Key Points from the Home Office Codes of Practice

Bournemouth Borough Council Regulation of Investigatory Powers Act 2000

EXPLANATORY NOTES AND GUIDANCE ON THE HOME OFFICE CODE OF PRACTICE

THE ACQUISTION OF COMMUNICATIONS DATA

1 06/02/18 Bournemouth Borough Council Regulation of Investigatory Powers Act 2000

EXPLANATORY NOTES & GUIDANCE ON THE HOME OFFICE CODE OF PRACTICE FOR THE ACQUISITION OF COMMUNICATIONS DATA

Background______3 What is communications data?______3 For what purposes can the Council acquire communications data?______4 What is application/authorisation for the acquisition of communications data?______4 What is a standard notice?______6 Single Point of Contact (SPOC)______7 Who can approve an application/authorisation for the acquisition of communications data?______7 What is the duration of an application or authorisation?______7 Urgent applications/authorisations, i.e. oral authority.______7 How is an operation renewed or cancelled?______8 How should records be maintained?______8

EXPLANATORY NOTES & GUIDANCE ON THE HOME OFFICE CODE OF PRACTICE FOR THE ACQUISITION OF COMMUNICATIONS DATA

Background

The Regulation of Investigatory Powers Act 2000 (RIPA), Part I, Chapter II provides the legislative framework within which the acquisition of communications data must be conducted in order to ensure that investigatory powers are used in accordance with human rights.

These explanatory notes on the Home Office Code of Practice for the acquisition of communications data are intended as a practical reference guide for Council officers who may be involved in investigations that involve the requirement to obtain such information. They are not intended to replace the (draft) Code of Practice issued by the Home Office and officers involved in acquiring communications data must familiarise themselves with the content of the Code in order to ensure that they fully understand their responsibilities.

The Code can be accessed on the Home Office web site:

http://security.homeoffice.gov.uk/surveillance/ripa-updates/

What is communications data?

The Act defines communications data as follows: a) Any traffic data comprised in or attached to any communication (whether by the sender or otherwise) for the purposes of any postal service or telecommunication system by means of which it is being or may be transmitted. b) Any information that includes none of the contents of a communication ... and is about the use made by any person –  of any postal service or telecommunications service; or  in connection with the provision to or use by any person of any telecommunication service, or any part of a telecommunication system c) Any information not falling within (a) or (b) that is held or obtained, in relation to a person in receipt of telecommunications or postal services, by a provider of such services.

The Council has no powers to acquire communications data defined under item (a).

The Council is able to acquire account and subscriber information, e.g. logs of telephone calls made, name and address information about recipients of service provision, information written on the outside of postal communications. The Council is not able to acquire anything that comprises the content of communications, which includes e-mails, or interactions with websites.

For what purposes can the Council acquire communications data?

The Council can only acquire communications data for:  the purpose of preventing and detecting crime or of preventing disorder

If the acquisition of communications data does not fall within this purpose the Council may be acting unlawfully under the Human Rights Act. Where an officer is contemplating acquiring communications data that does not fall within this purpose it is recommended that they take advice from Legal Services before they proceed.

What is application/authorisation for the acquisition of communications data?

Standard forms in respect of acquiring communications data are available on BORIS.

Application/authorisation is the process by which the acquisition of communications data is subject to proper consideration, recording and approval by the officer conducting the investigation and the senior officer authorised to approve it.

Whilst there is no requirement on public authorities to seek or obtain authorisation where one is available under the Act, the consequence of not completing an application/obtaining an authorisation may render the acquisition of data unlawful under the Human Rights Act, or the evidence obtained from the data inadmissible in any Court proceedings.

It is strongly recommended that Council officers complete an application/seek an authorisation. Completing an application/obtaining an authorisation will ensure that the action to obtain data is carried out in accordance with the law and is subject to stringent safeguards against abuse. Proper application/authorisation should also ensure the admissibility of evidence under the common law, PACE (Section 78) and the Human Rights Act.

Application/authorisation ensures that all relevant factors have been thoroughly considered and checked. It is also the means by which, in the event of challenge, Council officers can demonstrate that the acquisition of data and the method of acquiring it (where applicable) was a fair and reasonable way to proceed, despite the possible intrusion of a person or persons privacy.

Refer to the Home Office (draft) Code of Practice on Acquiring Communications Data for full details of what a written application/authorisation should include. It is important that application/authorisation forms are correctly and adequately completed.

There is one element of the written application that is of particular importance and is an integral part of a number of the questions contained in the standard application form:

Proportionality - this is a fundamental principle embodied in the Human Rights Act. Officers must be able to demonstrate that the acquisition of communications data justifies the level of intrusion of privacy that may occur with regard to the target or targets of the investigation or any other persons, i.e. that it is proportionate set against the outcome. This must be adequately recorded in the application form. It is not enough to simply have a standard phrase saying that the action is proportionate. The rationale for proceeding with the acquisition of communications data needs to be written and explicit. Questions it might be useful to ask to help in framing responses to questions included in the application form are:  What is the nature of the suspected or alleged offence/infringement?  What, if any, are the alternatives to acquiring the data?  If there are other options why have these been rejected in favour of acquiring the data?  What is the level of intrusion of privacy likely to be? Minimal? Average? Significant? Interference will not be justified if the means used to achieve the aim are excessive in the circumstances of the case. Further, any proposed interference with a person or persons private, home and family life (HRA Article 8 rights) should be carefully managed and must not be arbitrary or unfair.  Is the privacy of other persons not connected with the investigation likely to be effected? (Collateral intrusion).  What is the desired outcome?  What is the anticipated benefit to the Council?

Proportionality in this context has nothing whatsoever to do with whether or not the possible benefits of acquiring data justifies the time and money expended by the Council, although officers will no doubt wish to take this into account.

The Act makes a distinction between application and authorisation in respect of the acquisition of communications data, depending on how the information is to be obtained. The two methods of obtaining data are:

1) By means of a standard notice sent to the telecommunications or postal service provider 2) By action to be taken directly by Council investigating officer(s), i.e. not by application to a service provider or providers

Method 1) requires the completion of an application for the acquisition of communications data; method 2) requires the completion of an authorisation for the acquisition of communications data. The written information to be recorded in each instance is very similar. In view of this, and in order to simplify the process, the Council has adopted a single, standard form to cover both circumstances.

What is a standard notice?

If data is to be obtained via a request to a telecommunications or postal service provider this must be submitted on a standard notice. The content of the notices should provide the necessary assurances to service providers that they can legitimately disclose information.

The notice also confirms that an application/authorisation has been completed and approved by an authorised officer of the Council. Copies of applications/authorisations, however, must not be sent to service providers. Service providers should only be provided with the minimum amount of personal information necessary to respond to a request.

The (draft) Home Office Code of Practice recommends a single point of contact (SPOC) within local authorities to process notices to service providers.

Single Point of Contact (SPOC)

The role of the SPOC is detailed in the Home Office Code of Practice. The reasons for establishing a SPOC are:  It helps the Council to regulate the activity of acquiring communications data  It reduces the burden on service providers, who have only one officer to deal with in each public authority

The role of the SPOC is to:  Assess whether access to communications data is reasonably practical for the telecommunications or postal operator  Advise applicants and designated officers on the practicalities of accessing different types of communications data from different telecommunications or postal operators  Advise applicants as to whether the data they are requesting falls under 21(4)(b) or (c) of the Act  Provide safeguards for authentication  Assess any cost or resource implications to both the Council and the telecommunications or postal operator

The SPOC for the Council is:

Trading Standards Manager (Pro-active) Public Protection Ext.4628

Who can approve an application/authorisation for the acquisition of communications data?

Assistant Chief Officer, Assistant Head of Service, Service Manager or equivalent is the appropriate level of authorisation within local authorities, as detailed in the statutory instrument that prescribes the offices, ranks and positions for authorisation purposes; The RIPA (Communications Data) Order 2003, SI No.3172.

A list of authorising officers is available on BORIS, the Council’s Intranet service.

What is the duration of an application or authorisation?

Applications for, or authorisations of, the acquisition of communications data will be valid for the period of one (1) month.

The one (1) month period will begin when either a notice is given, or an authorisation granted.

Urgent applications/authorisations, i.e. oral authority.

There are no provisions under Part I, Chapter II of RIPA for the Council to process urgent, oral applications or authorisations.

How is an operation renewed or cancelled?

All applications or authorisations for the acquisition of communications data must be effectively assessed and regularly monitored by the officer conducting the operation and the senior authorising officer. The application/ authorisation, renewal and cancellation process should be viewed as a useful management tool to help officers to achieve this.

There is clear guidance on renewals and cancellations in the Home Office (draft) Code of Practice and officers should refer to the appropriate sections for further details. The Council’s standard renewal and cancellation forms cover all the necessary aspects. It is important that these forms are correctly and adequately completed.

The authorising officer who granted or last renewed an application or authorisation must cancel it if he is satisfied that the acquisition of data longer meets the criteria for which it was originally approved.

In addition the Council has adopted a policy that all authorisations must be cancelled, even if the surveillance investigation or operation extends to the full three month period for which it was authorised. This is because few surveillance investigations or operations are likely to last for the full three month period and it is easier to adopt a standard practice of cancelling all authorisations than it is to only cancel those that cease prior to the three month period.

How should records be maintained?

A centrally retrievable record of all application/authorisations must be held. This register will be held by the Council's Monitoring Officer (Head of Law & Corporate Governance). Register information will be held for six (6) years. Further information about the management and maintenance of the register is available as a separate document, ‘A Guide to the Authorisation of Covert Surveillance Operations & the Acquisition of Communications Data – The Central Register & the Maintenance of Application/Authorisation Records’.

Officers should refer to the appropriate sections of the Code of Practice for guidance on the maintenance and retention and destruction of application/authorisation and notice records that are held in addition to the register.

8 06/02/18