there is a contract in place that requires the private investigator to only collect information in a way that satisfies the employer’s obligations under the Act.
  • Check any arrangements for employing private investigators to ensure your contracts with them impose requirements on the investigator to only collect and use information on workers in accordance with your instructions and to keep the information secure.
  • Ensure that information obtained through covert monitoring is used only for the prevention or detection of criminal activity or equivalent malpractice.
  • Disregard and, where feasible, delete other information collected in the course of monitoring unless it reveals information that no employer could reasonably be expected to ignore.

Employee surveillance is a legal minefield. RIPA may not always apply but compliance with the DPA and the Employment Practices Code will ensure that it is human rights compliant and that adverse headlines are avoided.

Act Now can help you get to grips with this difficult area. Please see our full program of surveillance law courses which can also be customised and delivered at your premises.

New Transparency Code for Smaller Authorities

In October 2014 the Department for Communities and Local Government (DCLG) published an updated version of the Local Government Transparency Code. This applies in England only and replaces the previous version. The code requires councils (as well as, amongst others, National Park Authorities, Fire and Waste Authorities and Integrated Transport Authorities) to proactively publish certain categories of information (in Part 2 of the code) whilst also recommending that they go beyond the minimum (in Part 3 of the code). Read more about the code here.

But what of smaller public authorities and parish councils? On 10th March 2014 the Government launched a consultation on a draft transparency code for such organisations, which will act as a substitute for routine external audit.

On 17th December 2014 the DCLG finally published the Transparency Code for Smaller Authorities. This code applies to the following types of authorities with an annual turnover not exceeding £25,000:

  • parish councils
  • internal drainage boards
  • charter trustees
  • port health authorities

This code is issued to meet “the government’s desire to place more power into citizens’ hands to increase democratic accountability.” However it is published initially as recommended practice, although the Secretary of State told Parliament on 17th December that he intends to make the code mandatory by the start of the 2015 financial year.

The Local Audit and Accountability Act 2014 sets out a new audit framework for public authorities which are currently covered by the Audit Commission regime. Under this new framework smaller authorities will be exempt from routine external audit. In place of routine audit, they will be subject to the new transparency requirements laid out in this code. This will enable local electors and ratepayers to access relevant information about the authorities’ accounts and governance.

Part 2 of the code sets out the information to be published:

  1. all items of expenditure above £100 (see paragraphs 13 – 15);
  2. end of year accounts (see paragraphs 16 and 17);
  3. annual governance statement (see paragraphs 18 and 19);
  4. internal audit report (see paragraphs 20 – 22);
  5. list of councillor or member responsibilities (see paragraph 23);
  6. the details of public land and building assets (see paragraphs 24 – 27);
  7. minutes, agendas and meeting papers of formal meetings (see paragraphs 29 and 30).

The code states that the information specified must be published on a website which is publicly accessible and free of charge. This could be on the authority’s own website or that of the billing authority in its area (district or London borough or unitary council).

Ibrahim Hasan will be discussing both transparency codes in his forthcoming live and interactive one-hour web seminar.

The New RIPA Surveillance Codes: Key Changes

By Sam Lincoln (Chief Surveillance Inspector 2006 – 2013)

Recently Ibrahim Hasan alerted you to the revisions of the two codes of practice under Part 2 of the Regulation of Investigatory Powers Act 2000 (RIPA) published on 10th December 2014. Ibrahim urged you to read them but I suspect that it wasn’t at the top of your ‘to do’ list over Christmas! So I’ve done the donkey work for you.

A cursory examination suggests that the revised codes simply implement the amendments to RIPA resulting from the legislation enacted since the last codes were published, namely: the Regulation of Investigatory Powers (Extension of Authorisation Provisions: Legal Consultations) Order 2010; the Protection of Freedoms Act 2012; and the Regulation of Investigatory Powers (Covert Human Intelligence Sources: Relevant Sources) Order 2013. But there are some interesting and important changes.

I approach the subject by addressing each of the two codes. Before I do, it’s worth saying that I compared the existing 2010 codes with the draft codes obtained from the Home Office website available at the time of writing. It may be worth checking to see if further amendments were made before publication. I ignore the frequent amendment resulting from changes to the names or amalgamation of public authorities (for example the formation of Police Scotland and the creation of the National Crime Agency).

If you are a member of a local authority, please don’t persuade yourself that the CHIS Code doesn’t apply to your authority. I think you’ll find that it does!

Covert Surveillance and Property Interference Code

Let’s begin with the Covert Surveillance and Property Interference Code. It might be worth having a copy (printed or online) handy as I’ll refer to relevant paragraph numbers in square brackets ([]):

[2.18] The first sentence is amended to account for the fact that some legal consultations which might otherwise be Directed Surveillance are now to be authorised as Intrusive Surveillance.

[2.24] Examples 3 and 4 have been amended. I am particularly uncomfortable with the amendment to Example 4 which relegates the requirement for an authorisation from “should be sought” to “should … be considered”. The inference is that planned covert surveillance of an individual suspected of shoplifting depends on the public authority deciding whether the individual has a reasonable expectation of privacy. Assessing what is reasonable and what is assumed by another person is open to challenge. It is because examples can mislead that the Office of Surveillance Commissioners (OSC), during my tenure, advised against the inclusion of examples. For this reason it’s vital that applicants and authorising officers note [1.7].

[2.27] This paragraph has been expanded to include guidance provided by the Surveillance Camera Code of Practice pursuant to the Protection of Freedoms Act. (More on CCTV here)

[2.29] This new paragraph provides important guidance regarding the need to consider whether an authorisation for either Directed Surveillance or a CHIS is required when using the Internet. As usual, it lacks the clarity usually sought by practitioners but it is clear that prior consideration should be given to the need for authorisation; it’s not acceptable to ignore this advice and I urge Senior Responsible Officers to ensure that they alert all public authority staff to its implications.

[2.30] The third bullet point of this paragraph is amended to differentiate between non-verbal and verbal noise.

[3.7] The original examples 2 and 3 are deleted. I suspect that the cause is that neither could be protected by a RIPA authorisation as a result of the 2010 Order. But then again, nor does Example 1!

[3.18] This is a new paragraph and covers the use of third party individuals or organisations (for example private investigators and internet researchers). They are acting as agents of the public authority and the need for relevant authorisation must not be ignored.

[3.22] The deletion of reference to Scottish public authorities suggests that there is no collaboration agreement with any public authorities in Scotland.

[3.30 – 3.33] These new paragraphs cover the changes to local authority authorisations of Directed Surveillance resulting from the Protection of Freedoms Act 2012. (More on the changes here)

[3.35] This paragraph amends the requirement for elected members to consider internal reports submitted on a ‘regular basis’ rather than at least quarterly. I’m personally disappointed that there’s no restriction on the detail of authorisations that elected members are entitled to see to prevent inadvertent compromise.

[4.1] The fourth sentence is amended slightly for grammatical effect it seems. The definition of a Member of Parliament is deleted and placed in the glossary at the back of the code.

[5.18] I recall that the OSC advised that there is no ‘legal’ requirement for any further details to be recorded and would have preferred the code to be more assertive. It’s disappointing that this advice is ignored.

[5.20] It isn’t clear why all of the footnotes relating to this paragraph are deleted.

[6.2] Is amended to include directed surveillance.

[7.8] This paragraph isn’t amended despite, to my knowledge, earlier criticism of the accuracy of its first sentence by the OSC. I am not a lawyer but, if I recall accurately, neither loss nor damage is necessary for there to be property interference. Subsequent analysis of a sample isn’t, of itself, surveillance; it’s the obtaining of the sample itself which may need authorisation.

[8.1] An additional sentence is added directing local authorities to the .gov.uk website for further guidance on the recording of magistrates’ decisions.

[8.2] A final bullet is included requiring local authorities to retain a copy of the Magistrates’ approval order in a centrally retrievable form. (more on the Magistrates’ approval process here)

[8.4] This is a new paragraph advising that it is desirable that relevant records should be retained, if possible, for up to five years.

CHIS Code of Practice

Let me turn now to the revised CHIS Code of Practice.

[2.4] This alerts the reader to the renaming of CHIS previously known as undercover officers to ‘relevant source’. Not a particularly helpful title. Contrary to this paragraph, not all references to undercover officers are amended in this revision of the Code.

[2.12] The final sentence of this paragraph is an important amendment. It alerts public authorities to the fact that the existence of a CHIS is not a choice for a public authority. Whether to authorise the use and conduct of a CHIS is a choice of course, but in my experience too often public authorities wished the problem away. In short, all public authorities must acknowledge that a CHIS may appear at any time and must have procedures in place to manage them in accordance with the law.

[2.14] This new paragraph obliges ‘relevant sources’ to comply with the College of Policing Code of Ethics.

[2.15] This is a new paragraph obliging the authorisation of activity known as ‘legend building’.

[2.16] This seems an unnecessary paragraph considering that types of human sources falling outside the CHIS definition are provided specific attention.

[2.17] This new paragraph introduces the concept of a public volunteer (with examples) in addition to the previously existing concept of a human source with a professional or statutory duty.

[3.12] This paragraph is amended in recognition that the 2013 Order introduced enhanced arrangements.

[3.22] The amendment to this paragraph emphasises that the enhanced arrangement for relevant sources relies on accurate recording of the length of deployment of each relevant source.

[3.26 – 3.27] This new section is specific to the use of CHIS by local authorities and the approval by magistrates. It highlights differences between authorities in England and Wales, Scotland, and Northern Ireland. Similar direction is provided to the need for elected member review but, as I was disappointed with the direction in the other Code, I believe that there is benefit in restricting the detail available to elected members in relation to the use and conduct of a CHIS to prevent compromise.

[4.3] This reminds the reader that ‘relevant sources’ are subject to enhanced arrangements when accessing legally privileged and other confidential information.

[4.31] There is an addition to cover the engagement of a member of a foreign law enforcement agency.

[4.32] This is an important new paragraph covering the considerations necessary to authorise the use and conduct of a CHIS for some online covert activity. It should be read in conjunction with [2.29] of the Covert Surveillance and Property Interference Code of Practice.

[5.10] This new paragraph clarifies the enhanced arrangements for relevant sources.

[5.15] Two sentences are added to this paragraph. The first states that local authorities are no longer able to orally authorise the use of RIPA techniques. The second relates to out of hours arrangements.

[5.16] An amendment to this paragraph introduces additional information to include at review; namely the information obtained from a CHIS and the reasons why executive action is not possible if that is the case (my italics are an addition).

[5.21 and 5.22 – 5.26] These new paragraphs relate to enhanced arrangements for the use and conduct of relevant sources. They provide detail regarding timings and, importantly, the calculation of total or accrued deployment or cumulative authorisation periods.

[5.29] An additional sentence requires an authorising officer to satisfy themselves that all welfare issues are addressed at the time of CHIS cancellation.

[5.30 – 5.31] These new paragraphs relate to the refusal of an Ordinary Surveillance Commissioner to approve a long term authorisation. Importantly, it obliges public authorities to plan for the safe extraction of a relevant source if an authorisation is refused.

[6.6] The addition of a final sentence recognises concerns raised by the OSC in relation to traditional police appointments and their responsibilities as defined by RIPA.

[7.3] Similar to [8.4] of the Covert Surveillance and Property Interference Code revision, this new paragraph (and amendment of [7.1] and [7.6]) recommends that relevant RIPA records should be retained for five years if possible.

[7.6] The addition of a bullet point requires that the decision of an Ordinary Surveillance Commissioner should be retained.

There is one other point I would like to make about the CHIS Code; there is no reference to the fact that the Protection of Freedoms Act 2012 did not restrict the use or conduct of a CHIS to the prevention or detection of crimes not attracting a six month sentence as it did for other types of covert surveillance.

What should you do now?

If you’ve got this far without falling asleep, you are obviously a person who takes RIPA seriously! It would be very helpful therefore if you ensure that your Senior Responsible Officer and all authorising officers are alerted to these amendments. I’m sure the OSC will check that policies are amended accordingly and that extant codes of practice are available and understood.

Copy this article by all means but please have the courtesy to accredit it properly!!

Sam Lincoln was formerly Chief Surveillance Inspector with the Office of Surveillance Commissioners for seven years. Please get in touch if you would like Sam to help you prepare for an OSC inspection by delivering customised training at your premises. We also have a full program of RIPA workshops in 2015 where we will examine the new codes in detail: http://www.actnow.org.uk/content/110

———————————————————————————————————-