OSC RIPA (Surveillance) Procedures and Guidance: A view from its former editor

ripa

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

For the first time, the Office of Surveillance Commissioners (OSC) has made its Procedures and Guidance (P&G) public (in electronic format).

The guidance is essential reading for public authorities, especially councils, who conduct surveillance under Part 2 of the Regulation of Investigatory Powers Act 2000 (RIPA) (Directed Surveillance, Intrusive Surveillance and the deployment of a Covert Human Intelligence Source (CHIS)). The guidance also covers Part III of RIPA and RIP(S)A and to Part III of the Police Act 1997. It does not provide guidance on interception and the obtaining of communications data requiring a RIPA/RIP(S)A warrant.

Why should you care?

For reasons which Steve Morris explains in his blog on the latest OSC report, you’re going to face some form of inspection whether or not you have or intend to conduct covert surveillance; so at least understand how that inspection will be approached.

Also, as the Chief Surveillance Commissioner emphasises, every public authority should have in place policies, procedures and training programmes to ensure that relevant legislation is complied with when a situation arises. The OSC P&G will help you understand when relevant situations arise and how they should be approached.

Failure to recognise when the protection of RIPA/RIP(S)A may be sought or to know how to respond in a manner compliant with legislation – that is claiming ignorance – is no longer an option!

Why does the document exist?

When I first joined the OSC there was a best practice document which I believe had been shared with law enforcement agencies. This, combined with inspection reports, did not appear to meet with unanimous approval.

The Police Service attempted to introduce its own ‘Key Principles’ document which was sufficiently inadequate to attract the comment that “this is why the police should not be left to interpret legislation!”

However, I hope that I am not criticised for saying that the Surveillance Commissioners were not entirely comfortable publishing generic principles; they were more accustomed to making judgments on the facts of specific cases.

It is no coincidence that the following disclaimer, changed little since the first edition, is given prominence: 

“The opinions expressed within the Interpretation Guidance section of this publication are those of the Surveillance Commissioners. The OSC is not a judicial authority. This Guidance simply indicates the way in which the Commissioners would be minded to construe particular statutory provisions. There is no statutory requirement to publish them but they are a response to frequent requests for guidance from public authorities or are matters raised or identified during the inspection process. In the absence of case law, they are the most reliable indicator of likely judicial interpretation. They are the basis upon which inspections will be conducted and performance assessed by the Office of Surveillance Commissioners. Applicants and Authorising Officers should take note of the interpretations when constructing and considering applications and authorisations for the use of covert powers.”

These are the Surveillance Commissioners’ views. It’s rare that a collective interpretation of law is construed by seven ex-Appeal Court judges and three ex-Circuit judges. During my time, issues were examined and discussed at length during meetings with Commissioners and inspectors. You can imagine that, as Editor, I have happy memories of ‘wordsmithing’ each entry to accommodate the wishes of eminent lawyers!

In effect it is the OSC’s ‘party line’ but the disclaimer should be read in conjunction with paragraph 12. It would be wrong to imply that every member of the OSC agrees with every word in the document, so it is necessary to remember that it is guidance which may easily be altered by facts specific to each case. This is why you’ll find phraseology such as “is capable of being construed as [a type of] surveillance” rather than the definitive “is [a type of] surveillance”. Each Surveillance Commissioner is able to exercise his own judgment when approving authorisations.

RIPA and RIP(S)A are permissive and discretionary powers; the onus is on an authorising officer to decide whether or not to grant an authorisation for covert conduct. Assistant Surveillance Commissioners and inspectors cannot dictate. The aim of the document is to provide a level of consistency in approach from the OSC.

Finally, it is not the task of the OSC to make law; its task is to interpret the law as it is written, not as the Commissioners or others may prefer it. So don’t accuse the OSC of promoting covert conduct which you don’t agree with!

Why publication was resisted?

Partly because of conflict with the Police Service in relation to the ‘Key Principles’ document, and in response to concerns that operational techniques would be exposed, it was decided that the P&G should not be made available to the public. My repeated requests to identify any operational technique in the document that hadn’t already been disclosed by enthusiastic senior investigating officers resulted in no applications. But it was decided that we relied on practitioner transparency which required trust that we would not inhibit legitimate techniques.

When serving in the OSC and today, I am sometimes disappointed with the understanding of some trainers and the quality of their training. Too often legislation, codes of practice and the P&G are regurgitated or misused for commercial gain without improving knowledge or practitioner performance. Sometimes challenging the P&G was used as enticement to attendance or purchase; we were concerned that alternative opinions undermined confidence in the OSC.

I can avow the time and effort that goes into the formulation of this guidance; there is good reason why phrases are used. To protect copyright, to avoid misinterpretation and to prevent others gaining financially from the immense effort of the OSC were, I confess, causes of reticence to provide the document to the public.

In hindsight I believe my advice to the Chief Surveillance Commissioner to prevent public disclosure was misguided. Copies leaked to trainers and OSC silence allowed the media and campaigners to inadequately interpret legislation and its use.

Discussions relating to the Investigatory Powers Bill indicate that the need for regulators to transparently demonstrate how they hold public authorities to account has been recognised. Making the P&G public is a positive step but I am surprised that it is free! It‘s a publication worthy of a charge.

Comparison

For the remainder of this post I compare the July 2016 version with its predecessor of December 2014. There are many notes useful to practitioners. If you have not read it at least once, you should. Numbers in parenthesis are the relevant note number.

Part 1 – Procedures

Part 1 Section 1 provides detail of how to contact the OSC and matters relating to inspection process and reporting. Part 1 Section 2 provides detail in relation to Commissioner approvals, which apply mainly to law enforcement agencies.

[7-8] Disclosure of inspection reports. This is not new but worth reiterating. There is no requirement – as stated in the Codes of Practice – to notify the OSC of an intention to publicly disclose an inspection report, nor does the OSC promote or discourage the practice. The decision whether or not to publish rests entirely with the chief officer of the public authority inspected.

Part 2 – Guidance

[75] “I am satisfied” and “I believe” Again, not new but important. Too often authorising officers provide insufficient rationale to support their judgment; relying on the details provided by the applicant. This guidance cautions against lax authorisations. The heading indicates an unexplained difference between RIPA and RIP(S)A which use different requirements. This is likely to be complicated further if the terms in the draft IP Bill are enacted. That Bill currently requires a designated officer to “consider”. I may write another article on the significance of these differences.

[87] Duration of authorisations and renewals. Added clarification to ensure that electronic systems date/time algorithms do not have the effect of “losing a day” of authorised conduct. This amendment probably reflects the law enforcement agencies tendency to use electronic systems to create and process applications and authorisations. A useful audit is provided by date stamps and automatically generated data which cannot be altered. There have obviously been instances where automatic dates are not accurate. This amendment indicates how an OSC inspector will regard the inaccuracy but it’s a hint that authorising officers should ensure that dates are accurate.

[93-98] Persons, groups, associates and vehicles. These notes provide guidance in to assist public authorities amend authorisations when details are not known at the outset. The final sentence of Note [96] is amended:

Deleted: “The AO should set parameters to limit surveillance and use review to avoid “mission creep”.

Inserted: “The AO should guide the operational commanders by setting contextual parameters for the use of the “link” approach.” (i.e. where a possible link has previously been identified between individuals to the common criminal purpose being identified.)

There is a new note [97].

“The Authorising Officer should be updated when it is planned to deploy equipment or surveillance against a freshly identified subject before such deployment is made, to enable him to consider whether this is within the terms of his original authorisation, necessary, proportionate and that any collateral intrusion (or interference) has been taken into account; alternatively, where operational demands make it impracticable for the Authorising Officer to be updated immediately, as soon as reasonably practicable thereafter. This is to ensure that the decision to deploy further devices or surveillance remains with the Authorising Officer and is not delegate to, or assumed by, another, such as the operational commander. Such reviews should be pertinent and can be done outwith the usual formal monthly written review process, provided that the details of the Authorising Officer’s decisions are recorded contemporaneously and formally updated at the next due review. Where the terms of an authorisation do not extend to interference to other subjects (criminal associates) or their property then a fresh authorisation, using the urgency provisions if necessary, will need to be sought.” (My emphasis)

[222-229] Authorisation of undercover officers (UCOs). Note [226] is amended to enable additional UCOs to be authorised by way of review but indicates that every UCO must be authorised for the correct duration. This reflects the reality that it is frequently necessary to introduce additional UCOs to an investigation (for example to support a legend). Often the identity of additional UCOs will not be known at the outset. Rather than insist on the added bureaucracy of a new authorisation, the Commissioners have indicated that amendment by review (providing the terms of the original authorisation allow it) will not be criticised.

[289] Covert Surveillance of Social Network Sites (SNS). I advise that all members of local authorities read paragraph 289 in entirety as it’s the conduct most likely to introduce RIPA/RIP(S)A compliance issues. It remains my view that too few public authorities recognise (either deliberately or in ignorance) that the ‘less intrusive’ means that have resulted in decreased authorisations may be the result of not authorising internet investigations on the belief that ‘open source’ or publicly available mitigates RIPA/RIP(S)A consideration. This note provides the OSC’s guidance. Sub-note [289.3] is amended as shown in bold type:

“It is not unlawful for a member of a public authority to set up a false identity but it is inadvisable for a member of a public authority to do so for a covert purpose without an authorisation for directed surveillance when private information is likely to be obtained. The SRO should be satisfied that there is a process in place to ensure compliance with the legislation. Using photographs of other persons without their permission to support the false identity infringes other laws.”

See also Ibrahim Hasan’ blog post on RIPA and social networks.

 

Conclusion

I hope that this background is useful. I hope that my reticence to persuade the former Chief Surveillance Commissioner to make the P&G available to the public is proven to be misguided. Publishing the document is a very positive move in my opinion and is a useful indicator that the Commissioners have come to terms with the need to be public-facing. I applaud the decision.

Disclaimer: Sam Lincoln is a former Chief Surveillance Inspector with the OSC. In that capacity he introduced the OSC Procedures and Guidance and edited it from 2006 to 2013. The opinions expressed in this post are his alone; he does not represent the OSC and OSC endorsement is neither sought nor implied.

Sam has designed our RIPA E-Learning Package which is an interactive online learning tool, ideal for those who need a RIPA refresher before an OSC inspection.

 

Like our image? It is available as an A3 Poster for the office, We have a small range of them for only £5 for three!  Take a look at the link below.

http://www.actnow.org.uk/posters

Facebook, Social Networks and the Need for RIPA Authorisations

canstockphoto12584745By Ibrahim Hasan

Increasingly local authorities are turning to the online world, especially social media, when conducting investigations. There is some confusion as to whether the viewing of suspects’ Facebook accounts and other social networks requires an authorisation under Part 2 of the Regulation of Investigatory Powers Act 2000 (RIPA). In his latest annual report the Chief Surveillance Commissioner states (paragraph 5.42):

“Perhaps more than ever, public authorities now make use of the wide availability of details about individuals, groups or locations that are provided on social networking sites and a myriad of other means of open communication between people using the Internet and their mobile communication devices. I repeat my view that just because this material is out in the open, does not render it fair game. The Surveillance Commissioners have provided guidance that certain activities will require authorisation under RIPA or RIP(S)A and this includes repetitive viewing of what are deemed to be “open source” sites for the purpose of intelligence gathering and data collation.”

Careful analysis of the legislation suggests that whilst such activity may be surveillance, within the meaning of RIPA (see S.48(2)), not all of it will require a RIPA authorisation. Of course RIPA geeks will know that RIPA is permissive legislation anyway and so the failure to obtain authorisation does not render surveillance automatically unlawful (see Section 80).

There are two types of surveillance, which may be involved when examining a suspect’s Facebook or other social network pages; namely Directed Surveillance and the deployment of a Covert Human Intelligence Source (CHIS). Section 26 of the Act states that surveillance has to be covert for it to be directed:

“surveillance is covert if, and only if, it is carried out in a manner that is calculated to ensure that persons who are subject to the surveillance are unaware that it is or may be taking place” (my emphasis)

If an investigator decides to browse a suspect’s public blog, website or “open” Facebook page (i.e. where access is not restricted to “friends”, subscribers or followers) how can that be said to be covert? It does not matter how often the site is accessed as long as the investigator is not taking steps to hide his/her activity from the suspect. The fact that the suspect is not told does about the “surveillance” does not make it covert. Note the words in the definition of covert; “unaware that it is or may be taking place.” If a suspect chooses to publish information online they can expect the whole world to read it including law enforcement and council investigators. If he/she wants or expects privacy it is open to them to use the available privacy settings on their blog or social network.

The Commissioner stated in last year’s annual report:

“5.31 In cash-strapped public authorities, it might be tempting to conduct on line investigations from a desktop, as this saves time and money, and often provides far more detail about someone’s personal lifestyle, employment, associates, etc. But just because one can, does not mean one should. The same considerations of privacy, and especially collateral intrusion against innocent parties, must be applied regardless of the technological advances.” (my emphasis)

I agree with the last part of this statement. The gathering and use of online personal information by public authorities will still engage Human Rights particularly the right to privacy under Article 8 of the European Convention on Human Rights. To ensure such rights are respected the Data Protection Act 1998 must be complied with. A case in point is the monitoring last year of Sara Ryan’s blog by Southern Health NHS Trust. Our data protection expert Tim Turner wrote recently about the data protection implications of this kind of monitoring.

Where online surveillance involves employees then the Information Commissioner’s Office’s (ICO) Employment Practices Code (part 3) will apply. This requires an impact assessment to be done before the surveillance is undertaken to consider, amongst other things, necessity, proportionality and collateral intrusion. Whilst the code is not law, it will be taken into account by the ICO and the courts when deciding whether the DPA has been complied with. In December 2014, Caerphilly County Borough Council signed an undertaking after an ICO investigation found that the Council’s surveillance of an employee , suspected of fraudulently claiming to be sick, had breached the DPA.

Facebook Friends – A Friend Indeed

Of course the situation will be different if an investigator needs to become a “friend’ of a person on Facebook in order to communicate with them and get access to their profile and activity pages. For example, local authority trading standards officers often use fake profiles when investigating the sale of counterfeit goods on social networks. In order to see what is on sale they have to have permission from the suspect. This, in my view, does engage RIPA as it involves the deployment of a CHIS defined in section 26(8):

“For the purposes of this Part a person is a covert human intelligence source if—

(a) he establishes or maintains a personal or other relationship with a person for the covert purpose of facilitating the doing of anything falling within paragraph (b) or (c);

(b) he covertly uses such a relationship to obtain information or to provide access to any information to another person; or

(c) he covertly discloses information obtained by the use of such a relationship, or as a consequence of the existence of such a relationship”  (my emphasis)

Here we have a situation where a relationship (albeit not personal) is formed using a fake online profile to covertly obtain information for a covert purpose. In the case of a local authority, this CHIS will not only have to be internally authorised but also, since 1st November 2012, approved by a Magistrate.

This is a complex area and staff who do not work with RIPA on a daily basis can be forgiven for failing to see the RIPA implications of their investigations. From the Chief Surveillance Commissioner’s comments (below) in his annual report, it seems advisable for all public authorities to have in place a corporate policy and training programme on the use of social media in investigations:

“5.44 Many local authorities have not kept pace with these developments. My inspections have continued to find instances where social networking sites have been accessed, albeit with the right intentions for an investigative approach, without any corporate direction, oversight or regulation. This is a matter that every Senior Responsible Officer should ensure is addressed, lest activity is being undertaken that ought to be authorised, to ensure that the right to privacy and matters of collateral intrusion have been adequately considered and staff are not placed at risk by their actions and to ensure that ensuing prosecutions are based upon admissible evidence.”

We have a workshop on investigating E – Crime and Social Networking Sites, which considers all the RIPA implications of such activities. It can also be delivered in house.

In conclusion, my view is that RIPA does not apply to the mere viewing of “open” websites and social network profiles. However in all cases the privacy implications have to be considered carefully and compliance with the Data Protection Act is essential.

Ibrahim will be looking at this issue in depth in our forthcoming webinars.

Looking to update/refresh your colleagues’ RIPA Knowledge. Try our RIPA E Learning Course. Module 1 is free.

We also have a full program of RIPA Courses and our RIPA Policy and Procedures Toolkit contains standard policies as well as forms (with detailed notes to assist completion).

Office of Surveillance Commissioners (OSC) Annual RIPA Report (2015) – Key Points

file2871316133148

The Chief Surveillance Commissioner, Sir Christopher Rose, published his final annual report on 25th June 2015. A lot of the report is typical of someone in his position who is leaving office, having a few parting moans. Then again, a £56,000 maintenance fee from the Home Office (paragraph 3.3) for a relatively simple website is well worth moaning about)!

The report covers the period from 1st April 2014 to 31st March 2015 and should be read by public authorities, especially councils, who conduct surveillance under Part 2 of the Regulation of Investigatory Powers Act 2000 (RIPA) (Directed Surveillance, Intrusive Surveillance and the deployment of a Covert Human Intelligence Source (CHIS)). It details statistics relating to the use of these tactics and information about how the Office of Surveillance Commissioners (OSC) conducts its oversight role.

Non-law enforcement agencies (including councils) authorised Directed Surveillance on 2207 occasions in the reporting period. The Department for Work and Pensions completed 25% of these. This continues a downward trend over the last few years. Last year there were 4,412 of such authorisations. Much of this downward trend is due to the continued impact of the changes, which took effect on 1st November 2012; namely magistrates’ approval for council surveillance and a new six-month threshold test for Directed Surveillance.

A total of 373 authorisations were presented to a magistrate for approval under The Protection of Freedoms Act 2012 during the reporting period. Just 17 were rejected. The Commissioner continues to be sceptical about the need for the changes saying, “I remain to be convinced of the value of this additional approval procedure which, obviously, promotes delay.”

The Commissioner, just like in his previous report, has expressed concern about the level of RIPA knowledge amongst magistrates:

“I have good reason to believe that training provision for magistrates in relation to RIPA and The Protection of Freedoms Act 2012 has been minimal and several councils have ended up providing this themselves to enable the new procedure to work effectively: this is commendable but not, presumably, what Parliament contemplated.” (Para 5.27)

Social Networks

The Commissioner advises caution when conducting online investigations especially where this involves examining social networking sites. A RIPA authorisation may be required in some cases:

“5.42 Perhaps more than ever, public authorities now make use of the wide availability of details about individuals, groups or locations that are provided on social networking sites and a myriad of other means of open communication between people using the Internet and their mobile communication devices. I repeat my view that just because this material is out in the open, does not render it fair game. The Surveillance Commissioners have provided guidance that certain activities will require authorisation under RIPA or RIP(S)A and this includes repetitive viewing of what are deemed to be “open source” sites for the purpose of intelligence gathering and data collation.”

From the Commissioner’s comments at paragraph 5.44 it seems advisable that councils should have in place a corporate policy and training programme on the use of social media in investigations:

“Many local authorities have not kept pace with these developments. My inspections have continued to find instances where social networking sites have been accessed, albeit with the right intentions for an investigative approach, without any corporate direction, oversight or regulation. This is a matter that every Senior Responsible Officer should ensure is addressed, lest activity is being undertaken that ought to be authorised, to ensure that the right to privacy and matters of collateral intrusion have been adequately considered and staff are not placed at risk by their actions and to ensure that ensuing prosecutions are based upon admissible evidence.”

We have a workshop on investigating E – Crime and Social Networking Sites, which considers all the RIPA implications of such activities.

Common inspection findings

At paragraph 5.47 of the report, the Commissioner lists the main issues that he has commented upon in his inspection reports:

  • Unsubstantiated and brief, or, conversely, excessively detailed intelligence cases
  • Over-formulaic consideration of potential collateral intrusion and an explanation of how this will be managed
  • Limited proportionality arguments by both applicants and Authorising Officers – the four key considerations (identified by my Commissioners and adopted within the Home Office Codes of Practice), if addressed in turn, should provide a suitably reasoned argument
  • More surveillance tactics and equipment authorised at the outset than appear to have been utilised when reviews and cancellations are examined
  • A regurgitation of the original application content at reviews, including a “cut and paste” proportionality entry that fails to address why the activity is still justified, in place of a meaningful update to the Authorising Officer about what has taken place in the intervening period
  • At cancellation, a rarity of meaningful detail for the Authorising Officer about the activity conducted, any collateral intrusion that has occurred, the value of the surveillance and the resultant product; and whether there has been any tangible outcome
  • Similarly, paltry input by Authorising Officers at cancellation as to the outcome and how product must be managed, and any comment about the use or otherwise of all that had been originally argued for and authorised
  • In the case of higher level authorisations for property interference and intrusive surveillance, an over-reliance by Senior Authorising Officers on pre-­prepared entries that alter little from case to case, or at times, regardless of who is acting as the Authorising Officer
  • In those same cases, often poorly articulated personal considerations as to the matters of necessity, collateral intrusion and proportionality; no or few entries at reviews; and little meaningful comment at cancellation
  • On the CHIS documentation, less common, but still encountered, the failure to authorise a CHIS promptly as soon as they have met the criteria; and in many cases (more typically within the non-law enforcement agencies) a failure to recognise or be alive to the possibility that someone may have met those criteria
  • A huge variation in the standard of risk assessments, whereby some provide an excellent “pen picture” of the individual concerned and the associated risks, whilst others can be over-generic and are not timeously updated to enable the Authorising Officer to identify emergent risks
  • Discussions that take place between the Authorising Officer and those charged with the management of the CHIS under Section 29(5) of RIPA are not always captured in an auditable manner for later recall or evidence, though this is starting to improve following our advice
  • As resources become stretched within police forces, the deputy to the person charged with responsibilities for CHIS under Section 29(5)(b) often undertakes those functions: as with an Authorising Officer, this is a responsibility which cannot be shared or delegated

Finally the Commissioner says that during inspections his staff have found that there is “a continuing lack, in many public authorities, of on-going refresher training for officers who may have been trained many years ago, or who have not been eligible for specialised training by dint of career progression or role.”

Those who have an OSC inspection in the Autumn should read Sam Lincoln’s e book which he has written for us entitled “How To Impress An OSC Inspector.” Get in touch if you want a free copy.

Last year new codes of practice under Part 2 of RIPA were introduced.

STOP PRESS… STOP PRESS… STOP PRESS… STOP PRESS…

ONLINE RIPA TRAINING

Looking for an e-learning solution for your RIPA training needs? http://www.actnow.org.uk/content/185

———————————————————————————————————-

Now is the time to consider refresher training for RIPA investigators and authorisers. We have a full program of RIPA Courses and can also deliver these at your premises, tailored to the audience. If you want to avoid re inventing the wheel, our RIPA Policy and Procedures Toolkit gives you a standard policy as well as forms (with detailed notes to assist completion) for authorising RIPA and non-RIPA surveillance.

Ex Chief Surveillance Inspector (OSC) Joins Act Now Team

Sam_Lincoln_smallAct Now Training is pleased to announce that Sam Lincoln has joined our team of trainers.

Together with, Ibrahim Hasan and Steve Morris, Sam will deliver high quality training and consultancy services in the field of surveillance law particularly on Part 2 of the Regulation of Investigatory Powers Act 2000 (Directed Surveillance, Intrusive Surveillance and CHIS).

Sam was formerly Chief Surveillance Inspector with the Office of Surveillance Commissioners for seven years.

The Chief Surveillance Commissioner said of him:

“He is of complete integrity, hardworking, conscientious, highly intelligent and immensely knowledgeable about the law and practice of covert surveillance by public authorities.”

Sam has a unique perspective on covert surveillance law and practice. During 28 years commissioned service, he served for 18 years in military intelligence in staff, operational command and training appointments many in the covert domain.

Sam’s relevant other work experience includes:

  • Commanding Officer, Defence Human Intelligence training school
  • Editor of the OSC Procedures and Guidance publication
  • Speaker (often keynote) at national and local RIPA conferences
  • Visiting lecturer College of Policing RIPA Authorising Officer course
  • International trainer and consultant, Danish Emergency Management Agency
  • Design and delivery of the European Commission civil protection information management and security courses

Sam is currently working with Act Now to develop an online training module for front line staff on covert surveillance and RIPA. We would be happy to hear from any local authorities who are interested in being a test site for this.

Please get in touch if you would like to engage Sam to deliver in house customised RIPA training. With seven years experience of working for the OSC, conducting and coordinating RIPA inspections, he is in a unique position to be able to help your organisation prepare for an OSC inspection.

PS – Don’t forget, the new RIPA Codes of Practice came into force on 10th December 2014. Read more here.

OSC Annual RIPA Report (2014) – Key Points

file0001162281290

The Chief Surveillance Commissioner published his annual report on 4th September 2014. The report covers the period from 1st April 2013 to 31st March 2014 and is essential reading for those public authorities, especially councils, who conduct surveillance under Part 2 of the Regulation of Investigatory Powers Act 2000 (RIPA) (Directed Surveillance, Intrusive Surveillance and the deployment of a Covert Human Intelligence Source (CHIS)). The report details statistics relating to the use of these tactics and information about how the Office of Surveillance Commissioners (OSC) conducts its oversight role.

Non-law enforcement agencies (including councils) authorised Directed Surveillance on 4,412 occasions in the reporting period. This continues a downward trend over the last few years. Last year there were 5,827 of such authorisations. 75% of these were completed by the Department for Work and Pensions.

The report also considers the changes, which took effect on 1st November 2012; namely magistrates’ approval for council surveillance and a new six-month threshold test for Directed Surveillance. There were 517 approval requests made to a magistrate in the reporting period of which only 26 were rejected. On the whole the changes are working well but the Chief Surveillance Commissioner has expressed concern about the level of RIPA knowledge amongst magistrates:

“What has become clear is that the knowledge and understanding of RIPA among magistrates and their staff varies widely. Adequate training of magistrates is a matter for others, but I highlight the need. The public is not well served if, through lack of experience or training, magistrates are not equipped effectively to exercise the oversight responsibility, which the legislation requires. I am aware, for example, of one magistrate having granted an approval for activity retrospectively, and another having signed a formal notice despite it having been erroneously completed by the applicant with details of a different case altogether.” (Para 3.10)

The Commissioner notes a continuing steady decline in the use of Directed Surveillance by local councils which may, or may not, have resulted from the introduction of the need to seek a magistrate’s approval. In one borough council there had been 47 directed surveillance authorisations between 2010 and the introduction of The Protection of Freedoms Act 2012 and none in the 16 months thereafter. (It is important to note that, as the Commissioner pointed out at paragraph 5.5 of last year’s report, RIPA is permissive legislation and there may be occasions where surveillance outside the scope of RIPA may be required. He pointed to the IPT decision in BA and others v Cleveland Police (IPT/11/129/CH). This is in keeping with Ibrahim Hasan’s view as explained previously on this blog. )

Where councils have continued to use their RIPA powers, the OSC has identified a lack of a corporate approach to the new process. Some councils have established or used existing relationships with their local magistrates’ court to ensure that both parties were prepared for the impact of the new Act; some have gone so far as to provide a training input to local magistrates and their clerks, so they understand RIPA and the type of case and associated documentation which will be presented to them. (The Home Office guidance document is a good place to start for authorities new to the approval process.)

Social Networks

The Commissioner draws special attention in his report to the use of the Internet for investigations, particularly involving social networking sites:

“5.30. This is now a deeply embedded means of communication between people and one that public authorities can exploit for investigative purposes. I am reasonably satisfied that there is now a heightened awareness of the use of the tactic and the advisable authorisations under RIPA that should be considered. Although there remains a significant debate as to how anything made publicly available in this medium can be considered private, my Commissioners remain of the view that the repeat viewing of individual “open source” sites for the purpose of intelligence gathering and data collation should be considered within the context of the protection that RIPA affords to such activity.”

The Commissioner advises caution when conducting online investigations:

“5.31. In cash-strapped public authorities, it might be tempting to conduct on line investigations from a desktop, as this saves time and money, and often provides far more detail about someone’s personal lifestyle, employment, associates, etc. But just because one can, does not mean one should. The same considerations of privacy, and especially collateral intrusion against innocent parties, must be applied regardless of the technological advances.”

He goes on to suggest that a RIPA authorisation may be required for some online investigations:

“5.32. Access to social networking sites by investigators in all public authorities is something we examine on inspections. Many, particularly the law enforcement agencies, now have national and local guidance available for their officers and staff. However, many local authorities and government departments have still to recognise the potential for inadvertent or inappropriate use of the sites in their investigative and enforcement role. Whilst many have warned their staff of the dangers of using social media from the perspective of personal security and to avoid any corporate damage, the potential need for a RIPA authorisation has not been so readily explained.

5.33. I strongly advise all public authorities empowered to use RIPA to have in place a corporate policy on the use of social media in investigations. Some public authorities have also found it sensible to run an awareness campaign, with an amnesty period for declarations of any unauthorised activity or where, for example, officers have created false personae to disguise their on line activities.”

We have a workshop on investigating E – Crime and Social Networking Sites, which considers all the RIPA implications of such activities.

Common inspection findings

Over the past year, the OSC has carried out in excess of 140 council inspections in England and Wales. At paragraph 5.37 of the report, the Commissioner lists the main issues that he has commented upon in his inspection reports:

· Unsubstantiated and brief, or, conversely, excessively detailed intelligence cases

· Poor and over-formulaic consideration of potential collateral intrusion and how this will be managed

· Poor proportionality arguments by both applicants and Authorising Officers – the four key considerations (identified by my Commissioners and adopted within the Home Office Codes of Practice) are often not fully addressed

· A surfeit of surveillance tactics and equipment being requested and granted but rarely fully used when reviews and cancellations are examined

· At cancellation, a lack of adequate, meaningful update for the Authorising Officer to assess the activity conducted, any collateral intrusion that has occurred, the value of the surveillance and the resultant product; with, often, a similarly paltry input by Authorising Officers as to the outcome and how product must be managed

· On the CHIS documentation, a failure to authorise a CHIS promptly as soon as they have met the criteria; and in many cases (more typically within the non-law enforcement agencies) a failure to recognise or be alive to the possibility that someone may have met those criteria

· Some risk assessments can be over-generic and not timeously updated to enable the Authorising Officer to identify emergent risks

· Discussions that take place between the Authorising Officer and those charged with the management of the CHIS under Section 29(5) of RIPA are not always captured in an auditable manner for later recall or evidence

· As resources become stretched within police forces, the deputy to the person charged with responsibilities for CHIS under Section 29(5)(b) often undertakes those functions: as with an Authorising Officer, this is a responsibility which cannot be shared or delegated

· Outside pure documentary issues, a lack, in some public authorities, of ongoing refresher training for those that require it; and a need for an improved level of personal engagement in the oversight process by the Senior Responsible Officer.

Now is the time to consider refresher training for RIPA investigators and authorisers. We have a full program of RIPA Courses and can also deliver these at your premises, tailored to the audience. If you want to avoid re inventing the wheel, our RIPA Policy and Procedures Toolkit gives you a standard policy as well as forms (with detailed notes to assist completion) for authorising RIPA and non-RIPA surveillance. There is substantial discount for orders received before 30th September 2014.

RIPA Part 2 Inspections: Common Criticisms by the OSC

examThe Office of Surveillance Commissioners (OSC) is responsible for overseeing the use of covert surveillance by designated public authorities by carrying out regular inspections. (Appendix E of the Chief Surveillance Commissioner’s Annual Report (2012-13) lists those whom the OSC inspects and how often.) In the UK the inspections check councils’ compliance with Part 2 of the Regulation of Investigatory Powers Act 2000(RIPA) (and in Scotland The Regulation of Investigatory Powers (Scotland) Act 2000 (RIP(S)A)) for use directed surveillance, intrusive surveillance and covert human intelligence sources (CHIS).

As part of our provision of tailored in house training, we have to read OSC inspection reports. The following is a list of common mistakes highlighted by the OSC. They are not attributable to any particular organisation.

FORMS

  • Use of out of date forms
  • No Unique Reference Number (URN)
  • Not amending forms so that only those grounds are present which are available to the public authority e.g. councils – preventing or detecting crime
  • Pre completed forms
  • Use of cut and paste in boxes/repetitive narrative

AUTHORISATION PROCESS

  • Rubber stamping – no real thought given to authorisation
  • Necessity, proportionality and collateral intrusion not fully understood/considered by investigators and authorisers
  • Likelihood of obtaining Confidential Information not fully considered
  • Some ‘open source’ internet research is being conducted which may actually meet the criteria of Directed Surveillance and therefore require authorisation
  • Confusion re: reviews and renewals
  • Lack of understanding of when a person is a CHIS
  • Two many Authorising Officers
  • Authorising Officers are not making adequate provision for destruction of product that is collateral intrusion or of no value to the operation
  • Several authorities are pooling resources but then not obtaining authorisations and keeping records in relation to a proper designated authority
  • Confusion about interference with property powers under Police Act 
1997
  • NB councils cannot do this
  • More robust management and quality assurance procedures required 


RECORD KEEPING

  • Central records not compliant with the Code of Practice
  • Inadequate monitoring, recording and audit of surveillance equipment
  • Inadequate handling and storage of surveillance product/evidence 


POLICIES AND PROCEDURE DOCUMENTS

  • Inadequate/no RIPA policy
  • In adequate guidance document (or out of date)
  • No CCTV protocol/procedure
  • OSC may wish to visit your CCTV control room

TRAINING AND AWARENESS

  • Inadequate training
  • Lack of regular training/refresher trainer
  • Inadequate record of those who have been trained
  • OSC may ask to see recent training materials

If you are considering refresher training for RIPA investigators and authorisers, please see our full program of RIPA Courses and our online webinars. We can also deliver tailored in house training at your premises.

Ever since the changes to the council surveillance regime, which came into force on 1st November 2012, the OSC has taken an interest in ensuring councils do not authorise surveillance under RIPA for “minor offences.” In addition they have been keen to ensure that council’s have an agreed protocol and procedure for presenting authorisation applications to the Magistrates’ Courts. Finally where surveillance needs to be done outside the scope of RIPA then a Non RIPA authorisation policy should be implemented and followed.

Do your RIPA documents need revision? Avoid re inventing the wheel! Our RIPA Policy and Procedures Toolkit gives you a standard policy as well as forms (with detailed notes to assist completion) for authorising RIPA and non-RIPA surveillance. Over 200 different organisations have bought this document (available on CD as well).

%d bloggers like this: