New RIPA Communications Data Code of Practice

In March 2015 a new Code of Practice for the Acquisition and Disclosure of Communications Data by public authorities, including councils, under Part I Chapter 2 of the Regulation of Investigatory Powers Act 2000(RIPA), came into force.  It contains several policy changes, which will require careful consideration.

The key change is the need to ensure the independence of the Designated Person (DP). This is the person within the public authority who has to be satisfied that acquiring the communications data is necessary and proportionate and who signs off the application. Paragraph 3.12 of the new code states that DPs must be independent from operations and investigations when granting authorisations, or giving notices related to those operations.

This policy change was brought about in response to the European Court of Justice (ECJ) Judgment which struck down the Data Retention Directive (2006/24/EC) as the Directive did not include sufficient safeguards as to why and by whom such data may be accessed. The Judgment noted that the Directive contained no safeguards in relation to access to the retained data, including in relation to the independence of the person authorising access to the retained data.

The new code requires public authorities to satisfy the Interception of Communications Commissioner’s Office (IOCCO) that they have sufficient measures in place to ensure the DP’s independence. IOCCO have set out certain guidelines. In a nutshell, a DP must not be directly responsible for the operation or investigation (i.e. they should not have a strategic or tactical influence on the investigation). He/she should be far enough removed from the applicant’s line management chain which will normally mean they are not within the same department or unit. Applicants should not be able to choose who the DP will be on a case by case basis (save for in urgent circumstances). Finally, there should be a defined group of DPs in an organisation i.e. a recognised list defined by role and/or position.

Public authorities will need to ensure that they have a formal procedure setting out the arrangements in place to ensure independence. This will be examined by IOCCO during their inspection. It will also explore how the DPs are selected to consider applications and will audit compliance with the code.

There are exceptions to the rule of independence of DPs set out in the IOCCO Circular of the 1st June 2015 advising public authorities of the changes. These exceptions mainly relate to urgent authorisations and where very small teams of investigators mean that independence would be difficult. These exceptions will not normally apply to local authorities.

In all circumstances where public authorities use DPs who are not independent from an operation or investigation (save for the exceptions) this must be notified to the IOCCO at the next inspection. The details of the public authorities and the reasons such measures are being undertaken may be published and included in the IOCCO report.

What Should You Do Now?

  1. Prepare for an IOCCO inspection. The Commissioner still inspects councils despite their infrequent use. Read here what a typical inspection involves.
  1. Review your current DP authorisations and procedures. You may need to nominate additional (independent) DPs
  1. Review training for DPs. Paragraph 3.8 of the code says:

“Individuals who undertake the role of a designated person must  have current working knowledge of human rights principles and  legislation, specifically those of necessity and proportionality, and how they apply to the acquisition of communications data under Chapter II and this code.”

Do all your DP’s have this knowledge to undertake their role?

Act Now is offering live and interactive webinars for DPs tailored to your organisation. The webinars last for one hour which include an online test. All participants receive a certificate of completion. Get in touch for a quote.

Author: actnowtraining

Act Now Training is Europe’s leading provider of information governance training with clients including government organisations, local authorities, multi national corporations, financial institutions and corporate law firms. Our associates have decades of information governance experience. We pride ourselves on delivering high quality training that is practical and makes the complex simple. Our extensive programme ranges from short webinars and one day workshops through to higher level practitioner certificate courses delivered online or in the classroom.

One thought on “New RIPA Communications Data Code of Practice”

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: