RIPA and Communications Data: IoCCo Annual Report














In October 2015 the Prime Minister appointed Sir Stanley Burnton as the new Interception of Communications Commissioner replacing Sir Anthony May. Sir Stanley’s function is to keep under review the interception of communications and the acquisition and disclosure of communications data by public authorities under the Regulation of Investigatory Powers Act 2000 (RIPA).

Local authorities, as well as other agencies, have powers under Part I Chapter 2 of RIPA to acquire communications data from Communications Service Providers (CSPs). The definition of “communications data” includes information relating to the use of a communications service (e.g. phone, internet, post) but does not include the contents of the communication itself. It is broadly split into 3 categories: “traffic data” i.e. where a communication was made from, to whom and when; “service data” i.e. the use made of the service by any person e.g. itemised telephone records; “subscriber data” i.e. any other information that is held or obtained by a CSP on a person they provide a service to.

Some public authorities have access to all types of communications data e.g. the Police, the Ambulance Service and HM Revenues and Customs. Local authorities are restricted to subscriber and service use data and then only where it is required for the purpose of preventing or detecting crime or preventing disorder. For example, a benefit fraud investigator may be able to obtain an alleged fraudster’s mobile phone bill. As with other RIPA powers, e.g. Directed Surveillance under Part 2, there are forms to fill out and strict tests of necessity and proportionality to satisfy.

On 8th September 2016, Sir Stanley laid his 2015 annual report before Parliament. The report covers the period January to December 2015. Key findings around communications data powers include:

  • 761,702 items of communications data were acquired during 2015.
  • 48% of the items of communications data were traffic data, 2% service use information and 50% subscriber information.
  • 7% of the applications for communications data were made by police forces and law enforcement agencies, 5.7% by the intelligence agencies and 0.6% by local authorities and other public authorities.
  • Only 71 local authorities reported using these powers. The majority of these used them on less than 10 occasions.
  • Out of the 975 applications made by local authorities in 2015, Kent County Council made 107 of these whilst five councils made just 1 application each.

A big reason for the low use of these powers by local authorities is that, since 1st November 2012, they have had to obtain Magistrates’ approval for even the simplest communications data applications (e.g. mobile subscriber checks).

Another reason may be that since December 2015 last year, the Home Office has required councils to go through the National Anti Fraud Network to access communications data rather than make direct applications to CSPs. This has also made the internal SPoC’s (Single Point of Contact) role redundant. Consequently the Commissioner no longer conduct inspections of individual local  authorities; choosing to inspect NAFN instead.

In March 2015 a new Code of Practice for the Acquisition and Disclosure of Communications Data by public authorities came into force.  It contains several policy changes, which will require careful consideration.

When the Investigatory Powers Bill comes into force it will change the communications data access regime.  Read our blog and watch this space.

Do you make use of these powers and need refresher training? Act Now is running a live one hour webinar on this topic. We also offer a whole host of training in this area. Please visit our website to find out more!

Posted in Communications Data, Privacy, RIPA, Security | Leave a comment

Act Now DP Practitioner Certificate: Latest Results


Act Now Training’s Data Protection Practitioner Certificate continues to go from strength to strength. The two remaining courses in 2016 are fully booked and the latest set of results and delegate feedback show that it is an ideal qualification for those who work with Data Protection and privacy issues on a day-to-day basis.

In September 2016, a total of 14 delegates passed the course of which 10 achieved a distinction. As ever there was a wide range of delegates from the local government, health, education and private sectors.

Candidates were delighted with their results. They really appreciated the effort put in by our expert speaker Tim Turner:

“The course really was excellent and I would thoroughly recommend it. Data Protection can be a dry subject, but not when delivered by Tim – he kept my full attention from beginning to end with his excellent and interesting presentation, and invaluable advice.”  SB, Lancashire CC

“Tim broke the course down into manageable chunks and gave useful, practical examples that illustrated his points. This course has given me not only the knowledge but also the confidence to improve at my job and make my organisation better too!” DH, Cheshire West and Chester Council

“Tim imparts a huge amount of information in an accessible, user-friendly way that has never felt overwhelming.” SM, University of Surrey

The emphasis of the course is on practical skills which a Data protection Officers need to do their job and raise DP standards in their organisation. This is something, which was emphasised by our delegates in their feedback:

“I would thoroughly recommend the course, which has a sensible, practical focus and deals with the application of an otherwise abstract and complex piece of legislation to real life situations.”  AG, Parliamentary and Health Service Ombudsman

“The course provided useful practical examples which makes it easy to apply the DPA and identify a potential breach in a scenario – Immensely useful🙂.” BA, Nursing and Midwifery Council

“Great, thorough presentation and discussion of the practical implementations of data protection, the Act and its future developments.” PC, University of the Highlands and Islands

The course syllabus continues to be revised to include more themes covered by the General Data Protection Regulation (GDPR) which will come in force in May 2018  (and which is still relevant despite the Brexit vote).

The course, designed in consultation with a panel of experts from the UK and Europe, takes place over four days (one day per week) and involves lectures, assessments and exercises. This is followed by a written assessment. Candidates are then required to complete a practical project (in their own time) to achieve the certificate.

If you don’t have the time to attend for four consecutive weeks, why not try our intensive course in Summer 2017?

To learn more please visit our website or get in touch.

Posted in Data Protection, EU DP Regulation, GDPR | Leave a comment

IG Dates for your Diary – Let’s seize the day(s)!










By Frank Rankin

It always seems to be the national or international day of something-or-other.  As I write it is (as decreed by the United Nations) International Democracy Day. Coming soon we will have (as decreed by a couple of strange blokes in Oregon) International Talk Like A Pirate Day.

As well as providing useful space-fillers to lazy journalists on slow news days, such commemorations are often used to draw attention to serious (or silly) issues.

And as information governance practitioners, why should we miss out?

There are a few calendar dates which we can possibly exploit in the never-ending task of raising awareness among our managers and co-workers of some of the key messages around FOI, data protection and information security.

I plan to send some communications to my colleagues in the NHS organisation where I work, commemorating International Right to Know Day on 28 September. Initiated by FOI activists from around the world in 2002, the day seeks to celebrate successes in improving government transparency, and highlighting continuing struggles. It provides an excuse for me to gently remind colleagues that they could be the recipient of FOI requests and how they should react. I’ll also remind them of the rights that they have as citizens. (Why not put up some FOI posters Frank? Ed.)

October is National Cyber Security Awareness Month and 7 February 2017 will be Safer Internet Day. In drawing the attention of colleagues to guidance and resources to help them keep their families safe online, we also build their skills and awareness to improve security in the workplace. On the last Safer Internet Day we took the opportunity to send tips to colleagues on how to protect themselves and their children from phishing, malware and other nasties. It is the first time I have ever received notes of thanks for an information governance awareness programme!

Across Europe, Data Protection Day is marked on 28 January – the anniversary of the signing of the Council of Europe’s Convention 108 for the Protection of individuals with regard to automatic processing of personal data, ancestor to the forthcoming General Data Protection Regulation (GDPR). Although I am sure you all knew that.  (Well, Tim Turner probably did.)  (Dear reader, it is still relevant despite the Brexit vote.Ed)

While I don’t expect to see MoonPig selling cards for the occasion, again it gives us a hook to hang an awareness message on – perhaps some reminders of appropriate behaviours we expect from staff to protect the personal data we hold, as well as an update on GDPR developments. (Er why not put up some GDPR posters Frank?Ed.)

But Frank, I hear some of you object, aren’t these commemorative dates just a wee bit cheesy? Perhaps. But I am not too proud to borrow any excuse to highlight information governance messages in a way that reminds our people that these issues are universal.

Back in the 1990s, the late Declan Treacy used to champion International Clear Your Desk Day as an opportunity to declutter our work spaces, delivering benefits for ergonomics, mental health and feng shui – as well as for records management and data security. Alas, no-one seems to have picked up the mantle since his death.

So, who is with me? Let’s pick a date and I’ll see you at the confidential waste bin.

Frank Rankin is an information security, FOI and records management expert. Amongst other courses he is currently delivering our Practitioner Certificate in Freedom of Information (Scotland).

Posted in Data Protection, EU DP Regulation, GDPR, Privacy | Leave a comment

9 Tweets Long



By Paul Simpkins

I went to an AGM last night. It was an employee owned company. I wasn’t there representing anyone just observing but a DP issue cropped up. There was a roaming photographer taking pictures of all the attendees. Some naturally smiled and waved but when I asked the photographer

“What will you do with these pictures?”

the answer was staggering.

“I don’t know “.

It didn’t seem  promising but I settled down and Googled the company. The Chief Executive meanwhile made a standard speech about how good they were, being an employee owned company, just like John Lewis he chortled (but not quite as big). The company secretary told us how the Employee Trust was being set up very soon and everything looked rosy.

The results of the Google jury came in. It had a cookie policy on the front page. No privacy policy. I looked on the ICO website. They had notified so they knew something about DP. Back to their website I used their search facility and typed in Data Protection.  No results found.

It wasn’t looking good but I hit “Disclaimer and Copyright” just for fun. There it was. Halfway down the page was a Privacy Statement. Unfortunately it only had 216 words and 1,300 characters.  It didn’t give any commitment to protecting personal data; It didn’t quote the Notification number; It didn’t reference the Data Protection Act 1998; It didn’t say the purpose for which data was processed. It didn’t outline the rights of data subjects. It didn’t talk about data sharing (and it was a heath and social care employee owned company) and it didn’t offer any contact details if anyone wanted to ask anything about the policy.

In fact it was poor specimen which didn’t meet current good practice. Of course when the  General Data Protection Regulation (GDPR) comes into force the new rules on privacy notices will be much stricter.

Finally a quote from the policy.

“By continuing to use this site you are considered as understanding and agreeing to the contents of this statement.”

So they have no reference to Data Protection, the term isn’t searchable. You can find a Privacy Statement if you look under Disclaimer and Copyright button but it’s pretty poor missing out many things that the ICO code of practice recommends but whether you find it or not by continuing to use the site you understand and agree to their Privacy statement that is just 9 tweets long.

Act Now has a full programme of Data Protection workshops including “Data Protection and Social Media.”



Posted in Uncategorized | Leave a comment

Privacy Notices under #GDPR: Have you noticed my notice?


As you all know by now the General Data Protection Regulation (GDPR) is here and it is (as predicted) starting to get various people fired up ready for its 2018 implementation date. (Dear reader, it is still relevant despite the Brexit vote.) We’ve been exploring various aspects of the GDPR and in this particular blog I want us to look at the concept of privacy notices and what they will need to start looking like under the Regulation.

Data Protection Act 1998:

Under the current Data Protection Act 1998, and indeed the Information Commissioner’s Office Privacy Notices Code of Practice, privacy notices should be on any collection point where personal data is being collected from a Data Subject. Especially if being collected for a new purpose. In that notice Data Controllers should (at the very least) include the following;

  • The identity of the Organisation in control of the processing;
  • The purpose, or purposes, for which the information will be processed;
  • Any further information necessary, in the specific circumstances, to enable the processing in respect of the individual to be ‘fair’ (in accordance with the 1st Principle).

The requirements also outline that this information must be clear and in ‘plain English’ and your purposes cannot be too vague. The less vague the purpose the less likely it’s going to be a valid consent (or indeed a valid notification if you are not relying on consent).

While privacy notices vary most of them aren’t that much longer than your average paragraph (the paragraph I’ve just written for example) and that, providing it’s clear, concise and meets your legal grounds for processing, is generally how privacy notices work under the Data Protection Act 1998. Further information on a Controllers processing is then often outlined in Terms and Conditions either in the contract paperwork or online.

The New World:

The GDPR builds on the current expectations around privacy notices but expands on the requirements based on the widened first principle which now specifically requires controllers to be transparent with their processing.

Article 13 Paragraph 1 (a-f) of the GDPR outlines that the following information should be provided to the data subject at the point of data collection;

(a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;

(b) the contact details of the data protection officer, where applicable;

(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

(d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;

(e) the recipients or categories of recipients of the personal data, if any;

(f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

Depending on what processing is going on, Article 13 Paragraph 2 (a-f) states that controllers will also need to provide some of the following;

(a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

(b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;

(c) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

(d) the right to lodge a complaint with a supervisory authority;

(e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;

(f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Now if you are engaging in some quite complicated processing, like in the insurance industry for example, your new notices under GDPR are going to need to strike a balance between being ‘too much information’ and being far too simple and high level that they don’t actually meet your transparency requirements to demonstrate effective notice or consent.

Article 13 Paragraph 3 also outlines that should a controller seek to process personal data for purposes different to which it was collected the controller shall project the subject (prior to that processing commencing) information on that purpose and any other relevant information from paragraph 2.

I’ve attempted to ‘mock up’ what one of these new notices could look like. Now this is very much an imaginary one but if we assume that a controller is processing Personal Data for complex purposes their notice may look something like this;

Your Personal Data:

What we need

The A Notice Ltd will be what’s known as the ‘Controller’ of the personal data you provide to us. We only collect basic personal data about you which does not include any special types of information or location based information. This does however include name, address, email etc.

Why we need it

We need to know your basic personal data in order to provide you with notice writing and analysis services in line with this overall contract. We will not collect any personal data from you we do not need in order to provide and oversee this service to you.

What we do with it

All the personal data we process is processed by our staff in the UK however for the purposes of IT hosting and maintenance this information is located on servers within the European Union. No 3rd parties have access to your personal data unless the law allows them to do so.

We have a Data Protection regime in place to oversee the effective and secure processing of your personal data. More information on this framework can be found on our website.

How long we keep it

We are required under UK tax law to keep your basic personal data (name, address, contact details) for a minimum of 6 years after which time it will be destroyed. Your information we use for marketing purposes will be kept with us until you notify us that you no longer wish to receive this information. More information on our retention schedule can be found online.

What we would also like to do with it

We would however like to use your name and email address to inform you of our future offers and similar products. This information is not shared with third purposes and you can unsubscribe at any time via phone, email or our website. Please indicate below if this is something you would like to sign up to.

Please sign me up to receive details about future offers from A Notice Ltd.

What are your rights?

If at any point you believe the information we process on you is incorrect you request to see this information and even have it corrected or deleted. If you wish to raise a complaint on how we have handled your personal data, you can contact our Data Protection Officer who will investigate the matter.

If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law you can complain to the Information Commissioner’s Office (ICO).

Our Data Protection Officer is Notice McNoticeface and you can contact them at

This example is working on the assumption of a simple data processing arrangement. The more complex your data processing the more complex that notice and consent capture will need to be. But this must be comprehensible to the average consumer and cannot be a work of ‘legal-ee brilliance’ that makes no sense to those not trained in law.

I suspect that notices will allow ‘outlines of categories’ of types of processing and third parties however we shall see how big these categories can be. After all, the bigger the ‘bucket’ the less you are actually giving a robust ‘informed’ notice to a data subject.

In addition to all of this, Article 14 states that should you obtain Personal Data via a means not direct from the Data Subject themselves you also need to provide a notification to them (with some exceptions);

(a) within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;

(b) if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or

(c) if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.

The requirement is to provide them with very similar information that you would provide to them if you collected the data directly. How you do this will be a matter of some discussion to come but excluding the reasons outlined in Article 14 (5) (a – d), if you aren’t collecting directly you will now need to take steps to advise and ‘notify’ the Data Subject of what you are up to.

Now that is quite a long list of things to notify a data subject of, especially if you are delivering various services to the data subject (and collecting data on them) via various means. But Paragraph 4 does say that all of the above shall not apply if the data subject already has the data. So, for example, if a customer is simply renewing a service and nothing about the provision of that service (the processing) has changed then there is no obvious requirement here to re-issue the original notice at that point of renewal.

We will delve into the concept of consent at another time (very soon) but the requirement to be transparent as well as the requirement to ensure you have a clear and documented consent means that privacy notices are going to have to become more than just a long legal document but that far away from what we are doing today (assuming we are doing them correctly that is).

Scott Sammons CIPP/E, AMIRMS is an experienced Data Protection & Information Risk practitioner and blogs under the name @privacyminion. He is on the Exam Board for the Act Now Data Protection Practitioner Certificate.

Want to know more about privacy notices?  Attend our one hour webinar or our full day GDPR workshop. 

Posted in Data Protection, EU DP Regulation, GDPR, Personal Data | Tagged , , , | 3 Comments

OSC RIPA (Surveillance) Procedures and Guidance: A view from its former editor




















For the first time, the Office of Surveillance Commissioners (OSC) has made its Procedures and Guidance (P&G) public (in electronic format).

The guidance is essential reading for public authorities, especially councils, who conduct surveillance under Part 2 of the Regulation of Investigatory Powers Act 2000 (RIPA) (Directed Surveillance, Intrusive Surveillance and the deployment of a Covert Human Intelligence Source (CHIS)). The guidance also covers Part III of RIPA and RIP(S)A and to Part III of the Police Act 1997. It does not provide guidance on interception and the obtaining of communications data requiring a RIPA/RIP(S)A warrant.

Why should you care?

For reasons which Steve Morris explains in his blog on the latest OSC report, you’re going to face some form of inspection whether or not you have or intend to conduct covert surveillance; so at least understand how that inspection will be approached.

Also, as the Chief Surveillance Commissioner emphasises, every public authority should have in place policies, procedures and training programmes to ensure that relevant legislation is complied with when a situation arises. The OSC P&G will help you understand when relevant situations arise and how they should be approached.

Failure to recognise when the protection of RIPA/RIP(S)A may be sought or to know how to respond in a manner compliant with legislation – that is claiming ignorance – is no longer an option!

Why does the document exist?

When I first joined the OSC there was a best practice document which I believe had been shared with law enforcement agencies. This, combined with inspection reports, did not appear to meet with unanimous approval.

The Police Service attempted to introduce its own ‘Key Principles’ document which was sufficiently inadequate to attract the comment that “this is why the police should not be left to interpret legislation!”

However, I hope that I am not criticised for saying that the Surveillance Commissioners were not entirely comfortable publishing generic principles; they were more accustomed to making judgments on the facts of specific cases.

It is no coincidence that the following disclaimer, changed little since the first edition, is given prominence: 

“The opinions expressed within the Interpretation Guidance section of this publication are those of the Surveillance Commissioners. The OSC is not a judicial authority. This Guidance simply indicates the way in which the Commissioners would be minded to construe particular statutory provisions. There is no statutory requirement to publish them but they are a response to frequent requests for guidance from public authorities or are matters raised or identified during the inspection process. In the absence of case law, they are the most reliable indicator of likely judicial interpretation. They are the basis upon which inspections will be conducted and performance assessed by the Office of Surveillance Commissioners. Applicants and Authorising Officers should take note of the interpretations when constructing and considering applications and authorisations for the use of covert powers.”

These are the Surveillance Commissioners’ views. It’s rare that a collective interpretation of law is construed by seven ex-Appeal Court judges and three ex-Circuit judges. During my time, issues were examined and discussed at length during meetings with Commissioners and inspectors. You can imagine that, as Editor, I have happy memories of ‘wordsmithing’ each entry to accommodate the wishes of eminent lawyers!

In effect it is the OSC’s ‘party line’ but the disclaimer should be read in conjunction with paragraph 12. It would be wrong to imply that every member of the OSC agrees with every word in the document, so it is necessary to remember that it is guidance which may easily be altered by facts specific to each case. This is why you’ll find phraseology such as “is capable of being construed as [a type of] surveillance” rather than the definitive “is [a type of] surveillance”. Each Surveillance Commissioner is able to exercise his own judgment when approving authorisations.

RIPA and RIP(S)A are permissive and discretionary powers; the onus is on an authorising officer to decide whether or not to grant an authorisation for covert conduct. Assistant Surveillance Commissioners and inspectors cannot dictate. The aim of the document is to provide a level of consistency in approach from the OSC.

Finally, it is not the task of the OSC to make law; its task is to interpret the law as it is written, not as the Commissioners or others may prefer it. So don’t accuse the OSC of promoting covert conduct which you don’t agree with!

Why publication was resisted?

Partly because of conflict with the Police Service in relation to the ‘Key Principles’ document, and in response to concerns that operational techniques would be exposed, it was decided that the P&G should not be made available to the public. My repeated requests to identify any operational technique in the document that hadn’t already been disclosed by enthusiastic senior investigating officers resulted in no applications. But it was decided that we relied on practitioner transparency which required trust that we would not inhibit legitimate techniques.

When serving in the OSC and today, I am sometimes disappointed with the understanding of some trainers and the quality of their training. Too often legislation, codes of practice and the P&G are regurgitated or misused for commercial gain without improving knowledge or practitioner performance. Sometimes challenging the P&G was used as enticement to attendance or purchase; we were concerned that alternative opinions undermined confidence in the OSC.

I can avow the time and effort that goes into the formulation of this guidance; there is good reason why phrases are used. To protect copyright, to avoid misinterpretation and to prevent others gaining financially from the immense effort of the OSC were, I confess, causes of reticence to provide the document to the public.

In hindsight I believe my advice to the Chief Surveillance Commissioner to prevent public disclosure was misguided. Copies leaked to trainers and OSC silence allowed the media and campaigners to inadequately interpret legislation and its use.

Discussions relating to the Investigatory Powers Bill indicate that the need for regulators to transparently demonstrate how they hold public authorities to account has been recognised. Making the P&G public is a positive step but I am surprised that it is free! It‘s a publication worthy of a charge.


For the remainder of this post I compare the July 2016 version with its predecessor of December 2014. There are many notes useful to practitioners. If you have not read it at least once, you should. Numbers in parenthesis are the relevant note number.

Part 1 – Procedures

Part 1 Section 1 provides detail of how to contact the OSC and matters relating to inspection process and reporting. Part 1 Section 2 provides detail in relation to Commissioner approvals, which apply mainly to law enforcement agencies.

[7-8] Disclosure of inspection reports. This is not new but worth reiterating. There is no requirement – as stated in the Codes of Practice – to notify the OSC of an intention to publicly disclose an inspection report, nor does the OSC promote or discourage the practice. The decision whether or not to publish rests entirely with the chief officer of the public authority inspected.

Part 2 – Guidance

[75] “I am satisfied” and “I believe” Again, not new but important. Too often authorising officers provide insufficient rationale to support their judgment; relying on the details provided by the applicant. This guidance cautions against lax authorisations. The heading indicates an unexplained difference between RIPA and RIP(S)A which use different requirements. This is likely to be complicated further if the terms in the draft IP Bill are enacted. That Bill currently requires a designated officer to “consider”. I may write another article on the significance of these differences.

[87] Duration of authorisations and renewals. Added clarification to ensure that electronic systems date/time algorithms do not have the effect of “losing a day” of authorised conduct. This amendment probably reflects the law enforcement agencies tendency to use electronic systems to create and process applications and authorisations. A useful audit is provided by date stamps and automatically generated data which cannot be altered. There have obviously been instances where automatic dates are not accurate. This amendment indicates how an OSC inspector will regard the inaccuracy but it’s a hint that authorising officers should ensure that dates are accurate.

[93-98] Persons, groups, associates and vehicles. These notes provide guidance in to assist public authorities amend authorisations when details are not known at the outset. The final sentence of Note [96] is amended:

Deleted: “The AO should set parameters to limit surveillance and use review to avoid “mission creep”.

Inserted: “The AO should guide the operational commanders by setting contextual parameters for the use of the “link” approach.” (i.e. where a possible link has previously been identified between individuals to the common criminal purpose being identified.)

There is a new note [97].

“The Authorising Officer should be updated when it is planned to deploy equipment or surveillance against a freshly identified subject before such deployment is made, to enable him to consider whether this is within the terms of his original authorisation, necessary, proportionate and that any collateral intrusion (or interference) has been taken into account; alternatively, where operational demands make it impracticable for the Authorising Officer to be updated immediately, as soon as reasonably practicable thereafter. This is to ensure that the decision to deploy further devices or surveillance remains with the Authorising Officer and is not delegate to, or assumed by, another, such as the operational commander. Such reviews should be pertinent and can be done outwith the usual formal monthly written review process, provided that the details of the Authorising Officer’s decisions are recorded contemporaneously and formally updated at the next due review. Where the terms of an authorisation do not extend to interference to other subjects (criminal associates) or their property then a fresh authorisation, using the urgency provisions if necessary, will need to be sought.” (My emphasis)

[222-229] Authorisation of undercover officers (UCOs). Note [226] is amended to enable additional UCOs to be authorised by way of review but indicates that every UCO must be authorised for the correct duration. This reflects the reality that it is frequently necessary to introduce additional UCOs to an investigation (for example to support a legend). Often the identity of additional UCOs will not be known at the outset. Rather than insist on the added bureaucracy of a new authorisation, the Commissioners have indicated that amendment by review (providing the terms of the original authorisation allow it) will not be criticised.

[289] Covert Surveillance of Social Network Sites (SNS). I advise that all members of local authorities read paragraph 289 in entirety as it’s the conduct most likely to introduce RIPA/RIP(S)A compliance issues. It remains my view that too few public authorities recognise (either deliberately or in ignorance) that the ‘less intrusive’ means that have resulted in decreased authorisations may be the result of not authorising internet investigations on the belief that ‘open source’ or publicly available mitigates RIPA/RIP(S)A consideration. This note provides the OSC’s guidance. Sub-note [289.3] is amended as shown in bold type:

“It is not unlawful for a member of a public authority to set up a false identity but it is inadvisable for a member of a public authority to do so for a covert purpose without an authorisation for directed surveillance when private information is likely to be obtained. The SRO should be satisfied that there is a process in place to ensure compliance with the legislation. Using photographs of other persons without their permission to support the false identity infringes other laws.”

See also Ibrahim Hasan’ blog post on RIPA and social networks.



I hope that this background is useful. I hope that my reticence to persuade the former Chief Surveillance Commissioner to make the P&G available to the public is proven to be misguided. Publishing the document is a very positive move in my opinion and is a useful indicator that the Commissioners have come to terms with the need to be public-facing. I applaud the decision.

Disclaimer: Sam Lincoln is a former Chief Surveillance Inspector with the OSC. In that capacity he introduced the OSC Procedures and Guidance and edited it from 2006 to 2013. The opinions expressed in this post are his alone; he does not represent the OSC and OSC endorsement is neither sought nor implied.

Sam has designed our RIPA E-Learning Package which is an interactive online learning tool, ideal for those who need a RIPA refresher before an OSC inspection.


Like our image? It is available as an A3 Poster for the office, We have a small range of them for only £5 for three!  Take a look at the link below.

Posted in Communications Data, OSC, Privacy, RIPA, RIPA codes, Surveillance | Tagged , , | Leave a comment

Data Protection Reform after Brexit. Does GDPR still matter?

gdprAccording to the new Prime Minister “Brexit means Brexit.” But what does Brexit mean for UK Data Controllers who are planning for implementation of the new General Data Protection Regulation (GDPR)? The short answer is keep calm and carry on.

GDPR received formal adoption by the European Parliament in April 2016 and was published on 4th May in the Official Journal. This means that it will be directly applicable throughout EU member states (without the need for implementing legislation) from 25th May 2018. Following the referendum result, you might be forgiven for thinking that you can shred your copy of the Regulation or indeed cancel your place on our very popular GDPR workshop.

The UK may have voted to leave the EU but formal divorce proceedings cannot begin until it notifies the EU of its intention to invoke Article 50 of the Lisbon Treaty. This gives negotiators two years from the date of notification to conclude new arrangements. The newly appointed Secretary of State for Exiting the European Union, David Davis, has said Article 50 should be “triggered before or by the beginning of next year.” Therefore the UK could leave the EU by December 2018 at the earliest. Consequently there would be at least six months where UK Data Controllers would have to abide by all the provisions of GDPR. In reality exiting the EU could take much longer than two years and so we could be stuck with GDPR for much longer.

In the unlikely event that Brexit negotiations are concluded before May 2018, the DPA is still living on borrowed time. Immediately after the Brexit vote the Information Commissioner’s Office (ICO), released a statement saying:

“If the UK wants to trade with the Single Market on equal terms we would have to prove ‘adequacy’—in other words UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018.”

In a speech on 4th July 2016 the then Minister for Data Protection, Baroness Neville-Rolfe, touched on the future of data protection: (HT Panopticon Blog)

One thing we can say with reasonable confidence is that if any country wishes to share data with EU Member States, or for it to handle EU citizens’ data, they will need to be assessed as providing an adequate level of data protection. This will be a major consideration in the UK’s negotiations going forward….”

The law firm, Bird and Bird, have set out the options available to the UK in terms of exiting the EU and its implications for data protection. Each of these options makes it likely that either the GDPR or a very close cousin will be required in the UK after Brexit takes effect.

Regardless of what data protection path the UK chooses, UK companies with European customers and operations have to continue with preparations. This is because GDPR will apply to any entity offering goods or services (regardless of payment being taken) and any entity monitoring the behaviours of citizens residing within the EU. Companies will be directly responsible for GDPR compliance wherever they are based (and not just their EU based offices) as long as they are processing EU citizens’ personal data.

Recently on the ICO’s Blog,  the message was reiterated that GDPR is still relevant and preparation must continue:

“We’ve been working hard on producing a set of guidance on GDPR, with an overview of the law being the first substantive part of that. We still think it will be useful to publish this overview. This is because once implemented in the EU, the GDPR will be relevant for many organisations in the UK – most obviously those operating internationally. The other main reason is that the GDPR has several new features – for example breach notification and data portability. Therefore, we thought it would still be useful to familiarise information rights professionals with the GDPR’s main principles and concepts.”

 Data Controllers have two years to prepare for the biggest change to the EU data protection regime in 20 years.  Many provisions such as breach notification and the new DP Principles will require careful planning. With some GDPR breaches carrying fines of up to 4% of global annual turnover or 20 million Euros, a “wait and see” approach would be very risky.

How Act Now can help

The next two years need to be spent wisely. Training and awareness (see our poster) at all levels needs to start now. We are running a series of GDPR webinars and workshops and our team of experts is available to come to your organisation to deliver customised data protection/GDPR workshops as well as to carry out health checks and audits. GDPR requires many Data Controllers to appoint a dedicated Data Protection Officer. Our Data Protection Practitioner Certificate, with an emphasis on the practical skills requited to implement GDPR, is an ideal qualification for those aspiring for such positions.

And if you like our image, it, as well as some others are available as A3 Posters for the office for only £5 for three!  Take a look at the link below.

Posted in Data Protection, EU DP Regulation, GDPR, Privacy | 4 Comments