Category Archives: RIPA

October 12, 2014 · 9:54 am

Monitoring of blogs and lawful/unlawful surveillance

Tim Turner wrote recently about the data protection implications of the monitoring of Sara Ryan’s blog by Southern Health NHS Trust. Tim’s piece is an exemplary analysis of how the processing of personal data which is in the public domain is still subject to compliance with the Data Protection Act 1998 (DPA):

there is nothing in the Data Protection Act that says that the public domain is off-limits. Whatever else, fairness still applies, and organisations have to accept that if they want to monitor what people are saying, they have to be open about it

But it is not just data protection law which is potentially engaged by the Trust’s actions. Monitoring of social media and networks by public authorities for the purposes of gathering intelligence might well constitute directed surveillance, bringing us explicitly into the area of human rights law. Sir Christopher Rose, the Chief Surveillance Commissioner said, in his most recent annual report

my commissioners remain of the view that the repeat viewing of individual “open source” sites for the purpose of intelligence gathering and data collation should be considered within the context of the protection that RIPA affords to such activity

“RIPA” there of course refers to the complex Regulation of Investigatory Powers Act 2000 (RIPA) (parts of which were reputedly “intentionally drafted for maximum obscurity”)1. What is not complex, however, is to note which public authorities are covered by RIPA when they engage in surveillance activities. A 2006 statutory instrument2 removed NHS Trusts from the list (at Schedule One of RIPA) of relevant public authorities whose surveillance was authorised by RIPA. Non-inclusion on the Schedule One lists doesn’t as a matter of fact or law mean that a public authority cannot undertake surveillance. This is because of the rather odd provision at section 80 of RIPA, which effectively explains that surveillance is lawful if carried out in accordance with RIPA, but surveillance not carried out in accordance with RIPA is not ipso facto unlawful. As the Investigatory Powers Tribunal put it, in C v The Police and the Home Secretary IPT/03/32/H

Although RIPA provides a framework for obtaining internal authorisations of directed surveillance (and other forms of surveillance), there is no general prohibition in RIPA against conducting directed surveillance without RIPA authorisation. RIPA does not require prior authorisation to be obtained by a public authority in order to carry out surveillance. Lack of authorisation under RIPA does not necessarily mean that the carrying out of directed surveillance is unlawful.

But it does mean that where surveillance is not specifically authorised by RIPA questions would arise about its legality under Article 8 of the European Convention on Human Rights, as incorporated into domestic law by the Human Rights Act 1998. The Tribunal in the above case went on to say

the consequences of not obtaining an authorisation under this Part may be, where there is an interference with Article 8 rights and there is no other source of authority, that the action is unlawful by virtue of section 6 of the 1998 Act.3

So, when the Trust was monitoring Sara Ryan’s blog, was it conducting directed surveillance (in a manner not authorised by RIPA)? RIPA describes directed surveillance as covert (and remember, as Tim Turner pointed out – no notification had been given to Sara) surveillance which is “undertaken for the purposes of a specific investigation or a specific operation and in such a manner as is likely to result in the obtaining of private information about a person (whether or not one specifically identified for the purposes of the investigation or operation)” (there is a further third limb which is not relevant here). One’s immediate thought might be that no private information was obtained or intended to be obtained about Sara, but one must bear in mind that, by section 26(10) of RIPA “‘private information’, in relation to a person, includes any information relating to his private or family life” (emphasis added). This interpretation of “private information” of course is to be read alongside the protection afforded to the respect for one’s private and family life under Article 8. The monitoring of Sara’s blog, and the matching of entries in it against incidents in the ward on which her late son, LB, was placed, unavoidably resulted in the obtaining of information about her and LB’s family life. This, of course, is the sort of thing that Sir Christopher Rose warned about in his most recent report, in which he went on to say

In cash-strapped public authorities, it might be tempting to conduct on line investigations from a desktop, as this saves time and money, and often provides far more detail about someone’s personal lifestyle, employment, associates, etc. But just because one can, does not mean one should.

And one must remember that he was talking about cash-strapped public authorities whose surveillance could be authorised under RIPA. When one remembers that this NHS Trust was not authorised to conduct directed surveillance under RIPA, one struggles to avoid the conclusion that monitoring was potentially in breach of Sara’s and LB’s human rights.

1See footnote to Caspar Bowden’s submission to the Intelligence and Security Committee
2The Regulation of Investigatory Powers (Directed Surveillance and Covert Human Intelligence Sources) (Amendment) Order 2006
3This passage was apparently lifted directly from the explanatory notes to RIPA

3 Comments

Filed under Data Protection, human rights, NHS, Privacy, RIPA, social media, surveillance, surveillance commissioner

Tagged as , , ,

September 19, 2014 · 5:08 pm

RIPA errors…but also serious data protection breaches?

A circular from the Interception of Communications Commissioner’s Office raises concerns about some public authorities’ data protection compliance

The benighted (although often misrepresented) Regulation of Investigatory Powers Act 2000 (RIPA) had at least the ostensible worthy aim of ensuring that, when public authorities conducted investigations which were intrusive on people’s private lives, those investigations took place in accordance with the law. Thus, under Chapter II of Part 1 of RIPA, authorisations may be granted within an organisation to acquire, or an application made to require a postal or telecommunications operator to disclose, communications data (“communications data”, in the words of the Statutory Code of Practice “embraces the ‘who’, ‘when’ and ‘where’ of a communication but not the content, not what was said or written”). If the acquisition is done in accordance with RIPA, and the Code of Practice, it will in general terms be done lawfully.

The acquisition and disclosure of communications data under RIPA is overseen by the Interception of Communications Commissioner who is appointed pursuant to section 57 RIPA. It is the Commissioner’s role to review the exercise and performance of relevant persons’ functions under the Act. From time to time his office (IOCCO) will also issue circulars, and one such landed on the desks of Senior Responsible Officers of relevant public authorities earlier this month. Laudably, IOCCO has also uploaded it to its website and its contents are worrying not just because they indicate errors in complying with RIPA authorisations and applications, but also with the data protection compliance of the authorities involved. The circular, from the Head of IOCCO, Jo Cavan, states that

in the first six month period of the reporting year (January to June 2014) there have been 195 applicant errors – of which 153 (78%) were, according to the reports submitted to IOCCO, caused by the applicant submitting the wrong communications address. [emphasis in original]

As I say, the provisions of RIPA at least implicitly acknowledge that acquisition and disclosure of communications data will be highly intrusive actions. But failure to ensure that the data acquired is accurate means that such intrusion has taken place into the private communications of people totally uninvolved in the investigations being undertaken, as the circular highlights

In all cases the applicant error led to communications data being acquired relating to members of the public who had no connection to the investigation or operation being undertaken

but most chillingly

one of these errors led to executive action being taken against a member of the public who had no connection to the investigation being undertaken

Although no indication is given of what the deceptively bland phrase “executive action” actually consisted of.

The fourth principle in Schedule One of the Data Protection Act 1998 (DPA) requires in terms that data controllers take reasonable steps to ensure the accuracy of personal data they process. Failure to comply with that obligation potentially gives rise to civil claims by data subjects, and, in qualifying serious cases, civil enforcement action by the Information Commissioner’s Office, which can serve monetary penalty notices to a maximum of £500,000.  Moreover, the seventh principle in Schedule One of the DPA requires to data controllers to take appropriate technical and organisational measures to safeguard against the unfair or unlawful processing of personal data. IOCCO’s Circular notes that

It is unsatisfactory to note that the telephone numbers / email addresses / Internet Protocol (IP) addresses were, in the vast majority of cases, derived from records available to the applicant in electronic form and as such could have been electronically copied into the application to ensure accuracy. SROs must develop, implement and robustly enforce measures to require applicants to electronically copy communications addresses into applications when the source is in electronic form (for example forensic reports relating to mobile phones, call data records etc). Communications addresses acquired from other sources must be properly checked to reduce the scope for error. It is not acceptable for public authorities to simply state that applicants have been reminded to double check communications addresses to prevent recurrence

This points to possible failure by the authorities in question to take appropriate DPA principle 7 measures.

IOCCO’s enforcement powers in this regard are limited, although the circular notes that the Commissioner shall, where appropriate, notify affected individuals of the existence and role of the Investigatory Powers Tribunal (IPT) . However, complainants would not be restricted simply to complaining to the IPT – the Surveillance Roadmap (“a shared approach to the regulation of surveillance in the United Kingdom”) agreed between the UK’s surfeit of privacy commissioners, allows for the possibility of someone aggrieved by intrusive obtaining of communications data making a complaint to the Information Commissioner’s Office (ICO) as well as the IPT. It does state that “the ICO does not have the necessary [sic] powers to investigate breaches of RIPA and will only make a decision as to whether it is likely or unlikely that an organisation has complied with the DPA”, but it does strike me that a complaint to the ICO is a lot easier to make than an application to the IPT. Or, alternatively, a civil claim (under section 13 DPA) through the courts on the basis that the public authority in question had contravened its obligations opens up the possibility of a damages award. This might be a more attractive option for an complainant, because, although damages are a remedy available in the IPT (under s67(7) RIPA), it is notable that there is no right of appeal from an IPT decision (s67(8)).

One last point – the Surveillance Roadmap tries to draw lines separating the functions of the various commissioners. This is sensible, and aims to avoid overlap and duplication of functions, but one wonders if the ICO might be interested in looking at the DPA compliance of the authorities who erred so notably in the cases seen by IOCCO.

 

 

 

 

Leave a comment

Filed under Data Protection, human rights, Information Commissioner, RIPA

Tagged as , ,

March 17, 2014 · 5:10 pm

A balanced view on Optic Nerve

As I’m keen always to take a balanced view of important privacy issues, and not descend into the sort of paranoid raving which always defines, say, the state as the enemy, capable of almost anything, I sometimes think I end up being a bit naive, or at least having naive moments.

So, when outgoing Chair of Ofcom Dame Colette Bowe recently gave evidence to the House of Lords Select Committee on Communications, and said about consumers that

their smart TV may well have a camera and a microphone embedded in it there in their living room. What is that smart TV doing? Do people realise that this is a two-way street?

I thought for a moment “Oh come on, don’t be so scaremongering”. Sure, we saw the stories about Smart TVs and cookies, which is certainly an important privacy issue, but the idea that someone would use your TV to spy on you…?!

And then, of course, I quickly remembered – with a feeling of nausea – that that is exactly the sort of thing that GCHQ are alleged to have done, by jumping on the unencrypted web cam streams of Yahoo users, as part of the Optic Nerve program. And each time I remember this, it makes me want to scream “THEY WERE INDISCRIMINATELY SPYING ON PEOPLE…IN THEIR HOMES, IN THEIR BEDROOMS, FOR ****’S SAKE!”

And they were doing it just because they could. Because they’d notice a way – a vulnerability – and taken advantage of it to slurp masses of intensely private data, just in case it might prove useful in the future.

The intrusion, the prurience, the violation do indeed make me feel like raving against the state and its agents who, either through direct approval, or tacit acceptance, or negligence, allowed this to happen. Although *balance alert* GCHQ do, of course, assure us that “GCHQ insists all of its activities are necessary, proportionate, and in accordance with UK law”. So that’s OK. And yes, they really did call it “proportionate”. 

I know the web cam grabbing was by no means the only such intrusion, but for me it exemplifies the “something” which went wrong, at some point, which led to this. I don’t know what that something was, or even how to fix it, and I’ve never used a web cam, so have no direct interest, but I will closely watch the progress of Simon Davies’ request for the Attorney General to refer the matter to the police.

Leave a comment

Filed under Confidentiality, Data Protection, human rights, interception, Privacy, RIPA, surveillance

Tagged as , , ,

July 11, 2013 · 6:45 am

Is the BBC spying on whistleblowers?

A couple of the normal BBC-baiting newspapers report that that organisation has been “accused of spying on whistleblowers”, after a Freedom of Information request revealed that the BBC’s Investigation Service monitored emails of 30 workers last year. The Telegraph says this

raised fears that BBC management is engaged in a crack down on people it suspects of whistle-blowing about their concerns over the running of the corporation

There seems to be absolutely no evidence for this. To me it looks more like an employer intercepting communications on business systems in order to prevent or investigate potential unlawful behaviour. The law provides for this, and the paper reports that the BBC even said

The BBC Investigations Service does not target whistleblowers. The four cases of leaked information involved other matters such as the release of commercially sensitive information or the release of internal information – none of the four cases of leaked information could be considered as whistleblowing in any sense. The BBC has a clear policy protecting the right to whistleblow

The circumstances under which email communication can be intercepted by an employer are clearly prescribed by law. The much-maligned and -misunderstood Regulation of Investigatory Powers Act 2000 (RIPA) corrected the previous domestic position that workplace surveillance could not amount to an infringement of an employee’s Article 8 rights (a position criticised by the European Court of Human Rights in Halford v UK). The provisions of section 1 of RIPA create a criminal offence of unlawful interception of a communication (transmitted either by public or private telecommunications system) where the interception occurs without lawful authority. However, secondary legislation, made under RIPA, prescribes what “lawful authority” can mean within an employment context. The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (the “LBP Regulations”) provide inter alia that interception of emails will be lawful if it is done for the purposes of preventing or detecting crime, or for the purpose of investigating or detecting the unauthorised use of that or any other telecommunication system. This can be done without consent or notification as long as the business informs users of its systems in advance (normally by way of a policy) that emails may be intercepted for relevant purposes (I wrote on this in detail in None of our business? Private emails, FOI and lawful interception (PDP FOI Journal, Nov/Dec 2011
Volume 8, Issue 2, subscription only)).

So, provided the BBC have a policy informing staff that their emails could be intercepted (and I would be amazed if they don’t) they will have done nothing wrong, and nothing that a responsible employer, and public service provider, should be blamed for doing. Do the Telegraph and the Mail think the BBC should not investigate alleged unlawful – perhaps criminal – behaviour on the part of its staff?

Leave a comment

Filed under BBC, employment, interception, RIPA, surveillance

Tagged as ,

September 29, 2012 · 9:04 am

Private emails, FOI and Criminality

Private emails are subject to FOI searches, and it’s a crime intentionally to conceal relevant information.

So, it appears that the Department of Education (DfE) has conceded that business emails sent by private email accounts are subject to the Freedom of Information Act 2000 (FOIA), thus accepting what the right-thinking world, and, indeed, anyone with a glimmer of common sense knew all along.

Plaudits, or brickbats, according to your position on the merits of FOIA, should go to Christopher Cook of the Financial Times, who has pursued the Department of Education (DfE) on this with the enthusiasm of a Jack Russell terrier faced with a scurrying rat. Fellow hacks at the Independent had also joined themselves to the proceedings listed (but now withdrawn) in the First-tier Tribunal (Information Rights). The DfE had had the balls to launch a challenge to a previous decision by the Information Commissioner (ICO) that the information (held in private email accounts) requested by Chris should be released. The decision notice itself was clear, and difficult to argue with, as is the advice on the subject published by the ICO around the same time. One wondered what possible grounds the DfE had to base a successful appeal on, and the withdrawal of the appeal probably answers that point, although it appears the withdrawal was actually prompted by the imminent publication of Cabinet Office guidance.

Some are now predicting that there will be a deluge of FOI requests specifically targeted at information held in private emails, or text messages, and I think this is probably right. What is not clear is how they will be handled. The ICO’s guidance suggests that, faced with requests for information that could be held in private emails, public authorities should restrict themselves to asking the person to search their account and keeping a record to show that this was asked:

The public authority will then be able to demonstrate, if required, that appropriate searches have been made in relation to a particular request. The Commissioner may need to see this in the event of a…complaint

This suggests that, when investigating a complaint about refusal to disclose information, the ICO will restrict himself merely to satisfying himself that an authority has asked its staff to check emails. Absent any evidence that those staff have not been honest about the contents of those private emails, the ICO will take no further action. The reasons for this are, really, quite obvious: the powers open to a public authority to access private email accounts are limited. Although the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 allow an employer to “intercept” an employee’s private emails  (if sent using the employer’s systems) to determine whether they are business-related, those powers must be exercised with due regard to the employee’s privacy rights. The interception of private emails in a private email account (sent using the employer’s systems) must be necessary and proportionate. If an employee has told his or employer that their private emails contain no information caught by an FOI request it is doubtful, absent any evidence to the contrary, that a “trawl” of emails without the employee’s consent would be lawful (I’ve written for PDP journals on this subject – subscription needed).

On one view, then, nothing much has changed with the concession by the DfE, although no doubt many new FOI requests will be made as a result. What has changed, perhaps, is the focus on individuals’ personal responsiblity under FOIA. Currently, section 77 creates an offence if a person alters, defaces, blocks, erases, destroys or conceals a record in response to an FOI request. If a trawl of emails on a public authority’s systems is required this will normally fall to IT, or similar, and employees have little say – or, if you like, given the existence of back-up systems – limited opportunity to commit a section 77 offence. Now, if the same employee is asked whether private emails contain specific information, and he or she untruthfully says “no”, criminality – the mens rea – will be relatively easy to make out.

The question is, how would we find out?

6 Comments

Filed under Freedom of Information, Information Commissioner, Information Tribunal, Privacy, RIPA, Uncategorized

Tagged as , ,

August 24, 2012 · 3:14 pm

Why won’t you read my secret guidance?!

The Office of Surveillance Commissioners (OSC) is in charge of reviewing the exercise of powers and duties under the Regulation of Investigatory Powers Act 2000 (RIPA) and the equivalent Scottish Act. It does not regulate RIPA (that is the role of the judiciary) but conducts inspections, provides reports and issues guidance. That guidance is, effectively, secret.

I can understand why details of specific instances of lawful surveillance must not be disclosed publicly. I have never fully understood why guidance from the person appointed to review the exercise and performance of powers and duties conferred or imposed by or under RIPA should not be disclosed publicly

The Office of Surveillance Commissioners’ remit is

keeping under review (except in relation to the interception of communications and the intelligence services) the exercise and performance of powers and duties conferred or imposed by or under Part II (covert surveillance) and Part III (encryption) of RIPA and its Scottish equivalent RIP(S)A

(interestingly that website contains a typo – this remit is contained in section 62 of RIPA, not section 63).

This is an important role (which is in addition to the OSC’s remit under the Police Act 1997 to review authorisations by law enforcement agencies “for operations involving entry on, or interference with, property or wireless telegraphy, without the consent of the owner”). RIPA is muchmaligned, although, ironically enough, in key areas it merely provides a regulatory framework for intrusions  into private lives which were formerly permissible at common law (i.e. the sort of surveillance RIPA regulates perhaps always used to happen, it’s just that it was not prima facie unlawful).

However, the Chief Surveillance Commissioner never seems happy with his lot. In his latest report he bewails the limits on his office’s funding

The Home Secretary is required…to provide me with the support necessary to fulfil my responsibilities. The support I receive continues to be, in some respects, inadequate. In particular, information technology for many years has failed to meet the demands of remote, secure and mobile working which is an integral part of the inspection process. Promises of improvement are not fulfilled and there appears little urgency to resolve recurring problems. Similarly, I have to rely on archaic facsimile machines which repeatedly malfunction. (¶3.13)

If true, this is pretty shoddy. I would suggest that if anyone needs to be sure about their information security it’s the Chief Surveillance Commissioner (and why is he still reliant on “facsimile machines”?).

He is also unhappy with some authorities he has inspected

My Inspectors are not lawyers and they address their reports to me. Their reports are subject to my endorsement which I will make clear in my covering letter to the chief officer of the authority inspected. It is therefore important that conversations with them during an inspection are not misquoted or shared with others without prior agreement…There have been a few occasions when correspondence from me to a single public authority has been promulgated by that authority to others as a general interpretation. Usually my guidance relates to specific facts and may not be applicable in circumstances which may appear to be, but which on analysis are not, similar.(¶3.3-3.4)

This reluctance to be open about things he and his inspectors say carries through – in spades – to the guidance he produces. In the most recent report he says

my Commissioners from time to time publish guidance in a single document for use by public authorities. I do not wish to apply a security marking to my guidance but, despite clear instructions, I am dismayed at thoughtless disclosure of a document which provides information which necessarily alludes to covert tactics. The Home Office has not yet provided me with a website capable of balancing the need for transparency to the public with controlled access to specific guidance by a limited audience.

and refers back to the previous year’s report which provided reasoning for not publishing it

my small office does not have the capacity to answer the inevitable influx of requests for clarification this would invite…law enforcement agencies in particular are concerned that tactics might unnecessarily be revealed…it is not a comprehensive document which covers every eventuality and it might be misconstrued or misused; and…it is not my remit to provide free legal advice, though I proffer guidance to public authorities which I have a responsibility to review, in order to raise standards and promote consistency (¶3.4)

although not before regretting it is not always readily available to those who need it

If I continue to find this document is not readily available to those who need it, or is not promoted by national associations, I may make it publicly available on my website

Which seems to me to be a case not of threatening to take your bat home with you, but going home and leaving your bat behind.

All this seems to reveal an attitude rather, shall we say, paternalistic and ante-Freedom of Information Act. Needless to say, someone tried, a couple of years ago, to use FOIA to get a copy (asking the OSC, which is not a public authority for the purposes of FOIA, nonetheless to use the Act’s spirit as a model for discretionary disclosure). Although the OSC refused, the requestor, on the admirable whatdotheyknow.com site*, later found that a local authority had helpfully uploaded a copy as part of a committee report. Perhaps this was one of the naughty authorities lambasted by the OSC. If so, he hasn’t done much about it, because the report is still there, happily providing guidance and – I hope – not actually causing him any trouble whatsoever.

 

*I’ve not linked to it, out of deference to the OSC – I can tug my forelock with the best of ’em – but a bit of googling will get you there in no time.

 

 

 

 

 

1 Comment

Filed under Freedom of Information, RIPA, surveillance, surveillance commissioner