Category: OSC

New RIPA Codes come into force on 10th December 2014

file000640591433

On 10th December 2014 revised versions of the two codes of practice under Part 2 of the Regulation of Investigatory Powers Act 2000 (RIPA) will come into force. This will be as a result of two statutory instruments made on 19th November 2014 namely; the Regulation of Investigatory Powers (Covert Surveillance and Property Interference: Code of Practice) Order 2014 and the Regulation of Investigatory Powers (Covert Human Intelligence Sources: Code of Practice) Order 2014.

The revised codes are essential reading for those public authorities, especially councils, who conduct surveillance (Directed Surveillance, Intrusive Surveillance and the deployment of a Covert Human Intelligence Source (CHIS)). They take account of the changes, which took effect on 1st November 2012; namely magistrates’ approval for council surveillance and a new six-month threshold test for Directed Surveillance.

CCTV is a hot topic. Following complaints by Big Brother Watch, the Information Commissioner’s Office (ICO) has taken enforcement action involving both number plate recognition cameras and cameras recording people’s conversations in taxis. On 15th October 2014, the ICO published its 44 page code of practice on surveillance cameras and personal information. Revised paragraph 2.27 of the covert surveillance code draws attention to the importance of complying with the Data Protection Act and consequently the ICO code as well as the Surveillance Camera Code, when using overt CCTV cameras for surveillance. The Surveillance Camera Code, came into force last year and was made pursuant to the Protection of Freedoms Act 2012 (PoFA). It governs the use of surveillance camera systems including CCTV and Automatic Number Plate Recognition (ANPR) and applies to local authorities and policing authorities in England and Wales.

As regards the legal effects of the Surveillance Camera Code:

“A failure on the part of any person to act in accordance with any provision of this code does not of itself make that person liable to criminal or civil proceedings. This code is, however, admissible in evidence in criminal or civil proceedings, and a court or tribunal may take into account a failure by a relevant authority to have regard to the code in determining a question in any such proceedings” (paragraph 1.16 of the PoFA code).

The Surveillance Camera Commissioner has been appointed by the Home Secretary but has no enforcement or inspection powers unlike the ICO. He “should consider how best to ensure that relevant authorities are aware of their duty to have regard for the Code and how best to encourage its voluntary adoption by other operators of surveillance camera systems” (paragraph 5.3 of the PoFA code). (see our workshop on the Surveillance Camera Code)

The Chief Surveillance Commissioner in his annual report, published on 4th September 2014, drew special attention to the use of the Internet for investigations, particularly involving social networking sites. He suggests that a RIPA authorisation may be required for some online investigations. (See our detailed blog post on the OSC report.) Paragraph 2.29 of the revised covert surveillance code states:

“2.29 The use of the internet may be required to gather information prior to and/or during an operation, which may amount to directed surveillance. Whenever a public authority intends to use the internet as part of an investigation, they must first consider whether the proposed activity is likely to interfere with a person’s Article 8 rights, including the effect of any collateral intrusion. Any activity likely to interfere with an individual’s Article 8 rights should only be used when necessary and proportionate to meet the objectives of a specific case. Where it is considered that private information is likely to be obtained, an authorisation (combined or separate) must be sought as set out elsewhere in this Code. Where an investigator may need to communicate covertly online, for example contacting individuals using social media websites, a CHIS authorisation should be considered.”

Paragraph 4.32 of the revised CHIS code states:

“4.32 The use of the internet may be required to gather information prior to and/ or during a CHIS operation, which may amount to directed surveillance. Alternatively the CHIS may need to communicate online, for example this may involve contacting individuals using social media websites. Whenever a public authority intends to use the internet as part of an investigation, they must first consider whether the proposed activity is likely to interfere with a person’s Article 8 rights, including the effect of any collateral intrusion. Any activity likely to interfere with an individual’s Article 8 rights should only be used when necessary and proportionate to meet the objectives of a specific case. Where it is considered that private information is likely to be obtained, an authorisation (combined or separate) must be sought as set out elsewhere in this Code.”

We have a workshop on investigating E – Crime and Social Networking Sites, which considers all the RIPA implications of such activities.

On the keeping of records both revised RIPA codes state that, although records are only required to be retained for at least three years, it is desirable, if possible, to retain records for up to five years. Finally both revisions confirm that local authorities are no longer able to orally authorise the use of RIPA techniques and that “Out of hours arrangements should be in place with HMCS to deal with out of hours applications.”

These are the main changes to the RIPA codes. We have prepared a detailed document setting out all the changes. Please e-mail us (info@actnow.org.uk) if you would like a copy.

Act Now will be revising its RIPA Policy and Procedures Toolkit to take account of the RIPA codes. The toolkit gives you a standard policy as well as forms (with detailed notes to assist completion) for authorising RIPA and non-RIPA surveillance. Now is the time to consider refresher training for RIPA investigators and authorisers. We have a full program of RIPA Courses and can also deliver these at your premises, tailored to the audience.

OSC Annual RIPA Report (2014) – Key Points

file0001162281290

The Chief Surveillance Commissioner published his annual report on 4th September 2014. The report covers the period from 1st April 2013 to 31st March 2014 and is essential reading for those public authorities, especially councils, who conduct surveillance under Part 2 of the Regulation of Investigatory Powers Act 2000 (RIPA) (Directed Surveillance, Intrusive Surveillance and the deployment of a Covert Human Intelligence Source (CHIS)). The report details statistics relating to the use of these tactics and information about how the Office of Surveillance Commissioners (OSC) conducts its oversight role.

Non-law enforcement agencies (including councils) authorised Directed Surveillance on 4,412 occasions in the reporting period. This continues a downward trend over the last few years. Last year there were 5,827 of such authorisations. 75% of these were completed by the Department for Work and Pensions.

The report also considers the changes, which took effect on 1st November 2012; namely magistrates’ approval for council surveillance and a new six-month threshold test for Directed Surveillance. There were 517 approval requests made to a magistrate in the reporting period of which only 26 were rejected. On the whole the changes are working well but the Chief Surveillance Commissioner has expressed concern about the level of RIPA knowledge amongst magistrates:

“What has become clear is that the knowledge and understanding of RIPA among magistrates and their staff varies widely. Adequate training of magistrates is a matter for others, but I highlight the need. The public is not well served if, through lack of experience or training, magistrates are not equipped effectively to exercise the oversight responsibility, which the legislation requires. I am aware, for example, of one magistrate having granted an approval for activity retrospectively, and another having signed a formal notice despite it having been erroneously completed by the applicant with details of a different case altogether.” (Para 3.10)

The Commissioner notes a continuing steady decline in the use of Directed Surveillance by local councils which may, or may not, have resulted from the introduction of the need to seek a magistrate’s approval. In one borough council there had been 47 directed surveillance authorisations between 2010 and the introduction of The Protection of Freedoms Act 2012 and none in the 16 months thereafter. (It is important to note that, as the Commissioner pointed out at paragraph 5.5 of last year’s report, RIPA is permissive legislation and there may be occasions where surveillance outside the scope of RIPA may be required. He pointed to the IPT decision in BA and others v Cleveland Police (IPT/11/129/CH). This is in keeping with Ibrahim Hasan’s view as explained previously on this blog. )

Where councils have continued to use their RIPA powers, the OSC has identified a lack of a corporate approach to the new process. Some councils have established or used existing relationships with their local magistrates’ court to ensure that both parties were prepared for the impact of the new Act; some have gone so far as to provide a training input to local magistrates and their clerks, so they understand RIPA and the type of case and associated documentation which will be presented to them. (The Home Office guidance document is a good place to start for authorities new to the approval process.)

Social Networks

The Commissioner draws special attention in his report to the use of the Internet for investigations, particularly involving social networking sites:

“5.30. This is now a deeply embedded means of communication between people and one that public authorities can exploit for investigative purposes. I am reasonably satisfied that there is now a heightened awareness of the use of the tactic and the advisable authorisations under RIPA that should be considered. Although there remains a significant debate as to how anything made publicly available in this medium can be considered private, my Commissioners remain of the view that the repeat viewing of individual “open source” sites for the purpose of intelligence gathering and data collation should be considered within the context of the protection that RIPA affords to such activity.”

The Commissioner advises caution when conducting online investigations:

“5.31. In cash-strapped public authorities, it might be tempting to conduct on line investigations from a desktop, as this saves time and money, and often provides far more detail about someone’s personal lifestyle, employment, associates, etc. But just because one can, does not mean one should. The same considerations of privacy, and especially collateral intrusion against innocent parties, must be applied regardless of the technological advances.”

He goes on to suggest that a RIPA authorisation may be required for some online investigations:

“5.32. Access to social networking sites by investigators in all public authorities is something we examine on inspections. Many, particularly the law enforcement agencies, now have national and local guidance available for their officers and staff. However, many local authorities and government departments have still to recognise the potential for inadvertent or inappropriate use of the sites in their investigative and enforcement role. Whilst many have warned their staff of the dangers of using social media from the perspective of personal security and to avoid any corporate damage, the potential need for a RIPA authorisation has not been so readily explained.

5.33. I strongly advise all public authorities empowered to use RIPA to have in place a corporate policy on the use of social media in investigations. Some public authorities have also found it sensible to run an awareness campaign, with an amnesty period for declarations of any unauthorised activity or where, for example, officers have created false personae to disguise their on line activities.”

We have a workshop on investigating E – Crime and Social Networking Sites, which considers all the RIPA implications of such activities.

Common inspection findings

Over the past year, the OSC has carried out in excess of 140 council inspections in England and Wales. At paragraph 5.37 of the report, the Commissioner lists the main issues that he has commented upon in his inspection reports:

· Unsubstantiated and brief, or, conversely, excessively detailed intelligence cases

· Poor and over-formulaic consideration of potential collateral intrusion and how this will be managed

· Poor proportionality arguments by both applicants and Authorising Officers – the four key considerations (identified by my Commissioners and adopted within the Home Office Codes of Practice) are often not fully addressed

· A surfeit of surveillance tactics and equipment being requested and granted but rarely fully used when reviews and cancellations are examined

· At cancellation, a lack of adequate, meaningful update for the Authorising Officer to assess the activity conducted, any collateral intrusion that has occurred, the value of the surveillance and the resultant product; with, often, a similarly paltry input by Authorising Officers as to the outcome and how product must be managed

· On the CHIS documentation, a failure to authorise a CHIS promptly as soon as they have met the criteria; and in many cases (more typically within the non-law enforcement agencies) a failure to recognise or be alive to the possibility that someone may have met those criteria

· Some risk assessments can be over-generic and not timeously updated to enable the Authorising Officer to identify emergent risks

· Discussions that take place between the Authorising Officer and those charged with the management of the CHIS under Section 29(5) of RIPA are not always captured in an auditable manner for later recall or evidence

· As resources become stretched within police forces, the deputy to the person charged with responsibilities for CHIS under Section 29(5)(b) often undertakes those functions: as with an Authorising Officer, this is a responsibility which cannot be shared or delegated

· Outside pure documentary issues, a lack, in some public authorities, of ongoing refresher training for those that require it; and a need for an improved level of personal engagement in the oversight process by the Senior Responsible Officer.

Now is the time to consider refresher training for RIPA investigators and authorisers. We have a full program of RIPA Courses and can also deliver these at your premises, tailored to the audience. If you want to avoid re inventing the wheel, our RIPA Policy and Procedures Toolkit gives you a standard policy as well as forms (with detailed notes to assist completion) for authorising RIPA and non-RIPA surveillance. There is substantial discount for orders received before 30th September 2014.