In March 2015 a new Code of Practice for the Acquisition and Disclosure of Communications Data by public authorities, including councils, under Part I Chapter 2 of the Regulation of Investigatory Powers Act 2000(RIPA), came into force. It contains several policy changes, which will require careful consideration.
The key change is the need to ensure the independence of the Designated Person (DP). This is the person within the public authority who has to be satisfied that acquiring the communications data is necessary and proportionate and who signs off the application. Paragraph 3.12 of the new code states that DPs must be independent from operations and investigations when granting authorisations, or giving notices related to those operations.
This policy change was brought about in response to the European Court of Justice (ECJ) Judgment which struck down the Data Retention Directive (2006/24/EC) as the Directive did not include sufficient safeguards as to why and by whom such data may be accessed. The Judgment noted that the Directive contained no safeguards in relation to access to the retained data, including in relation to the independence of the person authorising access to the retained data.
The new code requires public authorities to satisfy the Interception of Communications Commissioner’s Office (IOCCO) that they have sufficient measures in place to ensure the DP’s independence. IOCCO have set out certain guidelines. In a nutshell, a DP must not be directly responsible for the operation or investigation (i.e. they should not have a strategic or tactical influence on the investigation). He/she should be far enough removed from the applicant’s line management chain which will normally mean they are not within the same department or unit. Applicants should not be able to choose who the DP will be on a case by case basis (save for in urgent circumstances). Finally, there should be a defined group of DPs in an organisation i.e. a recognised list defined by role and/or position.
Public authorities will need to ensure that they have a formal procedure setting out the arrangements in place to ensure independence. This will be examined by IOCCO during their inspection. It will also explore how the DPs are selected to consider applications and will audit compliance with the code.
There are exceptions to the rule of independence of DPs set out in the IOCCO Circular of the 1st June 2015 advising public authorities of the changes. These exceptions mainly relate to urgent authorisations and where very small teams of investigators mean that independence would be difficult. These exceptions will not normally apply to local authorities.
In all circumstances where public authorities use DPs who are not independent from an operation or investigation (save for the exceptions) this must be notified to the IOCCO at the next inspection. The details of the public authorities and the reasons such measures are being undertaken may be published and included in the IOCCO report.
What Should You Do Now?
- Prepare for an IOCCO inspection. The Commissioner still inspects councils despite their infrequent use. Read here what a typical inspection involves.
- Review your current DP authorisations and procedures. You may need to nominate additional (independent) DPs
- Review training for DPs. Paragraph 3.8 of the code says:
“Individuals who undertake the role of a designated person must have current working knowledge of human rights principles and legislation, specifically those of necessity and proportionality, and how they apply to the acquisition of communications data under Chapter II and this code.”
Do all your DP’s have this knowledge to undertake their role?
Act Now is offering live and interactive webinars for DPs tailored to your organisation. The webinars last for one hour which include an online test. All participants receive a certificate of completion. Get in touch for a quote.