Staff Surveillance: It’s a Data Protection Issue

Increasingly affordable surveillance technology means that more and more employers are turning to surveillance to catch errant or work shy employees. But confusion still reigns as to which legislation applies and what can be done lawfully.

If employee surveillance is conducted by a public authority and involves covert techniques or equipment, it is easy to assume that Part 2 of the Regulation of Investigatory Powers Act 2000 (“RIPA”) applies. However, the Investigatory Powers Tribunal has ruled in the past that not all covert surveillance of employees is regulated by RIPA (See C v The Police and the Secretary of State for the Home Department (14th November 2006, No: IPT/03/32/H), discussed in our previous blog post on employee surveillance.)

All employers, whether in the public or the private sector, have to respect their employees’ right to privacy under Article 8 of the European Convention on Human Rights. This means that the surveillance must be carried out in a manner that is in accordance with the law and is necessary and proportionate (see Copland v UK (3rd April 2007 ECHR).

During the course of the surveillance, the employer will inevitably be gathering personal data about employees. Consideration therefore has to be given to the provisions of the Data Protection Act 1998 (DPA). Compliance with the DPA will also help demonstrate that the surveillance is human rights compliant since protection of individuals’ privacy is a cornerstone of the DPA.

The Information Commissioner’s Office’s (ICO) Employment Practices Code, which covers surveillance of employees at work. The code covers all types of employee surveillance from video monitoring and vehicle tracking to email and internet surveillance. Whilst the code is not law, it will be taken into account by the Information Commissioner and the courts whether deciding whether the DPA has been complied with.

In December 2014, Caerphilly County Borough Council signed an undertaking after an ICO investigation found that the Council’s surveillance of an employee , suspected of fraudulently claiming to be sick, had breached the DPA.

The council’s decision to authorise the surveillance was based on anecdotal evidence and was begun only four weeks into the employee’s sickness absence. No other measures were taken to discuss the employee’s absence before the decision to deploy covert surveillance. The surveillance report, which was produced by a private company, was never used. The ICO determined the council did not have sufficient grounds to undertake the surveillance, especially at such an early stage of the employee’s absence.

The council has undertaken that, in future, it will carry out an impact assessment, (as required by the code) in every case of employee surveillance. This will consider whether the adverse impact of the surveillance on the employee(s) is justified by the benefits to the employer and others. Such an impact assessment must also:

  • clearly identify the purpose(s) behind the surveillance and the benefits it is likely to deliver,
  • identify any likely adverse impact of the surveillance,
  • consider alternatives to surveillance or different ways in which it can be carried out
  • take into account the obligations that arise from the surveillance, and
  • judge whether the surveillance is justified.

This assessment is best done in writing using a “Non-RIPA” surveillance form (Our RIPA Policy and Procedures Toolkit contains such a form).

Furthermore the council agreed some general principles which are useful for all employers to note when deciding to conduct covert surveillance of employees:

  • Senior management should authorise any covert monitoring. In doing so they must satisfy themselves that there are grounds for suspecting criminal activity or equivalent malpractice (i.e. serious but non-criminal employee misbehaviour, such as fraudulently claiming sick pay) and that notifying individuals about the monitoring would prejudice its prevention or detection.
  • Such covert monitoring should only be used in exceptional circumstances, as it will be rare for covert monitoring of employees to be justified.
  • Ensure that any covert monitoring is strictly targeted at obtaining evidence within a set timeframe and that the covert monitoring does not continue after the investigation is complete.
  • Do not use covert audio or video monitoring in areas which workers would genuinely and reasonably expect to be private.
  • If a private investigator is employed to collect information on workers covertly make sure there is a contract in place that requires the private investigator to only collect information in a way that satisfies the employer’s obligations under the Act.
  • Check any arrangements for employing private investigators to ensure your contracts with them impose requirements on the investigator to only collect and use information on workers in accordance with your instructions and to keep the information secure.
  • Ensure that information obtained through covert monitoring is used only for the prevention or detection of criminal activity or equivalent malpractice.
  • Disregard and, where feasible, delete other information collected in the course of monitoring unless it reveals information that no employer could reasonably be expected to ignore.

Employee surveillance is a legal minefield. RIPA may not always apply but compliance with the DPA and the Employment Practices Code will ensure that it is human rights compliant and that adverse headlines are avoided.

Act Now can help you get to grips with this difficult area. Please see our full program of surveillance law courses which can also be customised and delivered at your premises.

New Transparency Code for Smaller Authorities

file0001686927828In October 2014 the Department for Communities and Local Government (DCLG), published an updated version of the Local Government Transparency Code . This applies in England only and replaces the previous version. The code requires councils (as well as, amongst others, National Park Authorities, Fire and Waste Authorities and Integrated Transport Authorities) to proactively publish certain categories information (in Part 2 of the code) whilst also recommending that they go beyond the minimum (in part 3 of the code). Read more about the code here.

But what of smaller public authorities and parish councils? On 10th March 2014 the Government launched a consultation on a draft transparency code for such organisations, which will act as a substitute for routine external audit.

On 17th December 2014 the DCLG finally published the Transparency Code for Smaller Authorities. This code applies to the following types of authorities with an annual turnover not exceeding £25,000:

  • parish councils
  • internal drainage boards
  • charter trustees
  • port health authorities

This code is issued to meet “the government’s desire to place more power into citizens’ hands to increase democratic accountability.” However it is published initially as recommended practice, although the Secretary of State told Parliament on 17th December that he intends to make the code mandatory by the start of the 2015 financial year.

The Local Audit and Accountability Act 2014 sets out a new audit framework for public authorities which are currently covered by the Audit Commission regime. Under this new framework smaller authorities will be exempt from routine external audit. In place of routine audit, they will be subject to the new transparency requirements laid out in this code. This will enable local electors and ratepayers to access relevant information about the authorities’ accounts and governance.

Part 2 of the code sets out the information to be published:

  1. all items of expenditure above £100 (see paragraphs 13 – 15);
  2. end of year accounts (see paragraphs 16 and 17),
  3. annual governance statement (see paragraphs 18and 19),
  4. internal audit report (see paragraphs 20 – 22),
  5. list of councillor or member responsibilities (see paragraph 23)
  6. the details of public land and building assets (see paragraphs 24 – 27)
  7. Minutes, agendas and meeting papers of formal meetings (see paragraphs 29 and 30)

The code states that the information specified must be published on a website which is publicly accessible and free of charge. This could be on the authority’s own website or that of the billing authority in its area (district or London borough or unitary council).

Ibrahim Hasan will be discussing both transparency codes in his forthcoming live and interactive one-hour web seminar.

The New RIPA Surveillance Codes: Key Changes

By Sam Lincoln (Chief Surveillance Inspector 2006 – 2013)

Featured imageRecently Ibrahim Hasan alerted you to the revisions of the two codes of practice underPart 2 of the Regulation of Investigatory Powers Act 2000 (RIPA) published on 10th December 2014. Ibrahim urged you to read them but I suspect that it wasn’t at the top of your ‘to do’ list over Christmas! So I’ve done the donkey work for you.

A cursory examination suggests that the revised codes simply implement the amendments to RIPA resulting from the legislation enacted since the last codes were published namely: the Regulation of Investigatory Powers (Extension of Authorisation Provisions: Legal Consultations) Order 2010; to the Protection of Freedoms Act 2012; and the Regulation of Investigatory Powers (Covert Human Intelligence Sources: Relevant Sources) Order 2013. But there are some interesting and important changes.

I approach the subject by addressing each of the two codes. Before I do, it’s worth saying that I compared the existing 2010 codes with the draft codes obtained from the Home Office website available at the time of writing. It may be worth checking to see if further amendments were made before publication. I ignore the frequent amendment resulting from changes to the names or amalgamation of public authorities (for example the formation of Police Scotland and the creation of the National Crime Agency).

If you are a member of a local authority, please don’t persuade yourself that the CHIS Code doesn’t apply to your authority. I think you’ll find that it does!

Covert Surveillance and Property Interference Code

Let’s begin with the Covert Surveillance and Property Interference Code. It might be worth having a copy (printed or online) handy as I’ll refer to relevant paragraph numbers in square brackets ([]):

[2.18] The first sentence is amended to account for the fact that some legal consultations which might otherwise be Directed Surveillance are now to be authorised as Intrusive Surveillance.

[2.24] Examples 3 and 4 have been amended. I am particularly uncomfortable with the amendment to Example 4 which relegates the requirement for an authorisation from “should be sought” to “should … be considered”. The inference is that planned covert surveillance of an individual suspected of shoplifting depends on the public authority deciding whether the individual has a reasonable expectation of privacy. Assessing what is reasonable and what is assumed by another person is open to challenge. It is because examples can mislead that the Office of Surveillance Commissioners (OSC), during my tenure, advised against the inclusion of examples. For this reason it’s vital that applicants and authorising officers note [1.7].

[2.27] This paragraph has been expanded to include guidance provided by the Surveillance Camera Code of Practice pursuant to the Protection of Freedoms Act. (More on CCTV here)

[2.29] This new paragraph provides important guidance regarding the need to consider whether an authorisation for either Directed Surveillance or a CHIS is required when using the Internet. As usual, it lacks the clarity usually sought by practitioners but it is clear that prior consideration should be given to the need for authorisation; it’s not acceptable to ignore this advice and I urge Senior Responsible Officers to ensure that they alert all public authority staff to its implications.

[2.30] The third bullet point of this paragraph is amended to differentiate between non-verbal and verbal noise.

[3.7] The original examples 2 and 3 are deleted. I suspect that the cause is that neither could be protected by a RIPA authorisation as a result of the 2010 Order. But then again, nor does Example 1!

[3.18] This is a new paragraph and covers the use of third party individuals or organisations (for example private investigators and internet researchers). They are acting as agents of the public authority and the need for relevant authorisation must not be ignored.

[3.22] The deletion of reference to Scottish public authorities suggests that there is no collaboration agreement with any public authorities in Scotland.

[3.30 – 3.33] These new paragraphs cover the changes to local authority authorisations of Directed Surveillance resulting from the Protection of Freedoms Act 2012. (More on the changes here)

[3.35] This paragraph amends the requirement for elected members to consider internal reports submitted on a ‘regular basis’ rather than at least quarterly. I’m personally disappointed that there’s no restriction on the detail of authorisations that elected members are entitled to see to prevent inadvertent compromise.

[4.1] The fourth sentence is amended slightly for grammatical effect it seems. The definition of a Member of Parliament is deleted and placed in the glossary at the back of the code.

[5.18] I recall that the OSC advised that there is no ‘legal’ requirement for any further details to be recorded and would have preferred the code to be more assertive. It’s disappointing that this advice is ignored.

[5.20] It isn’t clear why all of the footnotes relating to this paragraph are deleted.

[6.2] Is amended to include directed surveillance.

[7.8] This paragraph isn’t amended despite, to my knowledge, earlier criticism of the accuracy of its first sentence by the OSC. I am not a lawyer but, if I recall accurately, neither loss nor damage is necessary for there to be property interference. Subsequent analysis of a sample isn’t, of itself, surveillance; it’s the obtaining of the sample itself which may need authorisation.

[8.1] An additional sentence is added directing local authorities to the website for further guidance on the recording of magistrates’ decisions.

[8.2] A final bullet is included requiring local authorities to retain a copy of the Magistrates’ approval order in a centrally retrievable form. (more on the Magistrates’ approval process here)

[8.4] This is a new paragraph advising that it is desirable that relevant records should be retained, if possible, for up to five years.

CHIS Code of Practice

Let me turn now to the revised CHIS Code of Practice.

[2.4] This alerts the reader to the renaming of CHIS previously known as undercover officers to ‘relevant source’. Not a particularly helpful title. Contrary to this paragraph, not all references to undercover officers are amended in this revision of the Code.

[2.12] The final sentence of this paragraph is an important amendment. It alerts public authorities to the fact that the existence of a CHIS is not a choice for a public authority. Whether to authorise the use and conduct of a CHIS is a choice of course, but in my experience too often public authorities wished the problem away. In short, all public authorities must acknowledge that a CHIS may appear at any time and must have procedures in place to manage them in accordance with the law.

[2.14] This new paragraph obliges ‘relevant sources’ to comply with the College of Policing Code of Ethics.

[2.15] This is a new paragraph obliging the authorisation of activity known as ‘legend building’.

[2.16] This seems an unnecessary paragraph considering that types of human sources falling outside the CHIS definition are provided specific attention.

[2.17] This new paragraph introduces the concept of a public volunteer (with examples) in addition to the previously existing concept of a human source with a professional or statutory duty.

[3.12] This paragraph is amended in recognition that the 2013 Order introduced enhanced arrangements.

[3.22] The amendment to this paragraph emphasises that the enhanced arrangement for relevant sources relies on accurate recording of the length of deployment of each relevant source.

[3.26 – 3.27] This new section is specific to the use of CHIS by local authorities and the approval by magistrates. It highlights differences between authorities in England and Wales, Scotland, and Northern Ireland. Similar direction is provided to the need for elected member review but, as I was disappointed with the direction in the other Code, I believe that there is benefit in restricting the detail available to elected members in relation to the use and conduct of a CHIS to prevent compromise.

[4.3] This reminds the reader that ‘relevant sources’ are subject to enhanced arrangements when accessing legally privileged and other confidential information.

[4.31] There is an addition to cover the engagement of a member of a foreign law enforcement agency.

[4.32] The is an important new paragraph covering the considerations necessary to authorise the use and conduct of a CHIS for some online covert activity. It should be read in conjunction with [2.29] of the Covert Surveillance and Property Interference Code of Practice.

[5.10] This new paragraph clarifies the enhanced arrangements for relevant sources.

[5.15] Two sentences are added to this paragraph. The first states that local authorities are no longer able to orally authorise the use of RIPA techniques. The second relates to out of hours arrangements.

[5.16] An amendment to this paragraph introduces additional information to include at review; namely the information obtained from a CHIS and the reasons why executive action is not possible if that is the case (my italics are an addition).

[5.21 and 5.22 – 5.26] These new paragraphs relate to enhanced arrangements for the use and conduct of relevant sources. They provide detail regarding timings and, importantly, the calculation of total or accrued deployment or cumulative authorisation periods.

[5.29] An additional sentence requires an authorising officer to satisfy themselves that all welfare issues are addressed at the time of CHIS cancellation.

[5.30 – 5.31] These new paragraphs relate to the refusal of an Ordinary Surveillance Commissioner to approve a long term authorisation. Importantly, it obliges public authorities to plan for the safe extraction of a relevant source if an authorisation is refused.

[6.6] The addition of a final sentence recognises concerns raised by the OSC in relation to traditional police appointments and their responsibilities as defined by RIPA.

[7.3] Similar to [8.4] of the Covert Surveillance and Property Interference Code revision, this new paragraph (and amendment of [7.1] and [7.6]) recommends that relevant RIPA records should be retained for five years if possible.

[7.6] The addition of a bullet point requires that the decision of an Ordinary Surveillance Commissioner should be retained.

There is one other point I would like to make about the CHIS Code; there is no reference to the fact that the Protection of Freedoms Act 2012 did not restrict the use or conduct of a CHIS to the prevention or detection of crimes not attracting a six month sentence as it did for other types of covert surveillance.

What should you do now?

If you’ve got this far without falling asleep, you are obviously a person who takes RIPA seriously! It would be very helpful therefore if you ensure that your Senior Responsible Officer and all authorising officers are alerted to these amendments. I’m sure the OSC will check that policies are amended accordingly and that extant codes of practice are available and understood.

Copy this article by all means but please have the courtesy to accredit it properly!!

Sam Lincoln was formerly Chief Surveillance Inspector with the Office of Surveillance Commissioners for seven years. Please get in touch if you would like Sam to help you prepare for an OSC inspection by delivering customised training at your premises. We also have a full program of RIPA workshops in 2015 where we will examine the new codes in detail:



Looking for an e-learning solution for your RIPA training needs?


%d bloggers like this: