Category: RIPA

Facebook, Social Networks and the Need for RIPA Authorisations

canstockphoto12584745By Ibrahim Hasan

Increasingly local authorities are turning to the online world, especially social media, when conducting investigations. There is some confusion as to whether the viewing of suspects’ Facebook accounts and other social networks requires an authorisation under Part 2 of the Regulation of Investigatory Powers Act 2000 (RIPA). In his latest annual report the Chief Surveillance Commissioner states (paragraph 5.42):

“Perhaps more than ever, public authorities now make use of the wide availability of details about individuals, groups or locations that are provided on social networking sites and a myriad of other means of open communication between people using the Internet and their mobile communication devices. I repeat my view that just because this material is out in the open, does not render it fair game. The Surveillance Commissioners have provided guidance that certain activities will require authorisation under RIPA or RIP(S)A and this includes repetitive viewing of what are deemed to be “open source” sites for the purpose of intelligence gathering and data collation.”

Careful analysis of the legislation suggests that whilst such activity may be surveillance, within the meaning of RIPA (see S.48(2)), not all of it will require a RIPA authorisation. Of course RIPA geeks will know that RIPA is permissive legislation anyway and so the failure to obtain authorisation does not render surveillance automatically unlawful (see Section 80).

There are two types of surveillance, which may be involved when examining a suspect’s Facebook or other social network pages; namely Directed Surveillance and the deployment of a Covert Human Intelligence Source (CHIS). Section 26 of the Act states that surveillance has to be covert for it to be directed:

“surveillance is covert if, and only if, it is carried out in a manner that is calculated to ensure that persons who are subject to the surveillance are unaware that it is or may be taking place” (my emphasis)

If an investigator decides to browse a suspect’s public blog, website or “open” Facebook page (i.e. where access is not restricted to “friends”, subscribers or followers) how can that be said to be covert? It does not matter how often the site is accessed as long as the investigator is not taking steps to hide his/her activity from the suspect. The fact that the suspect is not told does about the “surveillance” does not make it covert. Note the words in the definition of covert; “unaware that it is or may be taking place.” If a suspect chooses to publish information online they can expect the whole world to read it including law enforcement and council investigators. If he/she wants or expects privacy it is open to them to use the available privacy settings on their blog or social network.

The Commissioner stated in last year’s annual report:

“5.31 In cash-strapped public authorities, it might be tempting to conduct on line investigations from a desktop, as this saves time and money, and often provides far more detail about someone’s personal lifestyle, employment, associates, etc. But just because one can, does not mean one should. The same considerations of privacy, and especially collateral intrusion against innocent parties, must be applied regardless of the technological advances.” (my emphasis)

I agree with the last part of this statement. The gathering and use of online personal information by public authorities will still engage Human Rights particularly the right to privacy under Article 8 of the European Convention on Human Rights. To ensure such rights are respected the Data Protection Act 1998 must be complied with. A case in point is the monitoring last year of Sara Ryan’s blog by Southern Health NHS Trust. Our data protection expert Tim Turner wrote recently about the data protection implications of this kind of monitoring.

Where online surveillance involves employees then the Information Commissioner’s Office’s (ICO) Employment Practices Code (part 3) will apply. This requires an impact assessment to be done before the surveillance is undertaken to consider, amongst other things, necessity, proportionality and collateral intrusion. Whilst the code is not law, it will be taken into account by the ICO and the courts when deciding whether the DPA has been complied with. In December 2014, Caerphilly County Borough Council signed an undertaking after an ICO investigation found that the Council’s surveillance of an employee , suspected of fraudulently claiming to be sick, had breached the DPA.

Facebook Friends – A Friend Indeed

Of course the situation will be different if an investigator needs to become a “friend’ of a person on Facebook in order to communicate with them and get access to their profile and activity pages. For example, local authority trading standards officers often use fake profiles when investigating the sale of counterfeit goods on social networks. In order to see what is on sale they have to have permission from the suspect. This, in my view, does engage RIPA as it involves the deployment of a CHIS defined in section 26(8):

“For the purposes of this Part a person is a covert human intelligence source if—

(a) he establishes or maintains a personal or other relationship with a person for the covert purpose of facilitating the doing of anything falling within paragraph (b) or (c);

(b) he covertly uses such a relationship to obtain information or to provide access to any information to another person; or

(c) he covertly discloses information obtained by the use of such a relationship, or as a consequence of the existence of such a relationship”  (my emphasis)

Here we have a situation where a relationship (albeit not personal) is formed using a fake online profile to covertly obtain information for a covert purpose. In the case of a local authority, this CHIS will not only have to be internally authorised but also, since 1st November 2012, approved by a Magistrate.

This is a complex area and staff who do not work with RIPA on a daily basis can be forgiven for failing to see the RIPA implications of their investigations. From the Chief Surveillance Commissioner’s comments (below) in his annual report, it seems advisable for all public authorities to have in place a corporate policy and training programme on the use of social media in investigations:

“5.44 Many local authorities have not kept pace with these developments. My inspections have continued to find instances where social networking sites have been accessed, albeit with the right intentions for an investigative approach, without any corporate direction, oversight or regulation. This is a matter that every Senior Responsible Officer should ensure is addressed, lest activity is being undertaken that ought to be authorised, to ensure that the right to privacy and matters of collateral intrusion have been adequately considered and staff are not placed at risk by their actions and to ensure that ensuing prosecutions are based upon admissible evidence.”

We have a workshop on investigating E – Crime and Social Networking Sites, which considers all the RIPA implications of such activities. It can also be delivered in house.

In conclusion, my view is that RIPA does not apply to the mere viewing of “open” websites and social network profiles. However in all cases the privacy implications have to be considered carefully and compliance with the Data Protection Act is essential.

Ibrahim will be looking at this issue in depth in our forthcoming webinars.

Looking to update/refresh your colleagues’ RIPA Knowledge. Try our RIPA E Learning Course. Module 1 is free.

We also have a full program of RIPA Courses and our RIPA Policy and Procedures Toolkit contains standard policies as well as forms (with detailed notes to assist completion).

New RIPA E-Learning Course

capture-20150824-141930

Regular refresher training for those conducting covert surveillance under Part 2 of the Regulation of Investigatory Powers Act (RIPA) is a common recommendation by the Office of Surveillance Commissioners (OSC) following inspections. Up to now, public authorities have had a choice of sending their staff on external courses or engaging our RIPA experts to deliver customised in house training at their premises. Both these options have cost implications. Some authorities can only afford to train a handful of staff thereby running the risk of non compliance by others who may not know what RIPA is and when it is engaged.

Enter the new Act Now RIPA E Learning Course. From the comfort of their own desk public authority staff can now receive relevant and up to date training on covert surveillance regulated by Part 2 of RIPA (Directed Surveillance, CHIS and Intrusive Surveillance) including the authorisation process. From as little as £49 plus vat, five interactive modules can be accessed which have a stimulating and creative approach that engages and challenges the learner. Real-life scenarios, knowledge checks, case studies and examples are included to add relevance and increase comprehension and retention. A short final course assessment leads to a certificate.

This course is not just for new staff or those with little knowledge of RIPA. It will also help experience staff to refresh and update their knowledge as it takes into account the latest RIPA codes and new authorisation procedures. Those who are really confident can do the final course assessment first, to test and identify any gaps in their knowledge. These can then be filled by doing each module. The unscored quizzes and interactions within each module and the final scored assessment are designed to challenge even RIPA geeks!

Sam Lincoln, a former OSC chief inspector, has designed the course assisted by Ibrahim Hasan. Sam says:

“I was delighted to be commissioned by Ibrahim and his team at Act Now to produce this eLearning course. When I was Chief Inspector at the OSC I was aware that many local authorities, constrained by budget reductions, were attempting to provide their own training in-house. Despite valiant efforts the result was often regurgitation of the codes of practice and ‘death by PowerPoint’ lectures. I wanted to produce something that was more interesting and included interaction, feedback and assessment.”

Upon reviewing the course our RIPA expert and trainer, Steve Morris, said:

“I have had an opportunity to review the finished product and have to say it is a great mix of knowledge, animation and assessment, using many different learning delivery methods to keep the learner engaged. Sam provides clear well-paced narration and his choice of words make the modules easy to follow and understand. I would say the modules are ideal for anyone involved with the management and application of RIPA, whatever their position.”

The Act Now RIPA E Learning Course is suitable for staff in all public authorities but particularly those in local authorities working in trading standards, environmental health, planning, licensing and enforcement.

Want to know more? Watch module 1 for FREE and join our live demonstration webinar.

Office of Surveillance Commissioners (OSC) Annual RIPA Report (2015) – Key Points

file2871316133148

The Chief Surveillance Commissioner, Sir Christopher Rose, published his final annual report on 25th June 2015. A lot of the report is typical of someone in his position who is leaving office, having a few parting moans. Then again, a £56,000 maintenance fee from the Home Office (paragraph 3.3) for a relatively simple website is well worth moaning about)!

The report covers the period from 1st April 2014 to 31st March 2015 and should be read by public authorities, especially councils, who conduct surveillance under Part 2 of the Regulation of Investigatory Powers Act 2000 (RIPA) (Directed Surveillance, Intrusive Surveillance and the deployment of a Covert Human Intelligence Source (CHIS)). It details statistics relating to the use of these tactics and information about how the Office of Surveillance Commissioners (OSC) conducts its oversight role.

Non-law enforcement agencies (including councils) authorised Directed Surveillance on 2207 occasions in the reporting period. The Department for Work and Pensions completed 25% of these. This continues a downward trend over the last few years. Last year there were 4,412 of such authorisations. Much of this downward trend is due to the continued impact of the changes, which took effect on 1st November 2012; namely magistrates’ approval for council surveillance and a new six-month threshold test for Directed Surveillance.

A total of 373 authorisations were presented to a magistrate for approval under The Protection of Freedoms Act 2012 during the reporting period. Just 17 were rejected. The Commissioner continues to be sceptical about the need for the changes saying, “I remain to be convinced of the value of this additional approval procedure which, obviously, promotes delay.”

The Commissioner, just like in his previous report, has expressed concern about the level of RIPA knowledge amongst magistrates:

“I have good reason to believe that training provision for magistrates in relation to RIPA and The Protection of Freedoms Act 2012 has been minimal and several councils have ended up providing this themselves to enable the new procedure to work effectively: this is commendable but not, presumably, what Parliament contemplated.” (Para 5.27)

Social Networks

The Commissioner advises caution when conducting online investigations especially where this involves examining social networking sites. A RIPA authorisation may be required in some cases:

“5.42 Perhaps more than ever, public authorities now make use of the wide availability of details about individuals, groups or locations that are provided on social networking sites and a myriad of other means of open communication between people using the Internet and their mobile communication devices. I repeat my view that just because this material is out in the open, does not render it fair game. The Surveillance Commissioners have provided guidance that certain activities will require authorisation under RIPA or RIP(S)A and this includes repetitive viewing of what are deemed to be “open source” sites for the purpose of intelligence gathering and data collation.”

From the Commissioner’s comments at paragraph 5.44 it seems advisable that councils should have in place a corporate policy and training programme on the use of social media in investigations:

“Many local authorities have not kept pace with these developments. My inspections have continued to find instances where social networking sites have been accessed, albeit with the right intentions for an investigative approach, without any corporate direction, oversight or regulation. This is a matter that every Senior Responsible Officer should ensure is addressed, lest activity is being undertaken that ought to be authorised, to ensure that the right to privacy and matters of collateral intrusion have been adequately considered and staff are not placed at risk by their actions and to ensure that ensuing prosecutions are based upon admissible evidence.”

We have a workshop on investigating E – Crime and Social Networking Sites, which considers all the RIPA implications of such activities.

Common inspection findings

At paragraph 5.47 of the report, the Commissioner lists the main issues that he has commented upon in his inspection reports:

  • Unsubstantiated and brief, or, conversely, excessively detailed intelligence cases
  • Over-formulaic consideration of potential collateral intrusion and an explanation of how this will be managed
  • Limited proportionality arguments by both applicants and Authorising Officers – the four key considerations (identified by my Commissioners and adopted within the Home Office Codes of Practice), if addressed in turn, should provide a suitably reasoned argument
  • More surveillance tactics and equipment authorised at the outset than appear to have been utilised when reviews and cancellations are examined
  • A regurgitation of the original application content at reviews, including a “cut and paste” proportionality entry that fails to address why the activity is still justified, in place of a meaningful update to the Authorising Officer about what has taken place in the intervening period
  • At cancellation, a rarity of meaningful detail for the Authorising Officer about the activity conducted, any collateral intrusion that has occurred, the value of the surveillance and the resultant product; and whether there has been any tangible outcome
  • Similarly, paltry input by Authorising Officers at cancellation as to the outcome and how product must be managed, and any comment about the use or otherwise of all that had been originally argued for and authorised
  • In the case of higher level authorisations for property interference and intrusive surveillance, an over-reliance by Senior Authorising Officers on pre-­prepared entries that alter little from case to case, or at times, regardless of who is acting as the Authorising Officer
  • In those same cases, often poorly articulated personal considerations as to the matters of necessity, collateral intrusion and proportionality; no or few entries at reviews; and little meaningful comment at cancellation
  • On the CHIS documentation, less common, but still encountered, the failure to authorise a CHIS promptly as soon as they have met the criteria; and in many cases (more typically within the non-law enforcement agencies) a failure to recognise or be alive to the possibility that someone may have met those criteria
  • A huge variation in the standard of risk assessments, whereby some provide an excellent “pen picture” of the individual concerned and the associated risks, whilst others can be over-generic and are not timeously updated to enable the Authorising Officer to identify emergent risks
  • Discussions that take place between the Authorising Officer and those charged with the management of the CHIS under Section 29(5) of RIPA are not always captured in an auditable manner for later recall or evidence, though this is starting to improve following our advice
  • As resources become stretched within police forces, the deputy to the person charged with responsibilities for CHIS under Section 29(5)(b) often undertakes those functions: as with an Authorising Officer, this is a responsibility which cannot be shared or delegated

Finally the Commissioner says that during inspections his staff have found that there is “a continuing lack, in many public authorities, of on-going refresher training for officers who may have been trained many years ago, or who have not been eligible for specialised training by dint of career progression or role.”

Those who have an OSC inspection in the Autumn should read Sam Lincoln’s e book which he has written for us entitled “How To Impress An OSC Inspector.” Get in touch if you want a free copy.

Last year new codes of practice under Part 2 of RIPA were introduced.

STOP PRESS… STOP PRESS… STOP PRESS… STOP PRESS…

ONLINE RIPA TRAINING

Looking for an e-learning solution for your RIPA training needs? http://www.actnow.org.uk/content/185

———————————————————————————————————-

Now is the time to consider refresher training for RIPA investigators and authorisers. We have a full program of RIPA Courses and can also deliver these at your premises, tailored to the audience. If you want to avoid re inventing the wheel, our RIPA Policy and Procedures Toolkit gives you a standard policy as well as forms (with detailed notes to assist completion) for authorising RIPA and non-RIPA surveillance.

New RIPA Communications Data Code of Practice

In March 2015 a new Code of Practice for the Acquisition and Disclosure of Communications Data by public authorities, including councils, under Part I Chapter 2 of the Regulation of Investigatory Powers Act 2000(RIPA), came into force.  It contains several policy changes, which will require careful consideration.

The key change is the need to ensure the independence of the Designated Person (DP). This is the person within the public authority who has to be satisfied that acquiring the communications data is necessary and proportionate and who signs off the application. Paragraph 3.12 of the new code states that DPs must be independent from operations and investigations when granting authorisations, or giving notices related to those operations.

This policy change was brought about in response to the European Court of Justice (ECJ) Judgment which struck down the Data Retention Directive (2006/24/EC) as the Directive did not include sufficient safeguards as to why and by whom such data may be accessed. The Judgment noted that the Directive contained no safeguards in relation to access to the retained data, including in relation to the independence of the person authorising access to the retained data.

The new code requires public authorities to satisfy the Interception of Communications Commissioner’s Office (IOCCO) that they have sufficient measures in place to ensure the DP’s independence. IOCCO have set out certain guidelines. In a nutshell, a DP must not be directly responsible for the operation or investigation (i.e. they should not have a strategic or tactical influence on the investigation). He/she should be far enough removed from the applicant’s line management chain which will normally mean they are not within the same department or unit. Applicants should not be able to choose who the DP will be on a case by case basis (save for in urgent circumstances). Finally, there should be a defined group of DPs in an organisation i.e. a recognised list defined by role and/or position.

Public authorities will need to ensure that they have a formal procedure setting out the arrangements in place to ensure independence. This will be examined by IOCCO during their inspection. It will also explore how the DPs are selected to consider applications and will audit compliance with the code.

There are exceptions to the rule of independence of DPs set out in the IOCCO Circular of the 1st June 2015 advising public authorities of the changes. These exceptions mainly relate to urgent authorisations and where very small teams of investigators mean that independence would be difficult. These exceptions will not normally apply to local authorities.

In all circumstances where public authorities use DPs who are not independent from an operation or investigation (save for the exceptions) this must be notified to the IOCCO at the next inspection. The details of the public authorities and the reasons such measures are being undertaken may be published and included in the IOCCO report.

What Should You Do Now?

  1. Prepare for an IOCCO inspection. The Commissioner still inspects councils despite their infrequent use. Read here what a typical inspection involves.
  1. Review your current DP authorisations and procedures. You may need to nominate additional (independent) DPs
  1. Review training for DPs. Paragraph 3.8 of the code says:

“Individuals who undertake the role of a designated person must  have current working knowledge of human rights principles and  legislation, specifically those of necessity and proportionality, and how they apply to the acquisition of communications data under Chapter II and this code.”

Do all your DP’s have this knowledge to undertake their role?

Act Now is offering live and interactive webinars for DPs tailored to your organisation. The webinars last for one hour which include an online test. All participants receive a certificate of completion. Get in touch for a quote.

How To Impress An OSC Inspector – Free E Book

How to impress an OSC inspector

In recent weeks reports reviewing RIPA by the Independent Reviewer of Terrorism and the Royal United Services Institute have been published. Both reports emphasised the need for clearer law and stronger oversight.

Some may presume that their recommendations persuade the Government to replace the Regulation of Investigatory Powers Act (RIPA), its amendments and related legislation, with something entirely new. That presumption may prove accurate.

However, I believe that any replacement is unlikely to substantially adjust the basic tenet of RIPA which is founded on Human Rights legislation. In particular, it is likely to retain the basic principles of necessity and proportionality along with the requirement for public authorities to produce a verifiable and contemporaneous audit of decisions and actions.

Whether or not local authorities in United Kingdom will be enabled by similar discretionary power remains to be seen. But if the effect of the Protection of Freedoms Act is illustrative, taking away the protection of law does not necessarily prevent covert surveillance conducted intentionally or accidentally. It merely removes protection from liability … neither public authorities nor citizens are properly protected.

Unless, as is the case with an interception, forms of covert surveillance are made unlawful without a warrant or authorisation, it is likely that investigatory powers will remain discretionary. Discretion – even if later approved by a designated official external to the relevant investigating authority – attracts misuse by officials if not official misuse.

The demand for better oversight is a key recommendation in both reports and there is an increasing expectation that the public is better informed regarding the potential for or actual abuse of discretionary powers.

Suffice to say that the Office of Surveillance Commissioners, or a body with similar or enhanced responsibility, will remain. Inspection is likely to be a key method to assess compliance and performance.

Impressing an inspector – and thus providing a mechanism to protect reputation and improve trust – should remain a concern to all those who are enabled to conduct surveillance covertly.

In my new E Book “How To Impress An OSC Inspector”, I provide my personal insights regarding how a local authority might best approach an OSC inspection. The information in the book remains relevant regardless of future change to legislation. It is directed at local authorities but is relevant to other public authorities.

You can download the E Book here.

I would be interested in your views. Please feel free to comment (below) or directly by email.

Sam Lincoln was formerly Chief Surveillance Inspector with the Office of Surveillance Commissioners for seven years.

STOP PRESS… STOP PRESS… STOP PRESS… STOP PRESS…

ONLINE RIPA TRAINING

Looking for an e-learning solution for your RIPA training needs? http://www.actnow.org.uk/content/185

———————————————————————————————————-

Act Now has revised its RIPA Policy and Procedures Toolkit gives you a standard policy as well as forms (with detailed notes to assist completion) for authorising RIPA and non-RIPA surveillance. Now is the time to consider refresher training for RIPA investigators and authorisers. We have a full program of RIPA Courses and can also deliver these at your premises, tailored to the audience.

RIPA and Communications Data: 2014 Annual Report

 

 

Local authorities have powers, under Part I Chapter 2 of the Regulation of Investigatory Powers Act 2000(RIPA), to acquire communications data from Communications Service Providers (CSPs). The definition of “communications data” includes information relating to the use of a communications service (e.g. phone, internet, post) but does not include the contents of the communication itself. It is broadly split into 3 categories: “traffic data” i.e. where a communication was made from, to whom and when; “service data” i.e. the use made of the service by any person e.g. itemised telephone records; “subscriber data” i.e. any other information that is held or obtained by a CSP on a person they provide a service to.

Some public authorities have access to all types of communications data e.g. police, ambulance service, HM Revenues and Customs. Local authorities are restricted to subscriber and service use data and even then only where it is required for the purpose of preventing or detecting crime or preventing disorder. For example, a benefit fraud investigator may be able to obtain an alleged fraudster’s mobile phone bill. As with other RIPA powers, e.g. Directed Surveillance, there are forms to fill out and strict tests of necessity and proportionality to satisfy.

The Prime Minister under Section 57(1) of RIPA 2000 appointed Sir Anthony May in January 2013 as the Interception of Communications Commissioner. His function is to keep under review the interception of communications and the acquisition and disclosure of communications data by intelligence agencies, police forces and other public authorities (including councils). He is required to make an annual report to the Prime Minister with respect to the carrying out of his functions.

In March the Commissioner’s Annual Report, covering the period January to December 2014, was laid before Parliament. (Read the useful summary produced by Big Brother Watch here). Key findings in relation to communications data are set out in the extract below:

RIPA

Despite media headlines, local authorities now make little or no use of these powers. A big reason for this is that, since 1st November 2012, councils have had to obtain Magistrates’ approval for even the simplest communications data applications (e.g. mobile subscriber checks). (Read about the changes in detail here.) Another reason may be that since December last year, the Home Office has required councils to go through the National Anti Fraud Network to access communications data rather than make direct applications to CSPs. This has also made the internal SPoC’s (Single Point of Contact) role redundant.

The Commissioner also has the power to conduct inspections of public authorities using these powers. He still inspects councils despite their infrequent use. A typical inspection may include the following:

  • A review of the action points or recommendations from the previous inspection to check they have been implemented.
  • An audit of the information supplied by the CSPs detailing the requests that public authorities have made for disclosure of data. This information is compared against the applications held by the SPoC (Single Point of Contact) to verify that the necessary approvals were given to acquire the data.
  • Examination of individual applications to assess whether they were necessary in the first instance and then whether the requests met the necessity and proportionality requirements.
  • Scrutinising at least one investigation or operation from start to end to assess whether the communications data strategy and the justifications for acquiring all of the data were proportionate.
  • Examination of the urgent oral approvals to check the process was justified and used appropriately.
  • A review of the errors reported or recorded, including checking that the measures put in place to prevent recurrence are sufficient.

Act Now continues provides in house training on all aspects of covert surveillance under RIPA including accessing communications data. Get in touch for a quote.

Revised RIPA Policy and Procedures Toolkit (2015)

capture-20150313-134335

The local authority surveillance regime((under the Regulation of Investigatory Powers Act 2000, (RIPA)) has seen a number of developments in the past few years. These include:

  • Since 1st November 2012, whenever exercising any powers under RIPA (doing Directed Surveillance, deploying a CHIS or accessing Communications Data) councils have had to obtain Magistrates’ approval. Directed Surveillance has also been made the subject of a new Serious Crime Test (Read about the changes in detail here). On the whole the changes are working well.
  • On 10th December 2014 revised versions of two RIPA codes of practice  RIPA codes of practice came into force.
  • More guidance has been published by the Information Commissioner on what to do when covert surveillance is not regulated by RIPA.
  • The Office of Surveillance Commissioners  continues to highlight poor form filling and record  keeping in his annual reports.

Now is the time to revise your RIPA policies and procedures to take account of these developments.

The revised Act Now RIPA procedures and guidance toolkit includes an updated version of our previous RIPA Forms Guidance document, which was bought by over one hundred different organisations. In addition there are detailed guidance notes on deciding when surveillance is caught by RIPA, how to authorise it and what to do about surveillance which is not regulated by RIPA. The toolkit is written in straightforward language (avoiding legal jargon) and includes flowcharts to assist understanding.

The full contents list includes:

Updated – Completing the RIPA Forms

  • Procedure for completing the forms
  • Common mistakes
  • All Directed Surveillance forms with full notes to assist completion
  • All CHIS forms with full notes to assist completion

Seeking Magistrates’ Approval

  • Step by step guide to the process
  • Judicial application/order form with full notes to assist completion

Updated – Undertaking Non RIPA Surveillance

  • When it is appropriate
  • Non – RIPA Surveillance Authorisation Form
  • New Non – RIPA Surveillance Cancellation Form

New – Employee Surveillance Guidance

  • When it is appropriate
  • Complying with the Data Protection Act 1998
  • The latest ICO decision
  • Privacy Impact Assessments

More here: http://www.actnow.org.uk/content/117

The normal price of the toolkit is £199 plus vat for a hard copy and £399 plus vat for an electronic version (plus hard copy) with a licence to make additional hard copies and to upload the toolkit on to an intranet site (for internal use only).

DISCOUNT – If you bought the previous the version on the toolkit you qualify for a 20% discount.

Scottish colleagues can buy the RIP(S)A version of the toolkit here: http://www.actnow.org.uk/content/84

For those of you looking for refresher training in this area, we have a full program of public workshops. We can also bring the training to you for a customised in house training course. Please get in touch for a quote.

CCTV Surveillance: Getting It Right

Steve Morris writes…

“I keep six honest serving men, they taught me all I know, their names are what, why, when, how, where and who…”

“I know a person small, she keeps ten million serving-men who get no rest at all! – One million how’s, two million where’s, and seven million whys!”

Rudyard Kipling 1902

Well it’s 2015 and we have an estimated 6 million (give or take a million or so!) surveillance cameras within the UK regulated sector, and that does not include those installed by private individuals. Cameras are no longer stuck on the end of poles recording peoples’ movements. They are worn by officials, installed on public transport and can even predict peoples’ behaviour.

Image technology has advanced tremendously in recent years. Data captured by CCTV systems is often automatically interacting with other databases with the capability of providing very intrusive information about the private lives and activities of innocent individuals as well as offenders and those that pose a risk to society.

We are also going through economically difficult times. CCTV and other surveillance technology can be seen a cost effective answer to the resource problem. However, without careful planning and regular review, it can be a costly option that might in fact provide little or no benefit and/or land an organisation in trouble with the various regulators in this sector. The Information Commissioner’s Office (ICO) has taken enforcement action involving both number plate recognition systems and cameras  recording customers’ conversations in taxis.

The ICO is not the only regulator in this area. The Surveillance Camera Commissioner is tasked with raising awareness of the Surveillance Camera Code. Made pursuant to the Protection of Freedoms Act 2012 it governs the use of surveillance camera systems including CCTV and Automatic Number Plate Recognition (ANPR) operated by the police and councils in England and Wales.

The Office of the Surveillance Commissioner has oversight in relation to the covert surveillance under Part 2 of the Regulation of Investigatory Powers Act 2000  (RIPA). This often involves the deployment of covert CCTV cameras. Recently Ibrahim Hasan alerted you to the revisions of the two RIPA codes of practice.

So why quote Rudyard Kipling’s poem from 1902?

The overall question revolves around whether a ‘scatter gun approach’ (obtaining lots of private data from lots of cameras) is actually a practical, cost effective use of resources. Furthermore is this approach a lawful, necessary and proportionate approach to addressing a ‘pressing social need’ or problem? Or would a smaller number of cameras providing images and data of the quality required, when it is required, be a better use of resources?

Compliance with the various codes and laws which govern CCTV, is easy if key questions are addressed at the outset:

  1. What is the pressing social need or lawful grounds for the CCTV surveillance activity? What type(s) of devices and system is appropriate? What personal data is going to be collected? What policies and processes should we have?
  2. Why do we need this surveillance in this place? Why is surveillance the option we have chosen?
  3. When should the system be capturing and recording information? When is it right to share this information?
  4. How will the system be managed? How much private information are we obtaining about individuals? How will we ensure it is kept secure?
  5. Where will the cameras be positioned? Where will we store the data?
  6. Who will we be watching? Who will have access to the collected information?

Looking for an opportunity to discuss these questions and many others, and to examine the regulatory requirements in relation to the decision making process? Attend one of my CCTV workshops and be brought right up to date with the latest laws, codes of practice and guidance.

Steve Morris is an ex police officer and one of our experts in surveillance law trainers.

Staff Surveillance: It’s a Data Protection Issue

Increasingly affordable surveillance technology means that more and more employers are turning to surveillance to catch errant or work shy employees. But confusion still reigns as to which legislation applies and what can be done lawfully.

If employee surveillance is conducted by a public authority and involves covert techniques or equipment, it is easy to assume that Part 2 of the Regulation of Investigatory Powers Act 2000 (“RIPA”) applies. However, the Investigatory Powers Tribunal has ruled in the past that not all covert surveillance of employees is regulated by RIPA (See C v The Police and the Secretary of State for the Home Department (14th November 2006, No: IPT/03/32/H), discussed in our previous blog post on employee surveillance.)

All employers, whether in the public or the private sector, have to respect their employees’ right to privacy under Article 8 of the European Convention on Human Rights. This means that the surveillance must be carried out in a manner that is in accordance with the law and is necessary and proportionate (see Copland v UK (3rd April 2007 ECHR).

During the course of the surveillance, the employer will inevitably be gathering personal data about employees. Consideration therefore has to be given to the provisions of the Data Protection Act 1998 (DPA). Compliance with the DPA will also help demonstrate that the surveillance is human rights compliant since protection of individuals’ privacy is a cornerstone of the DPA.

The Information Commissioner’s Office’s (ICO) Employment Practices Code, which covers surveillance of employees at work. The code covers all types of employee surveillance from video monitoring and vehicle tracking to email and internet surveillance. Whilst the code is not law, it will be taken into account by the Information Commissioner and the courts whether deciding whether the DPA has been complied with.

In December 2014, Caerphilly County Borough Council signed an undertaking after an ICO investigation found that the Council’s surveillance of an employee , suspected of fraudulently claiming to be sick, had breached the DPA.

The council’s decision to authorise the surveillance was based on anecdotal evidence and was begun only four weeks into the employee’s sickness absence. No other measures were taken to discuss the employee’s absence before the decision to deploy covert surveillance. The surveillance report, which was produced by a private company, was never used. The ICO determined the council did not have sufficient grounds to undertake the surveillance, especially at such an early stage of the employee’s absence.

The council has undertaken that, in future, it will carry out an impact assessment, (as required by the code) in every case of employee surveillance. This will consider whether the adverse impact of the surveillance on the employee(s) is justified by the benefits to the employer and others. Such an impact assessment must also:

  • clearly identify the purpose(s) behind the surveillance and the benefits it is likely to deliver,
  • identify any likely adverse impact of the surveillance,
  • consider alternatives to surveillance or different ways in which it can be carried out
  • take into account the obligations that arise from the surveillance, and
  • judge whether the surveillance is justified.

This assessment is best done in writing using a “Non-RIPA” surveillance form (Our RIPA Policy and Procedures Toolkit contains such a form).

Furthermore the council agreed some general principles which are useful for all employers to note when deciding to conduct covert surveillance of employees:

  • Senior management should authorise any covert monitoring. In doing so they must satisfy themselves that there are grounds for suspecting criminal activity or equivalent malpractice (i.e. serious but non-criminal employee misbehaviour, such as fraudulently claiming sick pay) and that notifying individuals about the monitoring would prejudice its prevention or detection.
  • Such covert monitoring should only be used in exceptional circumstances, as it will be rare for covert monitoring of employees to be justified.
  • Ensure that any covert monitoring is strictly targeted at obtaining evidence within a set timeframe and that the covert monitoring does not continue after the investigation is complete.
  • Do not use covert audio or video monitoring in areas which workers would genuinely and reasonably expect to be private.
  • If a private investigator is employed to collect information on workers covertly make sure there is a contract in place that requires the private investigator to only collect information in a way that satisfies the employer’s obligations under the Act.
  • Check any arrangements for employing private investigators to ensure your contracts with them impose requirements on the investigator to only collect and use information on workers in accordance with your instructions and to keep the information secure.
  • Ensure that information obtained through covert monitoring is used only for the prevention or detection of criminal activity or equivalent malpractice.
  • Disregard and, where feasible, delete other information collected in the course of monitoring unless it reveals information that no employer could reasonably be expected to ignore.

Employee surveillance is a legal minefield. RIPA may not always apply but compliance with the DPA and the Employment Practices Code will ensure that it is human rights compliant and that adverse headlines are avoided.

Act Now can help you get to grips with this difficult area. Please see our full program of surveillance law courses which can also be customised and delivered at your premises.

The New RIPA Surveillance Codes: Key Changes

By Sam Lincoln (Chief Surveillance Inspector 2006 – 2013)

Featured imageRecently Ibrahim Hasan alerted you to the revisions of the two codes of practice underPart 2 of the Regulation of Investigatory Powers Act 2000 (RIPA) published on 10th December 2014. Ibrahim urged you to read them but I suspect that it wasn’t at the top of your ‘to do’ list over Christmas! So I’ve done the donkey work for you.

A cursory examination suggests that the revised codes simply implement the amendments to RIPA resulting from the legislation enacted since the last codes were published namely: the Regulation of Investigatory Powers (Extension of Authorisation Provisions: Legal Consultations) Order 2010; to the Protection of Freedoms Act 2012; and the Regulation of Investigatory Powers (Covert Human Intelligence Sources: Relevant Sources) Order 2013. But there are some interesting and important changes.

I approach the subject by addressing each of the two codes. Before I do, it’s worth saying that I compared the existing 2010 codes with the draft codes obtained from the Home Office website available at the time of writing. It may be worth checking to see if further amendments were made before publication. I ignore the frequent amendment resulting from changes to the names or amalgamation of public authorities (for example the formation of Police Scotland and the creation of the National Crime Agency).

If you are a member of a local authority, please don’t persuade yourself that the CHIS Code doesn’t apply to your authority. I think you’ll find that it does!

Covert Surveillance and Property Interference Code

Let’s begin with the Covert Surveillance and Property Interference Code. It might be worth having a copy (printed or online) handy as I’ll refer to relevant paragraph numbers in square brackets ([]):

[2.18] The first sentence is amended to account for the fact that some legal consultations which might otherwise be Directed Surveillance are now to be authorised as Intrusive Surveillance.

[2.24] Examples 3 and 4 have been amended. I am particularly uncomfortable with the amendment to Example 4 which relegates the requirement for an authorisation from “should be sought” to “should … be considered”. The inference is that planned covert surveillance of an individual suspected of shoplifting depends on the public authority deciding whether the individual has a reasonable expectation of privacy. Assessing what is reasonable and what is assumed by another person is open to challenge. It is because examples can mislead that the Office of Surveillance Commissioners (OSC), during my tenure, advised against the inclusion of examples. For this reason it’s vital that applicants and authorising officers note [1.7].

[2.27] This paragraph has been expanded to include guidance provided by the Surveillance Camera Code of Practice pursuant to the Protection of Freedoms Act. (More on CCTV here)

[2.29] This new paragraph provides important guidance regarding the need to consider whether an authorisation for either Directed Surveillance or a CHIS is required when using the Internet. As usual, it lacks the clarity usually sought by practitioners but it is clear that prior consideration should be given to the need for authorisation; it’s not acceptable to ignore this advice and I urge Senior Responsible Officers to ensure that they alert all public authority staff to its implications.

[2.30] The third bullet point of this paragraph is amended to differentiate between non-verbal and verbal noise.

[3.7] The original examples 2 and 3 are deleted. I suspect that the cause is that neither could be protected by a RIPA authorisation as a result of the 2010 Order. But then again, nor does Example 1!

[3.18] This is a new paragraph and covers the use of third party individuals or organisations (for example private investigators and internet researchers). They are acting as agents of the public authority and the need for relevant authorisation must not be ignored.

[3.22] The deletion of reference to Scottish public authorities suggests that there is no collaboration agreement with any public authorities in Scotland.

[3.30 – 3.33] These new paragraphs cover the changes to local authority authorisations of Directed Surveillance resulting from the Protection of Freedoms Act 2012. (More on the changes here)

[3.35] This paragraph amends the requirement for elected members to consider internal reports submitted on a ‘regular basis’ rather than at least quarterly. I’m personally disappointed that there’s no restriction on the detail of authorisations that elected members are entitled to see to prevent inadvertent compromise.

[4.1] The fourth sentence is amended slightly for grammatical effect it seems. The definition of a Member of Parliament is deleted and placed in the glossary at the back of the code.

[5.18] I recall that the OSC advised that there is no ‘legal’ requirement for any further details to be recorded and would have preferred the code to be more assertive. It’s disappointing that this advice is ignored.

[5.20] It isn’t clear why all of the footnotes relating to this paragraph are deleted.

[6.2] Is amended to include directed surveillance.

[7.8] This paragraph isn’t amended despite, to my knowledge, earlier criticism of the accuracy of its first sentence by the OSC. I am not a lawyer but, if I recall accurately, neither loss nor damage is necessary for there to be property interference. Subsequent analysis of a sample isn’t, of itself, surveillance; it’s the obtaining of the sample itself which may need authorisation.

[8.1] An additional sentence is added directing local authorities to the .gov.uk website for further guidance on the recording of magistrates’ decisions.

[8.2] A final bullet is included requiring local authorities to retain a copy of the Magistrates’ approval order in a centrally retrievable form. (more on the Magistrates’ approval process here)

[8.4] This is a new paragraph advising that it is desirable that relevant records should be retained, if possible, for up to five years.

CHIS Code of Practice

Let me turn now to the revised CHIS Code of Practice.

[2.4] This alerts the reader to the renaming of CHIS previously known as undercover officers to ‘relevant source’. Not a particularly helpful title. Contrary to this paragraph, not all references to undercover officers are amended in this revision of the Code.

[2.12] The final sentence of this paragraph is an important amendment. It alerts public authorities to the fact that the existence of a CHIS is not a choice for a public authority. Whether to authorise the use and conduct of a CHIS is a choice of course, but in my experience too often public authorities wished the problem away. In short, all public authorities must acknowledge that a CHIS may appear at any time and must have procedures in place to manage them in accordance with the law.

[2.14] This new paragraph obliges ‘relevant sources’ to comply with the College of Policing Code of Ethics.

[2.15] This is a new paragraph obliging the authorisation of activity known as ‘legend building’.

[2.16] This seems an unnecessary paragraph considering that types of human sources falling outside the CHIS definition are provided specific attention.

[2.17] This new paragraph introduces the concept of a public volunteer (with examples) in addition to the previously existing concept of a human source with a professional or statutory duty.

[3.12] This paragraph is amended in recognition that the 2013 Order introduced enhanced arrangements.

[3.22] The amendment to this paragraph emphasises that the enhanced arrangement for relevant sources relies on accurate recording of the length of deployment of each relevant source.

[3.26 – 3.27] This new section is specific to the use of CHIS by local authorities and the approval by magistrates. It highlights differences between authorities in England and Wales, Scotland, and Northern Ireland. Similar direction is provided to the need for elected member review but, as I was disappointed with the direction in the other Code, I believe that there is benefit in restricting the detail available to elected members in relation to the use and conduct of a CHIS to prevent compromise.

[4.3] This reminds the reader that ‘relevant sources’ are subject to enhanced arrangements when accessing legally privileged and other confidential information.

[4.31] There is an addition to cover the engagement of a member of a foreign law enforcement agency.

[4.32] The is an important new paragraph covering the considerations necessary to authorise the use and conduct of a CHIS for some online covert activity. It should be read in conjunction with [2.29] of the Covert Surveillance and Property Interference Code of Practice.

[5.10] This new paragraph clarifies the enhanced arrangements for relevant sources.

[5.15] Two sentences are added to this paragraph. The first states that local authorities are no longer able to orally authorise the use of RIPA techniques. The second relates to out of hours arrangements.

[5.16] An amendment to this paragraph introduces additional information to include at review; namely the information obtained from a CHIS and the reasons why executive action is not possible if that is the case (my italics are an addition).

[5.21 and 5.22 – 5.26] These new paragraphs relate to enhanced arrangements for the use and conduct of relevant sources. They provide detail regarding timings and, importantly, the calculation of total or accrued deployment or cumulative authorisation periods.

[5.29] An additional sentence requires an authorising officer to satisfy themselves that all welfare issues are addressed at the time of CHIS cancellation.

[5.30 – 5.31] These new paragraphs relate to the refusal of an Ordinary Surveillance Commissioner to approve a long term authorisation. Importantly, it obliges public authorities to plan for the safe extraction of a relevant source if an authorisation is refused.

[6.6] The addition of a final sentence recognises concerns raised by the OSC in relation to traditional police appointments and their responsibilities as defined by RIPA.

[7.3] Similar to [8.4] of the Covert Surveillance and Property Interference Code revision, this new paragraph (and amendment of [7.1] and [7.6]) recommends that relevant RIPA records should be retained for five years if possible.

[7.6] The addition of a bullet point requires that the decision of an Ordinary Surveillance Commissioner should be retained.

There is one other point I would like to make about the CHIS Code; there is no reference to the fact that the Protection of Freedoms Act 2012 did not restrict the use or conduct of a CHIS to the prevention or detection of crimes not attracting a six month sentence as it did for other types of covert surveillance.

What should you do now?

If you’ve got this far without falling asleep, you are obviously a person who takes RIPA seriously! It would be very helpful therefore if you ensure that your Senior Responsible Officer and all authorising officers are alerted to these amendments. I’m sure the OSC will check that policies are amended accordingly and that extant codes of practice are available and understood.

Copy this article by all means but please have the courtesy to accredit it properly!!

Sam Lincoln was formerly Chief Surveillance Inspector with the Office of Surveillance Commissioners for seven years. Please get in touch if you would like Sam to help you prepare for an OSC inspection by delivering customised training at your premises. We also have a full program of RIPA workshops in 2015 where we will examine the new codes in detail: http://www.actnow.org.uk/content/110

STOP PRESS… STOP PRESS… STOP PRESS… STOP PRESS…

ONLINE RIPA TRAINING

Looking for an e-learning solution for your RIPA training needs? http://www.actnow.org.uk/content/185

———————————————————————————————————-