Category Archives: surveillance commissioner

Monitoring of blogs and lawful/unlawful surveillance

Tim Turner wrote recently about the data protection implications of the monitoring of Sara Ryan’s blog by Southern Health NHS Trust. Tim’s piece is an exemplary analysis of how the processing of personal data which is in the public domain is still subject to compliance with the Data Protection Act 1998 (DPA):

there is nothing in the Data Protection Act that says that the public domain is off-limits. Whatever else, fairness still applies, and organisations have to accept that if they want to monitor what people are saying, they have to be open about it

But it is not just data protection law which is potentially engaged by the Trust’s actions. Monitoring of social media and networks by public authorities for the purposes of gathering intelligence might well constitute directed surveillance, bringing us explicitly into the area of human rights law. Sir Christopher Rose, the Chief Surveillance Commissioner, said, in his most recent annual report

my commissioners remain of the view that the repeat viewing of individual “open source” sites for the purpose of intelligence gathering and data collation should be considered within the context of the protection that RIPA affords to such activity

“RIPA” there of course refers to the complex Regulation of Investigatory Powers Act 2000 (RIPA) (parts of which were reputedly “intentionally drafted for maximum obscurity”)1. What is not complex, however, is to note which public authorities are covered by RIPA when they engage in surveillance activities. A 2006 statutory instrument2 removed NHS Trusts from the list (at Schedule One of RIPA) of relevant public authorities whose surveillance was authorised by RIPA. Non-inclusion on the Schedule One lists doesn’t as a matter of fact or law mean that a public authority cannot undertake surveillance. This is because of the rather odd provision at section 80 of RIPA, which effectively explains that surveillance is lawful if carried out in accordance with RIPA, but surveillance not carried out in accordance with RIPA is not ipso facto unlawful. As the Investigatory Powers Tribunal put it, in C v The Police and the Home Secretary IPT/03/32/H

Although RIPA provides a framework for obtaining internal authorisations of directed surveillance (and other forms of surveillance), there is no general prohibition in RIPA against conducting directed surveillance without RIPA authorisation. RIPA does not require prior authorisation to be obtained by a public authority in order to carry out surveillance. Lack of authorisation under RIPA does not necessarily mean that the carrying out of directed surveillance is unlawful.

But it does mean that where surveillance is not specifically authorised by RIPA questions would arise about its legality under Article 8 of the European Convention on Human Rights, as incorporated into domestic law by the Human Rights Act 1998. The Tribunal in the above case went on to say

the consequences of not obtaining an authorisation under this Part may be, where there is an interference with Article 8 rights and there is no other source of authority, that the action is unlawful by virtue of section 6 of the 1998 Act.3

So, when the Trust was monitoring Sara Ryan’s blog, was it conducting directed surveillance (in a manner not authorised by RIPA)? RIPA describes directed surveillance as covert (and remember, as Tim Turner pointed out – no notification had been given to Sara) surveillance which is “undertaken for the purposes of a specific investigation or a specific operation and in such a manner as is likely to result in the obtaining of private information about a person (whether or not one specifically identified for the purposes of the investigation or operation)” (there is a further third limb which is not relevant here). One’s immediate thought might be that no private information was obtained or intended to be obtained about Sara, but one must bear in mind that, by section 26(10) of RIPA “‘private information’, in relation to a person, includes any information relating to his private or family life” (emphasis added). This interpretation of “private information” of course is to be read alongside the protection afforded to the respect for one’s private and family life under Article 8. The monitoring of Sara’s blog, and the matching of entries in it against incidents in the ward on which her late son, LB, was placed, unavoidably resulted in the obtaining of information about her and LB’s family life. This, of course, is the sort of thing that Sir Christopher Rose warned about in his most recent report, in which he went on to say

In cash-strapped public authorities, it might be tempting to conduct on line investigations from a desktop, as this saves time and money, and often provides far more detail about someone’s personal lifestyle, employment, associates, etc. But just because one can, does not mean one should.

And one must remember that he was talking about cash-strapped public authorities whose surveillance could be authorised under RIPA. When one remembers that this NHS Trust was not authorised to conduct directed surveillance under RIPA, one struggles to avoid the conclusion that the monitoring was potentially in breach of Sara’s and LB’s human rights.

1 See footnote to Caspar Bowden’s submission to the Intelligence and Security Committee
2 The Regulation of Investigatory Powers (Directed Surveillance and Covert Human Intelligence Sources) (Amendment) Order 2006
3 This passage was apparently lifted directly from the explanatory notes to RIPA


Police building register of domestic CCTV for crime investigation purposes?

This is a flyer apparently being distributed by Thames Valley Police (TVP).

[Image: flyer]

It invites householders who have private CCTV systems to register with TVP, who want to use those systems “in order to assist us in future investigations”.

Surveillance camera footage can undoubtedly be of great use in the investigation and prosecution of crime. But there is a potential problem for householders who decide to register with TVP, and I’d be interested to know if the latter have taken this into account.

The problem is this: CCTV cameras involve the processing of data, and where they capture images of identifiable individuals, it is personal data that they are processing. Purely domestic processing of personal data is exempt from all of the obligations under the Data Protection Act 1998, but when the processing is no longer purely for domestic purposes, then legal obligations potentially attach themselves to those doing the processing. The Information Commissioner’s Office (ICO) CCTV Code of Practice (both the current 2008 version and an updated version currently in draft) explains

The use of cameras for limited household purposes is exempt from the DPA. This applies where an individual uses CCTV to protect their home from burglary, even if the camera overlooks the street or other areas near their home

But the corollary of this is that if its use is not purely for the “household purposes” of protecting one’s home from burglary, then the exemption no longer applies. If householders are determining that the purpose for which they will process personal data is to assist TVP in criminal investigations, then they are data controllers.

This can’t simply be TVP wanting a register of CCTV-operating households to assist them if a crime happens on those specific premises, because that would be pointless: in those circumstances the householder would draw the footage to the police’s attention. No, this must be that TVP want to be able to access footage of relevant incidents outwith the individual household. 

I’ve asked TVP if they have any policy statement or guidelines on this initiative, and will update as and when they reply.


Why won’t you read my secret guidance?!

The Office of Surveillance Commissioners (OSC) is in charge of reviewing the exercise of powers and duties under the Regulation of Investigatory Powers Act 2000 (RIPA) and the equivalent Scottish Act. It does not regulate RIPA (that is the role of the judiciary) but conducts inspections, provides reports and issues guidance. That guidance is, effectively, secret.

I can understand why details of specific instances of lawful surveillance must not be disclosed publicly. I have never fully understood why guidance from the person appointed to review the exercise and performance of powers and duties conferred or imposed by or under RIPA should not be disclosed publicly.

The Office of Surveillance Commissioners’ remit is

keeping under review (except in relation to the interception of communications and the intelligence services) the exercise and performance of powers and duties conferred or imposed by or under Part II (covert surveillance) and Part III (encryption) of RIPA and its Scottish equivalent RIP(S)A

(interestingly that website contains a typo – this remit is contained in section 62 of RIPA, not section 63).

This is an important role (which is in addition to the OSC’s remit under the Police Act 1997 to review authorisations by law enforcement agencies “for operations involving entry on, or interference with, property or wireless telegraphy, without the consent of the owner”). RIPA is much maligned, although, ironically enough, in key areas it merely provides a regulatory framework for intrusions into private lives which were formerly permissible at common law (i.e. the sort of surveillance RIPA regulates perhaps always used to happen, it’s just that it was not prima facie unlawful).

However, the Chief Surveillance Commissioner never seems happy with his lot. In his latest report he bewails the limits on his office’s funding

The Home Secretary is required…to provide me with the support necessary to fulfil my responsibilities. The support I receive continues to be, in some respects, inadequate. In particular, information technology for many years has failed to meet the demands of remote, secure and mobile working which is an integral part of the inspection process. Promises of improvement are not fulfilled and there appears little urgency to resolve recurring problems. Similarly, I have to rely on archaic facsimile machines which repeatedly malfunction. (¶3.13)

If true, this is pretty shoddy. I would suggest that if anyone needs to be sure about their information security it’s the Chief Surveillance Commissioner (and why is he still reliant on “facsimile machines”?).

He is also unhappy with some authorities he has inspected

My Inspectors are not lawyers and they address their reports to me. Their reports are subject to my endorsement which I will make clear in my covering letter to the chief officer of the authority inspected. It is therefore important that conversations with them during an inspection are not misquoted or shared with others without prior agreement…There have been a few occasions when correspondence from me to a single public authority has been promulgated by that authority to others as a general interpretation. Usually my guidance relates to specific facts and may not be applicable in circumstances which may appear to be, but which on analysis are not, similar. (¶3.3-3.4)

This reluctance to be open about things he and his inspectors say carries through – in spades – to the guidance he produces. In the most recent report he says

my Commissioners from time to time publish guidance in a single document for use by public authorities. I do not wish to apply a security marking to my guidance but, despite clear instructions, I am dismayed at thoughtless disclosure of a document which provides information which necessarily alludes to covert tactics. The Home Office has not yet provided me with a website capable of balancing the need for transparency to the public with controlled access to specific guidance by a limited audience.

and refers back to the previous year’s report which provided reasoning for not publishing it

my small office does not have the capacity to answer the inevitable influx of requests for clarification this would invite…law enforcement agencies in particular are concerned that tactics might unnecessarily be revealed…it is not a comprehensive document which covers every eventuality and it might be misconstrued or misused; and…it is not my remit to provide free legal advice, though I proffer guidance to public authorities which I have a responsibility to review, in order to raise standards and promote consistency (¶3.4)

although not before regretting it is not always readily available to those who need it

If I continue to find this document is not readily available to those who need it, or is not promoted by national associations, I may make it publicly available on my website

Which seems to me to be a case not of threatening to take your bat home with you, but going home and leaving your bat behind.

All this seems to reveal an attitude rather, shall we say, paternalistic and ante-Freedom of Information Act. Needless to say, someone tried, a couple of years ago, to use FOIA to get a copy (asking the OSC, which is not a public authority for the purposes of FOIA, nonetheless to use the Act’s spirit as a model for discretionary disclosure). Although the OSC refused, the requestor, on the admirable whatdotheyknow.com site*, later found that a local authority had helpfully uploaded a copy as part of a committee report. Perhaps this was one of the naughty authorities lambasted by the OSC. If so, he hasn’t done much about it, because the report is still there, happily providing guidance and – I hope – not actually causing him any trouble whatsoever.

 

*I’ve not linked to it, out of deference to the OSC – I can tug my forelock with the best of ’em – but a bit of googling will get you there in no time.