DPA – Your Front Page For Information Governance News

Supreme Court Rules on the Legality of Sharing Personal Data with the United States

bill-oxford-udXD2NrbXS8-unsplash

Could a recent Supreme Court decision on information sharing lead to “terrorists” escaping justice? Part 3 of the Data Protection Act 2018 (DPA) regulates the processing of personal data for law enforcement purposes by Competent Authorities which includes, amongst others, government departments and the police.

The case of Elgizouli (Appellant) v Secretary of State for the Home Department (Respondent) [2020] UKSC 10 is interesting because it examines the application of GDPR’s less well-known cousin to a complex situation involving the possible extradition of alleged terrorists to the United States. The Supreme Court ruled that the UK acted unlawfully by personal data with the US that could lead to the execution of two British citizens accused of being part of an Islamic State murder squad known as “The Beatles”. Seven justices concluded that the decision in 2018 by the Home Secretary breached Part 3 of the DPA.

Background

Shafee Elsheikh and Alexander Kotey are currently in US custody in Iraq having been linked to 27 murders in Syria carried out by “The Beatles”. In June 2015, the US made a mutual legal assistance (MLA) request to the UK in relation to an investigation into the activities of that group. The then Home Secretary, Sajid Javid, requested an assurance that any information the UK supplied would not be used by the US, directly or indirectly, in a prosecution that could lead to the imposition of the death penalty on the two men. The US refused to provide this assurance and, in June 2018, Mr Javid agreed to provide the information anyway.

Elsheikh’s mother, Maha Elgizouli, challenged (by way of judicial review) the Home Secretary’s decision to share that information with the US, not to prevent him from being prosecuted and jailed but, to protect him from the death penalty. Her claim was dismissed by the High Court, which certified two legal questions of public importance for the Supreme Court to answer:

Whether it is unlawful for the Secretary of State to exercise his power to provide an MLA so as to supply evidence to a foreign state that will facilitate the imposition of the death penalty in that state on the individual in respect of whom the evidence is sought.
Whether (and if so in what circumstances) it is lawful under Part 3 of the DPA, as interpreted in the light of relevant principles of EU data protection law, for law enforcement authorities in the UK to transfer personal data to law enforcement authorities abroad for use in capital criminal proceedings.

The Judgement

The Supreme Court allowed the appeal. Most of the Justices dismissed the challenge brought under the common law (question 1 above) to the Home Secretary’s decision but they unanimously held that the decision failed to comply with part 3 of the DPA (question 2). Data Protection professionals, especially those in law enforcement agencies, will be particularly interested in the court’s analysis of the rules relating to international transfers, as set out in Chapter 5 of the DPA

Section 73 of the DPA, like Article 49 of the GDPR, prohibits transfers of personal data to a third country unless a number of conditions are met. Condition two is that the transfer :

“(a) is based on an adequacy decision (see section 74),

(b) if not based on an adequacy decision, is based on there being appropriate safeguards (see section 75), or

(c) if not based on an adequacy decision or on there being appropriate safeguards, is based on special circumstances (see section 76)”

The court noted that the transfer in question was not based on an adequacy decision; nor was it based on appropriate safeguards which are set out in Section 75(1):

“A transfer of personal data to a third country or an international organisation is based on there being appropriate safeguards where—

(a) a legal instrument containing appropriate safeguards for the protection of personal data binds the intended recipient of the data, or

(b) the controller, having assessed all the circumstances surrounding transfers of that type of personal data to the third country or international organisation, concludes that appropriate safeguards exist to protect the data.”

The lawfulness of the transfer therefore stands or falls on the “special circumstances” condition in section 73. This will only apply, according to section 76, if the transfer is necessary for any of the following five purposes:

“(a) to protect the vital interests of the data subject or another person,

(b) to safeguard the legitimate interests of the data subject,

(c) for the prevention of an immediate and serious threat to the public security of a member State or a third country,

(d) in individual cases for any of the law enforcement purposes, or

(e) in individual cases for a legal purpose.”

The court ruled that a transfer on the basis of special circumstances can only occur following an assessment of what is strictly necessary. Such an assessment was not made by the Home Secretary before sharing the information with the US. Hence the transfer was unlawful. Lord Carnwath said:

“The decision was based on political expediency, rather than consideration of strict necessity under the statutory criteria.”

Furthermore, in relation to the special circumstances gateway, section 76(2) states:

“Subsection (1)(d) and (e) do not apply if the controller determines that fundamental rights and freedoms of the data subject override the public interest in the transfer”.

Lady Hale found that these “fundamental rights and freedoms” include the rights protected by the European Convention on Human Rights, the most fundamental of which is the right to life. This points towards an interpretation of section 76(2) which, even if an assessment had been made, would not allow the transfer of personal data to facilitate a prosecution which could result in the death penalty for UK citizens.

So there you have it; a very careful analysis by the Supreme Court of the international transfer provisions under Part 3 of the DPA. There must now be a further court decision over what the UK must do to comply with the law, including potentially asking the US to return the shared information. This could lead to the two individuals in question avoiding extradition to the US where they would, if convicted, face the death penalty. Of course, the UK government can still bring them back to the UK to face justice.

This and other developments will be discussed in our forthcoming information law webinars. We have created a policy pack containing essential document templates to help you meet the requirements of Part 3 of the DPA 2018.

A Matter of Priorities: FOI and DP Deadlines in a Pandemic

Photo by Oladimeji Ajegbile on Pexels.com

Responding to the Covid-19 pandemic is stretching our public services. Most obviously the NHS is diverting all the resources it can to meeting critical health needs. But local authorities are also struggling to maintain vital services in the face of unprecedented demands and staff who, if not already ill and self-isolating, are obliged to comply with social distancing measures. Other public authorities are facing logistical challenges in maintaining services and some are even having to put some staff on HMRC-funded furlough.

In such challenging circumstances, where does dealing with information requests under Freedom of Information and DataProtection laws sit in the scheme of priorities? Many authorities who are fortunate enough to have staff dedicated to handling FOI requests or data subject access requests will have re-tasked them to undertake more business-critical roles. Where staff have information request handling as only part of their role, other more pressing duties are likely to trump FOI and DP timescales. And where staff are working from home and access to premises either discouraged or forbidden, manual records may remain inaccessible for weeks or months to come. Where requests are made by post, they may be delivered to offices which will not be staffed for some time.

The response of the Scottish Government has been robust. On 1 April 2020, the Scottish Parliament passed the Coronavirus (Scotland) Bill which, while retaining the statutory requirement to “respond promptly”, extends the timescale for responding to requests under the Freedom of Information (Scotland) Act 2002 from twenty to sixty working days. Moreover, Part 2 of Schedule 6 provides a mechanism for the Scottish Ministers to allow Scottish public authorities to extend the timescale, subject to providing written notice to the applicant, by a further forty working days, where the authority “determines that it is not reasonably practicable to respond to the request within the relevant period because of… (a) the volume and complexity of the information requested, or (b) the overall number of requests being dealt with by the authority at the time that the request is made.”

The emergency legislation also allows the Scottish Information Commissioner to find that a public authority has not failed in their duties under FOISA if he is satisfied that the failure to respond within timescales was due to the impact of coronavirus and reasonable in the circumstances. The Scottish Information Commissioner for his part is keen to remind public authorities that their duty to respond promptly remains, that the measures are temporary, and that they do not extend to the Environmental Information (Scotland) Regulations 2004 (EISR).

Of course, the Scottish Parliament cannot legislate with regard to data protection (where EU and UK legislation applies) nor can it amend the timescales for requests under the EISR as they implement the obligations of the Aarhus Convention. But as far as they can do so, the Scottish Government and Parliament have sought to relax the demands of information requests in the face of the pandemic.

For data subject access requests under GDPR (or s 45 of the Data Protection Act 2018 where they relate to law enforcement processing) and requests under the Freedom of Information Act 2000, there is no relaxation of the law. This was despite the call to do so from some quarters, including the Local Government Association who called on Parliament to include measures “temporarily relaxing the requirements on councils in regard to GDPR and FOI”. We rely instead on flexibility from the Information Commissioner as regulator.

While the UK Government did not take the opportunity of the Coronavirus Act to take extend time limits(and would be unable to do so in any case with regard to GDPR as we are still in the transition period), the ICO has made clear they will not penalise organisations who have made understandable decisions to prioritise other tasks. As they state on their website, “We are a reasonable and pragmatic regulator, one that does not operate in isolation from matters of serious public concern. Regarding compliance with information rights work when assessing a complaint brought to us during this period, we will take into account the compelling public interest in the current health emergency.”

Organisations should therefore be reassured that they are unlikely to face official censure or significant public criticism if they make reasonable decisions to prioritise other tasks to protect and serve the public ahead of normal levels of service for FOI requests and subject access requests. If your organisation, almost inevitably, is finding it difficult to meet the timescales at this difficult time, we would suggest you take a common-sense and measured approach:

Make a record of your decisions to re-allocate resources from handling information rights requests to other service-delivery priorities;
Document the practical challenges (such as inaccessibility of manual records or post, and unavailability of key colleagues) which mean that it is “reasonable in all the circumstances” that the organisation is not able to meet normal levels of performance;
Manage the expectations of applicants through your website and in your acknowledgements of requests and your automated email responses, and continue to communicate with applicants as far as you are able to do so;
At the point at which your organisation, and the rest of humanity, is beginning to recover from the Covid-19 emergency, develop and document an action plan for addressing any backlog of requests which has built up.

At Act Now, we are passionate about the importance of information rights: They are at the heart of our democracy and our human rights. But the right to life must take priority over others, and we would be the first to recognise that organisations and individuals must make decisions which put people first, particularly at a time of global emergency.

Be kind and stay safe.

More on this and other developments in our FREE GDPR update webinar. Looking for a GDPR qualification from the comfort of your home office? Our GDPR Practitioner Certificate is now available as an online option.

The Data Protection Act 2018 – Pre and Post Brexit

The Data Protection Act 2018 (DPA 2018) came into force on 25^thMay 2018, alongside the General Data Protection Regulation (GDPR). Much has been written about it, both right and wrong.

The purpose of the DPA 2018 is nicely summarised by the Information Commissioner in her blog:

“The new Act updates data protection laws in the UK, and sits alongside the General Data Protection Regulation (GDPR) … The Act implements the EU Law Enforcement Directive, as well as extending domestic data protection laws to areas which are not covered by the GDPR.”

Part 2 of the Act supplements the GDPR i.e. it fills in some of the gaps by enacting “derogations”; where Members states are allowed to make their own rules e.g. about exemptions. This part has to be read alongside the GDPR.

Chapter 3 of Part 2 applies a broadly equivalent regime to certain types of processing to which the GDPR does not apply. For example, where personal data processing is related to immigration and to manual unstructured data (held by a public authority covered by FOI). The Act applies GDPR standards to such data whilst adjusting those that would not work in the national context.

Part 3 of the Act regulates the processing of personal data for law enforcement purposes implementing the Law Enforcement Directive (EU) 2016/680. The provisions here are a cut down version of GDPR. This part will only apply to competent authorities i.e. those that process personal data for the purposes of criminal offences or threats to public security e.g. the police, trading standards departments etc.

Read a full summary of the Act here.

What will happen to the Act and indeed GDPR post Brexit? Well this depends on whether we have a deal or no deal! More on our blog post here.

Act Now’s series of workshops on the DPA 2018 are proving very popular amongst GDPR practitioners. The next course in Belfast is fully booked. Forthcoming venues include London, Edinburgh, Leeds and Manchester. Our experts will explain the Act in detail in plain English busting some myths on the way and discussing what lies ahead in the post Brexit situation.

Book early to avoid disappointment. Click on the flyer below to see what we cover on the course.

Ibrahim Hasan is a solicitor and director of Act Now Training (www.actnow.org.uk)

Section 56 is here! Oh no it isn’t! Oh yes it is!

Section 56 prevents employers from requiring people to use their subject access rights under the DPA to obtain and then provide certain records, as a condition of employment. It also prevents contracts from requiring certain records as a condition for providing or receiving a service. Section 56 does not, however, prevent such requests where the record is required by law or is justified in the public interest.

Section 56 was due to be commenced on 1 December 2014. Commencement was delayed because of a technical issue encountered when finalising arrangement for introduction. This issue has now been resolved.

Section 56 was commenced on 10 March 2015. There is a SI 2015/312, entitled, ‘The Data Protection Act 1998 (Commencement No. 4) Order 2015′.

It makes it a criminal offence to require an individual to make a subject access request and supply it to a potential employer for the purpose of obtaining or continuing in employment. It also relates to a supplier of goods, facilities and services to the public who require the production of a record to access that service. The ICO webinar suggests insurance might be such a case. They also suggest it applies to volunteers who help your organisation even they may not be in employment.

Most practitioners called it Enforced Subject Access. In November 2014 the ICO ran a webinar outlining what this means and it’s worth look. See the webinar on youtube at https://www.youtube.com/watch?v=zTYBvr-tb5U. It’s 36 minutes long so set aside a lunch hour and buy your sandwich first. It does a good job looking into all the minor points and ends up with a few good examples of how it will be used.

It’s quite a logical and straightforward concept. Why on earth would you require someone to produce their police record to progress their application for employment? Certain jobs with vulnerable people involve disclosures from the Disclosure & Barring Service and Disclosure Scotland is widely used but employers in these area know about this. Making people outside these areas obtain and produce a relevant record is clearly wrong.

There are some defences to a Section 56 charge – the usual suspects of under enactment, rule of law, court and also in the public interest but specifically excludes prevention or detection of crime from the public interest.

Now it’s time to watch the webinar, download the ICO guidance from https://ico.org.uk/for-organisations/enforced-sar/ and wait for the first case involving section 56.

Looking for a DP qualification? The Act Now Data Protection Practitioner Certificate is a practical four day course. The syllabus is endorsed by the Centre for Information Rights based at the University of Winchester.

Information Governance in Health & Social Care Conference

Act Now is pleased to announce that it will be holding a major conference in the new year on the 24th of March entitled ‘Health Now – Information Governance in Health and Social Care – Where are we now?’ Speakers from the ICO, many areas of the NHS, NADPO and Act Now will be meeting in Leeds to discuss the future of information governance and patient care.

If you work in information governance, records management, data protection, freedom of information, IT, compliance, information and compliance management, data & information management then this is for you. Over 100 delegates are expected from Local and Central Government, Health and Social Care and associated sectors.

To download your advance copy of the conference flyer click here. With a delegate fee of only £199 we expect a high demand for places. Book Now for Health Now! See our other courses for the health and social care sector here.

Definition of Personal Data: Durant Revisited

December 2013 marked the 10-year anniversary of one of Data Protection’s most notorious developments, but it came and went without any great fanfare.

It’s not really surprising that the Information Commissioner’s Office (ICO) didn’t issue a press release celebrating the Durant judgment’s birthday, as they have been quietly attempting to erase it from history. The result of a long-running dispute between a former Barclays Bank customer and the now defunct Financial Services Authority, Durant v Financial Services Authority [2003] EWCA Civ 1746 was a significant case. The Court of Appeal judges took a sharp look at the definition of personal data, what kinds of manual files are covered by subject access, and the purposes for which subject access can be used – with controversial results. I happened to speak to a former colleague at the ICO a day after Durant was published, and he described the atmosphere as ‘panic’.

Some of Durant is helpful – the judgement proposes that personal data:

“should have the putative data subject as its focus rather than some other person with whom he may have been involved or some transaction or event in which he may have figured or have had an interest”.

Those who have worked on Data Protection for a long time will have encountered the view that the mere mention of a person’s name in an email meant that they were entitled to receive it. Durant torpedoed that notion. Other elements remain contentious – the ICO has never agreed with the assertion in paragraph 27 that subject access should not be used “to obtain discovery of documents that may assist him in litigation or complaints against third parties”, The new ICO Subject Access Code rejects this notion altogether, despite the fact that the lower courts have followed the principle every since. However, Durant’s most irksome element – ‘biographical significance’ – has been put in its place by the same court that invented it.

Mr Durant sought data about the FSA’s investigation into his complaints about Barclays, and his lawyers used an expansive interpretation of ‘personal data’ to stake his claim. The FSA’s focus was on Barclays and its practices, which meant that much of the correspondence Durant wanted was about the bank. He also wanted the names of the FSA staff that had dealt with his complaint. Unfortunately, Auld LJ linked the sensible idea of focus to a notion of ‘biographical significance’ test, stating that personal data must be “information that affects [a person’s] privacy, whether in his personal or family life, business or professional capacity”. This was a complicating and potentially unhelpful development. Focus makes sense – an email in which your name is mentioned in passing may well not be about you. But biographical significance is an unnecessary and restrictive innovation.

For example, when looking at a CCTV image with a person in the centre and bystanders in the background, the idea of ‘focus’ allows you to distinguish between the obvious subject of the image and the others. But asking whether the image is biographically significant raises the possibility that a clear picture of a living, identifiable person isn’t actually personal data if it has no private connotations. Is an image of me walking down the street biographically significant? Many have adopted biographical significance as a rule of thumb, a test to apply whenever the question of personal data was raised. In the public sector, it could mean that data about people that wasn’t biographically significant could be disclosed under the Freedom of Information Act 2000 (FOI) because it wasn’t technically ‘personal data’. In the private sector, anything not ‘biographically significant’ could be legally invisible, subject to none of Data Protection’s requirements.

The ICO’s approach to Durant – after the alleged panic subsided – was initially mixed, but for quite a few years it has been consistent. As some sort of riposte to Durant, in 2007 they published technical guidance on the meaning of ‘personal data’ called ‘Determining what is personal data’ – rather than Durant’s narrow, privacy-piercing interpretation. There are few references to Durant anywhere in the ICO’s output, but the technical guidance makes clear that testing ‘biographical significance’ is far from being an automatic or necessary step – it is for borderline cases when context and common sense don’t get you to the answer.

Many data controllers have been tempted to use Durant as a way of shrinking Data Protection down to a comfortable size. Indeed, when considering FOI cases involving personal data, the First Tier Tribunal appears to see the test as an inherent part of the decision, and biographical significance is often a feature of FOISA decisions by the Scottish Information Commissioner. Nevertheless, the ICO’s 2007 interpretation of Durant is logical. LJ Auld himself said that biographical significance was a notion “that may be of assistance” rather than a fundamental key to understanding personal data. Just as important was the balance provided by Buxton LJ, who noted at the end of the judgement that the tests were “a clear guide in borderline cases”. The Durant case was – in effect – about Mr Durant’s case, and didn’t change Data Protection as much as some have suggested.

For confirmation of this, fast-forward to Edem v IC & Financial Services Authority [2014] EWCA Civ 92, a Court of Appeal decision on a different case concerning another unhappy FSA (now the Financial Conduct Authority) complainant published this month. Mr Durant wanted to use Data Protection subject access to obtain his own data, and everything connected with it. Mr Edem wanted to use FOI to find out data about other people – specifically, the names and job titles of the junior staff who had dealt with his complaint. The FSA and Information Commissioner agreed that the data was personal, and that disclosure was unfair. So far, so uncontroversial. A spanner was thrown into the works by the First Tier Tribunal, to which Mr Edem appealed the ICO Decision. Using the biographical significance test, the FTT found that names and job titles were not biographically significant, and the focus of the information sought by Mr Edem was the investigation. The Edem FTT case was like a hall of mirrors, distorting and reflecting Durant to the extent that a type of information Mr Durant couldn’t get from the FSA under DP was now available to Mr Edem under FOI.

An appeal to the Upper Tribunal restored the ICO position, and so Mr Edem went to the Court of Appeal. A few cases – mainly resulting from appeals on FOISA decisions – have gone high enough in the UK court system to challenge Durant, but all skirted Durant itself. The Edem case was different – Durant and biographical significance had to be looked at head-on. The result is good news for common sense and data subjects, but bad for anyone who wants to finagle their way out of an awkward subject access request.

Paragraph 17 of the Edem Court of Appeal case isn’t the death knell for Durant, but it’s a healthy and heavy dose of context:

“The First Tier Tribunal were wrong to apply Auld LJ’s “notions” in this case”.

When trying to work out whether a person’s name is personal data, the Court says that biographical significance is irrelevant. The question is whether the data identifies a living individual, and without any complicating or contradictory factors, the data is all you need. My name is Tim Turner, and while that’s not enough to find the bearded Act Now Trainer on the internet (there are country singers and ice hockey players and the man who played the Invisible Man in TV in the 1950s to sort through), it’s easily enough to locate information about me in any of the places I have worked. The Court of Appeal in Edem wholly endorses the ICO view of biographical significance as an occasional add-on, and uses Buxton LJ’s comments from Durant itself to back up that approach.

If it was wrong to overplay the effect of Durant, it’s equally wrong to overplay Edem. For the public sector, Durant was always blunted by the onset of FOI – if you successfully argued that data wasn’t personal data about the subject access applicant, they could always ask for it under FOI. The new judgment doesn’t give new rights to data subjects or expand Data Protection’s reach. A person who wants to use Data Protection to get access to large amounts of information to which they have some loose or stretched connection will come to grief just as Mr Durant did. But the Edem case does restore logic – data that identifies a person, even in a relatively benign or innocuous way – is personal data. The Eight DP Principles apply. Even when at work and doing mundane professional tasks, the DPA is likely to be engaged. An apparent loophole has not been closed – the Edem case simply confirms that it was a lot smaller than it may have appeared. The ICO approach is vindicated, and both the First Tier Tribunal and bloody-minded data controllers may have to think again.

Tim Turner is one of Act Now’s well-known data protection experts. He will be considering this and other latest Data Protection developments in his forthcoming DP Update workshops . Read more of Tim’s expert analysis on his blog. Readers wanting to see how the Durant case has been applied in previous decisions should read Ezsias v The Welsh Ministers (2007).

The Communications Data Bill: What Councils Need to Know

The Draft Communications Data Bill was laid before Parliament on 14^th June 2012. The Bill provides an updated framework for ensuring the availability of communications data and its obtaining by public authorities. It will replace the communications data provisions within the Regulation of Investigatory Powers Act 2000 (RIPA).

The most controversial aspects of the Bill will enact proposals, announced in the Queen’s Speech in May, which will require Internet firms to give the Police, the Serious and Organised Crime Agency, the Intelligence Agencies and HM Revenue and Customs access to a wider range of communications data on demand and, in some cases, in real time. The Home Office says that they are updating the law “in terms of social media and new devices”. Without action they say that there is a growing risk that crimes enabled by email and the Internet will go undetected and unpunished. However civil liberties groups, as well as Internet Service Providers have voiced concerns about the Bill from a privacy and technical perspective. See my previous blog entry for a discussion about these concerns.

But what effect will the new Bill have on local authorities?

The Bill will replace Part 1 Chapter 2 of RIPA. Sections 21 to 25 of RIPA (and the Regulation of Investigatory Powers (Communications Data) Order 2010 (SI 2010/480)) currently set out who can access what type of communications data and for what purposes. This includes the police and security services as well as councils, government departments and various quangos. RIPA restricts access to the different types of communications data depending on the nature of the body requesting it and the reason for doing so.

The definition of “communications data” includes information relating to the use of a communications service (e.g telephone, internet and postal service) but does not include the contents of the communication itself. Such data is broadly split into three categories: “traffic data” i.e. where a communication was made from, to whom and when; “service data” i.e. the use made of the service by any person e.g. itemised telephone records; “subscriber data” i.e. any other information that is held or obtained by an operator on a person they provide a service to.

Some public bodies already get access to all types of communications data e.g. police, security service, ambulance service, customs and excise. Local authorities are restricted to subscriber and service use data and even then only where it is necessary for the purpose of preventing or detecting crime or preventing disorder.

At present access to communications data is done on a system of self authorisation. There are forms to complete ((signed by a senior officer) and tests of necessity and proportionality to satisfy. Notices have to be served on the service provider requesting the data.

The new Bill will broadly replicate the current system for accessing communications data by local authorities. There is no provision to widen the scope of the information available to councils or the grounds for doing so (unlike the police and law enforcement agencies mentioned above). However the Bill does replicate the changes to the local authority RIPA regime to be made by Protection of Freedoms Act 2012. In the future all local authority surveillance activity under RIPA, including a request for communications data (however minor), will have to be approved by a Magistrate. (See my earlier Blog Post for more detail about the 2012 Act.)

The Bill also implements a recommendation in the RIPA Review published by the Home Office on 26th January 2011. This stated that the range of non-RIPA legislative frameworks by which communications data can in principle be acquired from Communication Service Providers “should be streamlined to ensure that as far as possible RIPA is the only mechanism by which communications data can be acquired.”

Clause 24 introduces Schedule 2 to the Bill which repeals certain general information powers so far as they enable public authorities to secure the disclosure by a telecommunications operator of communications data without the consent of the operator. This includes powers under the Trade Descriptions Act 1968, Environmental Protection Act 1990, Social Security Administration Act 1992 and the Enterprise Act 2002. Local authority officers in environmental health, trading standards and benefit fraud departments, who may not be have been using RIPA to gain access to communications data previously, will now need to get to grips with a new regime.

The Communications Data Bill will be subject to scrutiny by a joint parliamentary committee before the effort to bring the measures through Parliament and into law begins in earnest. This comes on top of other recently announced changes to the criteria for local authority to authorise Directed Surveillance under Part 2 of RIPA. The Home Office will have to issue a new code of practice and standard forms which Investigating Officers and their legal advisers will have to familiarise themselves with.

We have a series of courses on RIPA and Surveillance which cover all the recent changes to the RIPA regime including the Protection of Freedoms Act 2012. We also have a range online courses.

To RIPA or Not To RIPA: Changes to Council Surveillance Powers

The days of local authorities being able to use surveillance powers to tackle dog fouling and littering offences will soon be over. From 1^st November 2012, local authorities will face severe restrictions upon the grounds for which they can authorise Directed Surveillance under the Regulation of Investigatory Powers Act 2000 (RIPA).

The Regulation of Investigatory Powers (Directed Surveillance and Covert Human Intelligence Sources) (Amendment) Order 2012, SI 2012/1500 (“the 2012 Order”), was made on 11 June 2012 and will come into force on 1 November 2012,

The 2012 Order amends the Regulation of Investigatory Powers (Directed Surveillance and Covert Human Intelligence Sources) Order 2010, SI 2010/521 (“the 2010 Order”), which prescribes which officers, within a public authority, have the power to grant authorisations for the carrying out of Directed Surveillance and the grounds, under Section 28(3) of RIPA, upon which authorisations can be granted. At present local authorities have one ground; where it is necessary “for the purpose of preventing or detecting crime or preventing disorder.” (Section 28(3)(b))

From 1^st November 2012, local authority Authorising Officers may not authorise Directed Surveillance unless it is for the purpose of preventing or detecting a criminal offence and it meets the condition set out in New Article 7A(3)(a) or (b) of the 2010 Order. Those conditions are that the criminal offence which is sought to be prevented or detected is punishable, whether on summary conviction or on indictment, by a maximum term of at least 6 months of imprisonment, or would constitute an offence under sections 146, 147 or 147A of the Licensing Act 2003 or section 7 of the Children and Young Persons Act 1933. The latter are all offences involving sale of tobacco and alcohol to underage children.

Background

These changes have not come out of the blue. Responding to media stories of councils misusing “anti terror laws” both coalition parties promised in their election manifestos to overhaul Part 2 of RIPA, which regulates local authorities, amongst others, when conducting covert surveillance on citizens. They argued that such surveillance was often used to investigate minor offences and in a disproportionate manner. The introduction of a Serious Crime Test for Directed Surveillance was recommended in the Home Office review of counter-terrorism and security powers published on 26th January 2011.

Directed Surveillance has been the subject of substantial debate and controversy. It is often conducted by local authorities to, amongst other things, investigate a benefit fraud or to collect evidence of anti-social behaviour. Typical methods include covertly following people, covertly taking photographs of them and using hidden cameras to record their movements. Introducing a six months imprisonment test will ensure that such techniques are no longer an option when local authorities are investigating “minor offences” such as dog fouling and littering.

But the 2012 Order also removes the second limb of Section 28(3)(b) (“preventing disorder”). Directed Surveillance for the purposes of tackling anti social behavior will no longer be able to be authorised unless of course the activity involves criminal offences involved carrying a maximum prison term of six months or more. How will this impact on the work of local authority Anti Social Behaviour Units?

There is an exception to the general rule though. Because of the importance of Directed Surveillance in corroborating investigations into underage sales of alcohol and tobacco, the Serious Crime Test will not be applied when Directed Surveillance is being done in these cases.

The other recommendation of the RIPA Review (Magistrate’s Approval) will be implemented via the Protection of Freedoms Act 2012 which received Royal Assent on 1^st May 2012. The RIPA provisions in this Act are yet to come into force but when they do they will require local authorities to have all their RIPA surveillance authorisations (i.e. Directed Surveillance, CHIS and the acquisition of Communications Data) approved by a Magistrate before they take effect. (Read more here: http://www.actnow.org.uk/content/47)

When the the Coalition Government published the Bill in February 2011, the Home Secretary, announced:

“The first duty of the state is the protection of its citizens, but this should never be an excuse for the government to intrude into peoples’ private lives. Snooping on the contents of families’ bins and security checking school-run mums are not necessary for public safety and this Bill will bring them to an end. I am bringing common sense back to public protection and freeing people to go about their daily lives without a fear that the state is monitoring them.”

Most local authorities feel that this is a disproportionate response to inaccurate media stories about their “overzealous” use of RIPA. The reality is that most authorities only use their powers in a handful of cases each year and only when there is no other viable means of investigating offences and then in a reasonable and proportionate manner. The latest available annual report by the Office of Surveillance Commissioners (2010/2011) states:

“Generally speaking, local authorities use RIPA/RIP(S)A powers sparingly with over 50% granting five or fewer directed surveillance authorisations during the reporting period. Some 16% granted none at all.”

The changes to be made to the local authority RIPA regime via the 2012 Order, as well as the Protection of Freedoms Act, will have a big impact on their investigation and enforcement activities. Now is the time to review RIPA processes and procedures and to make staff aware of the changing legal landscape.

We have a series of courses on RIPA and Surveillance which also cover the changes in the Protection of Freedoms Act. We can also provide in house customized training (e mail info@actnow.org.uk)

Sort of Fair Processing Notice

Walking through Huddersfield the other day I caught this interesting example of a fair processing notice. It was a bus shelter. The actual notice was well above the normal range of vision. (Which reminds me of an old joke. What lies on its back eight feet up in the air. Answer later.)

But how fair is this sign? Is it a fair processing notice informing data subjects that they might be being filmed? It has the magic acronym CCTV so there’s definitely a possibility that filming is taking place. But the other words seem to confuse the issue.

Anti-social behaviour is a crime. We’re not going to disagree with that are we? but it’s a statement of fact not really what’s needed on an FPN. You might as well say that Chelsea won the Champion’s League this year.

Plain Clothes Police Officers. So how do we know they are Police Officers? Do they wear a carnation in their lapel or are they really operating covertly? This phrase means that everyone on the streets may be a police officer. Is this fair? Or if covert operations are being undertaken why do we say that plain clothes police officers are in place. Isn’t covert er… wait for it… covert? Does RIPA ring a bell?

Or CCTV in use. Whoa let’s take a rain check. Either it is in use or it isn’t. If it is you put up signs saying who’s doing it, why and contact details. If it’s not you don’t. Or maybe it’s secret filming. Donnnngggg. (That’s an alliteration denoting the tolling of the RIPA bell)

Finally your behaviour could be under observation. Back to the previous paragraph. Either it is or it isn’t. If it is for general crime prevention purposes then put up signs. If it’s a covert operation pre-authorise it through your SPOC and don’t bother with signs.

And to finish off 7 (count them) individual organisations contributed to this sort of fair processing notice including some very well known ones. So 7 data protection persons gave their opinion on the poster. No-one thought it was a bit naff. Or maybe they didn’t ask the DP persons.

Take care in Huddersfield. They might be filming you (or not). Anyone at all could be a police officer. And Chelsea won the Champions League.

Ah yes the answer to the question.

What lies on its back eight feet up in the air. A dead spider.

New Data Sharing Laws: Too Far, Too Fast?

According a story in the Guardian newspaper last week, proposals to be published in May by the Cabinet Office minister, Francis Maude, are expected to make it easier for government and public-sector organisations to share confidential information supplied by the public.

“In May, we will publish proposals that will make data sharing easier – and, in particular, we will revisit the recommendations of the Walport-Thomas Review that would make it easier for legitimate requests for data sharing to be agreed with a view to considering their implementation,” said Maude, adding that current barriers between databases made it difficult for public sector workers to access relevant information.

“It’s clearly wrong to have social workers, doctors, dentists, Job Centres, the police all working in isolation on the same problems.”

The Guardian reported that the proposals are expected to include fast-track procedures for ministers to license the sharing of data in areas where it is currently prohibited, subject to privacy safeguards.

Maude has hit back at the reporting of the proposals. Whilst the detail is awaited, one has to wonder whether this is the right time to consider such measures. The recent announcement of a new law to require Internet firms to give intelligence agency, GCHQ, access to everyone’s communications data on demand and in real time as well as the ongoing controversy about the failure to regulate press intrusion has already raised concerns about the Government’s commitment to “roll back the surveillance state”.

Civil liberties campaigners are already saying that the new plans are further evidence of the revival of “The Database State” proposed by New Labour. In a recent article the Campaign Group, NO2ID, argued that the Government should establish clear guidelines on people’s rights to privacy to put a brake on official bodies sharing data.

This is not the first time that concerns have been raised about data sharing. In July 2008 “The Data Sharing Review Report” was written by the then Information Commissioner, Richard Thomas, and Wellcome Trust director, Mark Walport. In it they warned:

“The tenor of the government’s argument has focused closely on the benefits of data sharing, paying perhaps too little attention to the potential hazards associated with ambitious programmes of data sharing,” stated the report. “The government has consistently laid itself open to the criticism that it considers ‘data sharing’ in itself an unconditional good, and that it will go to considerable lengths to encourage data-sharing programmes, while paying insufficient heed to the corresponding risks or to people’s legitimate concerns.”

Is the current law not adequate to regulate yet allow responsible data sharing? The Data Protection Act 1998 (DPA) already governs all processing of personal data including the sharing of it. Whilst it is still conceived as a barrier, if properly understood, it can be a tool for responsible data sharing. Most public sector data sharing will be lawful if organisations comply with the Eight Data Protection Principles; particularly the First Principle which requires information to be processed fairly and lawfully. There are also numerous exemptions in the Act including where sharing is required for the purpose of prevention or detection of crime (section 29).

In May 2011, the Information Commissioner published a new statutory Code of Practice on data sharing. The Code explains how the DPA applies to the sharing of personal data both within and outside an organisation. It provides practical advice to the public, private and third sectors, and covers systematic data sharing arrangements as well as one off requests for information.

So is there really a need for a new law on data sharing? The Information Commissioner’s Office has issued a short statement on the proposals. Reading between the lines, it seems to be saying that the current law and the ICO Code are adequate. What do think?

Read our article for a full explanation of the ICO Data Sharing Code.

You can attend our full day Multi Agency Information Sharing workshops

We also have a one-hour online seminar on this subject.

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this: