Category: Privacy

New RIPA Procedure Guidance: Magistrates’ Approval

Chapter 2 of Part 2 of the Protection of Freedoms Act 2012 (sections 37 and 38) comes into force on 1st November 2012. This changes the procedure for the authorisation of local authority surveillance under the Regulation for Investigatory Powers Act 2000 (RIPA).

From 1st November local authorities will be required to obtain the approval of a Justice of the Peace (JP) for the use of any one of the three covert investigatory techniques available to them under RIPA namely Directed Surveillance, the deployment of a Covert Human Intelligence Source (CHIS) and accessing communications data.

An approval is also required if an authorisation to use such techniques is being renewed. In each case, the role of the JP is to ensure that the correct procedures have been followed and the relevant factors have been taken account of. There is no requirement for the JP to consider either cancellations or internal reviews.For a full explanation of the 2012 Act and the new section 37 and 38 of RIPA read my article.

Home Office Guidance

The Home Office has now published its RIPA Magistrates’ Approval Guidance both for local authorities and the Magistrates’ Court. This guidance is non-statutory but provides advice on how local authorities can best approach these changes in law and the new arrangements that need to be put in place to implement them effectively.  It is supplementary to the legislation and to the two statutory Codes of Practice.

The New Magistrates’ Approval Process

  1. The first stage will be to apply for an internal authorisation in the usual way. Once it has been granted, the local authority will need to contact the local Magistrates Court to arrange a hearing.
  2. The hearing is a ‘legal proceeding’ and therefore local authority officers need to be formally designated to appear, be sworn in and present evidence or provide information as required by the JP. It is envisaged that the investigating officer will be best suited to fulfill this role. The local authority may consider it appropriate for the SPoC (Single Point of Contact) to attend for applications involving communications data.
  3. The local authority will provide the JP with a copy of the original RIPA authorisation or notice.  This forms the basis of the application to the JP and should contain all information that is relied upon. In addition, the local authority will provide the JP with two copies of a partially completed judicial application/order form (which is included in the Home Office Guidance).
  4. The hearing will be in private and heard by a single JP who will read and consider the RIPA authorisation or notice and the judicial application/order form.  He/she may have questions to clarify points or require additional reassurance on particular matters.  The forms and supporting papers must by themselves make the case.  It is not sufficient for the local authority to provide oral evidence where this is not reflected or supported in the papers provided.
  5.  The JP will consider whether he or she is satisfied that at the time the authorisation was granted or renewed or the notice was given or renewed, there were reasonable grounds for believing that the authorisation or notice was necessary and proportionate.  He/She will also consider whether there continues to be reasonable grounds.  In addition they must be satisfied that the person who granted the authorisation or gave the notice was an appropriate designated person within the local authority and the authorisation was made in accordance with any applicable legal restrictions, for example that the crime threshold for directed surveillance has been met (see below).
  6.  The order section of the above mentioned form will be completed by the JP and will be the official record of the his/her decision.  The local authority will need to retain a copy of the form after it has been signed by the JP.

The JP may decide to –

  • Approve the grant or renewal of an authorisation or notice

The grant or renewal of the RIPA authorisation or notice will then take effect and the local authority may proceed to use the technique in that particular case. The local authority will need to provide a copy of the order to the communications service provider (CSP), via the SPoC (Single Point of Contact), for all CD requests.

  • Refuse to approve the grant or renewal of an authorisation or notice

The RIPA authorisation or notice will not take effect and the local authority may not use the technique in that case.  Where an application has been refused the local authority may wish to consider the reasons for that refusal.  For example, a technical error in the form may be remedied without the local authority going through the internal authorisation process again.  The local authority may then wish to reapply for judicial approval once those steps have been taken.

  • Refuse to approve the grant or renewal and quash the authorisation or notice

This applies where a Magistrates’ court refuses to approve the grant, giving or renewal of an authorisation or notice and decides to quash the original authorisation or notice.The court must not exercise its power to quash that authorisation or notice unless the applicant has had at least two business days from the date of the refusal in which to make representations.

Appeals

A local authority may only appeal a JP’s decision on a point of law bymaking an application for judicial review in the High Court. The Investigatory Powers Tribunal (IPT) will continue to investigate complaints by individuals about the use of RIPA techniques by public bodies, including local authorities.  If, following a complaint to them, the IPT finds fault with a RIPA authorisation or notice it has the power to quash the JP’s order which approved the grant or renewal of the authorisation or notice. It can also award damages if it believes that an individual’s human rights have been violated by the public authority doing the surveillance.

Plan Now

Local authorities should Act Now to ensure they are ready for the new procedure. They should:

  1. Train staff – All investigators and authorising officers need to know about the new process. Those who will be attending court need to be trained in completing the new judicial application/order form.
  2. Designate staff who will be attending the Magistrates Court – The usual procedure would be for local authority Standing Orders to designate certain officers( including SPoCs) for the purpose of presenting RIPA cases to JPs under section 223 of the Local Government Act 1972.  A pool of suitable officers could be designated before 1st November and adjusted as appropriate throughout the year.
  3. Amend the RIPA Policy and Procedures to reflect the new process.

New Serious Crime Test The Regulation of Investigatory Powers (Directed Surveillance and Covert Human Intelligence Sources) (Amendment) Order 2012, SI 2012/1500  (“the 2012 Order”), was made on 11 June 2012 and will also come into force on 1 November 2012. Directed Surveillance will be made subject to a new Serious Crime Test. The days of councils authorising surveillance for dog fouling and littering will soon be over. More information here

Act Now can help you prepare for the new RIPA process. We have a new RIPA Policy and Procedures Toolkit as well as courses throughout the UK.

 If you would like advice on what needs to be done or customised in house training, please get in touch.

Mind the (Surveillance) Gap!

Before the 2010 election, both coalition parties made a big thing about “rolling back the Surveillance State.” They announced in the Coalition Agreement:

 “We will ban the use of powers in the Regulation of Investigatory Powers Act (RIPA) by councils, unless they are signed off by a magistrate and required for stopping serious crime.”

The first part of this commitment has been enacted via sections 37 and 38 of the Protection of Freedoms Act 2012 . This amends the Regulation of Investigatory Powers Act 2000 (RIPA) so as to require local authorities to obtain the approval of a Magistrate for the use of any one of the three covert investigatory techniques available to them under RIPA; namely Directed Surveillance, the deployment of a Covert Human Intelligence Source (CHIS) and accessing communications data. (Read our blog post for more on this requirement, which comes into force on 1st November).

The second part of the Coalition’s commitment also comes into force on the same day in the form of The Regulation of Investigatory Powers (Directed Surveillance and Covert Human Intelligence Sources) (Amendment) Order 2012, SI 2012/1500 (“the 2012 Order”).  This amends the Regulation of Investigatory Powers (Directed Surveillance and Covert Human Intelligence Sources) Order 2010, SI 2010/521 (“the 2010 Order”).

From 1st November 2012, local authority Authorising Officers may not authorise Directed Surveillance unless it is for the purpose of preventing or detecting a criminal offence and it meets the condition set out in New Article 7A(3)(a) or (b) of the 2010 Order. Those conditions are that the criminal offence which is sought to be prevented or detected is punishable, whether on summary conviction or on indictment, by a maximum term of at least 6 months of imprisonment, or would constitute an offence under sections 146, 147 or 147A of the Licensing Act 2003 or section 7 of the Children and Young Persons Act 1933 (offences involving sale of tobacco and alcohol to underage children).

The Government’s aim in passing the 2012 Order is explained in paragraph 7.2 of the explanatory memorandum :

“The additional restriction that is imposed through this statutory instrument on authorisations of directed surveillance by local authorities is imposed in response to public concern that some local authorities have used directed surveillance in trivial cases such as littering, dog control and school admission. This statutory instrument discharges a Government commitment to prevent local authority use of directed surveillance under RIPA unless required for the purposes of preventing or detecting the more serious kinds of criminal offences which local authorities investigate.”

Whilst the 2012 Order will certainly restrict councils authorising Directed Surveillance under RIPA, can it completely stop them doing covert surveillance when investigating “minor offences”? I do not think so.

RIPA is there to ensure that certain types of covert surveillance undertaken by public authorities is done in such as is human rights compliant. This is done through a system of (until now) internal authorisation from a senior officer. RIPA is permissive legislation. Authorisation under RIPA affords a public authority a defence under Section 27 i.e. the activity is lawful for all purposes. However, failure to obtain an authorisation does not make covert surveillance unlawful. Section 80 of RIPA states:

“Nothing in any of the provisions of this Act by virtue of which conduct of any description is or may be authorised by any warrant, authorisation or notice, or by virtue of which information may be obtained in any manner, shall be construed—

(a)as making it unlawful to engage in any conduct of that description which is not otherwise unlawful under this Act and would not be unlawful apart from this Act;

(b)as otherwise requiring—

(i)the issue, grant or giving of such a warrant, authorisation or notice, or

(ii)the taking of any step for or towards obtaining the authority of such a warrant, authorisation or notice,

before any such conduct of that description is engaged in; or

(c)as prejudicing any power to obtain information by any means not involving conduct that may be authorised under this Act.”

This point was explained more fully by the Investigatory Powers Tribunal in the case of C v The Police (Case No: IPT/03/32/H 14th November 2006 ):

Although RIPA provides a framework for obtaining internal authorisations of directed surveillance (and other forms of surveillance), there is no general prohibition in RIPA against conducting directed surveillance without RIPA  authorisation. RIPA does not require prior authorisation to be obtained by a public authority in order to carry out surveillance. Lack of authorisation under RIPA does not necessarily mean that the carrying out of directed surveillance is unlawful.

In making the 2012 Order, the Government has forgotten to do anything about section 80 of RIPA. They should have repealed or amended it in some way to achieve their aim. Section 80 means that the changes in the 2012 Order will not make surveillance for dog fouling and littering unlawful. All it will mean is that in such cases surveillance will not have the protection of RIPA (the defence in section 27). Local authorities will still be able use covert surveillance for such purposes as long as it is necessary and proportionate in accordance with Article 8 of the European Convention on Human Rights (right to privacy).

This point is made by the Chief Surveillance Commissioner in last year’s annual report (2010/2011):

“The higher threshold in the proposed legislation will reduce the number of cases in which local authorities have the protection of RIPA when conducting covert surveillance; it will not prevent the use of those tactics in cases where the threshold is not reached but where it may be necessary and proportionate to obtain evidence covertly and there will be no RIPA audit trail. Part I of RIPA makes unauthorised interception unlawful. In contrast, Part II makes authorised surveillance lawful but does not make unauthorised surveillance unlawful.”

In his latest annual report (2011/2012) he again acknowledges (at paragraph 5.22) that there is a gap in the law which allows public authorities to undertake covert surveillance (as long as it is human rights compliant) even though it may not be authorisable under RIPA:

“I occasionally encourage the use of similar authorisation mechanisms for activity which cannot be protected by the Acts (for example where covert techniques are used to identify a missing person when no crime is suspected). In these circumstances statutory definitions are met but none of the grounds specified in RIPA section 28(3) or RIP(S)A section 6(3), yet the human rights of the subject of surveillance must be considered. The authorisation process provides a useful audit of decisions and actions.”

So when the 2012 Order comes into force, we will have a void up to the 6 month threshold where Directed Surveillance will not be authorisable under RIPA but may still be desired to be undertaken by investigating officers. What to do? From the above it seems that surveillance can be done as long as it is necessary and proportionate and a proper paper audit trail exists. It may be a good idea to complete a “Non-RIPA authorisation form.” (We have one in our RIPA Policy and Procedure Toolkit).

Will local authorities decide to do “Non-RIPA Surveillance”? Many of the delegates on our training courses have said that they will. This does go against the will of the Government and the purpose behind the changes, BUT it is lawful.

So the question is – “No six month threshold but a need to do surveillance – Should you?”I would welcome colleagues’ thoughts. Please feel free to use the comment field below.

Act now can help you prepare for the new RIPA process. Our training courses run throughout the UK. If you would like customised in house training, please get in touch.

 

Judicial Approval for Council Surveillance

The Commencement Order for, amongst other things, the RIPA provisions within the Protection of Freedoms Act 2012 has now been made. This means that from 1st November 2012 all local authority surveillance will require judicial approval.

Chapter 2 of Part 2 of the 2012 Act (sections 37 and 38) amends the Regulation of Investigatory Powers Act 2000 (RIPA) so as to require local authorities to obtain the approval of a Magistrate for the use of any one of the three covert investigatory techniques available to them under RIPA namely Directed Surveillance, the deployment of a Covert Human Intelligence Source (CHIS) and accessing communications data. An approval is also required if an authorisation to use such techniques is being renewed. In each case, the role of the Magistrate is to ensure that the correct procedures have been followed and the relevant factors have been taken account of. The new provisions allow the Magistrate, on refusing an approval of an authorisation, to quash that authorisation.

For a full explanation of the new provisions click here

Note that 1st November also sees Directed Surveillance being made subject to a new Serious Crime Test. More information here

These provisions will be examined in our forthcoming RIPA update workshops. We also have a new RIPA Policy and Procedure Toolkit which will help.

Please get in touch if you would like customised in house training  on any aspects of the Act.

UPDATE (13/9/12)

The New Criminal Procedure Rules 2012 (coming into force on 1st October) provide more details about the procedure for seeking magistrates’ approval:

http://www.legislation.gov.uk/uksi/2012/1726/part/6/crossheading/6/made

We are still waiting though for the detailed guidance from the Home Office.

The 2012 Surveillance Commissioner Report

By Steve Morris

The Office of Surveillance Commissioners published its 2012 annual report (covering the period from 1st April 2011 to 31st March 2012) on 14th July 2011. The report details statistics relating to the use of Part 2 of RIPA by public authorities and information about how OSC conducts its oversight role. It highlights some important issues such as:

  • Collaborative Working – Departments, teams and various units within several authorities are pooling resources but then not obtaining authorisations and keeping records in relation to a proper designated authority (Sec 5.7)
  • There is a lack of awareness of what constitutes a CHIS and there is a likelihood that public authorities might have unauthorised CHIS activity being undertaken (Sec 5.14)
  • Authorising Officers are not making adequate provision for destruction of product that is collateral intrusion or of no value to the operation (Sec 5.16)
  • Some ‘open source’ internet research is being conducted which may actually meet the criteria of Directed Surveillance and therefore require authorisation (Sec 5.17)
  • Where there is an invasion of privacy and RIPA does not apply, due to all conditions not being met, then the OSC recommends use of the authorisation mechanism where Article 8 issues (privacy) should be considered (Sec 5.22)
  • ACPO (Association of Chief Police Officers) is reviewing the authorisation forms and it will also report on form redesign (Sec 5.25)

Our RIPA Courses already address these issues. Future courses are also being revised to take account of other recently announced changes affecting local authorities:

  • The Protection of Freedoms Act 2012 which received Royal Assent on 1st May 2012. The RIPA provisions in this Act are yet to come into force but when they do they will require local authorities to have all their RIPA surveillance authorisations (i.e. Directed Surveillance, CHIS and the acquisition of Communications Data) approved by a Magistrate before they take effect (Read more here).
  • From 1st November 2012, local authorities will face severe restrictions upon the grounds for which they can authorise Directed Surveillance under the RIPA. The days of local authorities being able to use surveillance powers to tackle dog fouling and littering offences will soon be over (Read more here).
  • The Communications Data Bill and the changes it will make to the communications data access regime (currently under Part 1 of Chapter 2 of RIPA)

Steve Morris is a former police officer who delivers our RIPA Courses as well as a course on Internet Investigations

Quantum Personal Data

It has been clear for some time that personal data leads a somewhat schizophrenic existence. So identical photographs can be personal data in the hands of the police, but not in the hands of a journalist. See the example on page 11 of the Information Commissioner’s technical guidance  “Determining what is personal data”, which leads him to conclude that “the same piece of data may be personal data in one party’s hands while it may not be personal data in another party’s hands”.

However it also now seems possible that determining whether something is personal data depends on what question you ask, even for the same data held by a single data controller. “Is this exempt from disclosure under FOI?” or “Is this disclosable to an applicant who makes a subject access request (SAR)?”. Like poor Schrödinger’s cat , until the question is posed the data may exist in an indeterminate ‘superposition of states’.  Similarly the answer to the first question may vary depending on whether the applicant was involved in the matter.

In a recent flurry of Decision Notices, of which FS50426097 is a typical example, the Information Commissioner (IC) asked the FOI question. The complainant had made a prior request to the police for detailed information about a forensic service provider, its machines and procedures. Subsequently, the applicant made a request for “any documentation in relation to communication with any third party in respect of the questions contained in my original FOIA request”. After internal review and upheld by the Information Commissioner in this and related decisions the police relied on s40(5)(a) and declined to confirm or deny whether it held the material, on the basis that if it did, it would be the personal data of the complainant. In effect saying that the complainant should have made an SAR, and presumably pay £10 for the privilege.

As the IC observed (my emphasis) “After careful consideration of the wording of the request, the Information Commissioner is satisfied that the complainant is, or would be, the subject of all of the information requested.” He concluded therefore that the authority was not required to comply with the obligation to confirm or deny whether it held the information, since this would itself involve the disclosure of personal data about the complainant – the s40(5)(a) exemption. Note that the IC appears to have made no examination of the information held, which appears to go against normal practice. There are a number of cases where authorities and their FOI officers have been criticised by the IC for making decisions on disclosure without ever looking at the material held.

Be that as it may, what will happen when the complainant, as it appears he has, makes his SAR? Pragmatically, having taken its stance and fee, the authority may well supply the requested information, subject to possibly removing any other person’s personal data under s7(4) Data Protection Act 1998. But step back a minute and assume that the police actually deal with the SAR in accordance with the strict legal position. What personal data is there ? Certainly information which identifies the complainant as the maker of the original FOI request. But what about all the content? The FOI request was not about a personal issue at all. The bulk of the material relating to such a request, particularly if dealt with on an applicant blind basis, will surely be about enquiries into what information was held, directly or on behalf of the authority, or about whether any such material (if it existed) was possibly exempt. That cannot be the personal data of the applicant even if, as the police indicated, it was “contained within files which are stored by reference to the applicant’s name”.

This would seem in SAR terms to be a classic Durant situation. To paraphrase Auld LJ from paragraphs 30-31 of the Durant judgement:

Just because the authority’s response to the request emanated from an FOI request by the complainant does not render information obtained or generated by that request, without more, his personal data. For the same reason, either on the issue as to whether a document contains “personal data” or as to whether it is part of a “relevant filing system”, the mere fact that a document is retrievable by reference to his name does not entitle him to a copy of it under the Act. In short the complainant does not get to first base in his claim against the authority because most of the further information sought, whether in computerised form or in manual files, is not his “personal data” within the definition in section 1(1). It is information about his FOI request and the objects of them, the authority and the forensic service provider respectively.

Now of course it may be that there is more personal data than this, particularly if the internal response to the request, ignoring the applicant blind principle, has focussed on the complainant, rather than the request, but the IC is in no position to make that judgement if he decides on the basis of the wording of the request, rather than a consideration of the information held. Possibly, considering the history of the complainant, the IC has assumed the purpose of the request is to find out how the authority was dealing with him, but there is no objective basis for that assumption.

A contrasting situation arises in the April 2012 Tribunal case of Efifiom Edem v IC . The Tribunal sought to apply the Durant criteria strictly in an FOI case. I will gloss over here the rather alarming addition of the word “adversely” to the Durant consideration of whether the processing affects someone’s privacy (paragraph 34), but would point out that if Edem is correctly decided it severely limits the ability of staff to access their ‘personal data’ under an SAR, as much of what may have been thought to be personal is not so, in fact . But for present purposes there is a huge gulf between the approach in Edem and in  FS50426097. Imagine for a moment that it was a third party, not the complainant, who made the second FOI request in  FS50426097 i.e. it was  typical meta-request about the handling of someone else’s earlier request. I do not believe for one moment one could argue that this request would fail under s40(2) as responding would disclose the personal data of the complainant. At worst the authority would redact the complainant’s identity and supply the rest of the information, and if that is done, the application of s40(5)(a) as a blanket when the complainant makes the request cannot be correct.

The definition of personal data is tricky enough as it is, but if the IC and Tribunal continue to determine the result based on the nature of the enquiry, data protection and FOI teams face some impossible dilemmas.

Philip Bradshaw is a former solicitor and local authority data protection officer. He now delivers our information law courses in Cardiff.

The Communications Data Bill: What Councils Need to Know

The Draft Communications Data Bill was laid before Parliament on 14th June 2012. The Bill provides an updated framework for ensuring the availability of communications data and its obtaining by public authorities. It will replace the communications data provisions within the Regulation of Investigatory Powers Act 2000 (RIPA).

The most controversial aspects of the Bill will enact proposals, announced in the Queen’s Speech in May, which will require Internet firms to give the Police, the Serious and Organised Crime Agency, the Intelligence Agencies and HM Revenue and Customs access to a wider range of communications data on demand and, in some cases, in real time. The Home Office says  that they are updating the law “in terms of social media and new devices”. Without action they say that there is a growing risk that crimes enabled by email and the Internet will go undetected and unpunished. However civil liberties groups, as well as Internet Service Providers have voiced concerns about the Bill from a privacy and technical perspective. See my previous blog entry  for a discussion about these concerns.

But what effect will the new Bill have on local authorities?

The Bill will replace Part 1 Chapter 2 of RIPA. Sections 21 to 25 of RIPA (and the Regulation of Investigatory Powers (Communications Data) Order 2010 (SI 2010/480)) currently set out who can access what type of communications data and for what purposes. This includes the police and security services as well as councils, government departments and various quangos. RIPA restricts access to the different types of communications data depending on the nature of the body requesting it and the reason for doing so.

The definition of “communications data” includes information relating to the use of a communications service (e.g telephone, internet and postal service) but does not include the contents of the communication itself.  Such data is broadly split into three categories: “traffic data” i.e. where a communication was made from, to whom and when; “service data” i.e. the use made of the service by any person e.g. itemised telephone records; “subscriber data” i.e. any other information that is held or obtained by an operator on a person they provide a service to.

Some public bodies already get access to all types of communications data e.g. police, security service, ambulance service, customs and excise. Local authorities are restricted to subscriber and service use data and even then only where it is necessary for the purpose of preventing or detecting crime or preventing disorder.

At present access to communications data is done on a system of self authorisation. There are forms to complete ((signed by a senior officer) and  tests of necessity and proportionality to satisfy. Notices have to be served on the service provider requesting the data.

The new Bill will broadly replicate the current system for accessing communications data by local authorities. There is no provision to widen the scope of the information available to councils or the grounds for doing so (unlike the police and law enforcement agencies mentioned above). However the Bill does replicate the changes to the local authority RIPA regime to be made by Protection of Freedoms Act 2012. In the future all local authority surveillance activity under RIPA, including a request for communications data (however minor), will have to be approved by a Magistrate. (See my earlier Blog Post for more detail about the 2012 Act.)

The Bill also implements a recommendation in the RIPA Review published by the Home Office on 26th January 2011.  This stated that the range of non-RIPA legislative frameworks by which communications data can in principle be acquired from Communication Service Providers “should be streamlined to ensure that as far as possible RIPA is the only mechanism by which communications data can be acquired.”

Clause 24 introduces Schedule 2 to the Bill which repeals certain general information powers so far as they enable public authorities to secure the disclosure by a telecommunications operator of communications data without the consent of the operator. This includes powers under the Trade Descriptions Act 1968, Environmental Protection Act 1990, Social Security Administration Act 1992 and the Enterprise Act 2002. Local authority officers in environmental health, trading standards and benefit fraud departments, who may not be have been using RIPA to gain access to communications data previously, will now need to get to grips with a new regime.

The Communications Data Bill will be subject to scrutiny by a joint parliamentary committee before the effort to bring the measures through Parliament and into law begins in earnest.  This comes on top of other recently announced changes to the criteria for local authority to authorise Directed Surveillance under Part 2 of RIPA.  The Home Office will have to issue a new code of practice and standard forms which Investigating Officers and their legal advisers will have to familiarise themselves with.

We have a series of courses on RIPA and Surveillance which cover all the recent changes to the RIPA regime including the Protection of Freedoms Act 2012. We also have a range online courses.

 

Act Now Book Draw – Week 8

The winner of last week’s Act Now Book Draw was Amy Ford from NHS Southampton City.

Next week’s book is Covert Investigation by Clive Harfield and Karen Harfield.

The next draw will take place on Wednesday 25th April at 9am. Click here to enter the draw.

If you enter the draw and win, you give us permission to let others know that you have won (by e mail, on our website and by Twitter). If you do not want us to do this, please do not enter the draw. Any information we receive through this free draw will not be used for any other purpose.

Breaking (In) News from Sky


Is the Sky about to fall in on Rupert Murdoch? Yet again another of his news outlets is accused of breaking the law in the pursuit of a good story. Where will it end? Yesterday Sky News admitted in a statement that it had hacked emails belonging to members of the public on two separate occasions.

One incident involved targeting the accounts of a suspected paedophile and his wife. The other one involved the “dead canoeist” John Darwin. His wife Anne collected more than £500,000 in life insurance payouts while he hid in their marital home.  The pair were found guilty of the deception in 2008. In the run-up to the trial former Sky News managing editor Simon Cole agreed North of England correspondent Gerard Tubb could hack into Darwins’ Yahoo! email account. The full story can be read on the Guardian website.

The interesting aspect, from a legal perspective, is the legal repercussions for Sky News. It has stated:

 “We stand by these actions as editorially justified and in the public interest.”

Note that it says editorially justified, not legally.  As will be explained below, the offences involved do not contain a public interest defence.

Accessing a person’s computer (directly or remotely) without their consent to read their emails is a criminal offence under the Computer Misuse Act 1990 which is punishable with a fine or a term of imprisonment of up to 12 months. Section 1 (1) of the Act contains the elements of the offence:

(1) A person is guilty of an offence if—

(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer or to enable any such access to be secured ;

(b) the access he intends to secure or to enable to be secured is unauthorised;

and

(c) he knows at the time when he causes the computer to perform the function that that is the case.

There is no public interest defence in the Computer Misuse Act. However section 11 states that no proceedings can be brought for a section 1 offence more than three years after the commission of the offence. Darwin’s emails were accessed in 2008 and therefore a prosecution under S.1 is not possible.

Sky may also have committed a criminal offence under Section 1 of the Regulation of Investigatory Powers Act 2000(RIPA).  Here there is not time limit for a prosecution. The Guardian reports:

“The broadcaster also published a voicemail message on its website, dated 19 May 2007, in which Anne Darwin is clearly heard leaving a message for her husband. The voicemail, part of an interactive graphic, ends with her saying “I’ll try and catch you tomorrow. Love you,” which the broadcaster said showed “she was doing as much of the running as he was”.”

Section 1 makes it a criminal offence to intercept a communication in the course of transmission.  The listening to stored voicemails as well as accessing stored e mails all potentially fall into this category. The maximum penalty for such an offence is two years imprisonment. Again there is no public interest defence.

Once again this case bring into focus the highly dubious tactics of the media when trying to obtain information “in the public interest”. The setting up of the Leveson Inquiry and the inquiry by the House of Commons Select Committee on Culture, Media and Sport meant that at first the primary concern was about allegations of phone hacking by the News of the World.  However it has now become clear that hacking phones was just one part of the unscrupulous journalist’s toolkit. It also included buying information from the police, blagging sensitive personal information from public and private sector organisations and the hacking politicians’ computers to gain access to  their e mails.

There is now a very strong case for tougher regulation of the media especially when it comes to covert surveillance activities. My view is that, amongst other things, they should be subject to more of the RIPA regime as at present they only have to comply with certain aspects (Part 1 Chapter 1 – Interception of Communications). (see my earlier blog post earlier Blog post  for more).

This is a difficult time for the Murdochs and  Sky News. The broadcaster’s parent company, BSkyB, is subject to a “fit and proper” investigation being conducted by the communications regulator, Ofcom, in the wake of the News of the World phone-hacking scandal. Cleveland police say that enquiries are ongoing into how the emails were obtained.

No doubt there is much more to come. As Kay Burley would say, “Stay with us…”

We have a serious of courses on RIPA and Surveillance which also over the changes in the Protection of Freedoms Bill.

See also our RIPA Forms Guidance Document.

We may pass your data to carefully selected third parties…

It started when I got a new Tesco credit card. The following day I went to an outlet retail park and bought a few T shirts from Cotton Traders, Craghoppers and similar stores. The next wednesday I received through the post a Craghoppers catalogue. I was intrigued. I’d used Craghoppers decades ago when I was young and fit but the only connection between me and them was my Tesco credit card. No-one in the retail park had asked for my address – they’d just taken payment. Had Tesco supplied my data to Craghoppers? I thought I’d find out. I made a subject access request to Craghoppers.

To  ‘customerservices@craghoppers.com’

Date Mon 18/04/2011 15:45

Dear Sir

My  address is xxxxxxxxxxxxxxxxxx. If you require anything further to validate this request please tell me.

Please supply me with any personal data you hold on me particularly about the mailing I have just received from you with the media code CE14 and 51574/38122A  516 in the right hand corner of the label.

Please tell me from where you obtained my address. This includes “any information available to the Data Controller as to the source of those data”. (Section 7 (1) (c) (ii) of Data Protection Act 1998).

Regards

Dear Mr xxxxxxxxx

Thank you for your recent email. The only information on our system is your name, address and details of an order you recently placed with us. It appears that until you placed this order none of your details were on our systems, this would indicate that the mailing data for the catalogue you received was sourced from a third party whom you have given permission to share your data. Your account now on our system does not have any mailing options activated.

If we can be of any further assistance please do not hesitate to contact us.

Kind regards

Craghoppers Customer Service Team

Hmmm. This says (I think) that until I bought a shirt (I’m a sucker for shirts) on Monday 18th April at 1552 they didn’t have any personal data on me at all. How then did they send me a catalogue?

I didn’t ask for my mailing options to be de-activated.

I never give my permission for a 3rd party to share my data (I am a DP freak)

It seems someone out there who is not Craghoppers sent me a Craghoppers catalogue. Hmmm… there’s work to do. Little did I realise it would mean many subject access requests and a story of subterfuge and data sharing…

Read more at  http://www.actnow.org.uk/media/articles/sar2012.pdf

What’s green & white and doesn’t sound like a Parrot.

My new i phone….

Google has decided it will change its privacy policy, well not so much change as start to enforce it. Basically all the information it has about you will be shared all across the Google platform unless you say no. This is a simplistic analysis and a much better one is at http://preview.tinyurl.com/7hb9jtg but Apple has decided on a different strategy.

They’ve implemented a new product called Siri. It allows you to talk to your i phone and set up meetings, send messages, add reminders etc all by just talking. It sends to Apple your first name, your nickname, your address book contacts, name, nicknames and relationship with you and your music preferences etc.  It’s grreeat.

Unfortunately it also renders my car’s hands free device useless in fact it turns it into a hands on device. I do the same as I usually do when driving – press a green button say who I want to phone and my Parrot dials the number. But with Siri on I go through the same routine and my car says to me “here’s that number you dialled” and requires me to locate my i phone, look at the screen and press the number to confirm it got it right and actually dial it (while crashing into the back of the car in front of me). I’ve gone from a hardcore parrot that did everything I wanted to a nanny Parrot that won’t allow me to do anything at all. (Sounds like a Disney movie with Robin Williams in the lead role).

It also allows me to moan “I was hands free and legal until Apple stepped in…”

No problem. I’ll turn off Siri while I’m in the car then it will work. Success. Why was I fretting? Such a simple fix.

Then I read the bumph on my phone about Siri and it says. “If you turn off Siri Apple will delete all your user data as well as your recent voice input data.”

So the database I’ve been building up which helps Siri know me and serve me as a good slave should is deleted from Apple’s database when I turn off Siri to use the hands free parrot in my car. Google keeps all my data forever even though I don’t want it to but Apple deletes it the instant I stop using one of its products. Every time I enable Siri again it’s like teaching a baby to speak.

No parrots were harmed in writing this article. And before you ask.  This parrot is no more! He has ceased to be! ‘E’s expired and gone to meet ‘is maker! ‘E’s a stiff! Bereft of life, ‘e rests in peace! If you hadn’t nailed ‘im to the perch ‘e’d be pushing up the daisies! ‘Is metabolic processes are now ‘istory! ‘E’s off the twig! ‘E’s kicked the bucket, ‘e’s shuffled off ‘is mortal coil, run down the curtain and joined the bleedin’ choir invisible!! THIS IS AN EX-PARROT!!