Author: actnowtraining

Act Now Training is Europe's leading provider of information governance training, serving government agencies, multinational corporations, financial institutions, and corporate law firms. Our associates have decades of information governance experience. We pride ourselves on delivering high quality training that is practical and makes the complex simple. Our extensive programme ranges from short webinars and one day workshops through to higher level practitioner certificate courses delivered online or in the classroom.

I hate my boss, I’m drunk, E’s are good and here’s my new mobile.

A delegate on a recent course after an animated discussion on social networking  sent us the following link to “We know what you’re doing… A social networking privacy experiment by Callum Haywood“.

To use the words of the site All data is pulled directly from Facebook, it is not censored, and it is publicly accessible via the Graph API” . In other words the site ‘reads’ status updates which are publicly accessible from Facebook and if they meet the right criteria it categorises them into the following 4 groups:

  • Those who ‘hate their boss’ (and are likely to get fired)
  • Those who are hungover
  • Those who use drugs or condone the use of drugs
  • Those who have a new phone number and have listed it publicly online

Some are fairly anonymous and private but now and again you do get enough information to track some one down with some low level googling. Here’s the link. Watch the video as well.

http://www.weknowwhatyouredoing.com/

 

New RIPA Procedure Guidance: Magistrates’ Approval

Chapter 2 of Part 2 of the Protection of Freedoms Act 2012 (sections 37 and 38) comes into force on 1st November 2012. This changes the procedure for the authorisation of local authority surveillance under the Regulation for Investigatory Powers Act 2000 (RIPA).

From 1st November local authorities will be required to obtain the approval of a Justice of the Peace (JP) for the use of any one of the three covert investigatory techniques available to them under RIPA namely Directed Surveillance, the deployment of a Covert Human Intelligence Source (CHIS) and accessing communications data.

An approval is also required if an authorisation to use such techniques is being renewed. In each case, the role of the JP is to ensure that the correct procedures have been followed and the relevant factors have been taken account of. There is no requirement for the JP to consider either cancellations or internal reviews.For a full explanation of the 2012 Act and the new section 37 and 38 of RIPA read my article.

Home Office Guidance

The Home Office has now published its RIPA Magistrates’ Approval Guidance both for local authorities and the Magistrates’ Court. This guidance is non-statutory but provides advice on how local authorities can best approach these changes in law and the new arrangements that need to be put in place to implement them effectively.  It is supplementary to the legislation and to the two statutory Codes of Practice.

The New Magistrates’ Approval Process

  1. The first stage will be to apply for an internal authorisation in the usual way. Once it has been granted, the local authority will need to contact the local Magistrates Court to arrange a hearing.
  2. The hearing is a ‘legal proceeding’ and therefore local authority officers need to be formally designated to appear, be sworn in and present evidence or provide information as required by the JP. It is envisaged that the investigating officer will be best suited to fulfill this role. The local authority may consider it appropriate for the SPoC (Single Point of Contact) to attend for applications involving communications data.
  3. The local authority will provide the JP with a copy of the original RIPA authorisation or notice.  This forms the basis of the application to the JP and should contain all information that is relied upon. In addition, the local authority will provide the JP with two copies of a partially completed judicial application/order form (which is included in the Home Office Guidance).
  4. The hearing will be in private and heard by a single JP who will read and consider the RIPA authorisation or notice and the judicial application/order form.  He/she may have questions to clarify points or require additional reassurance on particular matters.  The forms and supporting papers must by themselves make the case.  It is not sufficient for the local authority to provide oral evidence where this is not reflected or supported in the papers provided.
  5.  The JP will consider whether he or she is satisfied that at the time the authorisation was granted or renewed or the notice was given or renewed, there were reasonable grounds for believing that the authorisation or notice was necessary and proportionate.  He/She will also consider whether there continues to be reasonable grounds.  In addition they must be satisfied that the person who granted the authorisation or gave the notice was an appropriate designated person within the local authority and the authorisation was made in accordance with any applicable legal restrictions, for example that the crime threshold for directed surveillance has been met (see below).
  6.  The order section of the above mentioned form will be completed by the JP and will be the official record of the his/her decision.  The local authority will need to retain a copy of the form after it has been signed by the JP.

The JP may decide to –

  • Approve the grant or renewal of an authorisation or notice

The grant or renewal of the RIPA authorisation or notice will then take effect and the local authority may proceed to use the technique in that particular case. The local authority will need to provide a copy of the order to the communications service provider (CSP), via the SPoC (Single Point of Contact), for all CD requests.

  • Refuse to approve the grant or renewal of an authorisation or notice

The RIPA authorisation or notice will not take effect and the local authority may not use the technique in that case.  Where an application has been refused the local authority may wish to consider the reasons for that refusal.  For example, a technical error in the form may be remedied without the local authority going through the internal authorisation process again.  The local authority may then wish to reapply for judicial approval once those steps have been taken.

  • Refuse to approve the grant or renewal and quash the authorisation or notice

This applies where a Magistrates’ court refuses to approve the grant, giving or renewal of an authorisation or notice and decides to quash the original authorisation or notice.The court must not exercise its power to quash that authorisation or notice unless the applicant has had at least two business days from the date of the refusal in which to make representations.

Appeals

A local authority may only appeal a JP’s decision on a point of law bymaking an application for judicial review in the High Court. The Investigatory Powers Tribunal (IPT) will continue to investigate complaints by individuals about the use of RIPA techniques by public bodies, including local authorities.  If, following a complaint to them, the IPT finds fault with a RIPA authorisation or notice it has the power to quash the JP’s order which approved the grant or renewal of the authorisation or notice. It can also award damages if it believes that an individual’s human rights have been violated by the public authority doing the surveillance.

Plan Now

Local authorities should Act Now to ensure they are ready for the new procedure. They should:

  1. Train staff – All investigators and authorising officers need to know about the new process. Those who will be attending court need to be trained in completing the new judicial application/order form.
  2. Designate staff who will be attending the Magistrates Court – The usual procedure would be for local authority Standing Orders to designate certain officers( including SPoCs) for the purpose of presenting RIPA cases to JPs under section 223 of the Local Government Act 1972.  A pool of suitable officers could be designated before 1st November and adjusted as appropriate throughout the year.
  3. Amend the RIPA Policy and Procedures to reflect the new process.

New Serious Crime Test The Regulation of Investigatory Powers (Directed Surveillance and Covert Human Intelligence Sources) (Amendment) Order 2012, SI 2012/1500  (“the 2012 Order”), was made on 11 June 2012 and will also come into force on 1 November 2012. Directed Surveillance will be made subject to a new Serious Crime Test. The days of councils authorising surveillance for dog fouling and littering will soon be over. More information here

Act Now can help you prepare for the new RIPA process. We have a new RIPA Policy and Procedures Toolkit as well as courses throughout the UK.

 If you would like advice on what needs to be done or customised in house training, please get in touch.

Mind the (Surveillance) Gap!

Before the 2010 election, both coalition parties made a big thing about “rolling back the Surveillance State.” They announced in the Coalition Agreement:

 “We will ban the use of powers in the Regulation of Investigatory Powers Act (RIPA) by councils, unless they are signed off by a magistrate and required for stopping serious crime.”

The first part of this commitment has been enacted via sections 37 and 38 of the Protection of Freedoms Act 2012 . This amends the Regulation of Investigatory Powers Act 2000 (RIPA) so as to require local authorities to obtain the approval of a Magistrate for the use of any one of the three covert investigatory techniques available to them under RIPA; namely Directed Surveillance, the deployment of a Covert Human Intelligence Source (CHIS) and accessing communications data. (Read our blog post for more on this requirement, which comes into force on 1st November).

The second part of the Coalition’s commitment also comes into force on the same day in the form of The Regulation of Investigatory Powers (Directed Surveillance and Covert Human Intelligence Sources) (Amendment) Order 2012, SI 2012/1500 (“the 2012 Order”).  This amends the Regulation of Investigatory Powers (Directed Surveillance and Covert Human Intelligence Sources) Order 2010, SI 2010/521 (“the 2010 Order”).

From 1st November 2012, local authority Authorising Officers may not authorise Directed Surveillance unless it is for the purpose of preventing or detecting a criminal offence and it meets the condition set out in New Article 7A(3)(a) or (b) of the 2010 Order. Those conditions are that the criminal offence which is sought to be prevented or detected is punishable, whether on summary conviction or on indictment, by a maximum term of at least 6 months of imprisonment, or would constitute an offence under sections 146, 147 or 147A of the Licensing Act 2003 or section 7 of the Children and Young Persons Act 1933 (offences involving sale of tobacco and alcohol to underage children).

The Government’s aim in passing the 2012 Order is explained in paragraph 7.2 of the explanatory memorandum :

“The additional restriction that is imposed through this statutory instrument on authorisations of directed surveillance by local authorities is imposed in response to public concern that some local authorities have used directed surveillance in trivial cases such as littering, dog control and school admission. This statutory instrument discharges a Government commitment to prevent local authority use of directed surveillance under RIPA unless required for the purposes of preventing or detecting the more serious kinds of criminal offences which local authorities investigate.”

Whilst the 2012 Order will certainly restrict councils authorising Directed Surveillance under RIPA, can it completely stop them doing covert surveillance when investigating “minor offences”? I do not think so.

RIPA is there to ensure that certain types of covert surveillance undertaken by public authorities is done in such as is human rights compliant. This is done through a system of (until now) internal authorisation from a senior officer. RIPA is permissive legislation. Authorisation under RIPA affords a public authority a defence under Section 27 i.e. the activity is lawful for all purposes. However, failure to obtain an authorisation does not make covert surveillance unlawful. Section 80 of RIPA states:

“Nothing in any of the provisions of this Act by virtue of which conduct of any description is or may be authorised by any warrant, authorisation or notice, or by virtue of which information may be obtained in any manner, shall be construed—

(a)as making it unlawful to engage in any conduct of that description which is not otherwise unlawful under this Act and would not be unlawful apart from this Act;

(b)as otherwise requiring—

(i)the issue, grant or giving of such a warrant, authorisation or notice, or

(ii)the taking of any step for or towards obtaining the authority of such a warrant, authorisation or notice,

before any such conduct of that description is engaged in; or

(c)as prejudicing any power to obtain information by any means not involving conduct that may be authorised under this Act.”

This point was explained more fully by the Investigatory Powers Tribunal in the case of C v The Police (Case No: IPT/03/32/H 14th November 2006 ):

Although RIPA provides a framework for obtaining internal authorisations of directed surveillance (and other forms of surveillance), there is no general prohibition in RIPA against conducting directed surveillance without RIPA  authorisation. RIPA does not require prior authorisation to be obtained by a public authority in order to carry out surveillance. Lack of authorisation under RIPA does not necessarily mean that the carrying out of directed surveillance is unlawful.

In making the 2012 Order, the Government has forgotten to do anything about section 80 of RIPA. They should have repealed or amended it in some way to achieve their aim. Section 80 means that the changes in the 2012 Order will not make surveillance for dog fouling and littering unlawful. All it will mean is that in such cases surveillance will not have the protection of RIPA (the defence in section 27). Local authorities will still be able use covert surveillance for such purposes as long as it is necessary and proportionate in accordance with Article 8 of the European Convention on Human Rights (right to privacy).

This point is made by the Chief Surveillance Commissioner in last year’s annual report (2010/2011):

“The higher threshold in the proposed legislation will reduce the number of cases in which local authorities have the protection of RIPA when conducting covert surveillance; it will not prevent the use of those tactics in cases where the threshold is not reached but where it may be necessary and proportionate to obtain evidence covertly and there will be no RIPA audit trail. Part I of RIPA makes unauthorised interception unlawful. In contrast, Part II makes authorised surveillance lawful but does not make unauthorised surveillance unlawful.”

In his latest annual report (2011/2012) he again acknowledges (at paragraph 5.22) that there is a gap in the law which allows public authorities to undertake covert surveillance (as long as it is human rights compliant) even though it may not be authorisable under RIPA:

“I occasionally encourage the use of similar authorisation mechanisms for activity which cannot be protected by the Acts (for example where covert techniques are used to identify a missing person when no crime is suspected). In these circumstances statutory definitions are met but none of the grounds specified in RIPA section 28(3) or RIP(S)A section 6(3), yet the human rights of the subject of surveillance must be considered. The authorisation process provides a useful audit of decisions and actions.”

So when the 2012 Order comes into force, we will have a void up to the 6 month threshold where Directed Surveillance will not be authorisable under RIPA but may still be desired to be undertaken by investigating officers. What to do? From the above it seems that surveillance can be done as long as it is necessary and proportionate and a proper paper audit trail exists. It may be a good idea to complete a “Non-RIPA authorisation form.” (We have one in our RIPA Policy and Procedure Toolkit).

Will local authorities decide to do “Non-RIPA Surveillance”? Many of the delegates on our training courses have said that they will. This does go against the will of the Government and the purpose behind the changes, BUT it is lawful.

So the question is – “No six month threshold but a need to do surveillance – Should you?”I would welcome colleagues’ thoughts. Please feel free to use the comment field below.

Act now can help you prepare for the new RIPA process. Our training courses run throughout the UK. If you would like customised in house training, please get in touch.

 

Judicial Approval for Council Surveillance

The Commencement Order for, amongst other things, the RIPA provisions within the Protection of Freedoms Act 2012 has now been made. This means that from 1st November 2012 all local authority surveillance will require judicial approval.

Chapter 2 of Part 2 of the 2012 Act (sections 37 and 38) amends the Regulation of Investigatory Powers Act 2000 (RIPA) so as to require local authorities to obtain the approval of a Magistrate for the use of any one of the three covert investigatory techniques available to them under RIPA namely Directed Surveillance, the deployment of a Covert Human Intelligence Source (CHIS) and accessing communications data. An approval is also required if an authorisation to use such techniques is being renewed. In each case, the role of the Magistrate is to ensure that the correct procedures have been followed and the relevant factors have been taken account of. The new provisions allow the Magistrate, on refusing an approval of an authorisation, to quash that authorisation.

For a full explanation of the new provisions click here

Note that 1st November also sees Directed Surveillance being made subject to a new Serious Crime Test. More information here

These provisions will be examined in our forthcoming RIPA update workshops. We also have a new RIPA Policy and Procedure Toolkit which will help.

Please get in touch if you would like customised in house training  on any aspects of the Act.

UPDATE (13/9/12)

The New Criminal Procedure Rules 2012 (coming into force on 1st October) provide more details about the procedure for seeking magistrates’ approval:

http://www.legislation.gov.uk/uksi/2012/1726/part/6/crossheading/6/made

We are still waiting though for the detailed guidance from the Home Office.

The 2012 Surveillance Commissioner Report

By Steve Morris

The Office of Surveillance Commissioners published its 2012 annual report (covering the period from 1st April 2011 to 31st March 2012) on 14th July 2011. The report details statistics relating to the use of Part 2 of RIPA by public authorities and information about how OSC conducts its oversight role. It highlights some important issues such as:

  • Collaborative Working – Departments, teams and various units within several authorities are pooling resources but then not obtaining authorisations and keeping records in relation to a proper designated authority (Sec 5.7)
  • There is a lack of awareness of what constitutes a CHIS and there is a likelihood that public authorities might have unauthorised CHIS activity being undertaken (Sec 5.14)
  • Authorising Officers are not making adequate provision for destruction of product that is collateral intrusion or of no value to the operation (Sec 5.16)
  • Some ‘open source’ internet research is being conducted which may actually meet the criteria of Directed Surveillance and therefore require authorisation (Sec 5.17)
  • Where there is an invasion of privacy and RIPA does not apply, due to all conditions not being met, then the OSC recommends use of the authorisation mechanism where Article 8 issues (privacy) should be considered (Sec 5.22)
  • ACPO (Association of Chief Police Officers) is reviewing the authorisation forms and it will also report on form redesign (Sec 5.25)

Our RIPA Courses already address these issues. Future courses are also being revised to take account of other recently announced changes affecting local authorities:

  • The Protection of Freedoms Act 2012 which received Royal Assent on 1st May 2012. The RIPA provisions in this Act are yet to come into force but when they do they will require local authorities to have all their RIPA surveillance authorisations (i.e. Directed Surveillance, CHIS and the acquisition of Communications Data) approved by a Magistrate before they take effect (Read more here).
  • From 1st November 2012, local authorities will face severe restrictions upon the grounds for which they can authorise Directed Surveillance under the RIPA. The days of local authorities being able to use surveillance powers to tackle dog fouling and littering offences will soon be over (Read more here).
  • The Communications Data Bill and the changes it will make to the communications data access regime (currently under Part 1 of Chapter 2 of RIPA)

Steve Morris is a former police officer who delivers our RIPA Courses as well as a course on Internet Investigations

Quantum Personal Data

It has been clear for some time that personal data leads a somewhat schizophrenic existence. So identical photographs can be personal data in the hands of the police, but not in the hands of a journalist. See the example on page 11 of the Information Commissioner’s technical guidance  “Determining what is personal data”, which leads him to conclude that “the same piece of data may be personal data in one party’s hands while it may not be personal data in another party’s hands”.

However it also now seems possible that determining whether something is personal data depends on what question you ask, even for the same data held by a single data controller. “Is this exempt from disclosure under FOI?” or “Is this disclosable to an applicant who makes a subject access request (SAR)?”. Like poor Schrödinger’s cat , until the question is posed the data may exist in an indeterminate ‘superposition of states’.  Similarly the answer to the first question may vary depending on whether the applicant was involved in the matter.

In a recent flurry of Decision Notices, of which FS50426097 is a typical example, the Information Commissioner (IC) asked the FOI question. The complainant had made a prior request to the police for detailed information about a forensic service provider, its machines and procedures. Subsequently, the applicant made a request for “any documentation in relation to communication with any third party in respect of the questions contained in my original FOIA request”. After internal review and upheld by the Information Commissioner in this and related decisions the police relied on s40(5)(a) and declined to confirm or deny whether it held the material, on the basis that if it did, it would be the personal data of the complainant. In effect saying that the complainant should have made an SAR, and presumably pay £10 for the privilege.

As the IC observed (my emphasis) “After careful consideration of the wording of the request, the Information Commissioner is satisfied that the complainant is, or would be, the subject of all of the information requested.” He concluded therefore that the authority was not required to comply with the obligation to confirm or deny whether it held the information, since this would itself involve the disclosure of personal data about the complainant – the s40(5)(a) exemption. Note that the IC appears to have made no examination of the information held, which appears to go against normal practice. There are a number of cases where authorities and their FOI officers have been criticised by the IC for making decisions on disclosure without ever looking at the material held.

Be that as it may, what will happen when the complainant, as it appears he has, makes his SAR? Pragmatically, having taken its stance and fee, the authority may well supply the requested information, subject to possibly removing any other person’s personal data under s7(4) Data Protection Act 1998. But step back a minute and assume that the police actually deal with the SAR in accordance with the strict legal position. What personal data is there ? Certainly information which identifies the complainant as the maker of the original FOI request. But what about all the content? The FOI request was not about a personal issue at all. The bulk of the material relating to such a request, particularly if dealt with on an applicant blind basis, will surely be about enquiries into what information was held, directly or on behalf of the authority, or about whether any such material (if it existed) was possibly exempt. That cannot be the personal data of the applicant even if, as the police indicated, it was “contained within files which are stored by reference to the applicant’s name”.

This would seem in SAR terms to be a classic Durant situation. To paraphrase Auld LJ from paragraphs 30-31 of the Durant judgement:

Just because the authority’s response to the request emanated from an FOI request by the complainant does not render information obtained or generated by that request, without more, his personal data. For the same reason, either on the issue as to whether a document contains “personal data” or as to whether it is part of a “relevant filing system”, the mere fact that a document is retrievable by reference to his name does not entitle him to a copy of it under the Act. In short the complainant does not get to first base in his claim against the authority because most of the further information sought, whether in computerised form or in manual files, is not his “personal data” within the definition in section 1(1). It is information about his FOI request and the objects of them, the authority and the forensic service provider respectively.

Now of course it may be that there is more personal data than this, particularly if the internal response to the request, ignoring the applicant blind principle, has focussed on the complainant, rather than the request, but the IC is in no position to make that judgement if he decides on the basis of the wording of the request, rather than a consideration of the information held. Possibly, considering the history of the complainant, the IC has assumed the purpose of the request is to find out how the authority was dealing with him, but there is no objective basis for that assumption.

A contrasting situation arises in the April 2012 Tribunal case of Efifiom Edem v IC . The Tribunal sought to apply the Durant criteria strictly in an FOI case. I will gloss over here the rather alarming addition of the word “adversely” to the Durant consideration of whether the processing affects someone’s privacy (paragraph 34), but would point out that if Edem is correctly decided it severely limits the ability of staff to access their ‘personal data’ under an SAR, as much of what may have been thought to be personal is not so, in fact . But for present purposes there is a huge gulf between the approach in Edem and in  FS50426097. Imagine for a moment that it was a third party, not the complainant, who made the second FOI request in  FS50426097 i.e. it was  typical meta-request about the handling of someone else’s earlier request. I do not believe for one moment one could argue that this request would fail under s40(2) as responding would disclose the personal data of the complainant. At worst the authority would redact the complainant’s identity and supply the rest of the information, and if that is done, the application of s40(5)(a) as a blanket when the complainant makes the request cannot be correct.

The definition of personal data is tricky enough as it is, but if the IC and Tribunal continue to determine the result based on the nature of the enquiry, data protection and FOI teams face some impossible dilemmas.

Philip Bradshaw is a former solicitor and local authority data protection officer. He now delivers our information law courses in Cardiff.

The Communications Data Bill: What Councils Need to Know

The Draft Communications Data Bill was laid before Parliament on 14th June 2012. The Bill provides an updated framework for ensuring the availability of communications data and its obtaining by public authorities. It will replace the communications data provisions within the Regulation of Investigatory Powers Act 2000 (RIPA).

The most controversial aspects of the Bill will enact proposals, announced in the Queen’s Speech in May, which will require Internet firms to give the Police, the Serious and Organised Crime Agency, the Intelligence Agencies and HM Revenue and Customs access to a wider range of communications data on demand and, in some cases, in real time. The Home Office says  that they are updating the law “in terms of social media and new devices”. Without action they say that there is a growing risk that crimes enabled by email and the Internet will go undetected and unpunished. However civil liberties groups, as well as Internet Service Providers have voiced concerns about the Bill from a privacy and technical perspective. See my previous blog entry  for a discussion about these concerns.

But what effect will the new Bill have on local authorities?

The Bill will replace Part 1 Chapter 2 of RIPA. Sections 21 to 25 of RIPA (and the Regulation of Investigatory Powers (Communications Data) Order 2010 (SI 2010/480)) currently set out who can access what type of communications data and for what purposes. This includes the police and security services as well as councils, government departments and various quangos. RIPA restricts access to the different types of communications data depending on the nature of the body requesting it and the reason for doing so.

The definition of “communications data” includes information relating to the use of a communications service (e.g telephone, internet and postal service) but does not include the contents of the communication itself.  Such data is broadly split into three categories: “traffic data” i.e. where a communication was made from, to whom and when; “service data” i.e. the use made of the service by any person e.g. itemised telephone records; “subscriber data” i.e. any other information that is held or obtained by an operator on a person they provide a service to.

Some public bodies already get access to all types of communications data e.g. police, security service, ambulance service, customs and excise. Local authorities are restricted to subscriber and service use data and even then only where it is necessary for the purpose of preventing or detecting crime or preventing disorder.

At present access to communications data is done on a system of self authorisation. There are forms to complete ((signed by a senior officer) and  tests of necessity and proportionality to satisfy. Notices have to be served on the service provider requesting the data.

The new Bill will broadly replicate the current system for accessing communications data by local authorities. There is no provision to widen the scope of the information available to councils or the grounds for doing so (unlike the police and law enforcement agencies mentioned above). However the Bill does replicate the changes to the local authority RIPA regime to be made by Protection of Freedoms Act 2012. In the future all local authority surveillance activity under RIPA, including a request for communications data (however minor), will have to be approved by a Magistrate. (See my earlier Blog Post for more detail about the 2012 Act.)

The Bill also implements a recommendation in the RIPA Review published by the Home Office on 26th January 2011.  This stated that the range of non-RIPA legislative frameworks by which communications data can in principle be acquired from Communication Service Providers “should be streamlined to ensure that as far as possible RIPA is the only mechanism by which communications data can be acquired.”

Clause 24 introduces Schedule 2 to the Bill which repeals certain general information powers so far as they enable public authorities to secure the disclosure by a telecommunications operator of communications data without the consent of the operator. This includes powers under the Trade Descriptions Act 1968, Environmental Protection Act 1990, Social Security Administration Act 1992 and the Enterprise Act 2002. Local authority officers in environmental health, trading standards and benefit fraud departments, who may not be have been using RIPA to gain access to communications data previously, will now need to get to grips with a new regime.

The Communications Data Bill will be subject to scrutiny by a joint parliamentary committee before the effort to bring the measures through Parliament and into law begins in earnest.  This comes on top of other recently announced changes to the criteria for local authority to authorise Directed Surveillance under Part 2 of RIPA.  The Home Office will have to issue a new code of practice and standard forms which Investigating Officers and their legal advisers will have to familiarise themselves with.

We have a series of courses on RIPA and Surveillance which cover all the recent changes to the RIPA regime including the Protection of Freedoms Act 2012. We also have a range online courses.

 

To RIPA or Not To RIPA: Changes to Council Surveillance Powers

The days of local authorities being able to use surveillance powers to tackle dog fouling and littering offences will soon be over. From 1st November 2012, local authorities will face severe restrictions upon the grounds for which they can authorise Directed Surveillance under the Regulation of Investigatory Powers Act 2000 (RIPA).

The Regulation of Investigatory Powers (Directed Surveillance and Covert Human Intelligence Sources) (Amendment) Order 2012, SI 2012/1500  (“the 2012 Order”), was made on 11 June 2012 and will come into force on 1 November 2012,

The 2012 Order amends the Regulation of Investigatory Powers (Directed Surveillance and Covert Human Intelligence Sources) Order 2010, SI 2010/521 (“the 2010 Order”), which prescribes which officers, within a public authority, have the power to grant authorisations for the carrying out of Directed Surveillance and the grounds, under Section 28(3) of RIPA, upon which authorisations can be granted. At present local authorities have one ground; where it is necessary “for the purpose of preventing or detecting crime or preventing disorder.” (Section 28(3)(b))

From 1st November 2012, local authority Authorising Officers may not authorise Directed Surveillance unless it is for the purpose of preventing or detecting a criminal offence and it meets the condition set out in New Article 7A(3)(a) or (b) of the 2010 Order. Those conditions are that the criminal offence which is sought to be prevented or detected is punishable, whether on summary conviction or on indictment, by a maximum term of at least 6 months of imprisonment, or would constitute an offence under sections 146, 147 or 147A of the Licensing Act 2003 or section 7 of the Children and Young Persons Act 1933. The latter are all offences involving sale of tobacco and alcohol to underage children.

Background

These changes have not come out of the blue. Responding to media stories of councils misusing “anti terror laws” both coalition parties promised in their election manifestos to overhaul Part 2 of RIPA, which regulates local authorities, amongst others, when conducting covert surveillance on citizens. They argued that such surveillance was often used to investigate minor offences and in a disproportionate manner. The introduction of a Serious Crime Test for Directed Surveillance was recommended in the Home Office review of counter-terrorism and security powers published on 26th January 2011.

Directed Surveillance has been the subject of substantial debate and controversy. It is often conducted by local authorities to, amongst other things, investigate a benefit fraud or to collect evidence of anti-social behaviour. Typical methods include covertly following people, covertly taking photographs of them and using hidden cameras to record their movements. Introducing a six months imprisonment test will ensure that such techniques are no longer an option when local authorities are investigating “minor offences” such as dog fouling and littering.

But the 2012 Order also removes the second limb of Section 28(3)(b) (“preventing disorder”). Directed Surveillance for the purposes of tackling anti social behavior will no longer be able to be authorised unless of course the activity involves criminal offences involved carrying a maximum prison term of six months or more. How will this impact on the work of local authority Anti Social Behaviour Units?

There is an exception to the general rule though. Because of the importance of Directed Surveillance in corroborating investigations into underage sales of alcohol and tobacco, the Serious Crime Test will not be applied when Directed Surveillance is being done in these cases.

The other recommendation of the RIPA Review (Magistrate’s Approval) will be implemented via the Protection of Freedoms Act 2012 which received Royal Assent on 1st May 2012. The RIPA provisions in this Act are yet to come into force but when they do they will require local authorities to have all their RIPA surveillance authorisations (i.e. Directed Surveillance, CHIS and the acquisition of Communications Data) approved by a Magistrate before they take effect. (Read more here: http://www.actnow.org.uk/content/47)

When the the Coalition Government published the Bill in February 2011, the Home Secretary, announced:

“The first duty of the state is the protection of its citizens, but this should never be an excuse for the government to intrude into peoples’ private lives. Snooping on the contents of families’ bins and security checking school-run mums are not necessary for public safety and this Bill will bring them to an end. I am bringing common sense back to public protection and freeing people to go about their daily lives without a fear that the state is monitoring them.”

Most local authorities feel that this is a disproportionate response to inaccurate media stories about their “overzealous” use of RIPA. The reality is that most authorities only use their powers in a handful of cases each year and only when there is no other viable means of investigating offences and then in a reasonable and proportionate manner.  The latest available annual report by the Office of Surveillance Commissioners (2010/2011) states:

“Generally speaking, local authorities use RIPA/RIP(S)A powers sparingly with over 50% granting five or fewer directed surveillance authorisations during the reporting period. Some 16% granted none at all.”

The changes to be made to the local authority RIPA regime via the 2012 Order, as well as the Protection of Freedoms Act, will have a big impact on their investigation and enforcement activities.  Now is the time to review RIPA processes and procedures and to make staff aware of the changing legal landscape.

We have a series of courses on RIPA and Surveillance which also cover the changes in the Protection of Freedoms Act. We can also provide in house customized training (e mail info@actnow.org.uk)

 

FOI Review : What to Expect

Last year the Justice Select Committee, chaired by Sir Alan Beith, launched a call for written evidence for its post-legislative scrutiny of the Freedom of Information Act 2000 (FOI). The Committee invited written evidence on the following issues (although those responding were free to discuss other matters):

  • Does the Freedom of Information Act work effectively?
  • What are the strengths and weaknesses of the Freedom of Information Act?
  • Is the Freedom of Information Act operating in the way that it was intended to?

The Committee has now finished hearing oral evidence. Its website contains more details including dates of hearings as well as uncorrected transcripts of evidence. Whilst much has been written and submitted to the Committee about what changes the Government should make to the FOI regime, some changes are more likely to be recommended by it than others:

1. A new exemption for Frivolous Requests

The Information Commissioner’s Office (ICO) has told the Committee (and a recent conference) that it would be in favour of an exemption being introduced to alleviate the burden of frivolous requests e.g. for zombie invasion plans.

My view is that this is a sacrificial lamb being offered by the ICO to try and deflect some of the recent criticism directed towards it. Public authorities have claimed that the ICO is not doing enough to help them at a time when they are being inundated with nuisance requests that clearly have no purpose or value. However the Committee may feel it needs to go further to address such concerns.

2. A Change to the Costs Regime

Many of those that have responded to the Committee’s call for evidence, have expressed concern about the sheer cost of dealing with FOI requests, although the basis of calculation of some of the figures seem highly dubious. It is likely that changes are made to allow more activities to be included as part of the costs limit of £450/£600 limit (under the Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004) including perhaps the time it takes to redact exempt information from a document before disclosing the latter.

It seems that the Government is already pre judging the outcome of the Committee’s report. According to a BBC Newsnight report on 5th April 2012, a new fees regime could be introduced to reduce the number of FOI requests. Different tariffs could be used to charge different types of requestors. For more on this read Jonathan Baines excellent guest post for the Save FOI Blog.

3. A new Cabinet Minutes Exemption

The previous Government has on two occasions used the ministerial veto (under section 53) to exempt disclosure of cabinet minutes.  On 24th February 2009 the then Lord Chancellor, Jack Straw, issued the first ever ministerial veto  (See Cabinet Office and Christopher Lamb v IC (EA/2008/0024 & 0029)) when the Tribunal decided to uphold the ruling by the Information Commissioner that minutes of cabinet meetings from 2003 discussing the Iraq War should be disclosed.  On 10th December 2009, Mr Straw did the same again in respect of a decision of the Commissioner (Cabinet Office FS50100665) requiring disclosure of minutes of the Cabinet Ministerial Committee on devolution to Scotland and Wales and the English Regions in 1997.

Dominic Grieve, the Attorney General, also used the veto to block release of Cabinet Minutes relating to Scottish and Welsh Devolution. Recently the Health Secretary, Andrew Lansley, caused controversy when he used the veto to block access to the NHS Risk Register. On each occasion the veto has been used, the Commissioner has issued a report to Parliament expressing disappointment. However recently he has said that if the Government feels strongly about Cabinet Minutes being kept secret then an absolute exemption should be introduced. Bearing in mind what the Prime Minister and Lord O’ Donnel (the former head of the civil service) have said about FOI recently, this is a strong possibility.

4. Other Possible Changes

Looking at the various submissions to the Committee especially those from the ICO, it is also likely that statutory limits for Internal Reviews and the public interest test are recommended to avoid delays in dealing with requests. It may also be recommended that now FOI has bedded in, the role of the Qualified Person (under section 36) be removed so that there is no delay in Refusal Notices being issued where this exemption is claimed.

The Committee is due to report before the Summer Recess of Parliament.

Ibrahim Hasan is doing a web seminar on the changes to the FOI, DPA and RIPA regime to be made by the Protection of Freedoms Act. Click Here  for more information.

Sort of Fair Processing Notice

Walking through Huddersfield the other day I caught this interesting example of a fair processing notice. It was a bus shelter. The actual notice was well above the normal range of vision. (Which reminds me of an old joke. What lies on its back eight feet up in the air.  Answer later.)

But how fair is this sign? Is it a fair processing notice informing data subjects that they might be being filmed? It has the magic acronym CCTV so there’s definitely a possibility that filming is taking place. But the other words seem to confuse the issue.

Anti-social behaviour is a crime. We’re not going to disagree with that are we? but it’s a statement of fact not really what’s needed on an FPN. You might as well say that Chelsea won the Champion’s League this year.

Plain Clothes Police Officers.  So how do we know they are Police Officers? Do they wear a carnation in their lapel or are they really operating covertly? This phrase means that everyone on the streets may be a police officer. Is this fair? Or if covert operations are being undertaken why do we say that plain clothes police officers are in place. Isn’t covert er… wait for it… covert? Does RIPA ring a bell?

Or CCTV in use.  Whoa let’s take a rain check.  Either it is in use or it isn’t. If it is you put up signs saying who’s doing it, why and contact details. If it’s not you don’t. Or maybe it’s secret filming. Donnnngggg. (That’s an alliteration denoting the tolling of the RIPA bell)

Finally your behaviour could be under observation. Back to the previous paragraph. Either it is or it isn’t. If it is for general crime prevention purposes then put up signs. If it’s a covert operation pre-authorise it through your SPOC and don’t bother with signs.

And to finish off 7 (count them) individual organisations contributed to this sort of fair processing notice including some very well known ones. So 7 data protection persons gave their opinion on the poster. No-one thought it was a bit naff.   Or maybe they didn’t ask the DP persons.

Take care in Huddersfield. They might be filming you (or not). Anyone at all could be a police officer. And Chelsea won the Champions League.

Ah yes the answer to the question.

What lies on its back eight feet up in the air. A dead spider.

%d bloggers like this: