Category: RIPA

Leading Surveillance Law Expert Joins the Act Now Team

Act Now Training welcomes solicitor and surveillance law expert, Naomi Mathews, to its team of associates. Naomi is a Senior Solicitor and a co-ordinating officer for RIPA at a large local authority in the Midlands. She is also the authority’s Data Protection Officer and Senior Responsible Officer for CCTV.

Naomi has extensive experience in all areas of information compliance and has helped prepare for  RIPA inspections both for the Office of Surveillance Commissioners and Investigatory Powers Commissioner’s Office (IPCO). She has worked as a defence solicitor in private practice and as a prosecutor for the local authority in a range of regulatory matters including Trading Standards, Health and Safety and Environmental prosecutions. Naomi has higher rights of audience to present cases in the Crown Court.

Naomi has many years of practical knowledge of RIPA and how to prepare for a successful prosecution/inspection. Her training has been commended by RIPA inspectors and she has also trained nationally. Naomi’s advice has helped Authorising Officers, Senior Responsible Officers and applicants understand the law and practicalities of covert surveillance. 

Like our other associates, Susan Wolf and Kate Grimley Evans, Naomi is a fee paid member of the Upper Tribunal assigned to the Administrative Appeals Chamber (Information Rights Jurisdiction and First Tier Tribunal General Regulatory Chamber (Information Rights Jurisdiction).

Ibrahim Hasan, director of Act Now Training, said:

“ I am pleased that Naomi has joined our team. We are impressed with her experience of RIPA and her practical approach to training which focuses on real life scenarios as opposed to just the law and guidance.”

Naomi will be delivering our full range of RIPA workshops as well developing new ones. She is also presenting a series of one hour webinars on RIPA and Social Media. If you would like Naomi to deliver customised in house training for your organisation, please get in touch for a quote. 

We Are Hiring!

Are you a surveillance law expert with a proven track record of delivering practical and engaging training on Part 2 of the Regulation of Investigatory Act 2000 (RIPA) and/or its Scottish equivalent (RIPSA)? 

Due to an increased demand, Act Now Training is recruiting trainers to join its team of experts who deliver in-house and external surveillance training courses throughout the UK and online. These range from one hour webinars to full day courses and aim to help local authority staff practically apply the legislation and prepare for Commissioner inspections.

With more courses planned for 2022, including some new ones, we need trainers who enjoy the challenge of explaining difficult concepts in a practical jargon-free way.

We have opportunities for full time trainers as well as those who wish to add an extra “string to their bow” without leaving their day job. You do not have to be a lawyer and indeed our current team includes an ex police officer and a data protection officer. What is important is that you have practical experience of working with surveillance legislation, have enthusiasm for the subject and want to deliver innovative training (not “death by PowerPoint”) to a range of audiences.

If you think you have what it takes to become an Act Now trainer, please get in touch with your CV explaining your RIPA/RIPSA knowledge and experience. A full privacy policy can be read on our website.

Act Now Launches New RIPA E Learning Course

Screenshot 2020-11-24 at 10.26.09

The Investigatory Powers Commissioner’s Office (IPCO), like its predecessor the Office of the Surveillance Commissioner(OSC), undertakes inspections of public authorities to ensure their compliance with Part 2 of the Regulation of Investigatory Act 2000 (RIPA).
A common feature of an IPCO report into a council is the highlighting of the lack of regular refresher training for those who undertake covert surveillance, including when using social media.  

The coronavirus pandemic as well as decreasing council budgets means that training staff is difficult to say the least. Social distancing and home working make face to face training impossible and live online training may not always be cost effective for those who need a quick refresher.  

Act Now Training is pleased to announce the launch of RIPA Essentials. This is a new e learning course, consisting of an animated video followed by an online quiz, designed to update local authority employees’ knowledge of Part 2 of RIPA which covers Directed Surveillance, Intrusive Surveillance and CHIS. Designed by our RIPA experts, Ibrahim Hasan and Steve Morris, it uses simple clear language and animation to make the complex simple. 

In just 30 minutes your employees can learn about the main provisions of Part 2 of RIPA including the different types of covert surveillance, the serious crime test and the authorisation process. It also covers how RIPA applies to social media monitoring and how to handle the product of surveillance having regard to data protection. All this at a time and in a place of your employees’ choosing. (See the full contents here.

Steve Morris said: 

“Ibrahim and I have over 40 years of experience in training and advising local authorities on covert surveillance and RIPA. We have used this experience, as well as the latest guidance from the Home Office and IPCO, to produce an online training course which is engaging, interactive and fun.” 

With full admin controls, RIPA Essentials will help you to build a RIPA compliance culture in your organisation and develop a workforce that is able to identify and address privacy risks when conducting surveillance. The course is specifically designed for local authority investigators including trading standards officers, environmental health officers, licensing officers, auditors and legal advisers.  

You can watch a demo of RIPA Essentials here. Prices start from as little as £69 plus vat per user. For a bespoke quote please get in touch

RIPA Essentials follows the successful launch of GDPR Essentials which has been used by our clients to train thousands of staff in the public and private sector.

New RIPA Codes of Practice for Surveillance and CHIS

Drohne

In August 2018 the revised Codes of Practice for Covert Surveillance and Property Interference and Covert Human Intelligence Sources (CHIS) were published. These contain substantial changes and additions which public authorities conducting surveillance under Part 2 of the Regulation of Investigatory Powers Act 2000 (RIPA) need to understand.

The codes provide guidance on when an application should be made for a RIPA authorisation, the procedures that must be followed before surveillance activity takes place and how to handle any information obtained through such activity. They are admissible as evidence in criminal and civil proceedings. Any court or tribunal considering such proceedings, including the Investigatory Powers Tribunal , as well as the Investigatory Powers Commissioner’s Office, responsible for overseeing the relevant powers and functions, may take the provisions of the codes into account.

Many of the changes in the revised codes reflect best practice guidance published in the OSC Procedures and Guidance Document, observations and commentary in OSC annual reports, and advice and guidance provided during inspections. The changes include amendments to the role of the Senior Responsible Officer and a new error reporting procedure. The codes also reflect developments in surveillance and monitoring – such as use of the internet and social media, drones, tracking devices etc. Here is a summary:

  1. Private information– further information and guidance relating to internet material and investigations.
  2. Tracking devices– clarification and further information
  3. Social media and internet research – Substantial new sections providing clarity and detail (read our blog post for more on this topic).
  4. Drones – A section providing guidance on the use of Aerial Surveillance Devices
  5. Intrusive surveillance– A further developed explanation
  6. General Observation Duties– Expanded section to include such activity on the internet
  7. Surveillance not core function– A section relating to covert surveillance for ‘non RIPA purposes’ (More on this topic in our blog post)
  8. CCTV and ANPR– Additional information relating to the deployment of these technologies and the relevant codes and oversight more here: (More on this topic )
  9. Necessity and proportionality– Expanded section.
  • Authorisation– New section explaining the requirement to present the circumstances in a fair and balanced manner
  • Collateral intrusion– Further explanation is provided
  • Handling of material obtained– Section relating to safeguards, retention and destruction of material
  • Third parties– more clarity relating to working with third parties, including those that are not public authorities
  • Reviews– Further detail relating to the review process requirements
  • Senior Responsible Officer– The section relating to the role of the SRO has been altered substantially and includes amendments to the role and responsibilities
  • Covert Surveillance of a CHIS– A new section dealing with this tactic
  • Renewals– A section that provides more information about the detail required
  • Record Keeping– This section has been expanded to provide more detail of requirements
  • Error Reporting– A new requirement introduced in the Investigatory Powers Act 2016. This section describes the types of errors and the reporting requirements, and how there is expected to be processes to identify if errors exist.
  • Privileged Information– A new section with more detail relating to safeguard requirements for such information.
  • Other Legislation– There is now a new section referring to the Criminal Procedure Investigations Act 1996and evidence.
  • Data Protection– A new section relating to the handling and management of material and referring to the Data Controller. (Read our blog poston GDPR and employee surveillance.)
  • Dissemination of Material– A new section relating to this aspect
  • Copying of Material– A new section relating to this aspect
  • Storage of Material– A new section relating to the secure storage of material obtained
  • Destruction of Material– Another new section relating to this aspect
  • Confidential or Privileged Material– This section has been expanded to provide more detailed information about requirements
     
  • Oversight– Section amended to reflect the role oversight role of the Investigatory Powers Commissioner’s Office, and their access to systems and material in order to fulfil the oversight role. (More on this subject here.) If you have a RIPA inspection coming up, read our guide
  • Complaints– This section is completely altered and provides additional information

On 30thApril 2018 the Investigatory Powers Tribunal awarded £46,694 to an individual who had complained about surveillance by British Transport Police (BTP). The determination was that that surveillance was unlawful as it had been conducted without a RIPA authorisation. BTP was criticised for amongst other things, lack of training and awareness of those involved in surveillance.

Our RIPA courses have been completely revised by our RIPA expert, Steve Morris, to include an explanation of the new codes of practice and recent developments.  If you would like an in house refresher training for your staff, please get in touch.

RIPA Surveillance Oversight and Inspection Regime Changes

canstockphoto19424111

By Steve Morris

On 1st September 2017 Lord Justice Fulford commenced his new role as the Investigatory Powers Commissioner. Assisted by the Investigatory Powers Commissioner’s Office (IPCO), he will undertake the oversight functions of three previous Commissioners under the Regulation of Investigatory Powers Act 2000 namely the Chief Surveillance Commissioner, Interception of Communications Commissioner and the Intelligence Services Commissioner.

This marks a major milestone in establishing a new oversight regime set out in the Investigatory Powers Act, which was given Royal Assent in 2016. The Act, amongst other things, provides new powers for the police to access communications data e.g. telephone records, internet usage information etc. More on the Act in further blog posts.

Not only does the new commissioner take over the inspection and oversight functions carried out by the previous commissioners, he takes on responsibility for the pre-approval of certain police activities authorised under the Police Act 1997.

The Investigatory Powers Commissioner’s Office will consist of around 70 staff. This will be made up of:

  • Around 15 Judicial Commissioners, current and recently retired High Court, Court of Appeal and Supreme Court Judges;
  • A Technical Advisory Panel, of scientific experts; and
  • Almost 50 official staff, including inspectors, lawyers and communications experts.

Over the next 12 months Judicial Commissioners will start to take on their prior approval functions relating to the Investigatory Powers Act 2016, including interception, equipment interference, bulk personal datasets, bulk acquisition of communications data, national security notices, technical capability notices and communications data retention notices. The Judicial Commissioners will be supported in this work by the Technology Advisory Panel.

What impact will this new commissioner have on local authority inspections under Part 2 of RIPA carried out previously by the Office of the Surveillance Commissioners (OSC)? I suspect not a lot. The same issues will be considered as previously. The final OSC annual report once again highlights the recurring issue of investigations using social networks e.g. Facebook.

If you have an inspection coming up read our guide here.

Steve Morris is a former police officer who delivers our RIPA Courses as well as a course on Internet Investigations.

Now is the time to consider refresher training for RIPA investigators and authorisers. Please see our full program of RIPA Courses which have been revised to take account of all the latest developments. We can also deliver these courses at your premises, tailored to the audience. Finally, if you want to avoid re inventing the wheel, our RIPA Policy and Procedures Toolkit gives you a standard policy as well as forms (with detailed notes to assist completion) for authorising RIPA and non-RIPA surveillance. Over 200 different organisations have bought this document (available on CD as well).

RIPA and Communications Data: IoCCo Annual Report

ripa24

 

 

 

 

 

 

 

 

 

 

 

 

In October 2015 the Prime Minister appointed Sir Stanley Burnton as the new Interception of Communications Commissioner replacing Sir Anthony May. Sir Stanley’s function is to keep under review the interception of communications and the acquisition and disclosure of communications data by public authorities under the Regulation of Investigatory Powers Act 2000 (RIPA).

Local authorities, as well as other agencies, have powers under Part I Chapter 2 of RIPA to acquire communications data from Communications Service Providers (CSPs). The definition of “communications data” includes information relating to the use of a communications service (e.g. phone, internet, post) but does not include the contents of the communication itself. It is broadly split into 3 categories: “traffic data” i.e. where a communication was made from, to whom and when; “service data” i.e. the use made of the service by any person e.g. itemised telephone records; “subscriber data” i.e. any other information that is held or obtained by a CSP on a person they provide a service to.

Some public authorities have access to all types of communications data e.g. the Police, the Ambulance Service and HM Revenues and Customs. Local authorities are restricted to subscriber and service use data and then only where it is required for the purpose of preventing or detecting crime or preventing disorder. For example, a benefit fraud investigator may be able to obtain an alleged fraudster’s mobile phone bill. As with other RIPA powers, e.g. Directed Surveillance under Part 2, there are forms to fill out and strict tests of necessity and proportionality to satisfy.

On 8th September 2016, Sir Stanley laid his 2015 annual report before Parliament. The report covers the period January to December 2015. Key findings around communications data powers include:

  • 761,702 items of communications data were acquired during 2015.
  • 48% of the items of communications data were traffic data, 2% service use information and 50% subscriber information.
  • 7% of the applications for communications data were made by police forces and law enforcement agencies, 5.7% by the intelligence agencies and 0.6% by local authorities and other public authorities.
  • Only 71 local authorities reported using these powers. The majority of these used them on less than 10 occasions.
  • Out of the 975 applications made by local authorities in 2015, Kent County Council made 107 of these whilst five councils made just 1 application each.

A big reason for the low use of these powers by local authorities is that, since 1st November 2012, they have had to obtain Magistrates’ approval for even the simplest communications data applications (e.g. mobile subscriber checks).

Another reason may be that since December 2015 last year, the Home Office has required councils to go through the National Anti Fraud Network to access communications data rather than make direct applications to CSPs. This has also made the internal SPoC’s (Single Point of Contact) role redundant. Consequently the Commissioner no longer conduct inspections of individual local  authorities; choosing to inspect NAFN instead.

In March 2015 a new Code of Practice for the Acquisition and Disclosure of Communications Data by public authorities came into force.  It contains several policy changes, which will require careful consideration.

When the Investigatory Powers Bill comes into force it will change the communications data access regime.  Read our blog and watch this space.

Do you make use of these powers and need refresher training? Act Now is running a live one hour webinar on this topic. We also offer a whole host of training in this area. Please visit our website to find out more!

OSC RIPA (Surveillance) Procedures and Guidance: A view from its former editor

ripa

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

For the first time, the Office of Surveillance Commissioners (OSC) has made its Procedures and Guidance (P&G) public (in electronic format).

The guidance is essential reading for public authorities, especially councils, who conduct surveillance under Part 2 of the Regulation of Investigatory Powers Act 2000 (RIPA) (Directed Surveillance, Intrusive Surveillance and the deployment of a Covert Human Intelligence Source (CHIS)). The guidance also covers Part III of RIPA and RIP(S)A and to Part III of the Police Act 1997. It does not provide guidance on interception and the obtaining of communications data requiring a RIPA/RIP(S)A warrant.

Why should you care?

For reasons which Steve Morris explains in his blog on the latest OSC report, you’re going to face some form of inspection whether or not you have or intend to conduct covert surveillance; so at least understand how that inspection will be approached.

Also, as the Chief Surveillance Commissioner emphasises, every public authority should have in place policies, procedures and training programmes to ensure that relevant legislation is complied with when a situation arises. The OSC P&G will help you understand when relevant situations arise and how they should be approached.

Failure to recognise when the protection of RIPA/RIP(S)A may be sought or to know how to respond in a manner compliant with legislation – that is claiming ignorance – is no longer an option!

Why does the document exist?

When I first joined the OSC there was a best practice document which I believe had been shared with law enforcement agencies. This, combined with inspection reports, did not appear to meet with unanimous approval.

The Police Service attempted to introduce its own ‘Key Principles’ document which was sufficiently inadequate to attract the comment that “this is why the police should not be left to interpret legislation!”

However, I hope that I am not criticised for saying that the Surveillance Commissioners were not entirely comfortable publishing generic principles; they were more accustomed to making judgments on the facts of specific cases.

It is no coincidence that the following disclaimer, changed little since the first edition, is given prominence: 

“The opinions expressed within the Interpretation Guidance section of this publication are those of the Surveillance Commissioners. The OSC is not a judicial authority. This Guidance simply indicates the way in which the Commissioners would be minded to construe particular statutory provisions. There is no statutory requirement to publish them but they are a response to frequent requests for guidance from public authorities or are matters raised or identified during the inspection process. In the absence of case law, they are the most reliable indicator of likely judicial interpretation. They are the basis upon which inspections will be conducted and performance assessed by the Office of Surveillance Commissioners. Applicants and Authorising Officers should take note of the interpretations when constructing and considering applications and authorisations for the use of covert powers.”

These are the Surveillance Commissioners’ views. It’s rare that a collective interpretation of law is construed by seven ex-Appeal Court judges and three ex-Circuit judges. During my time, issues were examined and discussed at length during meetings with Commissioners and inspectors. You can imagine that, as Editor, I have happy memories of ‘wordsmithing’ each entry to accommodate the wishes of eminent lawyers!

In effect it is the OSC’s ‘party line’ but the disclaimer should be read in conjunction with paragraph 12. It would be wrong to imply that every member of the OSC agrees with every word in the document, so it is necessary to remember that it is guidance which may easily be altered by facts specific to each case. This is why you’ll find phraseology such as “is capable of being construed as [a type of] surveillance” rather than the definitive “is [a type of] surveillance”. Each Surveillance Commissioner is able to exercise his own judgment when approving authorisations.

RIPA and RIP(S)A are permissive and discretionary powers; the onus is on an authorising officer to decide whether or not to grant an authorisation for covert conduct. Assistant Surveillance Commissioners and inspectors cannot dictate. The aim of the document is to provide a level of consistency in approach from the OSC.

Finally, it is not the task of the OSC to make law; its task is to interpret the law as it is written, not as the Commissioners or others may prefer it. So don’t accuse the OSC of promoting covert conduct which you don’t agree with!

Why publication was resisted?

Partly because of conflict with the Police Service in relation to the ‘Key Principles’ document, and in response to concerns that operational techniques would be exposed, it was decided that the P&G should not be made available to the public. My repeated requests to identify any operational technique in the document that hadn’t already been disclosed by enthusiastic senior investigating officers resulted in no applications. But it was decided that we relied on practitioner transparency which required trust that we would not inhibit legitimate techniques.

When serving in the OSC and today, I am sometimes disappointed with the understanding of some trainers and the quality of their training. Too often legislation, codes of practice and the P&G are regurgitated or misused for commercial gain without improving knowledge or practitioner performance. Sometimes challenging the P&G was used as enticement to attendance or purchase; we were concerned that alternative opinions undermined confidence in the OSC.

I can avow the time and effort that goes into the formulation of this guidance; there is good reason why phrases are used. To protect copyright, to avoid misinterpretation and to prevent others gaining financially from the immense effort of the OSC were, I confess, causes of reticence to provide the document to the public.

In hindsight I believe my advice to the Chief Surveillance Commissioner to prevent public disclosure was misguided. Copies leaked to trainers and OSC silence allowed the media and campaigners to inadequately interpret legislation and its use.

Discussions relating to the Investigatory Powers Bill indicate that the need for regulators to transparently demonstrate how they hold public authorities to account has been recognised. Making the P&G public is a positive step but I am surprised that it is free! It‘s a publication worthy of a charge.

Comparison

For the remainder of this post I compare the July 2016 version with its predecessor of December 2014. There are many notes useful to practitioners. If you have not read it at least once, you should. Numbers in parenthesis are the relevant note number.

Part 1 – Procedures

Part 1 Section 1 provides detail of how to contact the OSC and matters relating to inspection process and reporting. Part 1 Section 2 provides detail in relation to Commissioner approvals, which apply mainly to law enforcement agencies.

[7-8] Disclosure of inspection reports. This is not new but worth reiterating. There is no requirement – as stated in the Codes of Practice – to notify the OSC of an intention to publicly disclose an inspection report, nor does the OSC promote or discourage the practice. The decision whether or not to publish rests entirely with the chief officer of the public authority inspected.

Part 2 – Guidance

[75] “I am satisfied” and “I believe” Again, not new but important. Too often authorising officers provide insufficient rationale to support their judgment; relying on the details provided by the applicant. This guidance cautions against lax authorisations. The heading indicates an unexplained difference between RIPA and RIP(S)A which use different requirements. This is likely to be complicated further if the terms in the draft IP Bill are enacted. That Bill currently requires a designated officer to “consider”. I may write another article on the significance of these differences.

[87] Duration of authorisations and renewals. Added clarification to ensure that electronic systems date/time algorithms do not have the effect of “losing a day” of authorised conduct. This amendment probably reflects the law enforcement agencies tendency to use electronic systems to create and process applications and authorisations. A useful audit is provided by date stamps and automatically generated data which cannot be altered. There have obviously been instances where automatic dates are not accurate. This amendment indicates how an OSC inspector will regard the inaccuracy but it’s a hint that authorising officers should ensure that dates are accurate.

[93-98] Persons, groups, associates and vehicles. These notes provide guidance in to assist public authorities amend authorisations when details are not known at the outset. The final sentence of Note [96] is amended:

Deleted: “The AO should set parameters to limit surveillance and use review to avoid “mission creep”.

Inserted: “The AO should guide the operational commanders by setting contextual parameters for the use of the “link” approach.” (i.e. where a possible link has previously been identified between individuals to the common criminal purpose being identified.)

There is a new note [97].

“The Authorising Officer should be updated when it is planned to deploy equipment or surveillance against a freshly identified subject before such deployment is made, to enable him to consider whether this is within the terms of his original authorisation, necessary, proportionate and that any collateral intrusion (or interference) has been taken into account; alternatively, where operational demands make it impracticable for the Authorising Officer to be updated immediately, as soon as reasonably practicable thereafter. This is to ensure that the decision to deploy further devices or surveillance remains with the Authorising Officer and is not delegate to, or assumed by, another, such as the operational commander. Such reviews should be pertinent and can be done outwith the usual formal monthly written review process, provided that the details of the Authorising Officer’s decisions are recorded contemporaneously and formally updated at the next due review. Where the terms of an authorisation do not extend to interference to other subjects (criminal associates) or their property then a fresh authorisation, using the urgency provisions if necessary, will need to be sought.” (My emphasis)

[222-229] Authorisation of undercover officers (UCOs). Note [226] is amended to enable additional UCOs to be authorised by way of review but indicates that every UCO must be authorised for the correct duration. This reflects the reality that it is frequently necessary to introduce additional UCOs to an investigation (for example to support a legend). Often the identity of additional UCOs will not be known at the outset. Rather than insist on the added bureaucracy of a new authorisation, the Commissioners have indicated that amendment by review (providing the terms of the original authorisation allow it) will not be criticised.

[289] Covert Surveillance of Social Network Sites (SNS). I advise that all members of local authorities read paragraph 289 in entirety as it’s the conduct most likely to introduce RIPA/RIP(S)A compliance issues. It remains my view that too few public authorities recognise (either deliberately or in ignorance) that the ‘less intrusive’ means that have resulted in decreased authorisations may be the result of not authorising internet investigations on the belief that ‘open source’ or publicly available mitigates RIPA/RIP(S)A consideration. This note provides the OSC’s guidance. Sub-note [289.3] is amended as shown in bold type:

“It is not unlawful for a member of a public authority to set up a false identity but it is inadvisable for a member of a public authority to do so for a covert purpose without an authorisation for directed surveillance when private information is likely to be obtained. The SRO should be satisfied that there is a process in place to ensure compliance with the legislation. Using photographs of other persons without their permission to support the false identity infringes other laws.”

See also Ibrahim Hasan’ blog post on RIPA and social networks.

 

Conclusion

I hope that this background is useful. I hope that my reticence to persuade the former Chief Surveillance Commissioner to make the P&G available to the public is proven to be misguided. Publishing the document is a very positive move in my opinion and is a useful indicator that the Commissioners have come to terms with the need to be public-facing. I applaud the decision.

Disclaimer: Sam Lincoln is a former Chief Surveillance Inspector with the OSC. In that capacity he introduced the OSC Procedures and Guidance and edited it from 2006 to 2013. The opinions expressed in this post are his alone; he does not represent the OSC and OSC endorsement is neither sought nor implied.

Sam has designed our RIPA E-Learning Package which is an interactive online learning tool, ideal for those who need a RIPA refresher before an OSC inspection.

 

Like our image? It is available as an A3 Poster for the office, We have a small range of them for only £5 for three!  Take a look at the link below.

http://www.actnow.org.uk/posters

OSC Annual Report On Surveillance (RIPA) Published

 

canstockphoto8990372.jpg

Steve Morris

 

On the 7th July 2016 the Office of Surveillance Commissioners (OSC) published the 2015-2016 Annual Report.

The report covers the period from 1st April 2015 to 31st March 2016 and should be read by public authorities, especially councils, who conduct surveillance under Part 2 of the Regulation of Investigatory Powers Act 2000 (RIPA) (Directed Surveillance, Intrusive Surveillance and the deployment of a Covert Human Intelligence Source (CHIS)).

We have reviewed the report and below are summaries of comments and sections of particular relevance to public authorities other than law enforcement. (The section numbers from the report are quoted below so that reference to the complete text can be made.)

Reduced use by public authorities Section 2.3.

  • There is substantially reduced number of authorisations by public authorities, most notably local district and borough councils, who do not deploy their statutory powers, or do so very rarely indeed, and do not intend or expect to do so in future.

However, while they remain vested with these powers, the appropriate structures and training must continue to be in place so that if they come to be exercised, the exercise will be lawful.

This reduction could be related to the substantial budgetary cuts faced by councils and the requirement for Magistrates’ Approval (and other reforms), which took effect on 1st November 2012.

Changed arrangements for inspection of local authorities Section 2.10.

  • The OSC is to introduce a new system of inspection for some local authorities where the statutory powers have not been used at all, or have been very rarely used in the last three years since a previous inspection, the process will start on paper, with a request for information. An Inspector or Assistant Surveillance Commissioner will visit the authority if there has been any significant increase in the use of the statutory powers, or if the responses to the OSC paper give ground for concern, or if the authority itself requests a personal visit by an Inspector. There will be no automatic visit.

Irregularities Section 4.18.

  • The total number of reports of irregularities (100) continues to represent a tiny proportion of the total number of authorisations granted during the course of a year. The overwhelming majority are the result of human error.

Section 4.19.

  • Irregularities caused by human error reinforces the need for those with responsibilities for ensuring compliance with the statutory provisions to receive regular, updated training, together with the need for continuing robust oversight by senior officers and managers of the processes. In the case of enforcement agencies, including the police, both these requirements are understood. In relation to some of the public authorities which, facing strains on their financial resources either have ceased or virtually ceased to use the statutory powers, and do not envisage using them in the future, training arrangements can sometimes assume a lowly priority. The view of the OSC is that every single authority vested with the relevant statutory powers should have in place structures and training arrangements which will ensure that the exercise of any such powers, even if arising unexpectedly, will be lawful.

Use of covert powers by public authorities other than law enforcement agencies Section 5.10.

  • From the OSC point of view the principle is clear. The fact that a local authority has elected not to exercise the relevant statutory powers does not remove it from the inspection process. While it retains these powers, which may be exercised at any time, appropriate structures and officials with the requisite training are required.

The “virtual world” Section 2.8.

  • There is a shift towards criminal activity in or by the use of the “virtual world”. This increases the demands on those responsible for covert surveillance. They need an understanding of the technological advances and myriad types of communication and storage devices which are constantly being updated. They also need assistance about how the statutory powers available to them can or should be applied

Social Networks and the “virtual world” Section 5.17.

  • Patterns of criminal planning are changing to embrace technological advances. Criminals and terrorists are less likely to meet in public, in parked up cars, with police officers using binoculars and longsighted cameras to follow their movements. Social media and private electronic communications provide greater anonymity for the criminals, and enable their activities to proceed on a global scale. This issue was addressed by my predecessor in his last two reports, and the Surveillance Commissioners have issued guidance on the need for appropriate authorisations to cover these developments.

Extract from OSC Procedures & Guidance document

Covert surveillance of Social Networking Sites (SNS)

  1. The fact that digital investigation is routine or easy to conduct does not reduce the need for authorisation. Care must be taken to understand how the SNS being used works. Authorising Officers must not be tempted to assume that one service provider is the same as another or that the services provided by a single provider are the same.

288.1 Whilst it is the responsibility of an individual to set privacy settings to protect unsolicited access to private information, and even though data may be deemed published and no longer under the control of the author, it is unwise to regard it as ―open source, or publicly available; the author has a reasonable expectation of privacy if access controls are applied. In some cases data may be deemed private communication still in transmission (instant messages for example). Where privacy settings are available but not applied the data may be considered open source and an authorisation is not usually required. Repeat viewing of ―open source sites may constitute directed surveillance on a case by case basis and this should be borne in mind.

288.2 Providing there is no warrant authorising interception in accordance with section 48(4) of the 2000 Act, if it is necessary and proportionate for a public authority to breach covertly access controls, the minimum requirement is an authorisation for directed surveillance. An authorisation for the use and conduct of a CHIS is necessary if a relationship is established or maintained by a member of a public authority or by a person acting on its behalf (i.e. the activity is more than mere reading of the site‘s content).

288.3 It is not unlawful for a member of a public authority to set up a false identity but it is inadvisable for a member of a public authority to do so for a covert purpose without an authorisation for directed surveillance when private information is likely to be obtained. The SRO should be satisfied that there is a process in place to ensure compliance with the legislation. Using photographs of other persons without their permission to support the false identity infringes other laws.

288.4 A member of a public authority should not adopt the identity of a person known, or likely to be known, to the subject of interest or users of the site without authorisation, and without the consent of the person whose identity is used, and without considering the protection of that person. The consent must be explicit (i.e. the person from whom consent is sought must agree (preferably in writing) what is and is not to be done).

Section 5.18.

  • Inspectors and the Assistant Surveillance Commissioners pay particular attention to the way this developing method of criminal activity is kept under covert surveillance. The topic forms the basis for numerous requests for guidance. Perhaps the most significant feature is that investigating authorities cannot proceed on the basis that because social networking developed after much of the legislation came into force it is immunised from compliance with it. Requirements for appropriate authorisation may arise from the work done by those whose roles do not traditionally fall within RIPA or RIP(S)A. The necessary training and information must be addressed by the Senior Responsible Officer in each authority.

See our blog post on RIPA and social networks.

Common inspection findings Section 5.23

  • Some of the more common areas of criticism revealed in the inspection reports. They must be seen in context. In relation to law enforcement agencies, the standard of applications to and decisions of Authorising Officers for directed surveillance, property interference and intrusive surveillance are generally sound. Much of this is due to increased focus on the statutory requirements, clear internal leadership and investment in training.
  • The greatest complexity arises in the context of CHIS… In the context of social media in particular, it is sometimes difficult to recognise when a CHIS relationship has been established.

See our blog post on common inspection findings.

Section 5.24.

  • Some intelligence cases are too brief, others too long; most are of appropriate length; similarly with reviews, when a pertinent summary of what has happened since the latest update is required with, so far as possible, a simple explanation why the covert activity remains necessary and proportionate;
  • Occasional formulaic considerations given to the potential for collateral intrusion; for the OSC it remains a crucial feature that any authorisation for covert surveillance should be confined to those against whom there are grounds for suspicion, not their families or friends;
  • Authorisations for surveillance tactics and equipment use which, when reviews and cancellations are examined, appear to have been too widely drawn at the outset;
  • The conduct parameters for a CHIS are sometimes unclear and occasionally in such cases, the full extent of risks to the CHIS are insufficiently addressed, or, where the records are required by statute, left incomplete;
  • At cancellation, occasionally more detail is required from the Authorising Officer about the activity conducted, the value of the surveillance, the resulting product, and its management, and whether there has been any tangible or beneficial outcome, together with greater attention to any collateral intrusion;
  • In relation to public authorities the need for training for those vested with surveillance responsibilities is sometimes overlooked, particularly when budgets have been seriously depleted; in the case of adjacent local authorities training costs could perhaps be shared.

This is a summary of the detailed annual report – clearly the OSC places a high value on training (mentioned 19 times!), and indicates difficulties that arise as a result of not providing the training for all personnel involved or likely to be involved in authorised activity.

One emerging trend not addressed in the report is the rise in covert surveillance undertaken without the protection of RIPA when a local authority deems it necessary and proportionate to conduct covert surveillance in relation to preventing or detecting crime which does not meet the six month criteria, or a public authority deems it necessary and proportionate to conduct covert surveillance as part of it’s legitimate pursuit of responsibilities in relation to public safety, public health, regulation, and enforcement, in compliance with Article 8 Human Rights (commonly known as ‘non RIPA Surveillance’). See our blog post here for more on this issue.

Act Now’s programme of RIPA Courses  address all of the issues raised in the report, and those associated with non RIPA surveillance, research and gathering of intelligence as well as evidence from social media. If your training budget is an issue, our online RIPA training is worth trying out. Module 1 is free.

The OSC Procedures & Guidance document (July 2016) has now been re issued and is, for the first time, available to download from the OSC website.

Act Now also has a RIPA policy and procedures manual which is very useful for those revising their RIPA documents. It contains useful guidance for staff on when RIPA applies and how to complete the authorisation forms.

Raise awareness of RIPA in your organisation with our RIPA poster.

Steve Morris is a former police officer who delivers our RIPA Courses as well as a course on Internet Investigations.

Surveillance under RIPA: neither a strict legal framework nor rigorously overseen – Sam Lincoln

Interesting post from Sam Lincoln, an ex OSC Chief Inspector. Sam is the author of our RIPA E Learning course: http://www.actnow.org.uk/content/185

CCTV and the Law

By Steve Morris[ File # csp0356261, License # 1228612 ] Licensed through http://www.canstockphoto.com in accordance with the End User License Agreement (http://www.canstockphoto.com/legal.php) (c) Can Stock Photo Inc. / fintastique

The updated version of the Information Commissioner’s CCTV Code of Practice address the rising phenomena of surveillance technologies and methods. No longer are surveillance cameras passive image collectors, providing a resource for immediate use or historical evidence.

CCTV, ANPR, Body Worn Cameras, Aerial Drones, together with the associated analytical tools and software, are all technologies being used within many public and private sector organisations.

These technologies are invaluable for efficient and effective public protection as well as revenue collection and enforcement activities. Just one such example might be lone workers performing a caring function and for their safety, wearing audio and video recording equipment when they leave the safety of their own home. These persons then enter the private dwelling of a vulnerable person in need of assistance. In some instances the video and audio will be running throughout the whole of the attendance – often with a live feed to a control room. The benefits for the safety of the carer are clear, and the immediate response and advice by control room personnel is undoubtedly beneficial for the person requiring assistance. But this equipment is capturing images and conversation of an individual, and perhaps family and friends, within that person’s private home. The images and conversation, being witnessed by others many miles away is likely to be very intimate and private.

Does this vulnerable person or those responsible for them realise this is actually taking place?

Do they consent to it as a part of the provision of the service?

Before a public authority undertakes such activity it must conduct a privacy impact assessment, and perhaps obtain consent for the collection and processing of such information. Without such consideration – and a record of such assessment, then it might easily be argued that the organisation has not shown “Respect for the private life” in accordance with Article 8 of the European Convention on Human Rights, and the activity might be deemed to be unlawful – and indeed might be in breach of the Data Protection Act 1998. The Care Quality Commission has issued guidance on use of cameras in care homes.

The Surveillance Camera Commissioner, Tony Porter, pursuing compliance with a Code of Practice issued in accordance with the Protection of Freedoms Act has identified several aspects non-compliance when it comes to CCTV cameras:

  • Inadequate or non-existent privacy impact assessments
  • Equipment deployed with no respect or consideration for privacy or consideration for the benefit balanced with intrusion (proportionality)
  • Equipment in use not fit for purpose
  • Excessive use of surveillance
  • Removal of surveillance such as CCTV to reduce costs with little regard for the void left in relation to public safety and security

In a speech to the CCTV User Group, Mr Porter said budget cuts had led councils to decide to spend less on public space CCTV, meaning there was less money for staff training, poorer understanding of legal issues and a reduced service. He said councils could face greater scrutiny of their use of CCTV, including potential inspections and enforcement. Organisations should carry out annual reviews of their CCTV capacity but many failed to do so. He cited a West Midlands local authority which, upon review, reduced the number of ineffective cameras and saved £250,000 in the process.

Mr Porter, who has been in his post since March 2014, has written to council chief executives to remind them of the law and code of practice.

My latest series of one day CCTV law workshops examine the ‘surveillance landscape’ and the regulatory regime of the Information Commissioner, the Office of the Surveillance Commissioner, and the Surveillance Camera Commissioner. Attendees will be able to identify which regime(s) and codes of practice apply to their surveillance activity, and how to manage efficient, effective and lawful surveillance systems.

Steve Morris is an ex police officer and one of our expert surveillance law trainers. His CCTV law workshops take place in Manchester and London in October.