Tag: RIPA

RIPA and Communications Data: 2014 Annual Report

 

 

Local authorities have powers, under Part I Chapter 2 of the Regulation of Investigatory Powers Act 2000(RIPA), to acquire communications data from Communications Service Providers (CSPs). The definition of “communications data” includes information relating to the use of a communications service (e.g. phone, internet, post) but does not include the contents of the communication itself. It is broadly split into 3 categories: “traffic data” i.e. where a communication was made from, to whom and when; “service data” i.e. the use made of the service by any person e.g. itemised telephone records; “subscriber data” i.e. any other information that is held or obtained by a CSP on a person they provide a service to.

Some public authorities have access to all types of communications data e.g. police, ambulance service, HM Revenues and Customs. Local authorities are restricted to subscriber and service use data and even then only where it is required for the purpose of preventing or detecting crime or preventing disorder. For example, a benefit fraud investigator may be able to obtain an alleged fraudster’s mobile phone bill. As with other RIPA powers, e.g. Directed Surveillance, there are forms to fill out and strict tests of necessity and proportionality to satisfy.

The Prime Minister under Section 57(1) of RIPA 2000 appointed Sir Anthony May in January 2013 as the Interception of Communications Commissioner. His function is to keep under review the interception of communications and the acquisition and disclosure of communications data by intelligence agencies, police forces and other public authorities (including councils). He is required to make an annual report to the Prime Minister with respect to the carrying out of his functions.

In March the Commissioner’s Annual Report, covering the period January to December 2014, was laid before Parliament. (Read the useful summary produced by Big Brother Watch here). Key findings in relation to communications data are set out in the extract below:

RIPA

Despite media headlines, local authorities now make little or no use of these powers. A big reason for this is that, since 1st November 2012, councils have had to obtain Magistrates’ approval for even the simplest communications data applications (e.g. mobile subscriber checks). (Read about the changes in detail here.) Another reason may be that since December last year, the Home Office has required councils to go through the National Anti Fraud Network to access communications data rather than make direct applications to CSPs. This has also made the internal SPoC’s (Single Point of Contact) role redundant.

The Commissioner also has the power to conduct inspections of public authorities using these powers. He still inspects councils despite their infrequent use. A typical inspection may include the following:

  • A review of the action points or recommendations from the previous inspection to check they have been implemented.
  • An audit of the information supplied by the CSPs detailing the requests that public authorities have made for disclosure of data. This information is compared against the applications held by the SPoC (Single Point of Contact) to verify that the necessary approvals were given to acquire the data.
  • Examination of individual applications to assess whether they were necessary in the first instance and then whether the requests met the necessity and proportionality requirements.
  • Scrutinising at least one investigation or operation from start to end to assess whether the communications data strategy and the justifications for acquiring all of the data were proportionate.
  • Examination of the urgent oral approvals to check the process was justified and used appropriately.
  • A review of the errors reported or recorded, including checking that the measures put in place to prevent recurrence are sufficient.

Act Now continues provides in house training on all aspects of covert surveillance under RIPA including accessing communications data. Get in touch for a quote.

Revised RIPA Policy and Procedures Toolkit (2015)

capture-20150313-134335

The local authority surveillance regime((under the Regulation of Investigatory Powers Act 2000, (RIPA)) has seen a number of developments in the past few years. These include:

  • Since 1st November 2012, whenever exercising any powers under RIPA (doing Directed Surveillance, deploying a CHIS or accessing Communications Data) councils have had to obtain Magistrates’ approval. Directed Surveillance has also been made the subject of a new Serious Crime Test (Read about the changes in detail here). On the whole the changes are working well.
  • On 10th December 2014 revised versions of two RIPA codes of practice  RIPA codes of practice came into force.
  • More guidance has been published by the Information Commissioner on what to do when covert surveillance is not regulated by RIPA.
  • The Office of Surveillance Commissioners  continues to highlight poor form filling and record  keeping in his annual reports.

Now is the time to revise your RIPA policies and procedures to take account of these developments.

The revised Act Now RIPA procedures and guidance toolkit includes an updated version of our previous RIPA Forms Guidance document, which was bought by over one hundred different organisations. In addition there are detailed guidance notes on deciding when surveillance is caught by RIPA, how to authorise it and what to do about surveillance which is not regulated by RIPA. The toolkit is written in straightforward language (avoiding legal jargon) and includes flowcharts to assist understanding.

The full contents list includes:

Updated – Completing the RIPA Forms

  • Procedure for completing the forms
  • Common mistakes
  • All Directed Surveillance forms with full notes to assist completion
  • All CHIS forms with full notes to assist completion

Seeking Magistrates’ Approval

  • Step by step guide to the process
  • Judicial application/order form with full notes to assist completion

Updated – Undertaking Non RIPA Surveillance

  • When it is appropriate
  • Non – RIPA Surveillance Authorisation Form
  • New Non – RIPA Surveillance Cancellation Form

New – Employee Surveillance Guidance

  • When it is appropriate
  • Complying with the Data Protection Act 1998
  • The latest ICO decision
  • Privacy Impact Assessments

More here: http://www.actnow.org.uk/content/117

The normal price of the toolkit is £199 plus vat for a hard copy and £399 plus vat for an electronic version (plus hard copy) with a licence to make additional hard copies and to upload the toolkit on to an intranet site (for internal use only).

DISCOUNT – If you bought the previous the version on the toolkit you qualify for a 20% discount.

Scottish colleagues can buy the RIP(S)A version of the toolkit here: http://www.actnow.org.uk/content/84

For those of you looking for refresher training in this area, we have a full program of public workshops. We can also bring the training to you for a customised in house training course. Please get in touch for a quote.

CCTV Surveillance: Getting It Right

Steve Morris writes…

“I keep six honest serving men, they taught me all I know, their names are what, why, when, how, where and who…”

“I know a person small, she keeps ten million serving-men who get no rest at all! – One million how’s, two million where’s, and seven million whys!”

Rudyard Kipling 1902

Well it’s 2015 and we have an estimated 6 million (give or take a million or so!) surveillance cameras within the UK regulated sector, and that does not include those installed by private individuals. Cameras are no longer stuck on the end of poles recording peoples’ movements. They are worn by officials, installed on public transport and can even predict peoples’ behaviour.

Image technology has advanced tremendously in recent years. Data captured by CCTV systems is often automatically interacting with other databases with the capability of providing very intrusive information about the private lives and activities of innocent individuals as well as offenders and those that pose a risk to society.

We are also going through economically difficult times. CCTV and other surveillance technology can be seen a cost effective answer to the resource problem. However, without careful planning and regular review, it can be a costly option that might in fact provide little or no benefit and/or land an organisation in trouble with the various regulators in this sector. The Information Commissioner’s Office (ICO) has taken enforcement action involving both number plate recognition systems and cameras  recording customers’ conversations in taxis.

The ICO is not the only regulator in this area. The Surveillance Camera Commissioner is tasked with raising awareness of the Surveillance Camera Code. Made pursuant to the Protection of Freedoms Act 2012 it governs the use of surveillance camera systems including CCTV and Automatic Number Plate Recognition (ANPR) operated by the police and councils in England and Wales.

The Office of the Surveillance Commissioner has oversight in relation to the covert surveillance under Part 2 of the Regulation of Investigatory Powers Act 2000  (RIPA). This often involves the deployment of covert CCTV cameras. Recently Ibrahim Hasan alerted you to the revisions of the two RIPA codes of practice.

So why quote Rudyard Kipling’s poem from 1902?

The overall question revolves around whether a ‘scatter gun approach’ (obtaining lots of private data from lots of cameras) is actually a practical, cost effective use of resources. Furthermore is this approach a lawful, necessary and proportionate approach to addressing a ‘pressing social need’ or problem? Or would a smaller number of cameras providing images and data of the quality required, when it is required, be a better use of resources?

Compliance with the various codes and laws which govern CCTV, is easy if key questions are addressed at the outset:

  1. What is the pressing social need or lawful grounds for the CCTV surveillance activity? What type(s) of devices and system is appropriate? What personal data is going to be collected? What policies and processes should we have?
  2. Why do we need this surveillance in this place? Why is surveillance the option we have chosen?
  3. When should the system be capturing and recording information? When is it right to share this information?
  4. How will the system be managed? How much private information are we obtaining about individuals? How will we ensure it is kept secure?
  5. Where will the cameras be positioned? Where will we store the data?
  6. Who will we be watching? Who will have access to the collected information?

Looking for an opportunity to discuss these questions and many others, and to examine the regulatory requirements in relation to the decision making process? Attend one of my CCTV workshops and be brought right up to date with the latest laws, codes of practice and guidance.

Steve Morris is an ex police officer and one of our experts in surveillance law trainers.

Staff Surveillance: It’s a Data Protection Issue

Increasingly affordable surveillance technology means that more and more employers are turning to surveillance to catch errant or work shy employees. But confusion still reigns as to which legislation applies and what can be done lawfully.

If employee surveillance is conducted by a public authority and involves covert techniques or equipment, it is easy to assume that Part 2 of the Regulation of Investigatory Powers Act 2000 (“RIPA”) applies. However, the Investigatory Powers Tribunal has ruled in the past that not all covert surveillance of employees is regulated by RIPA (See C v The Police and the Secretary of State for the Home Department (14th November 2006, No: IPT/03/32/H), discussed in our previous blog post on employee surveillance.)

All employers, whether in the public or the private sector, have to respect their employees’ right to privacy under Article 8 of the European Convention on Human Rights. This means that the surveillance must be carried out in a manner that is in accordance with the law and is necessary and proportionate (see Copland v UK (3rd April 2007 ECHR).

During the course of the surveillance, the employer will inevitably be gathering personal data about employees. Consideration therefore has to be given to the provisions of the Data Protection Act 1998 (DPA). Compliance with the DPA will also help demonstrate that the surveillance is human rights compliant since protection of individuals’ privacy is a cornerstone of the DPA.

The Information Commissioner’s Office’s (ICO) Employment Practices Code, which covers surveillance of employees at work. The code covers all types of employee surveillance from video monitoring and vehicle tracking to email and internet surveillance. Whilst the code is not law, it will be taken into account by the Information Commissioner and the courts whether deciding whether the DPA has been complied with.

In December 2014, Caerphilly County Borough Council signed an undertaking after an ICO investigation found that the Council’s surveillance of an employee , suspected of fraudulently claiming to be sick, had breached the DPA.

The council’s decision to authorise the surveillance was based on anecdotal evidence and was begun only four weeks into the employee’s sickness absence. No other measures were taken to discuss the employee’s absence before the decision to deploy covert surveillance. The surveillance report, which was produced by a private company, was never used. The ICO determined the council did not have sufficient grounds to undertake the surveillance, especially at such an early stage of the employee’s absence.

The council has undertaken that, in future, it will carry out an impact assessment, (as required by the code) in every case of employee surveillance. This will consider whether the adverse impact of the surveillance on the employee(s) is justified by the benefits to the employer and others. Such an impact assessment must also:

  • clearly identify the purpose(s) behind the surveillance and the benefits it is likely to deliver,
  • identify any likely adverse impact of the surveillance,
  • consider alternatives to surveillance or different ways in which it can be carried out
  • take into account the obligations that arise from the surveillance, and
  • judge whether the surveillance is justified.

This assessment is best done in writing using a “Non-RIPA” surveillance form (Our RIPA Policy and Procedures Toolkit contains such a form).

Furthermore the council agreed some general principles which are useful for all employers to note when deciding to conduct covert surveillance of employees:

  • Senior management should authorise any covert monitoring. In doing so they must satisfy themselves that there are grounds for suspecting criminal activity or equivalent malpractice (i.e. serious but non-criminal employee misbehaviour, such as fraudulently claiming sick pay) and that notifying individuals about the monitoring would prejudice its prevention or detection.
  • Such covert monitoring should only be used in exceptional circumstances, as it will be rare for covert monitoring of employees to be justified.
  • Ensure that any covert monitoring is strictly targeted at obtaining evidence within a set timeframe and that the covert monitoring does not continue after the investigation is complete.
  • Do not use covert audio or video monitoring in areas which workers would genuinely and reasonably expect to be private.
  • If a private investigator is employed to collect information on workers covertly make sure there is a contract in place that requires the private investigator to only collect information in a way that satisfies the employer’s obligations under the Act.
  • Check any arrangements for employing private investigators to ensure your contracts with them impose requirements on the investigator to only collect and use information on workers in accordance with your instructions and to keep the information secure.
  • Ensure that information obtained through covert monitoring is used only for the prevention or detection of criminal activity or equivalent malpractice.
  • Disregard and, where feasible, delete other information collected in the course of monitoring unless it reveals information that no employer could reasonably be expected to ignore.

Employee surveillance is a legal minefield. RIPA may not always apply but compliance with the DPA and the Employment Practices Code will ensure that it is human rights compliant and that adverse headlines are avoided.

Act Now can help you get to grips with this difficult area. Please see our full program of surveillance law courses which can also be customised and delivered at your premises.

The New RIPA Surveillance Codes: Key Changes

By Sam Lincoln (Chief Surveillance Inspector 2006 – 2013)

Featured imageRecently Ibrahim Hasan alerted you to the revisions of the two codes of practice underPart 2 of the Regulation of Investigatory Powers Act 2000 (RIPA) published on 10th December 2014. Ibrahim urged you to read them but I suspect that it wasn’t at the top of your ‘to do’ list over Christmas! So I’ve done the donkey work for you.

A cursory examination suggests that the revised codes simply implement the amendments to RIPA resulting from the legislation enacted since the last codes were published namely: the Regulation of Investigatory Powers (Extension of Authorisation Provisions: Legal Consultations) Order 2010; to the Protection of Freedoms Act 2012; and the Regulation of Investigatory Powers (Covert Human Intelligence Sources: Relevant Sources) Order 2013. But there are some interesting and important changes.

I approach the subject by addressing each of the two codes. Before I do, it’s worth saying that I compared the existing 2010 codes with the draft codes obtained from the Home Office website available at the time of writing. It may be worth checking to see if further amendments were made before publication. I ignore the frequent amendment resulting from changes to the names or amalgamation of public authorities (for example the formation of Police Scotland and the creation of the National Crime Agency).

If you are a member of a local authority, please don’t persuade yourself that the CHIS Code doesn’t apply to your authority. I think you’ll find that it does!

Covert Surveillance and Property Interference Code

Let’s begin with the Covert Surveillance and Property Interference Code. It might be worth having a copy (printed or online) handy as I’ll refer to relevant paragraph numbers in square brackets ([]):

[2.18] The first sentence is amended to account for the fact that some legal consultations which might otherwise be Directed Surveillance are now to be authorised as Intrusive Surveillance.

[2.24] Examples 3 and 4 have been amended. I am particularly uncomfortable with the amendment to Example 4 which relegates the requirement for an authorisation from “should be sought” to “should … be considered”. The inference is that planned covert surveillance of an individual suspected of shoplifting depends on the public authority deciding whether the individual has a reasonable expectation of privacy. Assessing what is reasonable and what is assumed by another person is open to challenge. It is because examples can mislead that the Office of Surveillance Commissioners (OSC), during my tenure, advised against the inclusion of examples. For this reason it’s vital that applicants and authorising officers note [1.7].

[2.27] This paragraph has been expanded to include guidance provided by the Surveillance Camera Code of Practice pursuant to the Protection of Freedoms Act. (More on CCTV here)

[2.29] This new paragraph provides important guidance regarding the need to consider whether an authorisation for either Directed Surveillance or a CHIS is required when using the Internet. As usual, it lacks the clarity usually sought by practitioners but it is clear that prior consideration should be given to the need for authorisation; it’s not acceptable to ignore this advice and I urge Senior Responsible Officers to ensure that they alert all public authority staff to its implications.

[2.30] The third bullet point of this paragraph is amended to differentiate between non-verbal and verbal noise.

[3.7] The original examples 2 and 3 are deleted. I suspect that the cause is that neither could be protected by a RIPA authorisation as a result of the 2010 Order. But then again, nor does Example 1!

[3.18] This is a new paragraph and covers the use of third party individuals or organisations (for example private investigators and internet researchers). They are acting as agents of the public authority and the need for relevant authorisation must not be ignored.

[3.22] The deletion of reference to Scottish public authorities suggests that there is no collaboration agreement with any public authorities in Scotland.

[3.30 – 3.33] These new paragraphs cover the changes to local authority authorisations of Directed Surveillance resulting from the Protection of Freedoms Act 2012. (More on the changes here)

[3.35] This paragraph amends the requirement for elected members to consider internal reports submitted on a ‘regular basis’ rather than at least quarterly. I’m personally disappointed that there’s no restriction on the detail of authorisations that elected members are entitled to see to prevent inadvertent compromise.

[4.1] The fourth sentence is amended slightly for grammatical effect it seems. The definition of a Member of Parliament is deleted and placed in the glossary at the back of the code.

[5.18] I recall that the OSC advised that there is no ‘legal’ requirement for any further details to be recorded and would have preferred the code to be more assertive. It’s disappointing that this advice is ignored.

[5.20] It isn’t clear why all of the footnotes relating to this paragraph are deleted.

[6.2] Is amended to include directed surveillance.

[7.8] This paragraph isn’t amended despite, to my knowledge, earlier criticism of the accuracy of its first sentence by the OSC. I am not a lawyer but, if I recall accurately, neither loss nor damage is necessary for there to be property interference. Subsequent analysis of a sample isn’t, of itself, surveillance; it’s the obtaining of the sample itself which may need authorisation.

[8.1] An additional sentence is added directing local authorities to the .gov.uk website for further guidance on the recording of magistrates’ decisions.

[8.2] A final bullet is included requiring local authorities to retain a copy of the Magistrates’ approval order in a centrally retrievable form. (more on the Magistrates’ approval process here)

[8.4] This is a new paragraph advising that it is desirable that relevant records should be retained, if possible, for up to five years.

CHIS Code of Practice

Let me turn now to the revised CHIS Code of Practice.

[2.4] This alerts the reader to the renaming of CHIS previously known as undercover officers to ‘relevant source’. Not a particularly helpful title. Contrary to this paragraph, not all references to undercover officers are amended in this revision of the Code.

[2.12] The final sentence of this paragraph is an important amendment. It alerts public authorities to the fact that the existence of a CHIS is not a choice for a public authority. Whether to authorise the use and conduct of a CHIS is a choice of course, but in my experience too often public authorities wished the problem away. In short, all public authorities must acknowledge that a CHIS may appear at any time and must have procedures in place to manage them in accordance with the law.

[2.14] This new paragraph obliges ‘relevant sources’ to comply with the College of Policing Code of Ethics.

[2.15] This is a new paragraph obliging the authorisation of activity known as ‘legend building’.

[2.16] This seems an unnecessary paragraph considering that types of human sources falling outside the CHIS definition are provided specific attention.

[2.17] This new paragraph introduces the concept of a public volunteer (with examples) in addition to the previously existing concept of a human source with a professional or statutory duty.

[3.12] This paragraph is amended in recognition that the 2013 Order introduced enhanced arrangements.

[3.22] The amendment to this paragraph emphasises that the enhanced arrangement for relevant sources relies on accurate recording of the length of deployment of each relevant source.

[3.26 – 3.27] This new section is specific to the use of CHIS by local authorities and the approval by magistrates. It highlights differences between authorities in England and Wales, Scotland, and Northern Ireland. Similar direction is provided to the need for elected member review but, as I was disappointed with the direction in the other Code, I believe that there is benefit in restricting the detail available to elected members in relation to the use and conduct of a CHIS to prevent compromise.

[4.3] This reminds the reader that ‘relevant sources’ are subject to enhanced arrangements when accessing legally privileged and other confidential information.

[4.31] There is an addition to cover the engagement of a member of a foreign law enforcement agency.

[4.32] The is an important new paragraph covering the considerations necessary to authorise the use and conduct of a CHIS for some online covert activity. It should be read in conjunction with [2.29] of the Covert Surveillance and Property Interference Code of Practice.

[5.10] This new paragraph clarifies the enhanced arrangements for relevant sources.

[5.15] Two sentences are added to this paragraph. The first states that local authorities are no longer able to orally authorise the use of RIPA techniques. The second relates to out of hours arrangements.

[5.16] An amendment to this paragraph introduces additional information to include at review; namely the information obtained from a CHIS and the reasons why executive action is not possible if that is the case (my italics are an addition).

[5.21 and 5.22 – 5.26] These new paragraphs relate to enhanced arrangements for the use and conduct of relevant sources. They provide detail regarding timings and, importantly, the calculation of total or accrued deployment or cumulative authorisation periods.

[5.29] An additional sentence requires an authorising officer to satisfy themselves that all welfare issues are addressed at the time of CHIS cancellation.

[5.30 – 5.31] These new paragraphs relate to the refusal of an Ordinary Surveillance Commissioner to approve a long term authorisation. Importantly, it obliges public authorities to plan for the safe extraction of a relevant source if an authorisation is refused.

[6.6] The addition of a final sentence recognises concerns raised by the OSC in relation to traditional police appointments and their responsibilities as defined by RIPA.

[7.3] Similar to [8.4] of the Covert Surveillance and Property Interference Code revision, this new paragraph (and amendment of [7.1] and [7.6]) recommends that relevant RIPA records should be retained for five years if possible.

[7.6] The addition of a bullet point requires that the decision of an Ordinary Surveillance Commissioner should be retained.

There is one other point I would like to make about the CHIS Code; there is no reference to the fact that the Protection of Freedoms Act 2012 did not restrict the use or conduct of a CHIS to the prevention or detection of crimes not attracting a six month sentence as it did for other types of covert surveillance.

What should you do now?

If you’ve got this far without falling asleep, you are obviously a person who takes RIPA seriously! It would be very helpful therefore if you ensure that your Senior Responsible Officer and all authorising officers are alerted to these amendments. I’m sure the OSC will check that policies are amended accordingly and that extant codes of practice are available and understood.

Copy this article by all means but please have the courtesy to accredit it properly!!

Sam Lincoln was formerly Chief Surveillance Inspector with the Office of Surveillance Commissioners for seven years. Please get in touch if you would like Sam to help you prepare for an OSC inspection by delivering customised training at your premises. We also have a full program of RIPA workshops in 2015 where we will examine the new codes in detail: http://www.actnow.org.uk/content/110

STOP PRESS… STOP PRESS… STOP PRESS… STOP PRESS…

ONLINE RIPA TRAINING

Looking for an e-learning solution for your RIPA training needs? http://www.actnow.org.uk/content/185

———————————————————————————————————-

Ex Chief Surveillance Inspector (OSC) Joins Act Now Team

Sam_Lincoln_smallAct Now Training is pleased to announce that Sam Lincoln has joined our team of trainers.

Together with, Ibrahim Hasan and Steve Morris, Sam will deliver high quality training and consultancy services in the field of surveillance law particularly on Part 2 of the Regulation of Investigatory Powers Act 2000 (Directed Surveillance, Intrusive Surveillance and CHIS).

Sam was formerly Chief Surveillance Inspector with the Office of Surveillance Commissioners for seven years.

The Chief Surveillance Commissioner said of him:

“He is of complete integrity, hardworking, conscientious, highly intelligent and immensely knowledgeable about the law and practice of covert surveillance by public authorities.”

Sam has a unique perspective on covert surveillance law and practice. During 28 years commissioned service, he served for 18 years in military intelligence in staff, operational command and training appointments many in the covert domain.

Sam’s relevant other work experience includes:

  • Commanding Officer, Defence Human Intelligence training school
  • Editor of the OSC Procedures and Guidance publication
  • Speaker (often keynote) at national and local RIPA conferences
  • Visiting lecturer College of Policing RIPA Authorising Officer course
  • International trainer and consultant, Danish Emergency Management Agency
  • Design and delivery of the European Commission civil protection information management and security courses

Sam is currently working with Act Now to develop an online training module for front line staff on covert surveillance and RIPA. We would be happy to hear from any local authorities who are interested in being a test site for this.

Please get in touch if you would like to engage Sam to deliver in house customised RIPA training. With seven years experience of working for the OSC, conducting and coordinating RIPA inspections, he is in a unique position to be able to help your organisation prepare for an OSC inspection.

PS – Don’t forget, the new RIPA Codes of Practice came into force on 10th December 2014. Read more here.

New RIPA Codes come into force on 10th December 2014

file000640591433

On 10th December 2014 revised versions of the two codes of practice under Part 2 of the Regulation of Investigatory Powers Act 2000 (RIPA) will come into force. This will be as a result of two statutory instruments made on 19th November 2014 namely; the Regulation of Investigatory Powers (Covert Surveillance and Property Interference: Code of Practice) Order 2014 and the Regulation of Investigatory Powers (Covert Human Intelligence Sources: Code of Practice) Order 2014.

The revised codes are essential reading for those public authorities, especially councils, who conduct surveillance (Directed Surveillance, Intrusive Surveillance and the deployment of a Covert Human Intelligence Source (CHIS)). They take account of the changes, which took effect on 1st November 2012; namely magistrates’ approval for council surveillance and a new six-month threshold test for Directed Surveillance.

CCTV is a hot topic. Following complaints by Big Brother Watch, the Information Commissioner’s Office (ICO) has taken enforcement action involving both number plate recognition cameras and cameras recording people’s conversations in taxis. On 15th October 2014, the ICO published its 44 page code of practice on surveillance cameras and personal information. Revised paragraph 2.27 of the covert surveillance code draws attention to the importance of complying with the Data Protection Act and consequently the ICO code as well as the Surveillance Camera Code, when using overt CCTV cameras for surveillance. The Surveillance Camera Code, came into force last year and was made pursuant to the Protection of Freedoms Act 2012 (PoFA). It governs the use of surveillance camera systems including CCTV and Automatic Number Plate Recognition (ANPR) and applies to local authorities and policing authorities in England and Wales.

As regards the legal effects of the Surveillance Camera Code:

“A failure on the part of any person to act in accordance with any provision of this code does not of itself make that person liable to criminal or civil proceedings. This code is, however, admissible in evidence in criminal or civil proceedings, and a court or tribunal may take into account a failure by a relevant authority to have regard to the code in determining a question in any such proceedings” (paragraph 1.16 of the PoFA code).

The Surveillance Camera Commissioner has been appointed by the Home Secretary but has no enforcement or inspection powers unlike the ICO. He “should consider how best to ensure that relevant authorities are aware of their duty to have regard for the Code and how best to encourage its voluntary adoption by other operators of surveillance camera systems” (paragraph 5.3 of the PoFA code). (see our workshop on the Surveillance Camera Code)

The Chief Surveillance Commissioner in his annual report, published on 4th September 2014, drew special attention to the use of the Internet for investigations, particularly involving social networking sites. He suggests that a RIPA authorisation may be required for some online investigations. (See our detailed blog post on the OSC report.) Paragraph 2.29 of the revised covert surveillance code states:

“2.29 The use of the internet may be required to gather information prior to and/or during an operation, which may amount to directed surveillance. Whenever a public authority intends to use the internet as part of an investigation, they must first consider whether the proposed activity is likely to interfere with a person’s Article 8 rights, including the effect of any collateral intrusion. Any activity likely to interfere with an individual’s Article 8 rights should only be used when necessary and proportionate to meet the objectives of a specific case. Where it is considered that private information is likely to be obtained, an authorisation (combined or separate) must be sought as set out elsewhere in this Code. Where an investigator may need to communicate covertly online, for example contacting individuals using social media websites, a CHIS authorisation should be considered.”

Paragraph 4.32 of the revised CHIS code states:

“4.32 The use of the internet may be required to gather information prior to and/ or during a CHIS operation, which may amount to directed surveillance. Alternatively the CHIS may need to communicate online, for example this may involve contacting individuals using social media websites. Whenever a public authority intends to use the internet as part of an investigation, they must first consider whether the proposed activity is likely to interfere with a person’s Article 8 rights, including the effect of any collateral intrusion. Any activity likely to interfere with an individual’s Article 8 rights should only be used when necessary and proportionate to meet the objectives of a specific case. Where it is considered that private information is likely to be obtained, an authorisation (combined or separate) must be sought as set out elsewhere in this Code.”

We have a workshop on investigating E – Crime and Social Networking Sites, which considers all the RIPA implications of such activities.

On the keeping of records both revised RIPA codes state that, although records are only required to be retained for at least three years, it is desirable, if possible, to retain records for up to five years. Finally both revisions confirm that local authorities are no longer able to orally authorise the use of RIPA techniques and that “Out of hours arrangements should be in place with HMCS to deal with out of hours applications.”

These are the main changes to the RIPA codes. We have prepared a detailed document setting out all the changes. Please e-mail us (info@actnow.org.uk) if you would like a copy.

Act Now will be revising its RIPA Policy and Procedures Toolkit to take account of the RIPA codes. The toolkit gives you a standard policy as well as forms (with detailed notes to assist completion) for authorising RIPA and non-RIPA surveillance. Now is the time to consider refresher training for RIPA investigators and authorisers. We have a full program of RIPA Courses and can also deliver these at your premises, tailored to the audience.

OSC Annual RIPA Report (2014) – Key Points

file0001162281290

The Chief Surveillance Commissioner published his annual report on 4th September 2014. The report covers the period from 1st April 2013 to 31st March 2014 and is essential reading for those public authorities, especially councils, who conduct surveillance under Part 2 of the Regulation of Investigatory Powers Act 2000 (RIPA) (Directed Surveillance, Intrusive Surveillance and the deployment of a Covert Human Intelligence Source (CHIS)). The report details statistics relating to the use of these tactics and information about how the Office of Surveillance Commissioners (OSC) conducts its oversight role.

Non-law enforcement agencies (including councils) authorised Directed Surveillance on 4,412 occasions in the reporting period. This continues a downward trend over the last few years. Last year there were 5,827 of such authorisations. 75% of these were completed by the Department for Work and Pensions.

The report also considers the changes, which took effect on 1st November 2012; namely magistrates’ approval for council surveillance and a new six-month threshold test for Directed Surveillance. There were 517 approval requests made to a magistrate in the reporting period of which only 26 were rejected. On the whole the changes are working well but the Chief Surveillance Commissioner has expressed concern about the level of RIPA knowledge amongst magistrates:

“What has become clear is that the knowledge and understanding of RIPA among magistrates and their staff varies widely. Adequate training of magistrates is a matter for others, but I highlight the need. The public is not well served if, through lack of experience or training, magistrates are not equipped effectively to exercise the oversight responsibility, which the legislation requires. I am aware, for example, of one magistrate having granted an approval for activity retrospectively, and another having signed a formal notice despite it having been erroneously completed by the applicant with details of a different case altogether.” (Para 3.10)

The Commissioner notes a continuing steady decline in the use of Directed Surveillance by local councils which may, or may not, have resulted from the introduction of the need to seek a magistrate’s approval. In one borough council there had been 47 directed surveillance authorisations between 2010 and the introduction of The Protection of Freedoms Act 2012 and none in the 16 months thereafter. (It is important to note that, as the Commissioner pointed out at paragraph 5.5 of last year’s report, RIPA is permissive legislation and there may be occasions where surveillance outside the scope of RIPA may be required. He pointed to the IPT decision in BA and others v Cleveland Police (IPT/11/129/CH). This is in keeping with Ibrahim Hasan’s view as explained previously on this blog. )

Where councils have continued to use their RIPA powers, the OSC has identified a lack of a corporate approach to the new process. Some councils have established or used existing relationships with their local magistrates’ court to ensure that both parties were prepared for the impact of the new Act; some have gone so far as to provide a training input to local magistrates and their clerks, so they understand RIPA and the type of case and associated documentation which will be presented to them. (The Home Office guidance document is a good place to start for authorities new to the approval process.)

Social Networks

The Commissioner draws special attention in his report to the use of the Internet for investigations, particularly involving social networking sites:

“5.30. This is now a deeply embedded means of communication between people and one that public authorities can exploit for investigative purposes. I am reasonably satisfied that there is now a heightened awareness of the use of the tactic and the advisable authorisations under RIPA that should be considered. Although there remains a significant debate as to how anything made publicly available in this medium can be considered private, my Commissioners remain of the view that the repeat viewing of individual “open source” sites for the purpose of intelligence gathering and data collation should be considered within the context of the protection that RIPA affords to such activity.”

The Commissioner advises caution when conducting online investigations:

“5.31. In cash-strapped public authorities, it might be tempting to conduct on line investigations from a desktop, as this saves time and money, and often provides far more detail about someone’s personal lifestyle, employment, associates, etc. But just because one can, does not mean one should. The same considerations of privacy, and especially collateral intrusion against innocent parties, must be applied regardless of the technological advances.”

He goes on to suggest that a RIPA authorisation may be required for some online investigations:

“5.32. Access to social networking sites by investigators in all public authorities is something we examine on inspections. Many, particularly the law enforcement agencies, now have national and local guidance available for their officers and staff. However, many local authorities and government departments have still to recognise the potential for inadvertent or inappropriate use of the sites in their investigative and enforcement role. Whilst many have warned their staff of the dangers of using social media from the perspective of personal security and to avoid any corporate damage, the potential need for a RIPA authorisation has not been so readily explained.

5.33. I strongly advise all public authorities empowered to use RIPA to have in place a corporate policy on the use of social media in investigations. Some public authorities have also found it sensible to run an awareness campaign, with an amnesty period for declarations of any unauthorised activity or where, for example, officers have created false personae to disguise their on line activities.”

We have a workshop on investigating E – Crime and Social Networking Sites, which considers all the RIPA implications of such activities.

Common inspection findings

Over the past year, the OSC has carried out in excess of 140 council inspections in England and Wales. At paragraph 5.37 of the report, the Commissioner lists the main issues that he has commented upon in his inspection reports:

· Unsubstantiated and brief, or, conversely, excessively detailed intelligence cases

· Poor and over-formulaic consideration of potential collateral intrusion and how this will be managed

· Poor proportionality arguments by both applicants and Authorising Officers – the four key considerations (identified by my Commissioners and adopted within the Home Office Codes of Practice) are often not fully addressed

· A surfeit of surveillance tactics and equipment being requested and granted but rarely fully used when reviews and cancellations are examined

· At cancellation, a lack of adequate, meaningful update for the Authorising Officer to assess the activity conducted, any collateral intrusion that has occurred, the value of the surveillance and the resultant product; with, often, a similarly paltry input by Authorising Officers as to the outcome and how product must be managed

· On the CHIS documentation, a failure to authorise a CHIS promptly as soon as they have met the criteria; and in many cases (more typically within the non-law enforcement agencies) a failure to recognise or be alive to the possibility that someone may have met those criteria

· Some risk assessments can be over-generic and not timeously updated to enable the Authorising Officer to identify emergent risks

· Discussions that take place between the Authorising Officer and those charged with the management of the CHIS under Section 29(5) of RIPA are not always captured in an auditable manner for later recall or evidence

· As resources become stretched within police forces, the deputy to the person charged with responsibilities for CHIS under Section 29(5)(b) often undertakes those functions: as with an Authorising Officer, this is a responsibility which cannot be shared or delegated

· Outside pure documentary issues, a lack, in some public authorities, of ongoing refresher training for those that require it; and a need for an improved level of personal engagement in the oversight process by the Senior Responsible Officer.

Now is the time to consider refresher training for RIPA investigators and authorisers. We have a full program of RIPA Courses and can also deliver these at your premises, tailored to the audience. If you want to avoid re inventing the wheel, our RIPA Policy and Procedures Toolkit gives you a standard policy as well as forms (with detailed notes to assist completion) for authorising RIPA and non-RIPA surveillance. There is substantial discount for orders received before 30th September 2014.

Interception of Communications Commissioner’s Annual Report

IOCCO

Local authorities have powers under Part I Chapter 2 of the Regulation of Investigatory Powers Act 2000 (RIPA) (sections 21 to 25). This concerns the acquisition and disclosure of communications data from Communications Service Providers (CSPs). The definition of “communications data” includes information relating to the use of a communications service (e.g. phone, internet, post) but does not include the contents of the communication itself. It is broadly split into 3 categories: “traffic data” i.e. where a communication was made from, to whom and when; “service data” i.e. the use made of the service by any person e.g. itemised telephone records; “subscriber data” i.e. any other information that is held or obtained by a CSP on a person they provide a service to.

Some public authorities have access to all types of communications data e.g. police, ambulance service, HM Revenues and Customs. Local authorities are restricted to subscriber and service use data and even then only where it is required for the purpose of preventing or detecting crime or preventing disorder. For example, a benefit fraud investigator may be able to get access to an alleged fraudster’s mobile telephone bill. As with other RIPA powers, e.g. Directed Surveillance, there are forms to fill out and strict tests of necessity and proportionality to satisfy.

In April, the Interception of Communications Commissioner’s 2013 Annual Report to the Prime Minister was laid before Parliament. (See also the Press Release and Prime Ministerial Statement .) The Prime Minister under Section 57(1) of RIPA 2000 appointed Sir Anthony May in January 2013. His function is to keep under review the interception of communications and the acquisition and disclosure of communications data by intelligence agencies, police forces and other public authorities (including councils). He is required to make an annual report to the Prime Minister with respect to the carrying out of his functions.

The total number of communications data applications approved in 2013 was 514,608. Of these 87.7% were made by police forces and law enforcement agencies. Less than 1% were made by local authorities and ‘other’ public authorities. The latter includes regulatory bodies with statutory functions to investigate criminal offences and smaller bodies with niche functions.

The report shows that despite media headlines, local authorities are very infrequent users of their RIPA communications data powers. 121 local authorities reported never using their powers. 172 reported they did not use their powers in 2013, but have used their powers in previous years. A big reason for councils’ infrequent use of their powers is that, since 1st November 2012, they have had to obtain Magistrates’ approval for even the simplest communications data applications (e.g. mobile subscriber checks). (Read about the changes in detail here.)

The Commissioner also has the power to conduct inspections of public authorities using these powers. In 2013 his office conducted 75 inspections broken down as follows: 43 police force and law enforcement agency, 1 intelligence agency, 17 local authority and 14 ‘other’ public authority inspections.

A typical inspection may include the following:

  • A review of the action points or recommendations from the previous inspection to check they have been implemented.
  • An audit of the information supplied by the CSPs detailing the requests that public authorities have made for disclosure of data. This information is compared against the applications held by the SPoC (Single Point of Contact) to verify that the necessary approvals were given to acquire the data.
  • Examination of individual applications to assess whether they were necessary in the first instance and then whether the requests met the necessity and proportionality requirements.
  • Scrutinising at least one investigation or operation from start to end to assess whether the communications data strategy and the justifications for acquiring all of the data were proportionate.
  • Examination of the urgent oral approvals to check the process was justified and used appropriately.
  • A review of the errors reported or recorded, including checking that the measures put in place to prevent recurrence are sufficient.

Para 4.3 of the report emphasises the important role of the Single Point of Contact (SPoC) in the communications data application process:

“The  SPoCs  have  an  essential  role  to  play  here  in using their experience to challenge the investigative strategy underlying the applications which they oversee.”

Every SPoC must attend a two-day Home Office approved training course and pass an exam. Act Now is one the few training providers still running this course. Our next course is in Manchester in November. Full details on our website: http://www.actnow.org.uk/courses/1074

RIPA Policy and Procedures Toolkit – Time Limited Offer

 

capture-20140903-130009

It is almost two years since major changes to the local authority surveillance regime (under the Regulation of Investigatory Powers Act 2000, (RIPA) came into force.

Since 1st November 2012, whenever exercising any powers under RIPA (doing Directed Surveillance, deploying a CHIS or accessing Communications Data) councils have had to obtain Magistrates’ approval. Directed Surveillance has also been made the subject of a new Serious Crime Test (Read about the changes in detail here. On the whole the changes are working well.

A common criticism of local authorities though, by the Office of Surveillance Commissioners (OSC) when carrying out RIPA compliance inspections, is that they need to revise their RIPA polices and procedures in the light of the changes. Act Now has developed a RIPA procedures and guidance toolkit to prevent councils having to re invent the wheel. The toolkit has been drafted by Ibrahim Hasan, an experienced trainer and writer on surveillance law.

The toolkit includes an updated version of our previous RIPA Forms Guidance document, which was bought by over one hundred different organisations. In addition there are detailed guidance notes on deciding when surveillance is caught by RIPA, how to authorise it and what to do about surveillance which is not regulated by RIPA. The toolkit is written in straightforward language (avoiding legal jargon) and includes flowcharts to assist understanding. The full contents list includes:

New – Template covert surveillance policy statement
New – Guide to the changes in force from 1st November 2012
New – Full guide to surveillance under RIPA (e.g. Directed, CHIS etc.)
New – Guidance for Authorising Officers including decision trees

New – Seeking Magistrates’ Approval

  • Step by step guide to the process
  • New judicial application/order form with full notes to assist completion

Updated – Completing the RIPA Forms

  • Procedure for completing the forms
  • Common mistakes
  • All Directed Surveillance forms with full notes to assist completion
  • All CHIS forms with full notes to assist completion

Updated – Undertaking Non RIPA Surveillance

  • When it is appropriate
  • Non – RIPA Surveillance Authorisation Form

More here: http://www.actnow.org.uk/content/117

The normal price of the toolkit is £199 plus vat for a hard copy and £399 plus vat for a CD ROM (plus hard copy). The CD contains an electronic version with a licence to make additional hard copies and to upload the toolkit on to an intranet site (for internal use only).

TIME LIMITED OFFER – Until 30th September 2014, we are offering the hard copy for £99 plus vat and the CD ROM for £199 plus vat. Please quote “Blog/OfferSep14” when ordering. No other discounts apply.

Scottish colleagues can buy the RIP(S)A version of the toolkit here: http://www.actnow.org.uk/content/84

For those of you looking for refresher training in this area, we have a full program of public workshops. We can also bring the training to you for a customised in house training course. Please get in touch for a quote.