Tag: DPA

The Communications Data Bill: What Councils Need to Know

The Draft Communications Data Bill was laid before Parliament on 14th June 2012. The Bill provides an updated framework for ensuring the availability of communications data and its obtaining by public authorities. It will replace the communications data provisions within the Regulation of Investigatory Powers Act 2000 (RIPA).

The most controversial aspects of the Bill will enact proposals, announced in the Queen’s Speech in May, which will require Internet firms to give the Police, the Serious and Organised Crime Agency, the Intelligence Agencies and HM Revenue and Customs access to a wider range of communications data on demand and, in some cases, in real time. The Home Office says  that they are updating the law “in terms of social media and new devices”. Without action they say that there is a growing risk that crimes enabled by email and the Internet will go undetected and unpunished. However civil liberties groups, as well as Internet Service Providers have voiced concerns about the Bill from a privacy and technical perspective. See my previous blog entry  for a discussion about these concerns.

But what effect will the new Bill have on local authorities?

The Bill will replace Part 1 Chapter 2 of RIPA. Sections 21 to 25 of RIPA (and the Regulation of Investigatory Powers (Communications Data) Order 2010 (SI 2010/480)) currently set out who can access what type of communications data and for what purposes. This includes the police and security services as well as councils, government departments and various quangos. RIPA restricts access to the different types of communications data depending on the nature of the body requesting it and the reason for doing so.

The definition of “communications data” includes information relating to the use of a communications service (e.g telephone, internet and postal service) but does not include the contents of the communication itself.  Such data is broadly split into three categories: “traffic data” i.e. where a communication was made from, to whom and when; “service data” i.e. the use made of the service by any person e.g. itemised telephone records; “subscriber data” i.e. any other information that is held or obtained by an operator on a person they provide a service to.

Some public bodies already get access to all types of communications data e.g. police, security service, ambulance service, customs and excise. Local authorities are restricted to subscriber and service use data and even then only where it is necessary for the purpose of preventing or detecting crime or preventing disorder.

At present access to communications data is done on a system of self authorisation. There are forms to complete ((signed by a senior officer) and  tests of necessity and proportionality to satisfy. Notices have to be served on the service provider requesting the data.

The new Bill will broadly replicate the current system for accessing communications data by local authorities. There is no provision to widen the scope of the information available to councils or the grounds for doing so (unlike the police and law enforcement agencies mentioned above). However the Bill does replicate the changes to the local authority RIPA regime to be made by Protection of Freedoms Act 2012. In the future all local authority surveillance activity under RIPA, including a request for communications data (however minor), will have to be approved by a Magistrate. (See my earlier Blog Post for more detail about the 2012 Act.)

The Bill also implements a recommendation in the RIPA Review published by the Home Office on 26th January 2011.  This stated that the range of non-RIPA legislative frameworks by which communications data can in principle be acquired from Communication Service Providers “should be streamlined to ensure that as far as possible RIPA is the only mechanism by which communications data can be acquired.”

Clause 24 introduces Schedule 2 to the Bill which repeals certain general information powers so far as they enable public authorities to secure the disclosure by a telecommunications operator of communications data without the consent of the operator. This includes powers under the Trade Descriptions Act 1968, Environmental Protection Act 1990, Social Security Administration Act 1992 and the Enterprise Act 2002. Local authority officers in environmental health, trading standards and benefit fraud departments, who may not be have been using RIPA to gain access to communications data previously, will now need to get to grips with a new regime.

The Communications Data Bill will be subject to scrutiny by a joint parliamentary committee before the effort to bring the measures through Parliament and into law begins in earnest.  This comes on top of other recently announced changes to the criteria for local authority to authorise Directed Surveillance under Part 2 of RIPA.  The Home Office will have to issue a new code of practice and standard forms which Investigating Officers and their legal advisers will have to familiarise themselves with.

We have a series of courses on RIPA and Surveillance which cover all the recent changes to the RIPA regime including the Protection of Freedoms Act 2012. We also have a range online courses.

 

To RIPA or Not To RIPA: Changes to Council Surveillance Powers

The days of local authorities being able to use surveillance powers to tackle dog fouling and littering offences will soon be over. From 1st November 2012, local authorities will face severe restrictions upon the grounds for which they can authorise Directed Surveillance under the Regulation of Investigatory Powers Act 2000 (RIPA).

The Regulation of Investigatory Powers (Directed Surveillance and Covert Human Intelligence Sources) (Amendment) Order 2012, SI 2012/1500  (“the 2012 Order”), was made on 11 June 2012 and will come into force on 1 November 2012,

The 2012 Order amends the Regulation of Investigatory Powers (Directed Surveillance and Covert Human Intelligence Sources) Order 2010, SI 2010/521 (“the 2010 Order”), which prescribes which officers, within a public authority, have the power to grant authorisations for the carrying out of Directed Surveillance and the grounds, under Section 28(3) of RIPA, upon which authorisations can be granted. At present local authorities have one ground; where it is necessary “for the purpose of preventing or detecting crime or preventing disorder.” (Section 28(3)(b))

From 1st November 2012, local authority Authorising Officers may not authorise Directed Surveillance unless it is for the purpose of preventing or detecting a criminal offence and it meets the condition set out in New Article 7A(3)(a) or (b) of the 2010 Order. Those conditions are that the criminal offence which is sought to be prevented or detected is punishable, whether on summary conviction or on indictment, by a maximum term of at least 6 months of imprisonment, or would constitute an offence under sections 146, 147 or 147A of the Licensing Act 2003 or section 7 of the Children and Young Persons Act 1933. The latter are all offences involving sale of tobacco and alcohol to underage children.

Background

These changes have not come out of the blue. Responding to media stories of councils misusing “anti terror laws” both coalition parties promised in their election manifestos to overhaul Part 2 of RIPA, which regulates local authorities, amongst others, when conducting covert surveillance on citizens. They argued that such surveillance was often used to investigate minor offences and in a disproportionate manner. The introduction of a Serious Crime Test for Directed Surveillance was recommended in the Home Office review of counter-terrorism and security powers published on 26th January 2011.

Directed Surveillance has been the subject of substantial debate and controversy. It is often conducted by local authorities to, amongst other things, investigate a benefit fraud or to collect evidence of anti-social behaviour. Typical methods include covertly following people, covertly taking photographs of them and using hidden cameras to record their movements. Introducing a six months imprisonment test will ensure that such techniques are no longer an option when local authorities are investigating “minor offences” such as dog fouling and littering.

But the 2012 Order also removes the second limb of Section 28(3)(b) (“preventing disorder”). Directed Surveillance for the purposes of tackling anti social behavior will no longer be able to be authorised unless of course the activity involves criminal offences involved carrying a maximum prison term of six months or more. How will this impact on the work of local authority Anti Social Behaviour Units?

There is an exception to the general rule though. Because of the importance of Directed Surveillance in corroborating investigations into underage sales of alcohol and tobacco, the Serious Crime Test will not be applied when Directed Surveillance is being done in these cases.

The other recommendation of the RIPA Review (Magistrate’s Approval) will be implemented via the Protection of Freedoms Act 2012 which received Royal Assent on 1st May 2012. The RIPA provisions in this Act are yet to come into force but when they do they will require local authorities to have all their RIPA surveillance authorisations (i.e. Directed Surveillance, CHIS and the acquisition of Communications Data) approved by a Magistrate before they take effect. (Read more here: http://www.actnow.org.uk/content/47)

When the the Coalition Government published the Bill in February 2011, the Home Secretary, announced:

“The first duty of the state is the protection of its citizens, but this should never be an excuse for the government to intrude into peoples’ private lives. Snooping on the contents of families’ bins and security checking school-run mums are not necessary for public safety and this Bill will bring them to an end. I am bringing common sense back to public protection and freeing people to go about their daily lives without a fear that the state is monitoring them.”

Most local authorities feel that this is a disproportionate response to inaccurate media stories about their “overzealous” use of RIPA. The reality is that most authorities only use their powers in a handful of cases each year and only when there is no other viable means of investigating offences and then in a reasonable and proportionate manner.  The latest available annual report by the Office of Surveillance Commissioners (2010/2011) states:

“Generally speaking, local authorities use RIPA/RIP(S)A powers sparingly with over 50% granting five or fewer directed surveillance authorisations during the reporting period. Some 16% granted none at all.”

The changes to be made to the local authority RIPA regime via the 2012 Order, as well as the Protection of Freedoms Act, will have a big impact on their investigation and enforcement activities.  Now is the time to review RIPA processes and procedures and to make staff aware of the changing legal landscape.

We have a series of courses on RIPA and Surveillance which also cover the changes in the Protection of Freedoms Act. We can also provide in house customized training (e mail info@actnow.org.uk)

 

Sort of Fair Processing Notice

Walking through Huddersfield the other day I caught this interesting example of a fair processing notice. It was a bus shelter. The actual notice was well above the normal range of vision. (Which reminds me of an old joke. What lies on its back eight feet up in the air.  Answer later.)

But how fair is this sign? Is it a fair processing notice informing data subjects that they might be being filmed? It has the magic acronym CCTV so there’s definitely a possibility that filming is taking place. But the other words seem to confuse the issue.

Anti-social behaviour is a crime. We’re not going to disagree with that are we? but it’s a statement of fact not really what’s needed on an FPN. You might as well say that Chelsea won the Champion’s League this year.

Plain Clothes Police Officers.  So how do we know they are Police Officers? Do they wear a carnation in their lapel or are they really operating covertly? This phrase means that everyone on the streets may be a police officer. Is this fair? Or if covert operations are being undertaken why do we say that plain clothes police officers are in place. Isn’t covert er… wait for it… covert? Does RIPA ring a bell?

Or CCTV in use.  Whoa let’s take a rain check.  Either it is in use or it isn’t. If it is you put up signs saying who’s doing it, why and contact details. If it’s not you don’t. Or maybe it’s secret filming. Donnnngggg. (That’s an alliteration denoting the tolling of the RIPA bell)

Finally your behaviour could be under observation. Back to the previous paragraph. Either it is or it isn’t. If it is for general crime prevention purposes then put up signs. If it’s a covert operation pre-authorise it through your SPOC and don’t bother with signs.

And to finish off 7 (count them) individual organisations contributed to this sort of fair processing notice including some very well known ones. So 7 data protection persons gave their opinion on the poster. No-one thought it was a bit naff.   Or maybe they didn’t ask the DP persons.

Take care in Huddersfield. They might be filming you (or not). Anyone at all could be a police officer. And Chelsea won the Champions League.

Ah yes the answer to the question.

What lies on its back eight feet up in the air. A dead spider.

New Data Sharing Laws: Too Far, Too Fast?

According a story in the Guardian newspaper last week, proposals to be published in May by the Cabinet Office minister, Francis Maude, are expected to make it easier for government and public-sector organisations to share confidential information supplied by the public.

“In May, we will publish proposals that will make data sharing easier – and, in particular, we will revisit the recommendations of the Walport-Thomas Review that would make it easier for legitimate requests for data sharing to be agreed with a view to considering their implementation,” said Maude, adding that current barriers between databases made it difficult for public sector workers to access relevant information.

“It’s clearly wrong to have social workers, doctors, dentists, Job Centres, the police all working in isolation on the same problems.”

The Guardian reported that the proposals are expected to include fast-track procedures for ministers to license the sharing of data in areas where it is currently prohibited, subject to privacy safeguards.

Maude has hit back at the reporting of the proposals. Whilst the detail is awaited, one has to wonder whether this is the right time to consider such measures. The recent announcement of a new law to require Internet firms to give intelligence agency, GCHQ, access to everyone’s communications data on demand and in real time as well as the ongoing controversy about the failure to regulate press intrusion has already raised concerns about the Government’s commitment to “roll back the surveillance state”.

Civil liberties campaigners are already saying that the new plans are further evidence of the revival of “The Database State” proposed by New Labour. In a recent article the Campaign Group, NO2ID, argued that the Government should establish clear guidelines on people’s rights to privacy to put a brake on official bodies sharing data.

This is not the first time that concerns have been raised about data sharing. In July 2008 “The Data Sharing Review Report” was written by the then Information Commissioner, Richard Thomas, and Wellcome Trust director, Mark Walport. In it they warned:

“The tenor of the government’s argument has focused closely on the benefits of data sharing, paying perhaps too little attention to the potential hazards associated with ambitious programmes of data sharing,” stated the report. “The government has consistently laid itself open to the criticism that it considers ‘data sharing’ in itself an unconditional good, and that it will go to considerable lengths to encourage data-sharing programmes, while paying insufficient heed to the corresponding risks or to people’s legitimate concerns.”

Is the current law not adequate to regulate yet allow responsible data sharing? The Data Protection Act 1998 (DPA) already governs all processing of personal data including the sharing of it. Whilst it is still conceived as a barrier, if properly understood, it can be a tool for responsible data sharing. Most public sector data sharing will be lawful if organisations comply with the Eight Data Protection Principles; particularly the First Principle which requires information to be processed fairly and lawfully. There are also numerous exemptions in the Act including where sharing is required for the purpose of prevention or detection of crime (section 29).

In May 2011, the Information Commissioner published a new statutory Code of Practice on data sharing. The Code explains how the DPA applies to the sharing of personal data both within and outside an organisation. It provides practical advice to the public, private and third sectors, and covers systematic data sharing arrangements as well as one off requests for information.

So is there really a need for a new law on data sharing? The Information Commissioner’s Office has issued a short statement on the proposals. Reading between the lines, it seems to be saying that the current law and the ICO Code are adequate. What do think?

Read our article for a full explanation of the ICO Data Sharing Code.

You can attend our full day Multi Agency Information Sharing workshops

We also have a one-hour online seminar on this subject.

Bigger Brother

The Coalition Agreement states that the government “will end the storage of internet and e mail records without good reason.”  This commitment is now in tatters as the Government wants the power to be able to monitor the calls, emails, texts and website visits of everyone in the UK.

The new law, which may be announced in the forthcoming Queen’s Speech in May, will require Internet firms to give intelligence agency, GCHQ, access to communications on demand, in real time. However it will not allow GCHQ to access the content of emails, calls or messages without a warrant. Civil liberties groups including Big Brother Watch have condemned this move as an unacceptable invasion of privacy.

At present Internet service providers are obliged to keep details of users’ web access, email and internet phone calls for 12 months, under the EU Data Retention Directive 2009. While they keep a limited amount of other data already on their own subscribers for billing and other commercial purposes, the new law will require them to store a much bigger volume of third party data such as that from Google Mail, Twitter, Skype and Facebook that crosses their servers every day.

This is not the first time this idea has been floated. In October 2010, the Government announced its intention to introduce the Interception Modernisation Programme, at a cost of  £2billion. This latest announcement seems to be the same project but renamed “the Communications Capabilities Development Programme (CCDP)”. Details of the scheme will be published within weeks and will build on Labour’s abandoned proposal  (which was heavily criticised by the Coalition partners at the time) to require communications service providers (CSPs) to collect and store the traffic details of all internet and mobile phone use, initially in a central database.

The Law

Access to Communications Data in the UK is already governed by Part 1 Chapter 2 of the Regulation of Investigatory Powers Act 2000 (RIPA) (sections 21-25). This sets out who can access what type of communications data and for what purposes. This includes the police and security services as well as councils, government departments and various quangos. The legislation restricts access to the different types of communications data depending on the nature of the body requesting it and the reason for doing so.

The definition of “communications data” includes information relating to the use of a communications service (e.g telephone, internet and postal service) but does not include the contents of the communication itself.  Such data is broadly split into three categories: “traffic data” i.e. where a communication was made from, to whom and when; “service data” i.e. the use made of the service by any person e.g. itemised telephone records; “subscriber data” i.e. any other information that is held or obtained by an operator on a person they provide a service to.

Some public bodies already get access to all types of communications data e.g. police, security service, ambulance service, customs and excise. Local authorities are restricted to subscriber and service use data and even then only where it is required for the purpose of preventing or detecting crime or preventing disorder.

At present access to communications data is done on a system of self authorisation. There are forms to fill (signed by a senior officer) out and  tests of necessity and proportionality to satisfy. Notices have to be served on the service provider requesting the data.

Real Time

It is unclear as to how the new proposals will be different from the current system. There is talk of the security services being able to access data in real time. The current system normally gives access to historic data. It does allow real time access to certain organisations (including the police and security services) but only in an emergency to save life or limb or in exceptionally urgent operations. The authorisation forms still have to be completed and signed and served later on though. Maybe they are suggesting that the security services get carte blanche direct access into communications service providers’ systems. This would be unprecedented and certainly “Orwellian” to say the least. The potential for abuse would be massive.

Updating the Law

The Home Office Minister says they are updating the law “in terms of social media and new devices” – it is widely expected to include things like Facebook and phone calls via web-based systems such as Skype. If this means the agencies knowing when an individual visits these sites this is already allowed under the current regime known as traffic data (web browsing information). If the new system goes further and allows agencies to look at actual webpages visited  within a domain (e.g Facebook) and calls made (e.g from Skype) this would be a big extension of existing powers and much more intrusive. It gives the possibility of building up a picture of someone’s lifestyle, their movements, contacts, interests etc.; potentially  vast a amount of information which, if it gets into the wrong hands, can be quite damaging to individuals.

Safeguards

At present the checks and balances are very weak (self authorisation followed by a notice to the CSP). The proposals, which talk of access in “real time” and “on demand”, require much stronger checks and balances.

If it is really necessary for GCHQ to have access to such a vast amount of information, it should be subject to judicial approval. This could be a similar system to the one which councils will be subject to as a result of the changes to the RIPA regime to be made by Protection of Freedoms Bill. In the future any local authority request for communications data (however minor) will have to be approved by a Magistrate. (See my earlier Blog Post for more detail about the Bill.) After all, the powers that the police and intelligence agencies have under RIPA to undertake surveillance and acquire communications data are much wider than those of local authorities.

There are also legitimate concerns about what would happen if the information held and accessed on individuals by GCHQ gets into the wrong hands. Can we really trust the law enforcement agencies not to mishandle such data? Only recently allegations have surfaced that that the police have been misusing their powers under RIPA to assist the tabloids to locate the whereabouts of celebrities and other persons of interest.

The Government needs to think carefully about its plans. If these new proposals are enacted there is a massive potential for misuse. It will provide a rich seem of information which may be bought by journalists from unscrupulous police and intelligence officers. This could lead to further erosion of trust in the police and Government. Of course “the Devil is in the detail” and we wait to see how the Government will address these concerns.

We have a series of courses on RIPA and Surveillance which also over the changes in the Protection of Freedoms Bill.

See also our RIPA Forms Guidance Document.