Category: Surveillance

Apprentice Case Study – Meet Natasha

In 2022, Act Now Training teamed up with Damar to deliver the new Data Protection and Information Governance Practitioner Apprenticeship. The aim is to develop individuals into accomplished data protection and information governance practitioners with the knowledge, skills and competencies to address future IG challenges. Two years on, over 130 apprentices are currently on the programme with the first cohort about to undertake the end point assessment.

Data Protection and Information Governance Apprentice, Natasha Lock, is an integral part of the Governance and Compliance team at the University of Lincoln. With the Data Protection and Digital Information (No.2) Bill set to make changes to the UK data protection regime, Natasha talks to us about why this is a great area to work in and how the apprenticeship route has been particularly beneficial for her.

How did you get onto the apprenticeship?

“I was already working at the university as an Information Compliance Officer when the opportunity for a staff apprenticeship came up.

“The process was swift and straightforward, and I was enrolled on the Data Protection and Information Governance Apprenticeship within three months of enquiring.”

How has the apprenticeship helped you?

“I started with a good understanding of the UK Data Protection legislation but my knowledge has grown significantly, and now I’m coming to the end of my level 4 apprenticeship, I’ve gained so much more insight and my confidence has grown.

“As a university, we hold vast amounts of data. My apprenticeship is allowing me to solve the challenge of data retention and implement better measures to retain, destroy and archive information. I have developed a greater understanding of the legislative requirements we must adhere to as a public sector institute and how to reduce and assess data protection risks.

“I love the fact that I can study whilst still doing my job. The flexibility works for me because I can go through course materials at my own pace. I really feel like I have a brilliant work/life/study balance.

“The University of Lincoln and Damar Training have been fantastic in supporting me. I get along with my coach, Tracey, so well. She is very friendly and personable and has enabled my creativity to flow.

“The course is very interactive, and I’ve found the forums with other apprentices to be a very useful way of sharing knowledge, ideas and stories.

“I’m enjoying it so much and people have noticed that my confidence has grown. I wouldn’t have had that without doing this apprenticeship. I’ve now got my sights on doing a law degree or law apprenticeship in the future.”

Abi Slater, Information Compliance Manager at Lincoln University, said: “It has been great to see how much Natasha has developed over the course of the apprenticeship. I believe the apprenticeship has provided Natasha with the knowledge and skills required to advance in her data protection career and the support from her coach at Damar Training has been excellent.

“I would encourage anyone with an interest in data protection and information governance to consider this apprenticeship.”

Tracey Coetzee, Coach at Damar Training said: “The Data Protection and Information Governance Apprenticeship was only approved by the Institute of Apprenticeships in 2022, and its delightful to see apprentices flourishing on the programme.

“From cyber security to managing data protection risks, this programme is upskilling participants and adding value to both private and public sector organisations and we’re thrilled to see the first cohort, including Natasha, approach the completion of their training.”

If you are interested in the DP and IG Apprenticeship, please see our website for more details and get in touch to discuss further.

Leading Surveillance Law Expert Joins the Act Now Team

Act Now Training welcomes solicitor and surveillance law expert, Naomi Mathews, to its team of associates. Naomi is a Senior Solicitor and a co-ordinating officer for RIPA at a large local authority in the Midlands. She is also the authority’s Data Protection Officer and Senior Responsible Officer for CCTV.

Naomi has extensive experience in all areas of information compliance and has helped prepare for  RIPA inspections both for the Office of Surveillance Commissioners and Investigatory Powers Commissioner’s Office (IPCO). She has worked as a defence solicitor in private practice and as a prosecutor for the local authority in a range of regulatory matters including Trading Standards, Health and Safety and Environmental prosecutions. Naomi has higher rights of audience to present cases in the Crown Court.

Naomi has many years of practical knowledge of RIPA and how to prepare for a successful prosecution/inspection. Her training has been commended by RIPA inspectors and she has also trained nationally. Naomi’s advice has helped Authorising Officers, Senior Responsible Officers and applicants understand the law and practicalities of covert surveillance. 

Like our other associates, Susan Wolf and Kate Grimley Evans, Naomi is a fee paid member of the Upper Tribunal assigned to the Administrative Appeals Chamber (Information Rights Jurisdiction and First Tier Tribunal General Regulatory Chamber (Information Rights Jurisdiction).

Ibrahim Hasan, director of Act Now Training, said:

“ I am pleased that Naomi has joined our team. We are impressed with her experience of RIPA and her practical approach to training which focuses on real life scenarios as opposed to just the law and guidance.”

Naomi will be delivering our full range of RIPA workshops as well developing new ones. She is also presenting a series of one hour webinars on RIPA and Social Media. If you would like Naomi to deliver customised in house training for your organisation, please get in touch for a quote. 

Ring Doorbells, Domestic CCTV and GDPR

The Daily Mail reports today that, “A female doctor is set to be paid more than £100,000 after a judge ruled that her neighbour’s Ring smart doorbell cameras breached her privacy in a landmark legal battle which could pave the way for thousands of lawsuits over the Amazon-owned device.”

Dr Mary Fairhurst, the Claimant, alleged that she was forced to move out of her home because the internet-connected cameras are so “intrusive”. She also said that the Defendant, Mr Woodard, had harassed her by becoming “aggressive” when she complained to him.

A judge at Oxford County Court, ruled yesterday that Jon Woodard’s use of his Ring cameras amounted to harassment, nuisance and a breach of data protection laws. The Daily Sage goes on to say:

“Yesterday’s ruling is thought to be the first of its kind in the UK and could set precedent for more than 100,000 owners of the Ring doorbell nationally.”

Before Ring doorbell owners rush out to dismantle their devices, let’s pause and reflect on this story. This was not about one person using a camera to watch their house or protect their motorbike. The Defendant had set up a network of cameras around his property which could also be used to watch his neighbour’s comings and goings. 

Careful reading of the judgement leads one to conclude that the legal action brought by the Claimant was really about the use of domestic cameras in such a way as to make a neighbour feel harassed and distressed. She was primarily arguing for protection and relief under the Protection from Harassment Act 1997 and the civil tort of nuisance. Despite the Daily Mail’s sensational headline, the judgement does not put domestic CCTV camera or Ring doorbell owners at risk of paying out thousands of pounds in compensation (as long as they don’t use the cameras to harass their neighbours!). However, it does require owners to think about the legal implications of their systems. Let’s examine the data protection angle.

Firstly, the UK GDPR can apply to domestic CCTV and door camera systems. After all, the owners of such systems are processing personal data (images and even voice recordings) about visitors to their property as well as passers-by and others caught in the systems’ peripheral vision.  However, on the face of it, a domestic system should be covered by Article 2(2)(a) of the UK GDPR which says the law does not apply to “processing of personal data by an individual in the course of purely personal or household activity.” Recital 18 explains further:

“This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities.”

The judge in this case concluded that the camera system, set up by the Defendant, had collected data outside the boundaries of his property and, in the case of one specific camera, “it had a very wide field of view and captured the Claimant’s personal data as she drove in and out of the car park.” This would take the system outside of the personal and household exemption quoted above, as confirmed by the Information Commissioner’s CCTV guidance:

“If you set up your system so it captures only images within the boundary of your private domestic property (including your garden), then the data protection laws will not apply to you.

But what if your system captures images of people outside the boundary of your private domestic property – for example, in neighbours’ homes or gardens, shared spaces, or on a public footpath or a street?

Then the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA18) will apply to you, and you will need to ensure your use of CCTV complies with these laws.”

Once a residential camera system comes under the provisions of the UK GDPR then of course the owner has to comply with all the Data Protection Principles including the obligation to be transparent (through privacy notices) and to ensure that the data processing is adequate, relevant and not excessive. Data Subjects also have rights in relation to their data including to see a copy of it and ask for it to be deleted (subject to some exemptions).

Judge Clarke said the Defendant had “sought to actively mislead the Claimant about how and whether the cameras operated and what they captured.” This suggests a breach of the First Principle (lawfulness and transparency). There were also concerns about the amount of data some of the cameras captured (Fourth Principle).

Let’s now turn to the level of compensation which could be awarded to the Claimant. Article 82 of the UK GDPR does contain a free standing right for a Data Subject to sue for compensation where they have suffered material or non-material damage, including distress, as a result of a breach of the legislation. However, the figure mentioned by the Daily Mail headline of £100,000 seems far-fetched even for a breach of harassment and nuisance laws let alone GDPR on its own. The court will have to consider evidence of the duration of the breach and the level of damage and distress cause to the Claimant. 

This judgement does not mean that Ring door camera owners should rush out to dismantle them before passing dog walkers make compensation claims. It does though require owners to think carefully about the citing of cameras, the adequacy of notices and the impact of their system on their neighbour’s privacy. 

The Daily Mail story follows yesterday’s BBC website feature about footballers attempting to use GDPR to control use of their performance data (see yesterday’s blog and Ibrahim Hasan’s BBC interview). Early Christmas gifts for data protection professionals to help them highlight the importance and topicality of what they do!

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop. We have a few places left on our Advanced Certificate in GDPR Practice course starting in November.

Act Now Launches New RIPA E Learning Course

Screenshot 2020-11-24 at 10.26.09

The Investigatory Powers Commissioner’s Office (IPCO), like its predecessor the Office of the Surveillance Commissioner(OSC), undertakes inspections of public authorities to ensure their compliance with Part 2 of the Regulation of Investigatory Act 2000 (RIPA).
A common feature of an IPCO report into a council is the highlighting of the lack of regular refresher training for those who undertake covert surveillance, including when using social media.  

The coronavirus pandemic as well as decreasing council budgets means that training staff is difficult to say the least. Social distancing and home working make face to face training impossible and live online training may not always be cost effective for those who need a quick refresher.  

Act Now Training is pleased to announce the launch of RIPA Essentials. This is a new e learning course, consisting of an animated video followed by an online quiz, designed to update local authority employees’ knowledge of Part 2 of RIPA which covers Directed Surveillance, Intrusive Surveillance and CHIS. Designed by our RIPA experts, Ibrahim Hasan and Steve Morris, it uses simple clear language and animation to make the complex simple. 

In just 30 minutes your employees can learn about the main provisions of Part 2 of RIPA including the different types of covert surveillance, the serious crime test and the authorisation process. It also covers how RIPA applies to social media monitoring and how to handle the product of surveillance having regard to data protection. All this at a time and in a place of your employees’ choosing. (See the full contents here.

Steve Morris said: 

“Ibrahim and I have over 40 years of experience in training and advising local authorities on covert surveillance and RIPA. We have used this experience, as well as the latest guidance from the Home Office and IPCO, to produce an online training course which is engaging, interactive and fun.” 

With full admin controls, RIPA Essentials will help you to build a RIPA compliance culture in your organisation and develop a workforce that is able to identify and address privacy risks when conducting surveillance. The course is specifically designed for local authority investigators including trading standards officers, environmental health officers, licensing officers, auditors and legal advisers.  

You can watch a demo of RIPA Essentials here. Prices start from as little as £69 plus vat per user. For a bespoke quote please get in touch

RIPA Essentials follows the successful launch of GDPR Essentials which has been used by our clients to train thousands of staff in the public and private sector.

New RIPA Codes of Practice for Surveillance and CHIS

Drohne

In August 2018 the revised Codes of Practice for Covert Surveillance and Property Interference and Covert Human Intelligence Sources (CHIS) were published. These contain substantial changes and additions which public authorities conducting surveillance under Part 2 of the Regulation of Investigatory Powers Act 2000 (RIPA) need to understand.

The codes provide guidance on when an application should be made for a RIPA authorisation, the procedures that must be followed before surveillance activity takes place and how to handle any information obtained through such activity. They are admissible as evidence in criminal and civil proceedings. Any court or tribunal considering such proceedings, including the Investigatory Powers Tribunal , as well as the Investigatory Powers Commissioner’s Office, responsible for overseeing the relevant powers and functions, may take the provisions of the codes into account.

Many of the changes in the revised codes reflect best practice guidance published in the OSC Procedures and Guidance Document, observations and commentary in OSC annual reports, and advice and guidance provided during inspections. The changes include amendments to the role of the Senior Responsible Officer and a new error reporting procedure. The codes also reflect developments in surveillance and monitoring – such as use of the internet and social media, drones, tracking devices etc. Here is a summary:

  1. Private information– further information and guidance relating to internet material and investigations.
  2. Tracking devices– clarification and further information
  3. Social media and internet research – Substantial new sections providing clarity and detail (read our blog post for more on this topic).
  4. Drones – A section providing guidance on the use of Aerial Surveillance Devices
  5. Intrusive surveillance– A further developed explanation
  6. General Observation Duties– Expanded section to include such activity on the internet
  7. Surveillance not core function– A section relating to covert surveillance for ‘non RIPA purposes’ (More on this topic in our blog post)
  8. CCTV and ANPR– Additional information relating to the deployment of these technologies and the relevant codes and oversight more here: (More on this topic )
  9. Necessity and proportionality– Expanded section.
  • Authorisation– New section explaining the requirement to present the circumstances in a fair and balanced manner
  • Collateral intrusion– Further explanation is provided
  • Handling of material obtained– Section relating to safeguards, retention and destruction of material
  • Third parties– more clarity relating to working with third parties, including those that are not public authorities
  • Reviews– Further detail relating to the review process requirements
  • Senior Responsible Officer– The section relating to the role of the SRO has been altered substantially and includes amendments to the role and responsibilities
  • Covert Surveillance of a CHIS– A new section dealing with this tactic
  • Renewals– A section that provides more information about the detail required
  • Record Keeping– This section has been expanded to provide more detail of requirements
  • Error Reporting– A new requirement introduced in the Investigatory Powers Act 2016. This section describes the types of errors and the reporting requirements, and how there is expected to be processes to identify if errors exist.
  • Privileged Information– A new section with more detail relating to safeguard requirements for such information.
  • Other Legislation– There is now a new section referring to the Criminal Procedure Investigations Act 1996and evidence.
  • Data Protection– A new section relating to the handling and management of material and referring to the Data Controller. (Read our blog poston GDPR and employee surveillance.)
  • Dissemination of Material– A new section relating to this aspect
  • Copying of Material– A new section relating to this aspect
  • Storage of Material– A new section relating to the secure storage of material obtained
  • Destruction of Material– Another new section relating to this aspect
  • Confidential or Privileged Material– This section has been expanded to provide more detailed information about requirements
     
  • Oversight– Section amended to reflect the role oversight role of the Investigatory Powers Commissioner’s Office, and their access to systems and material in order to fulfil the oversight role. (More on this subject here.) If you have a RIPA inspection coming up, read our guide
  • Complaints– This section is completely altered and provides additional information

On 30thApril 2018 the Investigatory Powers Tribunal awarded £46,694 to an individual who had complained about surveillance by British Transport Police (BTP). The determination was that that surveillance was unlawful as it had been conducted without a RIPA authorisation. BTP was criticised for amongst other things, lack of training and awareness of those involved in surveillance.

Our RIPA courses have been completely revised by our RIPA expert, Steve Morris, to include an explanation of the new codes of practice and recent developments.  If you would like an in house refresher training for your staff, please get in touch.

Book Review: Blackstone’s’ Guide to the Investigatory Powers Act 2016 by Simon McKay (@simonmckay)

Screen Shot 2018-02-28 at 12.09.50

The Investigatory Powers Act received Royal Assent on 29 November 2016.

Nicknamed “the Snoopers’ Charter”, the Act provides that communications service providers may be required by the Secretary of State to retain communications data, for up to 12 months, where it is considered necessary and proportionate to do so and where that decision has been approved by a Judicial Commissioner.

Specified public authorities, including the police, the security and intelligence agencies as well as local authorities, may acquire communications data from a telecommunications operator or postal operator where it is both necessary and proportionate to do so, for specified purposes.

The Government says that retention of, and ability to access, communications data is an essential tool for law enforcement and national security investigations. It is used to investigate crime, keep children safe, support or disprove alibis and link a suspect to a particular crime scene, amongst many other purposes. Sometimes communications data is the only way to identify offenders, particularly where offences are committed online, such as child sexual exploitation or fraud.

However, there have been concerns around the balance between privacy and security in the Act. In January 2018 a Court of Appeal ruling found the Data Retention and Investigatory Powers Act (DRIPA) – a previous law covering state surveillance, which has been expanded upon with the Investigatory Powers Act – is unlawful.

The court ruled that the legislation violated UK citizens’ human rights (Article 8 of the European Convention on Human Rights)  by collecting internet activity and phone records and letting public bodies grant themselves access to these personal details with no suspicion of serious crime and no independent sign-off. The court said that the Act will have to be “urgently changed” as a result.

Fresh amendments were also proposed by the government in November 2017 following a European court ruling which said that the “general and indiscriminate retention” of personal communications data by police and security services “cannot be considered justified within a democratic society”.

Blackstone’s’ Guide to the Investigatory Powers Act 2016 is written by Simon Mckay, a barrister and surveillance law expert. It is is an excellent guide to this complicated piece of legislation.

It starts with a very useful chapter on the history and background to the Act, which is important to read, in order to understand where the Government is coming from with this controversial legislation. Subsequent chapters discuss in detail, amongst other things, the processes and pitfalls in relation to the interception of communications, access to communications data and retention of data and equipment interference. Each chapter does not just refer the reader to the Act but also discusses other relevant legislation as well as caselaw from UK and European courts.

Part 1, Chapter 2 of the Regulation of Investigatory Powers Act (RIPA),  provided a framework for the lawful acquisition and disclosure of communications data by law enforcement agencies as well as other public bodies including councils. This part of RIPA has now been replaced by Part 3 of the Investigatory Powers Act. Chapter 4 of the book explains the process in detail and the familiar RIPA concepts of notices and authorisations.

Section 73-75 of the Act places restrictions on local authorities’ ability to acquire communications and data. Experienced practitioners, with a knowledge of RIPA, will not be surprised by the restrictions which include a need for high-level internal authorisation and magistrates’ approval. Of course with the new Act there are now new oversight arrangements, which are explained in Chapter 9.

If you are involved in advising or training on surveillance and investigations law, this book will be a valuable addition to your library. It also contains a copy of the Act.

RIPA Surveillance Oversight and Inspection Regime Changes

canstockphoto19424111

By Steve Morris

On 1st September 2017 Lord Justice Fulford commenced his new role as the Investigatory Powers Commissioner. Assisted by the Investigatory Powers Commissioner’s Office (IPCO), he will undertake the oversight functions of three previous Commissioners under the Regulation of Investigatory Powers Act 2000 namely the Chief Surveillance Commissioner, Interception of Communications Commissioner and the Intelligence Services Commissioner.

This marks a major milestone in establishing a new oversight regime set out in the Investigatory Powers Act, which was given Royal Assent in 2016. The Act, amongst other things, provides new powers for the police to access communications data e.g. telephone records, internet usage information etc. More on the Act in further blog posts.

Not only does the new commissioner take over the inspection and oversight functions carried out by the previous commissioners, he takes on responsibility for the pre-approval of certain police activities authorised under the Police Act 1997.

The Investigatory Powers Commissioner’s Office will consist of around 70 staff. This will be made up of:

  • Around 15 Judicial Commissioners, current and recently retired High Court, Court of Appeal and Supreme Court Judges;
  • A Technical Advisory Panel, of scientific experts; and
  • Almost 50 official staff, including inspectors, lawyers and communications experts.

Over the next 12 months Judicial Commissioners will start to take on their prior approval functions relating to the Investigatory Powers Act 2016, including interception, equipment interference, bulk personal datasets, bulk acquisition of communications data, national security notices, technical capability notices and communications data retention notices. The Judicial Commissioners will be supported in this work by the Technology Advisory Panel.

What impact will this new commissioner have on local authority inspections under Part 2 of RIPA carried out previously by the Office of the Surveillance Commissioners (OSC)? I suspect not a lot. The same issues will be considered as previously. The final OSC annual report once again highlights the recurring issue of investigations using social networks e.g. Facebook.

If you have an inspection coming up read our guide here.

Steve Morris is a former police officer who delivers our RIPA Courses as well as a course on Internet Investigations.

Now is the time to consider refresher training for RIPA investigators and authorisers. Please see our full program of RIPA Courses which have been revised to take account of all the latest developments. We can also deliver these courses at your premises, tailored to the audience. Finally, if you want to avoid re inventing the wheel, our RIPA Policy and Procedures Toolkit gives you a standard policy as well as forms (with detailed notes to assist completion) for authorising RIPA and non-RIPA surveillance. Over 200 different organisations have bought this document (available on CD as well).

OSC RIPA (Surveillance) Procedures and Guidance: A view from its former editor

ripa

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

For the first time, the Office of Surveillance Commissioners (OSC) has made its Procedures and Guidance (P&G) public (in electronic format).

The guidance is essential reading for public authorities, especially councils, who conduct surveillance under Part 2 of the Regulation of Investigatory Powers Act 2000 (RIPA) (Directed Surveillance, Intrusive Surveillance and the deployment of a Covert Human Intelligence Source (CHIS)). The guidance also covers Part III of RIPA and RIP(S)A and to Part III of the Police Act 1997. It does not provide guidance on interception and the obtaining of communications data requiring a RIPA/RIP(S)A warrant.

Why should you care?

For reasons which Steve Morris explains in his blog on the latest OSC report, you’re going to face some form of inspection whether or not you have or intend to conduct covert surveillance; so at least understand how that inspection will be approached.

Also, as the Chief Surveillance Commissioner emphasises, every public authority should have in place policies, procedures and training programmes to ensure that relevant legislation is complied with when a situation arises. The OSC P&G will help you understand when relevant situations arise and how they should be approached.

Failure to recognise when the protection of RIPA/RIP(S)A may be sought or to know how to respond in a manner compliant with legislation – that is claiming ignorance – is no longer an option!

Why does the document exist?

When I first joined the OSC there was a best practice document which I believe had been shared with law enforcement agencies. This, combined with inspection reports, did not appear to meet with unanimous approval.

The Police Service attempted to introduce its own ‘Key Principles’ document which was sufficiently inadequate to attract the comment that “this is why the police should not be left to interpret legislation!”

However, I hope that I am not criticised for saying that the Surveillance Commissioners were not entirely comfortable publishing generic principles; they were more accustomed to making judgments on the facts of specific cases.

It is no coincidence that the following disclaimer, changed little since the first edition, is given prominence: 

“The opinions expressed within the Interpretation Guidance section of this publication are those of the Surveillance Commissioners. The OSC is not a judicial authority. This Guidance simply indicates the way in which the Commissioners would be minded to construe particular statutory provisions. There is no statutory requirement to publish them but they are a response to frequent requests for guidance from public authorities or are matters raised or identified during the inspection process. In the absence of case law, they are the most reliable indicator of likely judicial interpretation. They are the basis upon which inspections will be conducted and performance assessed by the Office of Surveillance Commissioners. Applicants and Authorising Officers should take note of the interpretations when constructing and considering applications and authorisations for the use of covert powers.”

These are the Surveillance Commissioners’ views. It’s rare that a collective interpretation of law is construed by seven ex-Appeal Court judges and three ex-Circuit judges. During my time, issues were examined and discussed at length during meetings with Commissioners and inspectors. You can imagine that, as Editor, I have happy memories of ‘wordsmithing’ each entry to accommodate the wishes of eminent lawyers!

In effect it is the OSC’s ‘party line’ but the disclaimer should be read in conjunction with paragraph 12. It would be wrong to imply that every member of the OSC agrees with every word in the document, so it is necessary to remember that it is guidance which may easily be altered by facts specific to each case. This is why you’ll find phraseology such as “is capable of being construed as [a type of] surveillance” rather than the definitive “is [a type of] surveillance”. Each Surveillance Commissioner is able to exercise his own judgment when approving authorisations.

RIPA and RIP(S)A are permissive and discretionary powers; the onus is on an authorising officer to decide whether or not to grant an authorisation for covert conduct. Assistant Surveillance Commissioners and inspectors cannot dictate. The aim of the document is to provide a level of consistency in approach from the OSC.

Finally, it is not the task of the OSC to make law; its task is to interpret the law as it is written, not as the Commissioners or others may prefer it. So don’t accuse the OSC of promoting covert conduct which you don’t agree with!

Why publication was resisted?

Partly because of conflict with the Police Service in relation to the ‘Key Principles’ document, and in response to concerns that operational techniques would be exposed, it was decided that the P&G should not be made available to the public. My repeated requests to identify any operational technique in the document that hadn’t already been disclosed by enthusiastic senior investigating officers resulted in no applications. But it was decided that we relied on practitioner transparency which required trust that we would not inhibit legitimate techniques.

When serving in the OSC and today, I am sometimes disappointed with the understanding of some trainers and the quality of their training. Too often legislation, codes of practice and the P&G are regurgitated or misused for commercial gain without improving knowledge or practitioner performance. Sometimes challenging the P&G was used as enticement to attendance or purchase; we were concerned that alternative opinions undermined confidence in the OSC.

I can avow the time and effort that goes into the formulation of this guidance; there is good reason why phrases are used. To protect copyright, to avoid misinterpretation and to prevent others gaining financially from the immense effort of the OSC were, I confess, causes of reticence to provide the document to the public.

In hindsight I believe my advice to the Chief Surveillance Commissioner to prevent public disclosure was misguided. Copies leaked to trainers and OSC silence allowed the media and campaigners to inadequately interpret legislation and its use.

Discussions relating to the Investigatory Powers Bill indicate that the need for regulators to transparently demonstrate how they hold public authorities to account has been recognised. Making the P&G public is a positive step but I am surprised that it is free! It‘s a publication worthy of a charge.

Comparison

For the remainder of this post I compare the July 2016 version with its predecessor of December 2014. There are many notes useful to practitioners. If you have not read it at least once, you should. Numbers in parenthesis are the relevant note number.

Part 1 – Procedures

Part 1 Section 1 provides detail of how to contact the OSC and matters relating to inspection process and reporting. Part 1 Section 2 provides detail in relation to Commissioner approvals, which apply mainly to law enforcement agencies.

[7-8] Disclosure of inspection reports. This is not new but worth reiterating. There is no requirement – as stated in the Codes of Practice – to notify the OSC of an intention to publicly disclose an inspection report, nor does the OSC promote or discourage the practice. The decision whether or not to publish rests entirely with the chief officer of the public authority inspected.

Part 2 – Guidance

[75] “I am satisfied” and “I believe” Again, not new but important. Too often authorising officers provide insufficient rationale to support their judgment; relying on the details provided by the applicant. This guidance cautions against lax authorisations. The heading indicates an unexplained difference between RIPA and RIP(S)A which use different requirements. This is likely to be complicated further if the terms in the draft IP Bill are enacted. That Bill currently requires a designated officer to “consider”. I may write another article on the significance of these differences.

[87] Duration of authorisations and renewals. Added clarification to ensure that electronic systems date/time algorithms do not have the effect of “losing a day” of authorised conduct. This amendment probably reflects the law enforcement agencies tendency to use electronic systems to create and process applications and authorisations. A useful audit is provided by date stamps and automatically generated data which cannot be altered. There have obviously been instances where automatic dates are not accurate. This amendment indicates how an OSC inspector will regard the inaccuracy but it’s a hint that authorising officers should ensure that dates are accurate.

[93-98] Persons, groups, associates and vehicles. These notes provide guidance in to assist public authorities amend authorisations when details are not known at the outset. The final sentence of Note [96] is amended:

Deleted: “The AO should set parameters to limit surveillance and use review to avoid “mission creep”.

Inserted: “The AO should guide the operational commanders by setting contextual parameters for the use of the “link” approach.” (i.e. where a possible link has previously been identified between individuals to the common criminal purpose being identified.)

There is a new note [97].

“The Authorising Officer should be updated when it is planned to deploy equipment or surveillance against a freshly identified subject before such deployment is made, to enable him to consider whether this is within the terms of his original authorisation, necessary, proportionate and that any collateral intrusion (or interference) has been taken into account; alternatively, where operational demands make it impracticable for the Authorising Officer to be updated immediately, as soon as reasonably practicable thereafter. This is to ensure that the decision to deploy further devices or surveillance remains with the Authorising Officer and is not delegate to, or assumed by, another, such as the operational commander. Such reviews should be pertinent and can be done outwith the usual formal monthly written review process, provided that the details of the Authorising Officer’s decisions are recorded contemporaneously and formally updated at the next due review. Where the terms of an authorisation do not extend to interference to other subjects (criminal associates) or their property then a fresh authorisation, using the urgency provisions if necessary, will need to be sought.” (My emphasis)

[222-229] Authorisation of undercover officers (UCOs). Note [226] is amended to enable additional UCOs to be authorised by way of review but indicates that every UCO must be authorised for the correct duration. This reflects the reality that it is frequently necessary to introduce additional UCOs to an investigation (for example to support a legend). Often the identity of additional UCOs will not be known at the outset. Rather than insist on the added bureaucracy of a new authorisation, the Commissioners have indicated that amendment by review (providing the terms of the original authorisation allow it) will not be criticised.

[289] Covert Surveillance of Social Network Sites (SNS). I advise that all members of local authorities read paragraph 289 in entirety as it’s the conduct most likely to introduce RIPA/RIP(S)A compliance issues. It remains my view that too few public authorities recognise (either deliberately or in ignorance) that the ‘less intrusive’ means that have resulted in decreased authorisations may be the result of not authorising internet investigations on the belief that ‘open source’ or publicly available mitigates RIPA/RIP(S)A consideration. This note provides the OSC’s guidance. Sub-note [289.3] is amended as shown in bold type:

“It is not unlawful for a member of a public authority to set up a false identity but it is inadvisable for a member of a public authority to do so for a covert purpose without an authorisation for directed surveillance when private information is likely to be obtained. The SRO should be satisfied that there is a process in place to ensure compliance with the legislation. Using photographs of other persons without their permission to support the false identity infringes other laws.”

See also Ibrahim Hasan’ blog post on RIPA and social networks.

 

Conclusion

I hope that this background is useful. I hope that my reticence to persuade the former Chief Surveillance Commissioner to make the P&G available to the public is proven to be misguided. Publishing the document is a very positive move in my opinion and is a useful indicator that the Commissioners have come to terms with the need to be public-facing. I applaud the decision.

Disclaimer: Sam Lincoln is a former Chief Surveillance Inspector with the OSC. In that capacity he introduced the OSC Procedures and Guidance and edited it from 2006 to 2013. The opinions expressed in this post are his alone; he does not represent the OSC and OSC endorsement is neither sought nor implied.

Sam has designed our RIPA E-Learning Package which is an interactive online learning tool, ideal for those who need a RIPA refresher before an OSC inspection.

 

Like our image? It is available as an A3 Poster for the office, We have a small range of them for only £5 for three!  Take a look at the link below.

http://www.actnow.org.uk/posters

OSC Annual Report On Surveillance (RIPA) Published

 

canstockphoto8990372.jpg

Steve Morris

 

On the 7th July 2016 the Office of Surveillance Commissioners (OSC) published the 2015-2016 Annual Report.

The report covers the period from 1st April 2015 to 31st March 2016 and should be read by public authorities, especially councils, who conduct surveillance under Part 2 of the Regulation of Investigatory Powers Act 2000 (RIPA) (Directed Surveillance, Intrusive Surveillance and the deployment of a Covert Human Intelligence Source (CHIS)).

We have reviewed the report and below are summaries of comments and sections of particular relevance to public authorities other than law enforcement. (The section numbers from the report are quoted below so that reference to the complete text can be made.)

Reduced use by public authorities Section 2.3.

  • There is substantially reduced number of authorisations by public authorities, most notably local district and borough councils, who do not deploy their statutory powers, or do so very rarely indeed, and do not intend or expect to do so in future.

However, while they remain vested with these powers, the appropriate structures and training must continue to be in place so that if they come to be exercised, the exercise will be lawful.

This reduction could be related to the substantial budgetary cuts faced by councils and the requirement for Magistrates’ Approval (and other reforms), which took effect on 1st November 2012.

Changed arrangements for inspection of local authorities Section 2.10.

  • The OSC is to introduce a new system of inspection for some local authorities where the statutory powers have not been used at all, or have been very rarely used in the last three years since a previous inspection, the process will start on paper, with a request for information. An Inspector or Assistant Surveillance Commissioner will visit the authority if there has been any significant increase in the use of the statutory powers, or if the responses to the OSC paper give ground for concern, or if the authority itself requests a personal visit by an Inspector. There will be no automatic visit.

Irregularities Section 4.18.

  • The total number of reports of irregularities (100) continues to represent a tiny proportion of the total number of authorisations granted during the course of a year. The overwhelming majority are the result of human error.

Section 4.19.

  • Irregularities caused by human error reinforces the need for those with responsibilities for ensuring compliance with the statutory provisions to receive regular, updated training, together with the need for continuing robust oversight by senior officers and managers of the processes. In the case of enforcement agencies, including the police, both these requirements are understood. In relation to some of the public authorities which, facing strains on their financial resources either have ceased or virtually ceased to use the statutory powers, and do not envisage using them in the future, training arrangements can sometimes assume a lowly priority. The view of the OSC is that every single authority vested with the relevant statutory powers should have in place structures and training arrangements which will ensure that the exercise of any such powers, even if arising unexpectedly, will be lawful.

Use of covert powers by public authorities other than law enforcement agencies Section 5.10.

  • From the OSC point of view the principle is clear. The fact that a local authority has elected not to exercise the relevant statutory powers does not remove it from the inspection process. While it retains these powers, which may be exercised at any time, appropriate structures and officials with the requisite training are required.

The “virtual world” Section 2.8.

  • There is a shift towards criminal activity in or by the use of the “virtual world”. This increases the demands on those responsible for covert surveillance. They need an understanding of the technological advances and myriad types of communication and storage devices which are constantly being updated. They also need assistance about how the statutory powers available to them can or should be applied

Social Networks and the “virtual world” Section 5.17.

  • Patterns of criminal planning are changing to embrace technological advances. Criminals and terrorists are less likely to meet in public, in parked up cars, with police officers using binoculars and longsighted cameras to follow their movements. Social media and private electronic communications provide greater anonymity for the criminals, and enable their activities to proceed on a global scale. This issue was addressed by my predecessor in his last two reports, and the Surveillance Commissioners have issued guidance on the need for appropriate authorisations to cover these developments.

Extract from OSC Procedures & Guidance document

Covert surveillance of Social Networking Sites (SNS)

  1. The fact that digital investigation is routine or easy to conduct does not reduce the need for authorisation. Care must be taken to understand how the SNS being used works. Authorising Officers must not be tempted to assume that one service provider is the same as another or that the services provided by a single provider are the same.

288.1 Whilst it is the responsibility of an individual to set privacy settings to protect unsolicited access to private information, and even though data may be deemed published and no longer under the control of the author, it is unwise to regard it as ―open source, or publicly available; the author has a reasonable expectation of privacy if access controls are applied. In some cases data may be deemed private communication still in transmission (instant messages for example). Where privacy settings are available but not applied the data may be considered open source and an authorisation is not usually required. Repeat viewing of ―open source sites may constitute directed surveillance on a case by case basis and this should be borne in mind.

288.2 Providing there is no warrant authorising interception in accordance with section 48(4) of the 2000 Act, if it is necessary and proportionate for a public authority to breach covertly access controls, the minimum requirement is an authorisation for directed surveillance. An authorisation for the use and conduct of a CHIS is necessary if a relationship is established or maintained by a member of a public authority or by a person acting on its behalf (i.e. the activity is more than mere reading of the site‘s content).

288.3 It is not unlawful for a member of a public authority to set up a false identity but it is inadvisable for a member of a public authority to do so for a covert purpose without an authorisation for directed surveillance when private information is likely to be obtained. The SRO should be satisfied that there is a process in place to ensure compliance with the legislation. Using photographs of other persons without their permission to support the false identity infringes other laws.

288.4 A member of a public authority should not adopt the identity of a person known, or likely to be known, to the subject of interest or users of the site without authorisation, and without the consent of the person whose identity is used, and without considering the protection of that person. The consent must be explicit (i.e. the person from whom consent is sought must agree (preferably in writing) what is and is not to be done).

Section 5.18.

  • Inspectors and the Assistant Surveillance Commissioners pay particular attention to the way this developing method of criminal activity is kept under covert surveillance. The topic forms the basis for numerous requests for guidance. Perhaps the most significant feature is that investigating authorities cannot proceed on the basis that because social networking developed after much of the legislation came into force it is immunised from compliance with it. Requirements for appropriate authorisation may arise from the work done by those whose roles do not traditionally fall within RIPA or RIP(S)A. The necessary training and information must be addressed by the Senior Responsible Officer in each authority.

See our blog post on RIPA and social networks.

Common inspection findings Section 5.23

  • Some of the more common areas of criticism revealed in the inspection reports. They must be seen in context. In relation to law enforcement agencies, the standard of applications to and decisions of Authorising Officers for directed surveillance, property interference and intrusive surveillance are generally sound. Much of this is due to increased focus on the statutory requirements, clear internal leadership and investment in training.
  • The greatest complexity arises in the context of CHIS… In the context of social media in particular, it is sometimes difficult to recognise when a CHIS relationship has been established.

See our blog post on common inspection findings.

Section 5.24.

  • Some intelligence cases are too brief, others too long; most are of appropriate length; similarly with reviews, when a pertinent summary of what has happened since the latest update is required with, so far as possible, a simple explanation why the covert activity remains necessary and proportionate;
  • Occasional formulaic considerations given to the potential for collateral intrusion; for the OSC it remains a crucial feature that any authorisation for covert surveillance should be confined to those against whom there are grounds for suspicion, not their families or friends;
  • Authorisations for surveillance tactics and equipment use which, when reviews and cancellations are examined, appear to have been too widely drawn at the outset;
  • The conduct parameters for a CHIS are sometimes unclear and occasionally in such cases, the full extent of risks to the CHIS are insufficiently addressed, or, where the records are required by statute, left incomplete;
  • At cancellation, occasionally more detail is required from the Authorising Officer about the activity conducted, the value of the surveillance, the resulting product, and its management, and whether there has been any tangible or beneficial outcome, together with greater attention to any collateral intrusion;
  • In relation to public authorities the need for training for those vested with surveillance responsibilities is sometimes overlooked, particularly when budgets have been seriously depleted; in the case of adjacent local authorities training costs could perhaps be shared.

This is a summary of the detailed annual report – clearly the OSC places a high value on training (mentioned 19 times!), and indicates difficulties that arise as a result of not providing the training for all personnel involved or likely to be involved in authorised activity.

One emerging trend not addressed in the report is the rise in covert surveillance undertaken without the protection of RIPA when a local authority deems it necessary and proportionate to conduct covert surveillance in relation to preventing or detecting crime which does not meet the six month criteria, or a public authority deems it necessary and proportionate to conduct covert surveillance as part of it’s legitimate pursuit of responsibilities in relation to public safety, public health, regulation, and enforcement, in compliance with Article 8 Human Rights (commonly known as ‘non RIPA Surveillance’). See our blog post here for more on this issue.

Act Now’s programme of RIPA Courses  address all of the issues raised in the report, and those associated with non RIPA surveillance, research and gathering of intelligence as well as evidence from social media. If your training budget is an issue, our online RIPA training is worth trying out. Module 1 is free.

The OSC Procedures & Guidance document (July 2016) has now been re issued and is, for the first time, available to download from the OSC website.

Act Now also has a RIPA policy and procedures manual which is very useful for those revising their RIPA documents. It contains useful guidance for staff on when RIPA applies and how to complete the authorisation forms.

Raise awareness of RIPA in your organisation with our RIPA poster.

Steve Morris is a former police officer who delivers our RIPA Courses as well as a course on Internet Investigations.

Monitoring Staff Use of Social Networks: The Human Rights Implications

canstockphoto9076695

According to a recent FOI request made by BBC Radio 5 live, last year there was a rise in the number of UK council staff suspended after being accused of breaking social media rules. Many employers, both in the public and the private sector, now monitor staff use of social media within the office environment. The possibilities are endless but care must be taken not to overstep the legal limits.

All employers have to respect their employees’ right to privacy under Article 8 of the European Convention on Human Rights (ECHR).  This means that any surveillance or monitoring must be carried out in a manner that is in accordance with the law and is necessary and proportionate (see Copland v UK (3rd April 2007 ECHR))

A January 2016 judgment of the European Court of Human Rights show that a careful balancing exercise needs to be undertaken when applying the law (Barbulescu v Romania (application 61496/08). In this case, the employer had asked employees such as the applicant to set up Yahoo! messenger accounts for work purposes. Its policies clearly prohibited the use of such work accounts for personal matters. The employer suspected the applicant of misusing his account, so it monitored his messages for a period during July 2007 without his knowledge.

The employer accused the applicant of using his messenger account for personal purposes; he denied this until he was presented with a 45-page printout of his messages with various people, some of which were of an intimate nature. The employer had also accessed his private messenger account (though it did not make use of the contents).

The applicant was sacked for breach of company policy. When he challenged his dismissal before the courts, his employer relied on the print out of his messages as evidence. He argued that, in accessing and using those personal messages, the employer had breached his right to privacy under Article 8 ECHR.

The Court accepted the applicant’s privacy rights were engaged in this case. However the employer’s monitoring was limited in scope and proportionate. It is reasonable for an employer to verify that employees are completing their professional tasks during working hours. Key considerations were:

  • The emails at the centre of the debate had been sent via a Yahoo Messenger account that was created, at the employer’s request, for the specific purpose of responding to client enquiries.
  • The employee’s personal communications came to light only as a result of the employer accessing communications that were expected to contain only business related materials and had therefore been accessed legitimately.
  • The employer operated a clear internal policy prohibiting employees from using the internet for personal and non-business related reasons.
  • The case highlights the need for companies to have a clear internet and electronic communications policy and the importance of such a policy being communicated to employees.

When monitoring employees, the employer will inevitably be gathering personal data about employees and so consideration also has to be given to the provisions of the Data Protection Act 1998 (DPA). The Information Commissioner’s Office’s (ICO) Employment Practices Code, includes a section on surveillance of employees at work. In December 2014, Caerphilly County Borough Council signed an undertaking after an ICO investigation found that the Council’s surveillance of an employee, suspected of fraudulently claiming to be sick, had breached the DPA.

Compliance with the DPA will also help demonstrate that the surveillance is human rights compliant since protection of individuals’ privacy is a cornerstone of the DPA. Of course the data protection angle will bite harder when the new EU Data Protection Regulation comes into force in 2018. Failure to comply could lead to a fine of up to 20 million Euros or 4% of global annual turnover.

Act Now has a range of workshops relating to surveillance and monitoring both within and outside the workplace. Our products include a RIPA polices and procedures toolkit and e-learning modules.