Local authorities have powers under Part I Chapter 2 of the Regulation of Investigatory Powers Act 2000 (RIPA) (sections 21 to 25). This concerns the acquisition and disclosure of communications data from Communications Service Providers (CSPs). The definition of “communications data” includes information relating to the use of a communications service (e.g. phone, internet, post) but does not include the contents of the communication itself. It is broadly split into 3 categories: “traffic data” i.e. where a communication was made from, to whom and when; “service data” i.e. the use made of the service by any person e.g. itemised telephone records; “subscriber data” i.e. any other information that is held or obtained by a CSP on a person they provide a service to.
Some public authorities have access to all types of communications data e.g. police, ambulance service, HM Revenues and Customs. Local authorities are restricted to subscriber and service use data and even then only where it is required for the purpose of preventing or detecting crime or preventing disorder. For example, a benefit fraud investigator may be able to get access to an alleged fraudster’s mobile telephone bill. As with other RIPA powers, e.g. Directed Surveillance, there are forms to fill out and strict tests of necessity and proportionality to satisfy.
In April, the Interception of Communications Commissioner’s 2013 Annual Report to the Prime Minister was laid before Parliament. (See also the Press Release and Prime Ministerial Statement .) The Prime Minister under Section 57(1) of RIPA 2000 appointed Sir Anthony May in January 2013. His function is to keep under review the interception of communications and the acquisition and disclosure of communications data by intelligence agencies, police forces and other public authorities (including councils). He is required to make an annual report to the Prime Minister with respect to the carrying out of his functions.
The total number of communications data applications approved in 2013 was 514,608. Of these 87.7% were made by police forces and law enforcement agencies. Less than 1% were made by local authorities and ‘other’ public authorities. The latter includes regulatory bodies with statutory functions to investigate criminal offences and smaller bodies with niche functions.
The report shows that despite media headlines, local authorities are very infrequent users of their RIPA communications data powers. 121 local authorities reported never using their powers. 172 reported they did not use their powers in 2013, but have used their powers in previous years. A big reason for councils’ infrequent use of their powers is that, since 1st November 2012, they have had to obtain Magistrates’ approval for even the simplest communications data applications (e.g. mobile subscriber checks). (Read about the changes in detail here.)
The Commissioner also has the power to conduct inspections of public authorities using these powers. In 2013 his office conducted 75 inspections broken down as follows: 43 police force and law enforcement agency, 1 intelligence agency, 17 local authority and 14 ‘other’ public authority inspections.
A typical inspection may include the following:
A review of the action points or recommendations from the previous inspection to check they have been implemented.
An audit of the information supplied by the CSPs detailing the requests that public authorities have made for disclosure of data. This information is compared against the applications held by the SPoC (Single Point of Contact) to verify that the necessary approvals were given to acquire the data.
Examination of individual applications to assess whether they were necessary in the first instance and then whether the requests met the necessity and proportionality requirements.
Scrutinising at least one investigation or operation from start to end to assess whether the communications data strategy and the justifications for acquiring all of the data were proportionate.
Examination of the urgent oral approvals to check the process was justified and used appropriately.
A review of the errors reported or recorded, including checking that the measures put in place to prevent recurrence are sufficient.
Para 4.3 of the report emphasises the important role of the Single Point of Contact (SPoC) in the communications data application process:
“The SPoCs have an essential role to play here in using their experience to challenge the investigative strategy underlying the applications which they oversee.”
Every SPoC must attend a two-day Home Office approved training course and pass an exam. Act Now is one the few training providers still running this course. Our next course is in Manchester in November. Full details on our website: http://www.actnow.org.uk/courses/1074