RIPA Policy and Procedure Toolkit (November 2012)

Major changes to the local authority surveillance regime (under RIPA) come into force this today.

  • Local authorities will need to obtain Magistrates’ approval for all surveillance done under RIPA.
  • Directed Surveillance will be subject to a new serious crime test

For detailed discussion on the changes please see our blog:

http://actnowtraining.blog/2012/10/17/1st-november-d-day-for-council-surveillance/

Now is the time to revise your RIPA polices and procedures and make your staff aware of the new rules. Ibrahim Hasan, one of the UK’s leading writers and trainers on public sector surveillance, has developed a RIPA procedures and guidance toolkit to assist you. Why reinvent the wheel?

The toolkit includes an updated version of our previous RIPA Forms Guidance document, which was bought by over one hundred different organisations. In addition there are detailed guidance notes on deciding when surveillance is caught by RIPA, how to authorise it and what to do about surveillance which is not regulated by RIPA. The toolkit is written in straight forward language (avoiding legal jargon) and includes flowcharts to assist understanding. For more information click on the link below:

http://www.actnow.org.uk/content/116

There is a 20% discount for those who bought the previous RIPA Forms Guidance (now updated and included in this toolkit.)

Sat Nav Bad Day

In March 1998, High Court Judge Lord Justice Brown threw a claim out of court by the Police against a motorist who was caught using a Radar Detector. The Police claimed that under the Wireless Telegraphy Act of 1949, the motorist was illegally using the device. The Judge ruled that the Radar Detector did not actually receive any intelligible police information and that the Detector was only picking up the presence of radar and not any information within it. This case set a precedent and made the use of Radar Detectors legal in the UK. To over-rule this judgement, the Road Safety Act 2006 specifically bans the use of radar and laser detectors. Most drivers are happy with this situation. They know where cameras are because a fair processing notice is in place (to comply with principle 1 of the DPA) and this is usually a picture of an old fashioned camera recognised by millions. Even the mobile cameras that travel to different locations have their way of delivering an FPN although it is usually found on the web rather than in situ.

So we’re relatively happy. We know where all the speed cameras are and we see them in map books, on the net; We hear about mobile cameras on local radio and TV and we’re cool about it. We buy our TomToms and justify using them saying “it’s just an electronic version of publicly available database”. Then we go to France on holiday.

Since decree n°2012-3 was introduced on 3 January 2012 it has been illegal to be warned about the position of fixed or mobile speed cameras while you are driving in France. If your sat nav has this function and you continue to use the service, you risk a fine of up to €1500. Even if the device is switched off and not operational the possession of such witchcraft is the work of the devil. Ken Russell would have loved to have made a film about it. Good old data subjects from Blighty being thwarted by sneaky foreigners not even bothering to use Schedule 2 (6) just ignoring the rights of individuals and worse disapplying the Subject Information Provisions.

Initially this sounds quite tough. There have been discussions on the web, advice from motoring lobbys and horror stories of motorists having their boot searched by a bold gendarme emerging triumphantly from black plastic sacks of dirty washing with an old device and demanding instant payment of a fine. There is also the other view that the law is unenforceable; that Gendarmes cannot search for satnavs, cannot operate them if they see one as it is technically a computer and their common law powers don’t extend to interrogating them, they cannot check your smart phone for that app you downloaded for free…

The truth naturally lies in the middle. There’s been discussions between french satnav manufacturers and government (one french firm feared 2,000 job losses) and they’ve come up with a concept of danger zones. Instead of listing cameras they list danger zones where there may be a hazard (such as a level crossing or a school or where people might speed) and the satnav can issue a warning of the danger.

The french authorities meanwhile are pushing ahead with a programme of taking down existing signs warning of cameras; they are setting up new cameras and not telling drivers where they are and generally acting very french. Pah! I spit on your schedule 2 requirement.

Other solutions suggested in hyperspace include modifying your satnav camera POIs and labelling them lay bys. (or transport caffs); Registering your car in Lithuania; Buying your next satnav from France and specifying UK maps…(although we did hear that french spoken instructions interpret M25 as Monsieur Vingt Cinq) or exploring Germany which has excellent weissbier and many ancient castles.

Glossary.

A speed camera is un radar (pronounced rad – ah).
A satnav is a GPS (pronounced shay pay ess)
Zones of danger – zits noirs
Breathalyser is un alcooltest (did we forget to tell you that by law you must carry two of these in your car as well as a dayglo yellow vest for each passenger)

Useful phrases

  • Bordelle de merde, espece de radar
  • Fer cryin’ out loud a bloody speed camera
  • Est-ce qu’il y a une brasserie independante dans ce trou a rat, j’ai envie d’une biere?
  • Please direct me to a real ale pub if you have one in this dump of a town.
  • Va te faire cuire un oeuf, sale gendarme.
  • I don’t agree with you officer.

Bonnes Vacances!

1st November: D-Day for Council Surveillance

1st of November 2012 will see big changes in the way local authorities carry out surveillance under Regulation fo Investigatory Powers Act 2000 (RIPA):

1. Magistrates’ Approval for all Surveillance

Sections 37 and 38 of the Protection of Freedoms Act 2012 amends RIPA so as to require local authorities to obtain the approval of a Magistrate for the use of any one of the three covert investigatory techniques available to them under RIPA; namely Directed Surveillance, the deployment of a Covert Human Intelligence Source (CHIS) and accessing communications data. Click on the links below for more

Details of the new legal provisions

How to apply for Magistrates’ approval

RIPA Policy and Procedures Toolkit

2. New Serious Crime Test for Directed Surveillance

From 1st November 2012, local authority Authorising Officers may not authorise Directed Surveillance unless it is for the purpose of preventing or detecting a criminal offence which punishable by a maximum term of at least 6 months of imprisonment (subject to exceptions).

Details of the new test

Will councils still be able to do surveillance for “minor offences”?

Read my view here

How Act Now Can Help

1. New procedures and guidance will have to be issued – see our RIPA Policy and Procedures Toolkit

2. Officers will need to be made aware of the new procedures. See our training courses. If you would like customised in house training, please get in touch.

I hate my boss, I’m drunk, E’s are good and here’s my new mobile.

A delegate on a recent course after an animated discussion on social networking  sent us the following link to “We know what you’re doing… A social networking privacy experiment by Callum Haywood“.

To use the words of the site All data is pulled directly from Facebook, it is not censored, and it is publicly accessible via the Graph API” . In other words the site ‘reads’ status updates which are publicly accessible from Facebook and if they meet the right criteria it categorises them into the following 4 groups:

  • Those who ‘hate their boss’ (and are likely to get fired)
  • Those who are hungover
  • Those who use drugs or condone the use of drugs
  • Those who have a new phone number and have listed it publicly online

Some are fairly anonymous and private but now and again you do get enough information to track some one down with some low level googling. Here’s the link. Watch the video as well.

http://www.weknowwhatyouredoing.com/

 

New RIPA Procedure Guidance: Magistrates’ Approval

Chapter 2 of Part 2 of the Protection of Freedoms Act 2012 (sections 37 and 38) comes into force on 1st November 2012. This changes the procedure for the authorisation of local authority surveillance under the Regulation for Investigatory Powers Act 2000 (RIPA).

From 1st November local authorities will be required to obtain the approval of a Justice of the Peace (JP) for the use of any one of the three covert investigatory techniques available to them under RIPA namely Directed Surveillance, the deployment of a Covert Human Intelligence Source (CHIS) and accessing communications data.

An approval is also required if an authorisation to use such techniques is being renewed. In each case, the role of the JP is to ensure that the correct procedures have been followed and the relevant factors have been taken account of. There is no requirement for the JP to consider either cancellations or internal reviews.For a full explanation of the 2012 Act and the new section 37 and 38 of RIPA read my article.

Home Office Guidance

The Home Office has now published its RIPA Magistrates’ Approval Guidance both for local authorities and the Magistrates’ Court. This guidance is non-statutory but provides advice on how local authorities can best approach these changes in law and the new arrangements that need to be put in place to implement them effectively.  It is supplementary to the legislation and to the two statutory Codes of Practice.

The New Magistrates’ Approval Process

  1. The first stage will be to apply for an internal authorisation in the usual way. Once it has been granted, the local authority will need to contact the local Magistrates Court to arrange a hearing.
  2. The hearing is a ‘legal proceeding’ and therefore local authority officers need to be formally designated to appear, be sworn in and present evidence or provide information as required by the JP. It is envisaged that the investigating officer will be best suited to fulfill this role. The local authority may consider it appropriate for the SPoC (Single Point of Contact) to attend for applications involving communications data.
  3. The local authority will provide the JP with a copy of the original RIPA authorisation or notice.  This forms the basis of the application to the JP and should contain all information that is relied upon. In addition, the local authority will provide the JP with two copies of a partially completed judicial application/order form (which is included in the Home Office Guidance).
  4. The hearing will be in private and heard by a single JP who will read and consider the RIPA authorisation or notice and the judicial application/order form.  He/she may have questions to clarify points or require additional reassurance on particular matters.  The forms and supporting papers must by themselves make the case.  It is not sufficient for the local authority to provide oral evidence where this is not reflected or supported in the papers provided.
  5.  The JP will consider whether he or she is satisfied that at the time the authorisation was granted or renewed or the notice was given or renewed, there were reasonable grounds for believing that the authorisation or notice was necessary and proportionate.  He/She will also consider whether there continues to be reasonable grounds.  In addition they must be satisfied that the person who granted the authorisation or gave the notice was an appropriate designated person within the local authority and the authorisation was made in accordance with any applicable legal restrictions, for example that the crime threshold for directed surveillance has been met (see below).
  6.  The order section of the above mentioned form will be completed by the JP and will be the official record of the his/her decision.  The local authority will need to retain a copy of the form after it has been signed by the JP.

The JP may decide to –

  • Approve the grant or renewal of an authorisation or notice

The grant or renewal of the RIPA authorisation or notice will then take effect and the local authority may proceed to use the technique in that particular case. The local authority will need to provide a copy of the order to the communications service provider (CSP), via the SPoC (Single Point of Contact), for all CD requests.

  • Refuse to approve the grant or renewal of an authorisation or notice

The RIPA authorisation or notice will not take effect and the local authority may not use the technique in that case.  Where an application has been refused the local authority may wish to consider the reasons for that refusal.  For example, a technical error in the form may be remedied without the local authority going through the internal authorisation process again.  The local authority may then wish to reapply for judicial approval once those steps have been taken.

  • Refuse to approve the grant or renewal and quash the authorisation or notice

This applies where a Magistrates’ court refuses to approve the grant, giving or renewal of an authorisation or notice and decides to quash the original authorisation or notice.The court must not exercise its power to quash that authorisation or notice unless the applicant has had at least two business days from the date of the refusal in which to make representations.

Appeals

A local authority may only appeal a JP’s decision on a point of law bymaking an application for judicial review in the High Court. The Investigatory Powers Tribunal (IPT) will continue to investigate complaints by individuals about the use of RIPA techniques by public bodies, including local authorities.  If, following a complaint to them, the IPT finds fault with a RIPA authorisation or notice it has the power to quash the JP’s order which approved the grant or renewal of the authorisation or notice. It can also award damages if it believes that an individual’s human rights have been violated by the public authority doing the surveillance.

Plan Now

Local authorities should Act Now to ensure they are ready for the new procedure. They should:

  1. Train staff – All investigators and authorising officers need to know about the new process. Those who will be attending court need to be trained in completing the new judicial application/order form.
  2. Designate staff who will be attending the Magistrates Court – The usual procedure would be for local authority Standing Orders to designate certain officers( including SPoCs) for the purpose of presenting RIPA cases to JPs under section 223 of the Local Government Act 1972.  A pool of suitable officers could be designated before 1st November and adjusted as appropriate throughout the year.
  3. Amend the RIPA Policy and Procedures to reflect the new process.

New Serious Crime Test The Regulation of Investigatory Powers (Directed Surveillance and Covert Human Intelligence Sources) (Amendment) Order 2012, SI 2012/1500  (“the 2012 Order”), was made on 11 June 2012 and will also come into force on 1 November 2012. Directed Surveillance will be made subject to a new Serious Crime Test. The days of councils authorising surveillance for dog fouling and littering will soon be over. More information here

Act Now can help you prepare for the new RIPA process. We have a new RIPA Policy and Procedures Toolkit as well as courses throughout the UK.

 If you would like advice on what needs to be done or customised in house training, please get in touch.

Mind the (Surveillance) Gap!

Before the 2010 election, both coalition parties made a big thing about “rolling back the Surveillance State.” They announced in the Coalition Agreement:

 “We will ban the use of powers in the Regulation of Investigatory Powers Act (RIPA) by councils, unless they are signed off by a magistrate and required for stopping serious crime.”

The first part of this commitment has been enacted via sections 37 and 38 of the Protection of Freedoms Act 2012 . This amends the Regulation of Investigatory Powers Act 2000 (RIPA) so as to require local authorities to obtain the approval of a Magistrate for the use of any one of the three covert investigatory techniques available to them under RIPA; namely Directed Surveillance, the deployment of a Covert Human Intelligence Source (CHIS) and accessing communications data. (Read our blog post for more on this requirement, which comes into force on 1st November).

The second part of the Coalition’s commitment also comes into force on the same day in the form of The Regulation of Investigatory Powers (Directed Surveillance and Covert Human Intelligence Sources) (Amendment) Order 2012, SI 2012/1500 (“the 2012 Order”).  This amends the Regulation of Investigatory Powers (Directed Surveillance and Covert Human Intelligence Sources) Order 2010, SI 2010/521 (“the 2010 Order”).

From 1st November 2012, local authority Authorising Officers may not authorise Directed Surveillance unless it is for the purpose of preventing or detecting a criminal offence and it meets the condition set out in New Article 7A(3)(a) or (b) of the 2010 Order. Those conditions are that the criminal offence which is sought to be prevented or detected is punishable, whether on summary conviction or on indictment, by a maximum term of at least 6 months of imprisonment, or would constitute an offence under sections 146, 147 or 147A of the Licensing Act 2003 or section 7 of the Children and Young Persons Act 1933 (offences involving sale of tobacco and alcohol to underage children).

The Government’s aim in passing the 2012 Order is explained in paragraph 7.2 of the explanatory memorandum :

“The additional restriction that is imposed through this statutory instrument on authorisations of directed surveillance by local authorities is imposed in response to public concern that some local authorities have used directed surveillance in trivial cases such as littering, dog control and school admission. This statutory instrument discharges a Government commitment to prevent local authority use of directed surveillance under RIPA unless required for the purposes of preventing or detecting the more serious kinds of criminal offences which local authorities investigate.”

Whilst the 2012 Order will certainly restrict councils authorising Directed Surveillance under RIPA, can it completely stop them doing covert surveillance when investigating “minor offences”? I do not think so.

RIPA is there to ensure that certain types of covert surveillance undertaken by public authorities is done in such as is human rights compliant. This is done through a system of (until now) internal authorisation from a senior officer. RIPA is permissive legislation. Authorisation under RIPA affords a public authority a defence under Section 27 i.e. the activity is lawful for all purposes. However, failure to obtain an authorisation does not make covert surveillance unlawful. Section 80 of RIPA states:

“Nothing in any of the provisions of this Act by virtue of which conduct of any description is or may be authorised by any warrant, authorisation or notice, or by virtue of which information may be obtained in any manner, shall be construed—

(a)as making it unlawful to engage in any conduct of that description which is not otherwise unlawful under this Act and would not be unlawful apart from this Act;

(b)as otherwise requiring—

(i)the issue, grant or giving of such a warrant, authorisation or notice, or

(ii)the taking of any step for or towards obtaining the authority of such a warrant, authorisation or notice,

before any such conduct of that description is engaged in; or

(c)as prejudicing any power to obtain information by any means not involving conduct that may be authorised under this Act.”

This point was explained more fully by the Investigatory Powers Tribunal in the case of C v The Police (Case No: IPT/03/32/H 14th November 2006 ):

Although RIPA provides a framework for obtaining internal authorisations of directed surveillance (and other forms of surveillance), there is no general prohibition in RIPA against conducting directed surveillance without RIPA  authorisation. RIPA does not require prior authorisation to be obtained by a public authority in order to carry out surveillance. Lack of authorisation under RIPA does not necessarily mean that the carrying out of directed surveillance is unlawful.

In making the 2012 Order, the Government has forgotten to do anything about section 80 of RIPA. They should have repealed or amended it in some way to achieve their aim. Section 80 means that the changes in the 2012 Order will not make surveillance for dog fouling and littering unlawful. All it will mean is that in such cases surveillance will not have the protection of RIPA (the defence in section 27). Local authorities will still be able use covert surveillance for such purposes as long as it is necessary and proportionate in accordance with Article 8 of the European Convention on Human Rights (right to privacy).

This point is made by the Chief Surveillance Commissioner in last year’s annual report (2010/2011):

“The higher threshold in the proposed legislation will reduce the number of cases in which local authorities have the protection of RIPA when conducting covert surveillance; it will not prevent the use of those tactics in cases where the threshold is not reached but where it may be necessary and proportionate to obtain evidence covertly and there will be no RIPA audit trail. Part I of RIPA makes unauthorised interception unlawful. In contrast, Part II makes authorised surveillance lawful but does not make unauthorised surveillance unlawful.”

In his latest annual report (2011/2012) he again acknowledges (at paragraph 5.22) that there is a gap in the law which allows public authorities to undertake covert surveillance (as long as it is human rights compliant) even though it may not be authorisable under RIPA:

“I occasionally encourage the use of similar authorisation mechanisms for activity which cannot be protected by the Acts (for example where covert techniques are used to identify a missing person when no crime is suspected). In these circumstances statutory definitions are met but none of the grounds specified in RIPA section 28(3) or RIP(S)A section 6(3), yet the human rights of the subject of surveillance must be considered. The authorisation process provides a useful audit of decisions and actions.”

So when the 2012 Order comes into force, we will have a void up to the 6 month threshold where Directed Surveillance will not be authorisable under RIPA but may still be desired to be undertaken by investigating officers. What to do? From the above it seems that surveillance can be done as long as it is necessary and proportionate and a proper paper audit trail exists. It may be a good idea to complete a “Non-RIPA authorisation form.” (We have one in our RIPA Policy and Procedure Toolkit).

Will local authorities decide to do “Non-RIPA Surveillance”? Many of the delegates on our training courses have said that they will. This does go against the will of the Government and the purpose behind the changes, BUT it is lawful.

So the question is – “No six month threshold but a need to do surveillance – Should you?”I would welcome colleagues’ thoughts. Please feel free to use the comment field below.

Act now can help you prepare for the new RIPA process. Our training courses run throughout the UK. If you would like customised in house training, please get in touch.

 

Judicial Approval for Council Surveillance

The Commencement Order for, amongst other things, the RIPA provisions within the Protection of Freedoms Act 2012 has now been made. This means that from 1st November 2012 all local authority surveillance will require judicial approval.

Chapter 2 of Part 2 of the 2012 Act (sections 37 and 38) amends the Regulation of Investigatory Powers Act 2000 (RIPA) so as to require local authorities to obtain the approval of a Magistrate for the use of any one of the three covert investigatory techniques available to them under RIPA namely Directed Surveillance, the deployment of a Covert Human Intelligence Source (CHIS) and accessing communications data. An approval is also required if an authorisation to use such techniques is being renewed. In each case, the role of the Magistrate is to ensure that the correct procedures have been followed and the relevant factors have been taken account of. The new provisions allow the Magistrate, on refusing an approval of an authorisation, to quash that authorisation.

For a full explanation of the new provisions click here

Note that 1st November also sees Directed Surveillance being made subject to a new Serious Crime Test. More information here

These provisions will be examined in our forthcoming RIPA update workshops. We also have a new RIPA Policy and Procedure Toolkit which will help.

Please get in touch if you would like customised in house training  on any aspects of the Act.

UPDATE (13/9/12)

The New Criminal Procedure Rules 2012 (coming into force on 1st October) provide more details about the procedure for seeking magistrates’ approval:

http://www.legislation.gov.uk/uksi/2012/1726/part/6/crossheading/6/made

We are still waiting though for the detailed guidance from the Home Office.

The 2012 Surveillance Commissioner Report

By Steve Morris

The Office of Surveillance Commissioners published its 2012 annual report (covering the period from 1st April 2011 to 31st March 2012) on 14th July 2011. The report details statistics relating to the use of Part 2 of RIPA by public authorities and information about how OSC conducts its oversight role. It highlights some important issues such as:

  • Collaborative Working – Departments, teams and various units within several authorities are pooling resources but then not obtaining authorisations and keeping records in relation to a proper designated authority (Sec 5.7)
  • There is a lack of awareness of what constitutes a CHIS and there is a likelihood that public authorities might have unauthorised CHIS activity being undertaken (Sec 5.14)
  • Authorising Officers are not making adequate provision for destruction of product that is collateral intrusion or of no value to the operation (Sec 5.16)
  • Some ‘open source’ internet research is being conducted which may actually meet the criteria of Directed Surveillance and therefore require authorisation (Sec 5.17)
  • Where there is an invasion of privacy and RIPA does not apply, due to all conditions not being met, then the OSC recommends use of the authorisation mechanism where Article 8 issues (privacy) should be considered (Sec 5.22)
  • ACPO (Association of Chief Police Officers) is reviewing the authorisation forms and it will also report on form redesign (Sec 5.25)

Our RIPA Courses already address these issues. Future courses are also being revised to take account of other recently announced changes affecting local authorities:

  • The Protection of Freedoms Act 2012 which received Royal Assent on 1st May 2012. The RIPA provisions in this Act are yet to come into force but when they do they will require local authorities to have all their RIPA surveillance authorisations (i.e. Directed Surveillance, CHIS and the acquisition of Communications Data) approved by a Magistrate before they take effect (Read more here).
  • From 1st November 2012, local authorities will face severe restrictions upon the grounds for which they can authorise Directed Surveillance under the RIPA. The days of local authorities being able to use surveillance powers to tackle dog fouling and littering offences will soon be over (Read more here).
  • The Communications Data Bill and the changes it will make to the communications data access regime (currently under Part 1 of Chapter 2 of RIPA)

Steve Morris is a former police officer who delivers our RIPA Courses as well as a course on Internet Investigations

Quantum Personal Data

It has been clear for some time that personal data leads a somewhat schizophrenic existence. So identical photographs can be personal data in the hands of the police, but not in the hands of a journalist. See the example on page 11 of the Information Commissioner’s technical guidance  “Determining what is personal data”, which leads him to conclude that “the same piece of data may be personal data in one party’s hands while it may not be personal data in another party’s hands”.

However it also now seems possible that determining whether something is personal data depends on what question you ask, even for the same data held by a single data controller. “Is this exempt from disclosure under FOI?” or “Is this disclosable to an applicant who makes a subject access request (SAR)?”. Like poor Schrödinger’s cat , until the question is posed the data may exist in an indeterminate ‘superposition of states’.  Similarly the answer to the first question may vary depending on whether the applicant was involved in the matter.

In a recent flurry of Decision Notices, of which FS50426097 is a typical example, the Information Commissioner (IC) asked the FOI question. The complainant had made a prior request to the police for detailed information about a forensic service provider, its machines and procedures. Subsequently, the applicant made a request for “any documentation in relation to communication with any third party in respect of the questions contained in my original FOIA request”. After internal review and upheld by the Information Commissioner in this and related decisions the police relied on s40(5)(a) and declined to confirm or deny whether it held the material, on the basis that if it did, it would be the personal data of the complainant. In effect saying that the complainant should have made an SAR, and presumably pay £10 for the privilege.

As the IC observed (my emphasis) “After careful consideration of the wording of the request, the Information Commissioner is satisfied that the complainant is, or would be, the subject of all of the information requested.” He concluded therefore that the authority was not required to comply with the obligation to confirm or deny whether it held the information, since this would itself involve the disclosure of personal data about the complainant – the s40(5)(a) exemption. Note that the IC appears to have made no examination of the information held, which appears to go against normal practice. There are a number of cases where authorities and their FOI officers have been criticised by the IC for making decisions on disclosure without ever looking at the material held.

Be that as it may, what will happen when the complainant, as it appears he has, makes his SAR? Pragmatically, having taken its stance and fee, the authority may well supply the requested information, subject to possibly removing any other person’s personal data under s7(4) Data Protection Act 1998. But step back a minute and assume that the police actually deal with the SAR in accordance with the strict legal position. What personal data is there ? Certainly information which identifies the complainant as the maker of the original FOI request. But what about all the content? The FOI request was not about a personal issue at all. The bulk of the material relating to such a request, particularly if dealt with on an applicant blind basis, will surely be about enquiries into what information was held, directly or on behalf of the authority, or about whether any such material (if it existed) was possibly exempt. That cannot be the personal data of the applicant even if, as the police indicated, it was “contained within files which are stored by reference to the applicant’s name”.

This would seem in SAR terms to be a classic Durant situation. To paraphrase Auld LJ from paragraphs 30-31 of the Durant judgement:

Just because the authority’s response to the request emanated from an FOI request by the complainant does not render information obtained or generated by that request, without more, his personal data. For the same reason, either on the issue as to whether a document contains “personal data” or as to whether it is part of a “relevant filing system”, the mere fact that a document is retrievable by reference to his name does not entitle him to a copy of it under the Act. In short the complainant does not get to first base in his claim against the authority because most of the further information sought, whether in computerised form or in manual files, is not his “personal data” within the definition in section 1(1). It is information about his FOI request and the objects of them, the authority and the forensic service provider respectively.

Now of course it may be that there is more personal data than this, particularly if the internal response to the request, ignoring the applicant blind principle, has focussed on the complainant, rather than the request, but the IC is in no position to make that judgement if he decides on the basis of the wording of the request, rather than a consideration of the information held. Possibly, considering the history of the complainant, the IC has assumed the purpose of the request is to find out how the authority was dealing with him, but there is no objective basis for that assumption.

A contrasting situation arises in the April 2012 Tribunal case of Efifiom Edem v IC . The Tribunal sought to apply the Durant criteria strictly in an FOI case. I will gloss over here the rather alarming addition of the word “adversely” to the Durant consideration of whether the processing affects someone’s privacy (paragraph 34), but would point out that if Edem is correctly decided it severely limits the ability of staff to access their ‘personal data’ under an SAR, as much of what may have been thought to be personal is not so, in fact . But for present purposes there is a huge gulf between the approach in Edem and in  FS50426097. Imagine for a moment that it was a third party, not the complainant, who made the second FOI request in  FS50426097 i.e. it was  typical meta-request about the handling of someone else’s earlier request. I do not believe for one moment one could argue that this request would fail under s40(2) as responding would disclose the personal data of the complainant. At worst the authority would redact the complainant’s identity and supply the rest of the information, and if that is done, the application of s40(5)(a) as a blanket when the complainant makes the request cannot be correct.

The definition of personal data is tricky enough as it is, but if the IC and Tribunal continue to determine the result based on the nature of the enquiry, data protection and FOI teams face some impossible dilemmas.

Philip Bradshaw is a former solicitor and local authority data protection officer. He now delivers our information law courses in Cardiff.

The Communications Data Bill: What Councils Need to Know

The Draft Communications Data Bill was laid before Parliament on 14th June 2012. The Bill provides an updated framework for ensuring the availability of communications data and its obtaining by public authorities. It will replace the communications data provisions within the Regulation of Investigatory Powers Act 2000 (RIPA).

The most controversial aspects of the Bill will enact proposals, announced in the Queen’s Speech in May, which will require Internet firms to give the Police, the Serious and Organised Crime Agency, the Intelligence Agencies and HM Revenue and Customs access to a wider range of communications data on demand and, in some cases, in real time. The Home Office says  that they are updating the law “in terms of social media and new devices”. Without action they say that there is a growing risk that crimes enabled by email and the Internet will go undetected and unpunished. However civil liberties groups, as well as Internet Service Providers have voiced concerns about the Bill from a privacy and technical perspective. See my previous blog entry  for a discussion about these concerns.

But what effect will the new Bill have on local authorities?

The Bill will replace Part 1 Chapter 2 of RIPA. Sections 21 to 25 of RIPA (and the Regulation of Investigatory Powers (Communications Data) Order 2010 (SI 2010/480)) currently set out who can access what type of communications data and for what purposes. This includes the police and security services as well as councils, government departments and various quangos. RIPA restricts access to the different types of communications data depending on the nature of the body requesting it and the reason for doing so.

The definition of “communications data” includes information relating to the use of a communications service (e.g telephone, internet and postal service) but does not include the contents of the communication itself.  Such data is broadly split into three categories: “traffic data” i.e. where a communication was made from, to whom and when; “service data” i.e. the use made of the service by any person e.g. itemised telephone records; “subscriber data” i.e. any other information that is held or obtained by an operator on a person they provide a service to.

Some public bodies already get access to all types of communications data e.g. police, security service, ambulance service, customs and excise. Local authorities are restricted to subscriber and service use data and even then only where it is necessary for the purpose of preventing or detecting crime or preventing disorder.

At present access to communications data is done on a system of self authorisation. There are forms to complete ((signed by a senior officer) and  tests of necessity and proportionality to satisfy. Notices have to be served on the service provider requesting the data.

The new Bill will broadly replicate the current system for accessing communications data by local authorities. There is no provision to widen the scope of the information available to councils or the grounds for doing so (unlike the police and law enforcement agencies mentioned above). However the Bill does replicate the changes to the local authority RIPA regime to be made by Protection of Freedoms Act 2012. In the future all local authority surveillance activity under RIPA, including a request for communications data (however minor), will have to be approved by a Magistrate. (See my earlier Blog Post for more detail about the 2012 Act.)

The Bill also implements a recommendation in the RIPA Review published by the Home Office on 26th January 2011.  This stated that the range of non-RIPA legislative frameworks by which communications data can in principle be acquired from Communication Service Providers “should be streamlined to ensure that as far as possible RIPA is the only mechanism by which communications data can be acquired.”

Clause 24 introduces Schedule 2 to the Bill which repeals certain general information powers so far as they enable public authorities to secure the disclosure by a telecommunications operator of communications data without the consent of the operator. This includes powers under the Trade Descriptions Act 1968, Environmental Protection Act 1990, Social Security Administration Act 1992 and the Enterprise Act 2002. Local authority officers in environmental health, trading standards and benefit fraud departments, who may not be have been using RIPA to gain access to communications data previously, will now need to get to grips with a new regime.

The Communications Data Bill will be subject to scrutiny by a joint parliamentary committee before the effort to bring the measures through Parliament and into law begins in earnest.  This comes on top of other recently announced changes to the criteria for local authority to authorise Directed Surveillance under Part 2 of RIPA.  The Home Office will have to issue a new code of practice and standard forms which Investigating Officers and their legal advisers will have to familiarise themselves with.

We have a series of courses on RIPA and Surveillance which cover all the recent changes to the RIPA regime including the Protection of Freedoms Act 2012. We also have a range online courses.