Act Now Training welcomes solicitor and surveillance law expert, Naomi Mathews, to its team of associates. Naomi is a Senior Solicitor and a co-ordinating officer for RIPA at a large local authority in the Midlands. She is also the authority’s Data Protection Officer and Senior Responsible Officer for CCTV.
Naomi has extensive experience in all areas of information compliance and has helped prepare for RIPA inspections both for the Office of Surveillance Commissioners and Investigatory Powers Commissioner’s Office (IPCO). She has worked as a defence solicitor in private practice and as a prosecutor for the local authority in a range of regulatory matters including Trading Standards, Health and Safety and Environmental prosecutions. Naomi has higher rights of audience to present cases in the Crown Court.
Naomi has many years of practical knowledge of RIPA and how to prepare for a successful prosecution/inspection. Her training has been commended by RIPA inspectors and she has also trained nationally. Naomi’s advice has helped Authorising Officers, Senior Responsible Officers and applicants understand the law and practicalities of covert surveillance.
Like our other associates, Susan Wolf and Kate Grimley Evans, Naomi is a fee paid member of the Upper Tribunal assigned to the Administrative Appeals Chamber (Information Rights Jurisdiction and First Tier Tribunal General Regulatory Chamber (Information Rights Jurisdiction).
Ibrahim Hasan, director of Act Now Training, said:
“ I am pleased that Naomi has joined our team. We are impressed with her experience of RIPA and her practical approach to training which focuses on real life scenarios as opposed to just the law and guidance.”
Naomi will be delivering our full range of RIPA workshops as well developing new ones. She is also presenting a series of one hour webinars on RIPA and Social Media. If you would like Naomi to deliver customised in house training for your organisation, please get in touch for a quote.
The guidance is essential reading for public authorities, especially councils, who conduct surveillance under Part 2 of the Regulation of Investigatory Powers Act 2000 (RIPA) (Directed Surveillance, Intrusive Surveillance and the deployment of a Covert Human Intelligence Source (CHIS)). The guidance also covers Part III of RIPA and RIP(S)A and to Part III of the Police Act 1997. It does not provide guidance on interception and the obtaining of communications data requiring a RIPA/RIP(S)A warrant.
Why should you care?
For reasons which Steve Morris explains in his blog on the latest OSC report, you’re going to face some form of inspection whether or not you have or intend to conduct covert surveillance; so at least understand how that inspection will be approached.
Also, as the Chief Surveillance Commissioner emphasises, every public authority should have in place policies, procedures and training programmes to ensure that relevant legislation is complied with when a situation arises. The OSC P&G will help you understand when relevant situations arise and how they should be approached.
Failure to recognise when the protection of RIPA/RIP(S)A may be sought or to know how to respond in a manner compliant with legislation – that is claiming ignorance – is no longer an option!
Why does the document exist?
When I first joined the OSC there was a best practice document which I believe had been shared with law enforcement agencies. This, combined with inspection reports, did not appear to meet with unanimous approval.
The Police Service attempted to introduce its own ‘Key Principles’ document which was sufficiently inadequate to attract the comment that “this is why the police should not be left to interpret legislation!”
However, I hope that I am not criticised for saying that the Surveillance Commissioners were not entirely comfortable publishing generic principles; they were more accustomed to making judgments on the facts of specific cases.
It is no coincidence that the following disclaimer, changed little since the first edition, is given prominence:
“The opinions expressed within the Interpretation Guidance section of this publication are those of the Surveillance Commissioners. The OSC is not a judicial authority. This Guidance simply indicates the way in which the Commissioners would be minded to construe particular statutory provisions. There is no statutory requirement to publish them but they are a response to frequent requests for guidance from public authorities or are matters raised or identified during the inspection process. In the absence of case law, they are the most reliable indicator of likely judicial interpretation. They are the basis upon which inspections will be conducted and performance assessed by the Office of Surveillance Commissioners. Applicants and Authorising Officers should take note of the interpretations when constructing and considering applications and authorisations for the use of covert powers.”
These are the Surveillance Commissioners’ views. It’s rare that a collective interpretation of law is construed by seven ex-Appeal Court judges and three ex-Circuit judges. During my time, issues were examined and discussed at length during meetings with Commissioners and inspectors. You can imagine that, as Editor, I have happy memories of ‘wordsmithing’ each entry to accommodate the wishes of eminent lawyers!
In effect it is the OSC’s ‘party line’ but the disclaimer should be read in conjunction with paragraph 12. It would be wrong to imply that every member of the OSC agrees with every word in the document, so it is necessary to remember that it is guidance which may easily be altered by facts specific to each case. This is why you’ll find phraseology such as “is capable of being construed as [a type of] surveillance” rather than the definitive “is [a type of] surveillance”. Each Surveillance Commissioner is able to exercise his own judgment when approving authorisations.
RIPA and RIP(S)A are permissive and discretionary powers; the onus is on an authorising officer to decide whether or not to grant an authorisation for covert conduct. Assistant Surveillance Commissioners and inspectors cannot dictate. The aim of the document is to provide a level of consistency in approach from the OSC.
Finally, it is not the task of the OSC to make law; its task is to interpret the law as it is written, not as the Commissioners or others may prefer it. So don’t accuse the OSC of promoting covert conduct which you don’t agree with!
Why publication was resisted?
Partly because of conflict with the Police Service in relation to the ‘Key Principles’ document, and in response to concerns that operational techniques would be exposed, it was decided that the P&G should not be made available to the public. My repeated requests to identify any operational technique in the document that hadn’t already been disclosed by enthusiastic senior investigating officers resulted in no applications. But it was decided that we relied on practitioner transparency which required trust that we would not inhibit legitimate techniques.
When serving in the OSC and today, I am sometimes disappointed with the understanding of some trainers and the quality of their training. Too often legislation, codes of practice and the P&G are regurgitated or misused for commercial gain without improving knowledge or practitioner performance. Sometimes challenging the P&G was used as enticement to attendance or purchase; we were concerned that alternative opinions undermined confidence in the OSC.
I can avow the time and effort that goes into the formulation of this guidance; there is good reason why phrases are used. To protect copyright, to avoid misinterpretation and to prevent others gaining financially from the immense effort of the OSC were, I confess, causes of reticence to provide the document to the public.
In hindsight I believe my advice to the Chief Surveillance Commissioner to prevent public disclosure was misguided. Copies leaked to trainers and OSC silence allowed the media and campaigners to inadequately interpret legislation and its use.
Discussions relating to the Investigatory Powers Bill indicate that the need for regulators to transparently demonstrate how they hold public authorities to account has been recognised. Making the P&G public is a positive step but I am surprised that it is free! It‘s a publication worthy of a charge.
Comparison
For the remainder of this post I compare the July 2016 version with its predecessor of December 2014. There are many notes useful to practitioners. If you have not read it at least once, you should. Numbers in parenthesis are the relevant note number.
Part 1 – Procedures
Part 1 Section 1 provides detail of how to contact the OSC and matters relating to inspection process and reporting. Part 1 Section 2 provides detail in relation to Commissioner approvals, which apply mainly to law enforcement agencies.
[7-8] Disclosure of inspection reports. This is not new but worth reiterating. There is no requirement – as stated in the Codes of Practice – to notify the OSC of an intention to publicly disclose an inspection report, nor does the OSC promote or discourage the practice. The decision whether or not to publish rests entirely with the chief officer of the public authority inspected.
Part 2 – Guidance
[75] “I am satisfied” and “I believe” Again, not new but important. Too often authorising officers provide insufficient rationale to support their judgment; relying on the details provided by the applicant. This guidance cautions against lax authorisations. The heading indicates an unexplained difference between RIPA and RIP(S)A which use different requirements. This is likely to be complicated further if the terms in the draft IP Bill are enacted. That Bill currently requires a designated officer to “consider”. I may write another article on the significance of these differences.
[87] Duration of authorisations and renewals. Added clarification to ensure that electronic systems date/time algorithms do not have the effect of “losing a day” of authorised conduct. This amendment probably reflects the law enforcement agencies tendency to use electronic systems to create and process applications and authorisations. A useful audit is provided by date stamps and automatically generated data which cannot be altered. There have obviously been instances where automatic dates are not accurate. This amendment indicates how an OSC inspector will regard the inaccuracy but it’s a hint that authorising officers should ensure that dates are accurate.
[93-98] Persons, groups, associates and vehicles. These notes provide guidance in to assist public authorities amend authorisations when details are not known at the outset. The final sentence of Note [96] is amended:
Deleted: “The AO should set parameters to limit surveillance and use review to avoid “mission creep”.
Inserted: “The AO should guide the operational commanders by setting contextual parameters for the use of the “link” approach.” (i.e. where a possible link has previously been identified between individuals to the common criminal purpose being identified.)
There is a new note [97].
“The Authorising Officer should be updated when it is planned to deploy equipment or surveillance against a freshly identified subject before such deployment is made, to enable him to consider whether this is within the terms of his original authorisation, necessary, proportionate and that any collateral intrusion (or interference) has been taken into account; alternatively, where operational demands make it impracticable for the Authorising Officer to be updated immediately, as soon as reasonably practicable thereafter. This is to ensure that the decision to deploy further devices or surveillance remains with the Authorising Officer and is not delegate to, or assumed by, another, such as the operational commander. Such reviews should be pertinent and can be done outwith the usual formal monthly written review process, provided that the details of the Authorising Officer’s decisions are recorded contemporaneously and formally updated at the next due review. Where the terms of an authorisation do not extend to interference to other subjects (criminal associates) or their property then a fresh authorisation, using the urgency provisions if necessary, will need to be sought.” (My emphasis)
[222-229] Authorisation of undercover officers (UCOs). Note [226] is amended to enable additional UCOs to be authorised by way of review but indicates that every UCO must be authorised for the correct duration. This reflects the reality that it is frequently necessary to introduce additional UCOs to an investigation (for example to support a legend). Often the identity of additional UCOs will not be known at the outset. Rather than insist on the added bureaucracy of a new authorisation, the Commissioners have indicated that amendment by review (providing the terms of the original authorisation allow it) will not be criticised.
[289] Covert Surveillance of Social Network Sites (SNS). I advise that all members of local authorities read paragraph 289 in entirety as it’s the conduct most likely to introduce RIPA/RIP(S)A compliance issues. It remains my view that too few public authorities recognise (either deliberately or in ignorance) that the ‘less intrusive’ means that have resulted in decreased authorisations may be the result of not authorising internet investigations on the belief that ‘open source’ or publicly available mitigates RIPA/RIP(S)A consideration. This note provides the OSC’s guidance. Sub-note [289.3] is amended as shown in bold type:
“It is not unlawful for a member of a public authority to set up a false identity but it is inadvisable for a member of a public authority to do so for a covert purpose without an authorisation for directed surveillance when private information is likely to be obtained. The SRO should be satisfied that there is a process in place to ensure compliance with the legislation. Using photographs of other persons without their permission to support the false identity infringes other laws.”
I hope that this background is useful. I hope that my reticence to persuade the former Chief Surveillance Commissioner to make the P&G available to the public is proven to be misguided. Publishing the document is a very positive move in my opinion and is a useful indicator that the Commissioners have come to terms with the need to be public-facing. I applaud the decision.
Disclaimer: Sam Lincoln is a former Chief Surveillance Inspector with the OSC. In that capacity he introduced the OSC Procedures and Guidance and edited it from 2006 to 2013. The opinions expressed in this post are his alone; he does not represent the OSC and OSC endorsement is neither sought nor implied.
Sam has designed our RIPA E-Learning Package which is an interactive online learning tool, ideal for those who need a RIPA refresher before an OSC inspection.
Like our image? It is available as an A3 Poster for the office, We have a small range of them for only £5 for three! Take a look at the link below.
The report covers the period from 1st April 2015 to 31st March 2016 and should be read by public authorities, especially councils, who conduct surveillance under Part 2 of the Regulation of Investigatory Powers Act 2000 (RIPA) (Directed Surveillance, Intrusive Surveillance and the deployment of a Covert Human Intelligence Source (CHIS)).
We have reviewed the report and below are summaries of comments and sections of particular relevance to public authorities other than law enforcement. (The section numbers from the report are quoted below so that reference to the complete text can be made.)
Reduced use by public authorities Section 2.3.
There is substantially reduced number of authorisations by public authorities, most notably local district and borough councils, who do not deploy their statutory powers, or do so very rarely indeed, and do not intend or expect to do so in future.
However, while they remain vested with these powers, the appropriate structures and training must continue to be in place so that if they come to be exercised, the exercise will be lawful.
This reduction could be related to the substantial budgetary cuts faced by councils and the requirement for Magistrates’ Approval (and other reforms), which took effect on 1st November 2012.
Changed arrangements for inspection of local authorities Section 2.10.
The OSC is to introduce a new system of inspection for some local authorities where the statutory powers have not been used at all, or have been very rarely used in the last three years since a previous inspection, the process will start on paper, with a request for information. An Inspector or Assistant Surveillance Commissioner will visit the authority if there has been any significant increase in the use of the statutory powers, or if the responses to the OSC paper give ground for concern, or if the authority itself requests a personal visit by an Inspector. There will be no automatic visit.
Irregularities Section 4.18.
The total number of reports of irregularities (100) continues to represent a tiny proportion of the total number of authorisations granted during the course of a year. The overwhelming majority are the result of human error.
Section 4.19.
Irregularities caused by human error reinforces the need for those with responsibilities for ensuring compliance with the statutory provisions to receive regular, updated training, together with the need for continuing robust oversight by senior officers and managers of the processes. In the case of enforcement agencies, including the police, both these requirements are understood. In relation to some of the public authorities which, facing strains on their financial resources either have ceased or virtually ceased to use the statutory powers, and do not envisage using them in the future, training arrangements can sometimes assume a lowly priority. The view of the OSC is that every single authority vested with the relevant statutory powers should have in place structures and training arrangements which will ensure that the exercise of any such powers, even if arising unexpectedly, will be lawful.
Use of covert powers by public authorities other than law enforcement agencies Section 5.10.
From the OSC point of view the principle is clear. The fact that a local authority has elected not to exercise the relevant statutory powers does not remove it from the inspection process. While it retains these powers, which may be exercised at any time, appropriate structures and officials with the requisite training are required.
The “virtual world” Section 2.8.
There is a shift towards criminal activity in or by the use of the “virtual world”. This increases the demands on those responsible for covert surveillance. They need an understanding of the technological advances and myriad types of communication and storage devices which are constantly being updated. They also need assistance about how the statutory powers available to them can or should be applied
Social Networks and the “virtual world” Section 5.17.
Patterns of criminal planning are changing to embrace technological advances. Criminals and terrorists are less likely to meet in public, in parked up cars, with police officers using binoculars and longsighted cameras to follow their movements. Social media and private electronic communications provide greater anonymity for the criminals, and enable their activities to proceed on a global scale. This issue was addressed by my predecessor in his last two reports, and the Surveillance Commissioners have issued guidance on the need for appropriate authorisations to cover these developments.
Extract from OSC Procedures & Guidance document
Covert surveillance of Social Networking Sites (SNS)
The fact that digital investigation is routine or easy to conduct does not reduce the need for authorisation. Care must be taken to understand how the SNS being used works. Authorising Officers must not be tempted to assume that one service provider is the same as another or that the services provided by a single provider are the same.
288.1 Whilst it is the responsibility of an individual to set privacy settings to protect unsolicited access to private information, and even though data may be deemed published and no longer under the control of the author, it is unwise to regard it as ―open source, or publicly available; the author has a reasonable expectation of privacy if access controls are applied. In some cases data may be deemed private communication still in transmission (instant messages for example). Where privacy settings are available but not applied the data may be considered open source and an authorisation is not usually required. Repeat viewing of ―open source sites may constitute directed surveillance on a case by case basis and this should be borne in mind.
288.2 Providing there is no warrant authorising interception in accordance with section 48(4) of the 2000 Act, if it is necessary and proportionate for a public authority to breach covertly access controls, the minimum requirement is an authorisation for directed surveillance. An authorisation for the use and conduct of a CHIS is necessary if a relationship is established or maintained by a member of a public authority or by a person acting on its behalf (i.e. the activity is more than mere reading of the site‘s content).
288.3 It is not unlawful for a member of a public authority to set up a false identity but it is inadvisable for a member of a public authority to do so for a covert purpose without an authorisation for directed surveillance when private information is likely to be obtained. The SRO should be satisfied that there is a process in place to ensure compliance with the legislation. Using photographs of other persons without their permission to support the false identity infringes other laws.
288.4 A member of a public authority should not adopt the identity of a person known, or likely to be known, to the subject of interest or users of the site without authorisation, and without the consent of the person whose identity is used, and without considering the protection of that person. The consent must be explicit (i.e. the person from whom consent is sought must agree (preferably in writing) what is and is not to be done).
Section 5.18.
Inspectors and the Assistant Surveillance Commissioners pay particular attention to the way this developing method of criminal activity is kept under covert surveillance. The topic forms the basis for numerous requests for guidance. Perhaps the most significant feature is that investigating authorities cannot proceed on the basis that because social networking developed after much of the legislation came into force it is immunised from compliance with it. Requirements for appropriate authorisation may arise from the work done by those whose roles do not traditionally fall within RIPA or RIP(S)A. The necessary training and information must be addressed by the Senior Responsible Officer in each authority.
Some of the more common areas of criticism revealed in the inspection reports. They must be seen in context. In relation to law enforcement agencies, the standard of applications to and decisions of Authorising Officers for directed surveillance, property interference and intrusive surveillance are generally sound. Much of this is due to increased focus on the statutory requirements, clear internal leadership and investment in training.
The greatest complexity arises in the context of CHIS… In the context of social media in particular, it is sometimes difficult to recognise when a CHIS relationship has been established.
Some intelligence cases are too brief, others too long; most are of appropriate length; similarly with reviews, when a pertinent summary of what has happened since the latest update is required with, so far as possible, a simple explanation why the covert activity remains necessary and proportionate;
Occasional formulaic considerations given to the potential for collateral intrusion; for the OSC it remains a crucial feature that any authorisation for covert surveillance should be confined to those against whom there are grounds for suspicion, not their families or friends;
Authorisations for surveillance tactics and equipment use which, when reviews and cancellations are examined, appear to have been too widely drawn at the outset;
The conduct parameters for a CHIS are sometimes unclear and occasionally in such cases, the full extent of risks to the CHIS are insufficiently addressed, or, where the records are required by statute, left incomplete;
At cancellation, occasionally more detail is required from the Authorising Officer about the activity conducted, the value of the surveillance, the resulting product, and its management, and whether there has been any tangible or beneficial outcome, together with greater attention to any collateral intrusion;
In relation to public authorities the need for training for those vested with surveillance responsibilities is sometimes overlooked, particularly when budgets have been seriously depleted; in the case of adjacent local authorities training costs could perhaps be shared.
This is a summary of the detailed annual report – clearly the OSC places a high value on training (mentioned 19 times!), and indicates difficulties that arise as a result of not providing the training for all personnel involved or likely to be involved in authorised activity.
One emerging trend not addressed in the report is the rise in covert surveillance undertaken without the protection of RIPA when a local authority deems it necessary and proportionate to conduct covert surveillance in relation to preventing or detecting crime which does not meet the six month criteria, or a public authority deems it necessary and proportionate to conduct covert surveillance as part of it’s legitimate pursuit of responsibilities in relation to public safety, public health, regulation, and enforcement, in compliance with Article 8 Human Rights (commonly known as ‘non RIPA Surveillance’). See our blog post here for more on this issue.
Act Now’s programme of RIPA Courses address all of the issues raised in the report, and those associated with non RIPA surveillance, research and gathering of intelligence as well as evidence from social media. If your training budget is an issue, our online RIPA training is worth trying out. Module 1 is free.
Act Now also has a RIPA policy and procedures manual which is very useful for those revising their RIPA documents. It contains useful guidance for staff on when RIPA applies and how to complete the authorisation forms.
Raise awareness of RIPA in your organisation with our RIPA poster.
Regular refresher training for those conducting covert surveillance under Part 2 of the Regulation of Investigatory Powers Act (RIPA) is a common recommendation by the Office of Surveillance Commissioners (OSC) following inspections. Up to now, public authorities have had a choice of sending their staff on external courses or engaging our RIPA experts to deliver customised in house training at their premises. Both these options have cost implications. Some authorities can only afford to train a handful of staff thereby running the risk of non compliance by others who may not know what RIPA is and when it is engaged.
Enter the new Act Now RIPA E Learning Course. From the comfort of their own desk public authority staff can now receive relevant and up to date training on covert surveillance regulated by Part 2 of RIPA (Directed Surveillance, CHIS and Intrusive Surveillance) including the authorisation process. From as little as £49 plus vat, five interactive modules can be accessed which have a stimulating and creative approach that engages and challenges the learner. Real-life scenarios, knowledge checks, case studies and examples are included to add relevance and increase comprehension and retention. A short final course assessment leads to a certificate.
This course is not just for new staff or those with little knowledge of RIPA. It will also help experience staff to refresh and update their knowledge as it takes into account the latest RIPA codes and new authorisation procedures. Those who are really confident can do the final course assessment first, to test and identify any gaps in their knowledge. These can then be filled by doing each module. The unscored quizzes and interactions within each module and the final scored assessment are designed to challenge even RIPA geeks!
Sam Lincoln, a former OSC chief inspector, has designed the course assisted by Ibrahim Hasan. Sam says:
“I was delighted to be commissioned by Ibrahim and his team at Act Now to produce this eLearning course. When I was Chief Inspector at the OSC I was aware that many local authorities, constrained by budget reductions, were attempting to provide their own training in-house. Despite valiant efforts the result was often regurgitation of the codes of practice and ‘death by PowerPoint’ lectures. I wanted to produce something that was more interesting and included interaction, feedback and assessment.”
Upon reviewing the course our RIPA expert and trainer, Steve Morris, said:
“I have had an opportunity to review the finished product and have to say it is a great mix of knowledge, animation and assessment, using many different learning delivery methods to keep the learner engaged. Sam provides clear well-paced narration and his choice of words make the modules easy to follow and understand. I would say the modules are ideal for anyone involved with the management and application of RIPA, whatever their position.”
The Act Now RIPA E Learning Course is suitable for staff in all public authorities but particularly those in local authorities working in trading standards, environmental health, planning, licensing and enforcement.
The key change is the need to ensure the independence of the Designated Person (DP). This is the person within the public authority who has to be satisfied that acquiring the communications data is necessary and proportionate and who signs off the application. Paragraph 3.12 of the new code states that DPs must be independent from operations and investigations when granting authorisations, or giving notices related to those operations.
This policy change was brought about in response to the European Court of Justice (ECJ) Judgment which struck down the Data Retention Directive (2006/24/EC) as the Directive did not include sufficient safeguards as to why and by whom such data may be accessed. The Judgment noted that the Directive contained no safeguards in relation to access to the retained data, including in relation to the independence of the person authorising access to the retained data.
The new code requires public authorities to satisfy the Interception of Communications Commissioner’s Office (IOCCO) that they have sufficient measures in place to ensure the DP’s independence. IOCCO have set out certain guidelines. In a nutshell, a DP must not be directly responsible for the operation or investigation (i.e. they should not have a strategic or tactical influence on the investigation). He/she should be far enough removed from the applicant’s line management chain which will normally mean they are not within the same department or unit. Applicants should not be able to choose who the DP will be on a case by case basis (save for in urgent circumstances). Finally, there should be a defined group of DPs in an organisation i.e. a recognised list defined by role and/or position.
Public authorities will need to ensure that they have a formal procedure setting out the arrangements in place to ensure independence. This will be examined by IOCCO during their inspection. It will also explore how the DPs are selected to consider applications and will audit compliance with the code.
There are exceptions to the rule of independence of DPs set out in the IOCCO Circular of the 1st June 2015 advising public authorities of the changes. These exceptions mainly relate to urgent authorisations and where very small teams of investigators mean that independence would be difficult. These exceptions will not normally apply to local authorities.
In all circumstances where public authorities use DPs who are not independent from an operation or investigation (save for the exceptions) this must be notified to the IOCCO at the next inspection. The details of the public authorities and the reasons such measures are being undertaken may be published and included in the IOCCO report.
What Should You Do Now?
Prepare for an IOCCO inspection. The Commissioner still inspects councils despite their infrequent use. Read here what a typical inspection involves.
Review your current DP authorisations and procedures. You may need to nominate additional (independent) DPs
Review training for DPs. Paragraph 3.8 of the code says:
“Individuals who undertake the role of a designated person must have current working knowledge of human rights principles and legislation, specifically those of necessity and proportionality, and how they apply to the acquisition of communications data under Chapter II and this code.”
Do all your DP’s have this knowledge to undertake their role?
Act Now is offering live and interactive webinars for DPs tailored to your organisation. The webinars last for one hour which include an online test. All participants receive a certificate of completion. Get in touch for a quote.
Local authorities have powers, under Part I Chapter 2 of the Regulation of Investigatory Powers Act 2000(RIPA), to acquire communications data from Communications Service Providers (CSPs). The definition of “communications data” includes information relating to the use of a communications service (e.g. phone, internet, post) but does not include the contents of the communication itself. It is broadly split into 3 categories: “traffic data” i.e. where a communication was made from, to whom and when; “service data” i.e. the use made of the service by any person e.g. itemised telephone records; “subscriber data” i.e. any other information that is held or obtained by a CSP on a person they provide a service to.
Some public authorities have access to all types of communications data e.g. police, ambulance service, HM Revenues and Customs. Local authorities are restricted to subscriber and service use data and even then only where it is required for the purpose of preventing or detecting crime or preventing disorder. For example, a benefit fraud investigator may be able to obtain an alleged fraudster’s mobile phone bill. As with other RIPA powers, e.g. Directed Surveillance, there are forms to fill out and strict tests of necessity and proportionality to satisfy.
The Prime Minister under Section 57(1) of RIPA 2000 appointed Sir Anthony May in January 2013 as the Interception of Communications Commissioner. His function is to keep under review the interception of communications and the acquisition and disclosure of communications data by intelligence agencies, police forces and other public authorities (including councils). He is required to make an annual report to the Prime Minister with respect to the carrying out of his functions.
In March the Commissioner’s Annual Report, covering the period January to December 2014, was laid before Parliament. (Read the useful summary produced by Big Brother Watch here). Key findings in relation to communications data are set out in the extract below:
Despite media headlines, local authorities now make little or no use of these powers. A big reason for this is that, since 1st November 2012, councils have had to obtain Magistrates’ approval for even the simplest communications data applications (e.g. mobile subscriber checks). (Read about the changes in detail here.) Another reason may be that since December last year, the Home Office has required councils to go through the National Anti Fraud Network to access communications data rather than make direct applications to CSPs. This has also made the internal SPoC’s (Single Point of Contact) role redundant.
The Commissioner also has the power to conduct inspections of public authorities using these powers. He still inspects councils despite their infrequent use. A typical inspection may include the following:
A review of the action points or recommendations from the previous inspection to check they have been implemented.
An audit of the information supplied by the CSPs detailing the requests that public authorities have made for disclosure of data. This information is compared against the applications held by the SPoC (Single Point of Contact) to verify that the necessary approvals were given to acquire the data.
Examination of individual applications to assess whether they were necessary in the first instance and then whether the requests met the necessity and proportionality requirements.
Scrutinising at least one investigation or operation from start to end to assess whether the communications data strategy and the justifications for acquiring all of the data were proportionate.
Examination of the urgent oral approvals to check the process was justified and used appropriately.
A review of the errors reported or recorded, including checking that the measures put in place to prevent recurrence are sufficient.
Act Now continues provides in house training on all aspects of covert surveillance under RIPA including accessing communications data. Get in touch for a quote.
By Sam Lincoln (Chief Surveillance Inspector 2006 – 2013)
Recently Ibrahim Hasan alerted you to the revisions of the two codes of practice underPart 2 of the Regulation of Investigatory Powers Act 2000 (RIPA) published on 10th December 2014. Ibrahim urged you to read them but I suspect that it wasn’t at the top of your ‘to do’ list over Christmas! So I’ve done the donkey work for you.
I approach the subject by addressing each of the two codes. Before I do, it’s worth saying that I compared the existing 2010 codes with the draft codes obtained from the Home Office website available at the time of writing. It may be worth checking to see if further amendments were made before publication. I ignore the frequent amendment resulting from changes to the names or amalgamation of public authorities (for example the formation of Police Scotland and the creation of the National Crime Agency).
If you are a member of a local authority, please don’t persuade yourself that the CHIS Code doesn’t apply to your authority. I think you’ll find that it does!
Covert Surveillance and Property Interference Code
Let’s begin with the Covert Surveillance and Property Interference Code. It might be worth having a copy (printed or online) handy as I’ll refer to relevant paragraph numbers in square brackets ([]):
[2.18] The first sentence is amended to account for the fact that some legal consultations which might otherwise be Directed Surveillance are now to be authorised as Intrusive Surveillance.
[2.24] Examples 3 and 4 have been amended. I am particularly uncomfortable with the amendment to Example 4 which relegates the requirement for an authorisation from “should be sought” to “should … be considered”. The inference is that planned covert surveillance of an individual suspected of shoplifting depends on the public authority deciding whether the individual has a reasonable expectation of privacy. Assessing what is reasonable and what is assumed by another person is open to challenge. It is because examples can mislead that the Office of Surveillance Commissioners (OSC), during my tenure, advised against the inclusion of examples. For this reason it’s vital that applicants and authorising officers note [1.7].
[2.27] This paragraph has been expanded to include guidance provided by the Surveillance Camera Code of Practice pursuant to the Protection of Freedoms Act. (More on CCTV here)
[2.29] This new paragraph provides important guidance regarding the need to consider whether an authorisation for either Directed Surveillance or a CHIS is required when using the Internet. As usual, it lacks the clarity usually sought by practitioners but it is clear that prior consideration should be given to the need for authorisation; it’s not acceptable to ignore this advice and I urge Senior Responsible Officers to ensure that they alert all public authority staff to its implications.
[2.30] The third bullet point of this paragraph is amended to differentiate between non-verbal and verbal noise.
[3.7] The original examples 2 and 3 are deleted. I suspect that the cause is that neither could be protected by a RIPA authorisation as a result of the 2010 Order. But then again, nor does Example 1!
[3.18] This is a new paragraph and covers the use of third party individuals or organisations (for example private investigators and internet researchers). They are acting as agents of the public authority and the need for relevant authorisation must not be ignored.
[3.22] The deletion of reference to Scottish public authorities suggests that there is no collaboration agreement with any public authorities in Scotland.
[3.30 – 3.33] These new paragraphs cover the changes to local authority authorisations of Directed Surveillance resulting from the Protection of Freedoms Act 2012. (More on the changes here)
[3.35] This paragraph amends the requirement for elected members to consider internal reports submitted on a ‘regular basis’ rather than at least quarterly. I’m personally disappointed that there’s no restriction on the detail of authorisations that elected members are entitled to see to prevent inadvertent compromise.
[4.1] The fourth sentence is amended slightly for grammatical effect it seems. The definition of a Member of Parliament is deleted and placed in the glossary at the back of the code.
[5.18] I recall that the OSC advised that there is no ‘legal’ requirement for any further details to be recorded and would have preferred the code to be more assertive. It’s disappointing that this advice is ignored.
[5.20] It isn’t clear why all of the footnotes relating to this paragraph are deleted.
[6.2] Is amended to include directed surveillance.
[7.8] This paragraph isn’t amended despite, to my knowledge, earlier criticism of the accuracy of its first sentence by the OSC. I am not a lawyer but, if I recall accurately, neither loss nor damage is necessary for there to be property interference. Subsequent analysis of a sample isn’t, of itself, surveillance; it’s the obtaining of the sample itself which may need authorisation.
[8.1] An additional sentence is added directing local authorities to the .gov.uk website for further guidance on the recording of magistrates’ decisions.
[8.2] A final bullet is included requiring local authorities to retain a copy of the Magistrates’ approval order in a centrally retrievable form. (more on the Magistrates’ approval process here)
[8.4] This is a new paragraph advising that it is desirable that relevant records should be retained, if possible, for up to five years.
CHIS Code of Practice
Let me turn now to the revised CHIS Code of Practice.
[2.4] This alerts the reader to the renaming of CHIS previously known as undercover officers to ‘relevant source’. Not a particularly helpful title. Contrary to this paragraph, not all references to undercover officers are amended in this revision of the Code.
[2.12] The final sentence of this paragraph is an important amendment. It alerts public authorities to the fact that the existence of a CHIS is not a choice for a public authority. Whether to authorise the use and conduct of a CHIS is a choice of course, but in my experience too often public authorities wished the problem away. In short, all public authorities must acknowledge that a CHIS may appear at any time and must have procedures in place to manage them in accordance with the law.
[2.14] This new paragraph obliges ‘relevant sources’ to comply with the College of Policing Code of Ethics.
[2.15] This is a new paragraph obliging the authorisation of activity known as ‘legend building’.
[2.16] This seems an unnecessary paragraph considering that types of human sources falling outside the CHIS definition are provided specific attention.
[2.17] This new paragraph introduces the concept of a public volunteer (with examples) in addition to the previously existing concept of a human source with a professional or statutory duty.
[3.12] This paragraph is amended in recognition that the 2013 Order introduced enhanced arrangements.
[3.22] The amendment to this paragraph emphasises that the enhanced arrangement for relevant sources relies on accurate recording of the length of deployment of each relevant source.
[3.26 – 3.27] This new section is specific to the use of CHIS by local authorities and the approval by magistrates. It highlights differences between authorities in England and Wales, Scotland, and Northern Ireland. Similar direction is provided to the need for elected member review but, as I was disappointed with the direction in the other Code, I believe that there is benefit in restricting the detail available to elected members in relation to the use and conduct of a CHIS to prevent compromise.
[4.3] This reminds the reader that ‘relevant sources’ are subject to enhanced arrangements when accessing legally privileged and other confidential information.
[4.31] There is an addition to cover the engagement of a member of a foreign law enforcement agency.
[4.32] The is an important new paragraph covering the considerations necessary to authorise the use and conduct of a CHIS for some online covert activity. It should be read in conjunction with [2.29] of the Covert Surveillance and Property Interference Code of Practice.
[5.10] This new paragraph clarifies the enhanced arrangements for relevant sources.
[5.15] Two sentences are added to this paragraph. The first states that local authorities are no longer able to orally authorise the use of RIPA techniques. The second relates to out of hours arrangements.
[5.16] An amendment to this paragraph introduces additional information to include at review; namely the information obtained from a CHIS and the reasons why executive action is not possible if that is the case (my italics are an addition).
[5.21 and 5.22 – 5.26] These new paragraphs relate to enhanced arrangements for the use and conduct of relevant sources. They provide detail regarding timings and, importantly, the calculation of total or accrued deployment or cumulative authorisation periods.
[5.29] An additional sentence requires an authorising officer to satisfy themselves that all welfare issues are addressed at the time of CHIS cancellation.
[5.30 – 5.31] These new paragraphs relate to the refusal of an Ordinary Surveillance Commissioner to approve a long term authorisation. Importantly, it obliges public authorities to plan for the safe extraction of a relevant source if an authorisation is refused.
[6.6] The addition of a final sentence recognises concerns raised by the OSC in relation to traditional police appointments and their responsibilities as defined by RIPA.
[7.3] Similar to [8.4] of the Covert Surveillance and Property Interference Code revision, this new paragraph (and amendment of [7.1] and [7.6]) recommends that relevant RIPA records should be retained for five years if possible.
[7.6] The addition of a bullet point requires that the decision of an Ordinary Surveillance Commissioner should be retained.
There is one other point I would like to make about the CHIS Code; there is no reference to the fact that the Protection of Freedoms Act 2012 did not restrict the use or conduct of a CHIS to the prevention or detection of crimes not attracting a six month sentence as it did for other types of covert surveillance.
What should you do now?
If you’ve got this far without falling asleep, you are obviously a person who takes RIPA seriously! It would be very helpful therefore if you ensure that your Senior Responsible Officer and all authorising officers are alerted to these amendments. I’m sure the OSC will check that policies are amended accordingly and that extant codes of practice are available and understood.
Copy this article by all means but please have the courtesy to accredit it properly!!
Sam Lincoln was formerly Chief Surveillance Inspector with the Office of Surveillance Commissioners for seven years. Please get in touch if you would like Sam to help you prepare for an OSC inspection by delivering customised training at your premises. We also have a full program of RIPA workshops in 2015 where we will examine the new codes in detail: http://www.actnow.org.uk/content/110