Tag: RIPA

Judicial Approval for Council Surveillance

The Commencement Order for, amongst other things, the RIPA provisions within the Protection of Freedoms Act 2012 has now been made. This means that from 1st November 2012 all local authority surveillance will require judicial approval.

Chapter 2 of Part 2 of the 2012 Act (sections 37 and 38) amends the Regulation of Investigatory Powers Act 2000 (RIPA) so as to require local authorities to obtain the approval of a Magistrate for the use of any one of the three covert investigatory techniques available to them under RIPA namely Directed Surveillance, the deployment of a Covert Human Intelligence Source (CHIS) and accessing communications data. An approval is also required if an authorisation to use such techniques is being renewed. In each case, the role of the Magistrate is to ensure that the correct procedures have been followed and the relevant factors have been taken account of. The new provisions allow the Magistrate, on refusing an approval of an authorisation, to quash that authorisation.

For a full explanation of the new provisions click here

Note that 1st November also sees Directed Surveillance being made subject to a new Serious Crime Test. More information here

These provisions will be examined in our forthcoming RIPA update workshops. We also have a new RIPA Policy and Procedure Toolkit which will help.

Please get in touch if you would like customised in house training  on any aspects of the Act.

UPDATE (13/9/12)

The New Criminal Procedure Rules 2012 (coming into force on 1st October) provide more details about the procedure for seeking magistrates’ approval:

http://www.legislation.gov.uk/uksi/2012/1726/part/6/crossheading/6/made

We are still waiting though for the detailed guidance from the Home Office.

The 2012 Surveillance Commissioner Report

By Steve Morris

The Office of Surveillance Commissioners published its 2012 annual report (covering the period from 1st April 2011 to 31st March 2012) on 14th July 2011. The report details statistics relating to the use of Part 2 of RIPA by public authorities and information about how OSC conducts its oversight role. It highlights some important issues such as:

  • Collaborative Working – Departments, teams and various units within several authorities are pooling resources but then not obtaining authorisations and keeping records in relation to a proper designated authority (Sec 5.7)
  • There is a lack of awareness of what constitutes a CHIS and there is a likelihood that public authorities might have unauthorised CHIS activity being undertaken (Sec 5.14)
  • Authorising Officers are not making adequate provision for destruction of product that is collateral intrusion or of no value to the operation (Sec 5.16)
  • Some ‘open source’ internet research is being conducted which may actually meet the criteria of Directed Surveillance and therefore require authorisation (Sec 5.17)
  • Where there is an invasion of privacy and RIPA does not apply, due to all conditions not being met, then the OSC recommends use of the authorisation mechanism where Article 8 issues (privacy) should be considered (Sec 5.22)
  • ACPO (Association of Chief Police Officers) is reviewing the authorisation forms and it will also report on form redesign (Sec 5.25)

Our RIPA Courses already address these issues. Future courses are also being revised to take account of other recently announced changes affecting local authorities:

  • The Protection of Freedoms Act 2012 which received Royal Assent on 1st May 2012. The RIPA provisions in this Act are yet to come into force but when they do they will require local authorities to have all their RIPA surveillance authorisations (i.e. Directed Surveillance, CHIS and the acquisition of Communications Data) approved by a Magistrate before they take effect (Read more here).
  • From 1st November 2012, local authorities will face severe restrictions upon the grounds for which they can authorise Directed Surveillance under the RIPA. The days of local authorities being able to use surveillance powers to tackle dog fouling and littering offences will soon be over (Read more here).
  • The Communications Data Bill and the changes it will make to the communications data access regime (currently under Part 1 of Chapter 2 of RIPA)

Steve Morris is a former police officer who delivers our RIPA Courses as well as a course on Internet Investigations

The Communications Data Bill: What Councils Need to Know

The Draft Communications Data Bill was laid before Parliament on 14th June 2012. The Bill provides an updated framework for ensuring the availability of communications data and its obtaining by public authorities. It will replace the communications data provisions within the Regulation of Investigatory Powers Act 2000 (RIPA).

The most controversial aspects of the Bill will enact proposals, announced in the Queen’s Speech in May, which will require Internet firms to give the Police, the Serious and Organised Crime Agency, the Intelligence Agencies and HM Revenue and Customs access to a wider range of communications data on demand and, in some cases, in real time. The Home Office says  that they are updating the law “in terms of social media and new devices”. Without action they say that there is a growing risk that crimes enabled by email and the Internet will go undetected and unpunished. However civil liberties groups, as well as Internet Service Providers have voiced concerns about the Bill from a privacy and technical perspective. See my previous blog entry  for a discussion about these concerns.

But what effect will the new Bill have on local authorities?

The Bill will replace Part 1 Chapter 2 of RIPA. Sections 21 to 25 of RIPA (and the Regulation of Investigatory Powers (Communications Data) Order 2010 (SI 2010/480)) currently set out who can access what type of communications data and for what purposes. This includes the police and security services as well as councils, government departments and various quangos. RIPA restricts access to the different types of communications data depending on the nature of the body requesting it and the reason for doing so.

The definition of “communications data” includes information relating to the use of a communications service (e.g telephone, internet and postal service) but does not include the contents of the communication itself.  Such data is broadly split into three categories: “traffic data” i.e. where a communication was made from, to whom and when; “service data” i.e. the use made of the service by any person e.g. itemised telephone records; “subscriber data” i.e. any other information that is held or obtained by an operator on a person they provide a service to.

Some public bodies already get access to all types of communications data e.g. police, security service, ambulance service, customs and excise. Local authorities are restricted to subscriber and service use data and even then only where it is necessary for the purpose of preventing or detecting crime or preventing disorder.

At present access to communications data is done on a system of self authorisation. There are forms to complete ((signed by a senior officer) and  tests of necessity and proportionality to satisfy. Notices have to be served on the service provider requesting the data.

The new Bill will broadly replicate the current system for accessing communications data by local authorities. There is no provision to widen the scope of the information available to councils or the grounds for doing so (unlike the police and law enforcement agencies mentioned above). However the Bill does replicate the changes to the local authority RIPA regime to be made by Protection of Freedoms Act 2012. In the future all local authority surveillance activity under RIPA, including a request for communications data (however minor), will have to be approved by a Magistrate. (See my earlier Blog Post for more detail about the 2012 Act.)

The Bill also implements a recommendation in the RIPA Review published by the Home Office on 26th January 2011.  This stated that the range of non-RIPA legislative frameworks by which communications data can in principle be acquired from Communication Service Providers “should be streamlined to ensure that as far as possible RIPA is the only mechanism by which communications data can be acquired.”

Clause 24 introduces Schedule 2 to the Bill which repeals certain general information powers so far as they enable public authorities to secure the disclosure by a telecommunications operator of communications data without the consent of the operator. This includes powers under the Trade Descriptions Act 1968, Environmental Protection Act 1990, Social Security Administration Act 1992 and the Enterprise Act 2002. Local authority officers in environmental health, trading standards and benefit fraud departments, who may not be have been using RIPA to gain access to communications data previously, will now need to get to grips with a new regime.

The Communications Data Bill will be subject to scrutiny by a joint parliamentary committee before the effort to bring the measures through Parliament and into law begins in earnest.  This comes on top of other recently announced changes to the criteria for local authority to authorise Directed Surveillance under Part 2 of RIPA.  The Home Office will have to issue a new code of practice and standard forms which Investigating Officers and their legal advisers will have to familiarise themselves with.

We have a series of courses on RIPA and Surveillance which cover all the recent changes to the RIPA regime including the Protection of Freedoms Act 2012. We also have a range online courses.

 

To RIPA or Not To RIPA: Changes to Council Surveillance Powers

The days of local authorities being able to use surveillance powers to tackle dog fouling and littering offences will soon be over. From 1st November 2012, local authorities will face severe restrictions upon the grounds for which they can authorise Directed Surveillance under the Regulation of Investigatory Powers Act 2000 (RIPA).

The Regulation of Investigatory Powers (Directed Surveillance and Covert Human Intelligence Sources) (Amendment) Order 2012, SI 2012/1500  (“the 2012 Order”), was made on 11 June 2012 and will come into force on 1 November 2012,

The 2012 Order amends the Regulation of Investigatory Powers (Directed Surveillance and Covert Human Intelligence Sources) Order 2010, SI 2010/521 (“the 2010 Order”), which prescribes which officers, within a public authority, have the power to grant authorisations for the carrying out of Directed Surveillance and the grounds, under Section 28(3) of RIPA, upon which authorisations can be granted. At present local authorities have one ground; where it is necessary “for the purpose of preventing or detecting crime or preventing disorder.” (Section 28(3)(b))

From 1st November 2012, local authority Authorising Officers may not authorise Directed Surveillance unless it is for the purpose of preventing or detecting a criminal offence and it meets the condition set out in New Article 7A(3)(a) or (b) of the 2010 Order. Those conditions are that the criminal offence which is sought to be prevented or detected is punishable, whether on summary conviction or on indictment, by a maximum term of at least 6 months of imprisonment, or would constitute an offence under sections 146, 147 or 147A of the Licensing Act 2003 or section 7 of the Children and Young Persons Act 1933. The latter are all offences involving sale of tobacco and alcohol to underage children.

Background

These changes have not come out of the blue. Responding to media stories of councils misusing “anti terror laws” both coalition parties promised in their election manifestos to overhaul Part 2 of RIPA, which regulates local authorities, amongst others, when conducting covert surveillance on citizens. They argued that such surveillance was often used to investigate minor offences and in a disproportionate manner. The introduction of a Serious Crime Test for Directed Surveillance was recommended in the Home Office review of counter-terrorism and security powers published on 26th January 2011.

Directed Surveillance has been the subject of substantial debate and controversy. It is often conducted by local authorities to, amongst other things, investigate a benefit fraud or to collect evidence of anti-social behaviour. Typical methods include covertly following people, covertly taking photographs of them and using hidden cameras to record their movements. Introducing a six months imprisonment test will ensure that such techniques are no longer an option when local authorities are investigating “minor offences” such as dog fouling and littering.

But the 2012 Order also removes the second limb of Section 28(3)(b) (“preventing disorder”). Directed Surveillance for the purposes of tackling anti social behavior will no longer be able to be authorised unless of course the activity involves criminal offences involved carrying a maximum prison term of six months or more. How will this impact on the work of local authority Anti Social Behaviour Units?

There is an exception to the general rule though. Because of the importance of Directed Surveillance in corroborating investigations into underage sales of alcohol and tobacco, the Serious Crime Test will not be applied when Directed Surveillance is being done in these cases.

The other recommendation of the RIPA Review (Magistrate’s Approval) will be implemented via the Protection of Freedoms Act 2012 which received Royal Assent on 1st May 2012. The RIPA provisions in this Act are yet to come into force but when they do they will require local authorities to have all their RIPA surveillance authorisations (i.e. Directed Surveillance, CHIS and the acquisition of Communications Data) approved by a Magistrate before they take effect. (Read more here: http://www.actnow.org.uk/content/47)

When the the Coalition Government published the Bill in February 2011, the Home Secretary, announced:

“The first duty of the state is the protection of its citizens, but this should never be an excuse for the government to intrude into peoples’ private lives. Snooping on the contents of families’ bins and security checking school-run mums are not necessary for public safety and this Bill will bring them to an end. I am bringing common sense back to public protection and freeing people to go about their daily lives without a fear that the state is monitoring them.”

Most local authorities feel that this is a disproportionate response to inaccurate media stories about their “overzealous” use of RIPA. The reality is that most authorities only use their powers in a handful of cases each year and only when there is no other viable means of investigating offences and then in a reasonable and proportionate manner.  The latest available annual report by the Office of Surveillance Commissioners (2010/2011) states:

“Generally speaking, local authorities use RIPA/RIP(S)A powers sparingly with over 50% granting five or fewer directed surveillance authorisations during the reporting period. Some 16% granted none at all.”

The changes to be made to the local authority RIPA regime via the 2012 Order, as well as the Protection of Freedoms Act, will have a big impact on their investigation and enforcement activities.  Now is the time to review RIPA processes and procedures and to make staff aware of the changing legal landscape.

We have a series of courses on RIPA and Surveillance which also cover the changes in the Protection of Freedoms Act. We can also provide in house customized training (e mail info@actnow.org.uk)

 

Sort of Fair Processing Notice

Walking through Huddersfield the other day I caught this interesting example of a fair processing notice. It was a bus shelter. The actual notice was well above the normal range of vision. (Which reminds me of an old joke. What lies on its back eight feet up in the air.  Answer later.)

But how fair is this sign? Is it a fair processing notice informing data subjects that they might be being filmed? It has the magic acronym CCTV so there’s definitely a possibility that filming is taking place. But the other words seem to confuse the issue.

Anti-social behaviour is a crime. We’re not going to disagree with that are we? but it’s a statement of fact not really what’s needed on an FPN. You might as well say that Chelsea won the Champion’s League this year.

Plain Clothes Police Officers.  So how do we know they are Police Officers? Do they wear a carnation in their lapel or are they really operating covertly? This phrase means that everyone on the streets may be a police officer. Is this fair? Or if covert operations are being undertaken why do we say that plain clothes police officers are in place. Isn’t covert er… wait for it… covert? Does RIPA ring a bell?

Or CCTV in use.  Whoa let’s take a rain check.  Either it is in use or it isn’t. If it is you put up signs saying who’s doing it, why and contact details. If it’s not you don’t. Or maybe it’s secret filming. Donnnngggg. (That’s an alliteration denoting the tolling of the RIPA bell)

Finally your behaviour could be under observation. Back to the previous paragraph. Either it is or it isn’t. If it is for general crime prevention purposes then put up signs. If it’s a covert operation pre-authorise it through your SPOC and don’t bother with signs.

And to finish off 7 (count them) individual organisations contributed to this sort of fair processing notice including some very well known ones. So 7 data protection persons gave their opinion on the poster. No-one thought it was a bit naff.   Or maybe they didn’t ask the DP persons.

Take care in Huddersfield. They might be filming you (or not). Anyone at all could be a police officer. And Chelsea won the Champions League.

Ah yes the answer to the question.

What lies on its back eight feet up in the air. A dead spider.

Protection of Freedoms Act 2012

Protection of Freedoms Act 2012

 2012 CHAPTER 9

The Protection of Freedoms Act 2012 received Royal Assent on 1st May 2012. The Act contains a number of measures which, when brought into force, will have a major impact on public authorities especially councils. Amongst other things the Act:

Introduces a new code of practice for surveillance camera systems. This is in addition to the CCTV Code of Practice under the Data Protection Act 1998. There will also be a surveillance camera commissioner. Read our article on  the New CCTV Regime 

  • Extends the Freedom of Information Act by requiring datasets to be made available in a re-usable electronic format. Read our blog entry on how this can make you money. For details of an innovative use of a dataset click here
  • Provides for Magistrates’ approval of all surveillance activities by local authorities under RIPA. Read a full article on the changes.
  • Requires schools to obtain parents’ consent before processing children’s biometric information
  • Restrict the scope of the ‘vetting and barring’ scheme for protecting vulnerable groups and makes changes to the system of criminal records checks. Read our article

Ibrahim Hasan is doing a special online training session  on the new Act in June and July.

The Act will also:

  • bring in a new framework for police retention of fingerprints and DNA data
  • provide for a code of practice to cover officials’ powers of entry, with these powers being subject to review and repeal
  • outlaw wheel-clamping on private land
  • introduce a new regime for police stops and searches under the Terrorism Act 2000 and reduces the maximum pre-charge detention period under that Act from 28 to 14 days
  • enable those with convictions for consensual sexual relations between men aged 16 or over (which have since been decriminalised) to apply to have them disregarded

All our information and surveillance law courses will be updated to take account of the new Act. If you would like customised in house training on any aspects of the Act, please get in touch.

Act Now Book Draw – Week 8

The winner of last week’s Act Now Book Draw was Amy Ford from NHS Southampton City.

Next week’s book is Covert Investigation by Clive Harfield and Karen Harfield.

The next draw will take place on Wednesday 25th April at 9am. Click here to enter the draw.

If you enter the draw and win, you give us permission to let others know that you have won (by e mail, on our website and by Twitter). If you do not want us to do this, please do not enter the draw. Any information we receive through this free draw will not be used for any other purpose.

Breaking (In) News from Sky


Is the Sky about to fall in on Rupert Murdoch? Yet again another of his news outlets is accused of breaking the law in the pursuit of a good story. Where will it end? Yesterday Sky News admitted in a statement that it had hacked emails belonging to members of the public on two separate occasions.

One incident involved targeting the accounts of a suspected paedophile and his wife. The other one involved the “dead canoeist” John Darwin. His wife Anne collected more than £500,000 in life insurance payouts while he hid in their marital home.  The pair were found guilty of the deception in 2008. In the run-up to the trial former Sky News managing editor Simon Cole agreed North of England correspondent Gerard Tubb could hack into Darwins’ Yahoo! email account. The full story can be read on the Guardian website.

The interesting aspect, from a legal perspective, is the legal repercussions for Sky News. It has stated:

 “We stand by these actions as editorially justified and in the public interest.”

Note that it says editorially justified, not legally.  As will be explained below, the offences involved do not contain a public interest defence.

Accessing a person’s computer (directly or remotely) without their consent to read their emails is a criminal offence under the Computer Misuse Act 1990 which is punishable with a fine or a term of imprisonment of up to 12 months. Section 1 (1) of the Act contains the elements of the offence:

(1) A person is guilty of an offence if—

(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer or to enable any such access to be secured ;

(b) the access he intends to secure or to enable to be secured is unauthorised;

and

(c) he knows at the time when he causes the computer to perform the function that that is the case.

There is no public interest defence in the Computer Misuse Act. However section 11 states that no proceedings can be brought for a section 1 offence more than three years after the commission of the offence. Darwin’s emails were accessed in 2008 and therefore a prosecution under S.1 is not possible.

Sky may also have committed a criminal offence under Section 1 of the Regulation of Investigatory Powers Act 2000(RIPA).  Here there is not time limit for a prosecution. The Guardian reports:

“The broadcaster also published a voicemail message on its website, dated 19 May 2007, in which Anne Darwin is clearly heard leaving a message for her husband. The voicemail, part of an interactive graphic, ends with her saying “I’ll try and catch you tomorrow. Love you,” which the broadcaster said showed “she was doing as much of the running as he was”.”

Section 1 makes it a criminal offence to intercept a communication in the course of transmission.  The listening to stored voicemails as well as accessing stored e mails all potentially fall into this category. The maximum penalty for such an offence is two years imprisonment. Again there is no public interest defence.

Once again this case bring into focus the highly dubious tactics of the media when trying to obtain information “in the public interest”. The setting up of the Leveson Inquiry and the inquiry by the House of Commons Select Committee on Culture, Media and Sport meant that at first the primary concern was about allegations of phone hacking by the News of the World.  However it has now become clear that hacking phones was just one part of the unscrupulous journalist’s toolkit. It also included buying information from the police, blagging sensitive personal information from public and private sector organisations and the hacking politicians’ computers to gain access to  their e mails.

There is now a very strong case for tougher regulation of the media especially when it comes to covert surveillance activities. My view is that, amongst other things, they should be subject to more of the RIPA regime as at present they only have to comply with certain aspects (Part 1 Chapter 1 – Interception of Communications). (see my earlier blog post earlier Blog post  for more).

This is a difficult time for the Murdochs and  Sky News. The broadcaster’s parent company, BSkyB, is subject to a “fit and proper” investigation being conducted by the communications regulator, Ofcom, in the wake of the News of the World phone-hacking scandal. Cleveland police say that enquiries are ongoing into how the emails were obtained.

No doubt there is much more to come. As Kay Burley would say, “Stay with us…”

We have a serious of courses on RIPA and Surveillance which also over the changes in the Protection of Freedoms Bill.

See also our RIPA Forms Guidance Document.

Bigger Brother

The Coalition Agreement states that the government “will end the storage of internet and e mail records without good reason.”  This commitment is now in tatters as the Government wants the power to be able to monitor the calls, emails, texts and website visits of everyone in the UK.

The new law, which may be announced in the forthcoming Queen’s Speech in May, will require Internet firms to give intelligence agency, GCHQ, access to communications on demand, in real time. However it will not allow GCHQ to access the content of emails, calls or messages without a warrant. Civil liberties groups including Big Brother Watch have condemned this move as an unacceptable invasion of privacy.

At present Internet service providers are obliged to keep details of users’ web access, email and internet phone calls for 12 months, under the EU Data Retention Directive 2009. While they keep a limited amount of other data already on their own subscribers for billing and other commercial purposes, the new law will require them to store a much bigger volume of third party data such as that from Google Mail, Twitter, Skype and Facebook that crosses their servers every day.

This is not the first time this idea has been floated. In October 2010, the Government announced its intention to introduce the Interception Modernisation Programme, at a cost of  £2billion. This latest announcement seems to be the same project but renamed “the Communications Capabilities Development Programme (CCDP)”. Details of the scheme will be published within weeks and will build on Labour’s abandoned proposal  (which was heavily criticised by the Coalition partners at the time) to require communications service providers (CSPs) to collect and store the traffic details of all internet and mobile phone use, initially in a central database.

The Law

Access to Communications Data in the UK is already governed by Part 1 Chapter 2 of the Regulation of Investigatory Powers Act 2000 (RIPA) (sections 21-25). This sets out who can access what type of communications data and for what purposes. This includes the police and security services as well as councils, government departments and various quangos. The legislation restricts access to the different types of communications data depending on the nature of the body requesting it and the reason for doing so.

The definition of “communications data” includes information relating to the use of a communications service (e.g telephone, internet and postal service) but does not include the contents of the communication itself.  Such data is broadly split into three categories: “traffic data” i.e. where a communication was made from, to whom and when; “service data” i.e. the use made of the service by any person e.g. itemised telephone records; “subscriber data” i.e. any other information that is held or obtained by an operator on a person they provide a service to.

Some public bodies already get access to all types of communications data e.g. police, security service, ambulance service, customs and excise. Local authorities are restricted to subscriber and service use data and even then only where it is required for the purpose of preventing or detecting crime or preventing disorder.

At present access to communications data is done on a system of self authorisation. There are forms to fill (signed by a senior officer) out and  tests of necessity and proportionality to satisfy. Notices have to be served on the service provider requesting the data.

Real Time

It is unclear as to how the new proposals will be different from the current system. There is talk of the security services being able to access data in real time. The current system normally gives access to historic data. It does allow real time access to certain organisations (including the police and security services) but only in an emergency to save life or limb or in exceptionally urgent operations. The authorisation forms still have to be completed and signed and served later on though. Maybe they are suggesting that the security services get carte blanche direct access into communications service providers’ systems. This would be unprecedented and certainly “Orwellian” to say the least. The potential for abuse would be massive.

Updating the Law

The Home Office Minister says they are updating the law “in terms of social media and new devices” – it is widely expected to include things like Facebook and phone calls via web-based systems such as Skype. If this means the agencies knowing when an individual visits these sites this is already allowed under the current regime known as traffic data (web browsing information). If the new system goes further and allows agencies to look at actual webpages visited  within a domain (e.g Facebook) and calls made (e.g from Skype) this would be a big extension of existing powers and much more intrusive. It gives the possibility of building up a picture of someone’s lifestyle, their movements, contacts, interests etc.; potentially  vast a amount of information which, if it gets into the wrong hands, can be quite damaging to individuals.

Safeguards

At present the checks and balances are very weak (self authorisation followed by a notice to the CSP). The proposals, which talk of access in “real time” and “on demand”, require much stronger checks and balances.

If it is really necessary for GCHQ to have access to such a vast amount of information, it should be subject to judicial approval. This could be a similar system to the one which councils will be subject to as a result of the changes to the RIPA regime to be made by Protection of Freedoms Bill. In the future any local authority request for communications data (however minor) will have to be approved by a Magistrate. (See my earlier Blog Post for more detail about the Bill.) After all, the powers that the police and intelligence agencies have under RIPA to undertake surveillance and acquire communications data are much wider than those of local authorities.

There are also legitimate concerns about what would happen if the information held and accessed on individuals by GCHQ gets into the wrong hands. Can we really trust the law enforcement agencies not to mishandle such data? Only recently allegations have surfaced that that the police have been misusing their powers under RIPA to assist the tabloids to locate the whereabouts of celebrities and other persons of interest.

The Government needs to think carefully about its plans. If these new proposals are enacted there is a massive potential for misuse. It will provide a rich seem of information which may be bought by journalists from unscrupulous police and intelligence officers. This could lead to further erosion of trust in the police and Government. Of course “the Devil is in the detail” and we wait to see how the Government will address these concerns.

We have a series of courses on RIPA and Surveillance which also over the changes in the Protection of Freedoms Bill.

See also our RIPA Forms Guidance Document.