Data Protection Act s28(3) form "agreed by ACPO and the ISP industry"

Duncan Campbell duncan at gn.apc.org
Fri, 18 Sep 1998 14:03:33 +0100


The document following is the proposed form which was seen being discussed on
Channel 4 News on Wednesday and which the police wish to standardise for
obtaining data from ISPs without a court order or warrant. It is different to
the forms which they have been using in the recent past, in that this form has
had significant recent input from the Data Protection Registrar's Office. I'm
posting it to the list for the sake of discussion and comment.

Duncan Campbell 

Data Protection Act s28(3) form

Agreed by ACPO and the ISP industry

Introduction

ACPO and the ISP industry have been working together to produce a standardised
form for requests for data under section 28(3) of the Data Protection Act
1984.   This note is divided into four parts:

1. This introduction.

2.  The form itself. This has been cast as an HTML form, which will look a
little different from the printed form that will also be distributed.

3. The short-form notes to be printed on the back of the form.

4. The long-form guidance material to be provided to police forces and ISPs.

---------------------------------------------------------------------------

REQUEST FOR DISCLOSURE OF PERSONAL DATA

Under section 28(3) of the Data Protection Act 1984 c.35

To: [note 1] ISP reference: [note 2]

Please provide the data concerning the following subject [note 3]:

Please provide the following information:

Name and address

Account name or number

Other (specify): [note 4]

Offence being investigated:

Reason that the information is necessary [note 5]:

I certify that completing the above section would itself prejudice the
prevention or detection of crime [note 6].

__ pages of further information [note 7] are attached.

I certify that the data is required for the prevention or detection of crime
or for the apprehension or prosecution of offenders, and that failure to
disclose the data would be likely to prejudice these matters.

The requested data are required for case reference [note 8] but may be used
for any other investigation for which the above declaration applies.

I understand that if any information on this form is omitted or wrong I may be
committing an offence under section 5(6) of the Data Protection Act.

Signed: Date: Name and number: Rank:

Authorised: Date: Name and number: Rank:

This application must be authorised by a person who is senior to the
requesting officer, and of a rank no lower than Inspector. See note 9.

---------------------------------------------------------------------------

NOTES


REQUEST FOR DISCLOSURE OF PERSONAL DATA

Under section 28(3) of the Data Protection Act 1984 c.35

Note 1: give the company name here, and any particular contact name on the
covering letter or fax.

Note 2: this space is reserved for the information provider.

Note 3: give here the identifying information that you have available. It will
be assumed that you want information on all accounts matching that
information.

* If specifying an IP address, you must attach an explanation why an IP
address is being specified.

* If specifying a URL, a printout of the page should be attached to the
request (if possible) to enable the ISP to confirm the URL is correct.

Note 4: state here what specific information is being requested and why. Do
not ask for "all information known about the account" or something similar.
If in doubt, discuss the matter with the ISP's contact before making the
request.

Note 5: give here enough information that the recipient can make a decision
whether to disclose in accordance with your declaration.

Note 6: if this applies, tick the box to the left and leave the previous
section blank.

Note 7: tick this if you have attached any information mentioned in these
notes, or any other material that the ISP may find useful for processing the
request. Show how many pages have been attached, number those pages, and place
the case reference (see note 8) on each page.

Note 8: give here a case number, file number, case name, or any other
reference that identifies the investigation being made. It is not necessary
to specify the details of the case or any other names.

Note 9: the authorising officer must be senior to the requesting officer and
of the rank of Inspector or above. You must give full details of both
officers.

---------------------------------------------------------------------------

GUIDANCE ON USE OF THE FORM


REQUEST FOR DISCLOSURE OF PERSONAL DATA

Under section 28(3) of the Data Protection Act 1984 c.35

This form has been designed by a committee representing both Police forces and
Internet Service Providers and meeting under the auspices of ACPO. This
committee aimed to produce a single form that would be recognised by all ISPs
and contained precisely the information they needed. Police forces are
therefore requested to use the form exactly as provided except of course for
replacing the Force name, logo, and details with their own and possibly
modifying the notes on the back to refer to their specific procedures. Use of
this form will allow ISPs to streamline the handling of requests for personal
data.

Section 28(3) of the Data Protection Act gives ISPs the authority to release
personal data to the police provided that certain criteria are met; in
addition, the Data Protection Registrar has placed further interpretations on
the Act. Failure to meet these criteria could mean that the ISP, the
requesting officer, or both are committing a criminal offence. For these
reasons the form must be completed properly and the wording must not be
changed.

Note 1

The form should be addressed to the ISP as a company, and not to a specific
person or department. The form would normally be sent with a covering letter
or fax, and that can of course be addressed more specifically.

Note 2

This space is reserved for the ISP to use. If you have contacted the ISP ahead
of time they may provide you with a reference to place there. Otherwise leave
it blank. If you contact the ISP again about this request you should quote
that reference.

Note 3

There tend to be two kinds of request:

1. A "real world" datum - such as a name, address, or telephone number - is
known and the requesting officer has reason to believe the subject has an
account with the ISP and wishes to identify that account.

+ If a name is given, the ISP will search for accounts held in that name.
Unless the name is an unusual one, other information such as an address or
telephone number will probably be necessary. Section 28(3) may not be used for
"trawling" ISP records, and the ISP should refuse to give details if more than
about four unrelated accounts match the data given.

+ If an address or telephone number is given, the ISP will search for accounts
where the customer's records include that address or telephone number.
Officers should be aware that not all ISPs are able to search by address or
by telephone number.

2. A "cyberspace" datum - such as email address, account name, or web page URL
- is known and the requesting officer is attempting to identify the person
behind that identifier.

+ If an email address is given, the ISP will provide details of the account
that has that address. In general an email address looks like fred@xxx.com and
will always include an @ sign. An email address will sometimes have the format
Fred Bloggs <fred@xxx.com> where there is a "comment" associated with the
address. This comment is created by the person sending the email and so need
bear no resemblance to the actual account holder's name. Therefore the
complete email address should always be quoted. It is easy to forge email
addresses in many contexts, and therefore the complete message or posting
that is being used as a source of information - including any header lines -
should be attached to the request.

+ If an IP address is given, an explanation of why this is provided must be
attached. If the date and time that the address was used is known, this should
be included as well. Some ISPs allocate IP addresses from a central pool, and
so the address alone does not identify an account because it would have been
used by many different accounts.

+ If a web URL is provided the ISP will provide details of the account
operating the relevant web site or part of the site. A URL is the "address" of
a web page, and typically looks like http://www.xxx.com/abc/def.html - it will
be displayed by a web browser when viewing the page. Whenever possible a
printout of the page should be included with the form to allow the ISP to
confirm that the correct page is being viewed.

Some web sites use a technique called "frames", where two or more pages are
displayed on the screen at the same time. When this happens the URL displayed
by the browser will be that of one of the pages and does not identify the
other pages (which could be part of a different site). In this case the
actions taken to reach the page should be described and a printout must be
attached, annotated to indicate which specific page is of interest.

Note 4

If other information is required, it should be specified here and an
explanation of why it is needed should be attached to the form. It is not
acceptable to request "all information known about the account". Not all ISPs
may be able to provide certain kinds of information conveniently or even at
all, and some data may only be held for a certain length of time. If in doubt,
the specifics of the situation should be discussed informally with the ISP
before making the request; it may be possible to identify some item of data
that meets the Police requirement while being convenient for the ISP to
provide.

Note 5

Give here enough information that the recipient can make a decision whether
to disclose in accordance with your declaration. This information must relate
to the specific case that is being investigated, and a clear explanation must
be given as to why you need this information and why you will be hindered if
it is not provided.

Note 6

There are some rare situations where such an explanation would itself
prejudice the case (for example, where you have evidence pointing at an
unknown member of the ISP's staff) and in these cases you can tick this and
leave the previous section blank.

Note 7

The requesting officer should attach any relevant items mentioned in this
guidance, and any other material that the ISP might find useful for processing
the request. The attachments should be numbered and carry the case reference
given on the form (see note 8). The ISP can only make use of material attached
in this way when determining whether or not to respond to the request.

If any information is attached, the box on the form must be ticked and the
number of pages given.

Note 8

The requesting officer should specify the case number, file number, case name,
or any other reference that identifies the investigation being made. It is
possible that the ISP will need to contact the Force making the request months
or even years later, and it is essential that the specific case can be
identified without needing to contact the original requesting officer.
Individual Police forces will have their own policies for this identifier, and
it need not be meaningful to the ISP (except that it should be clear when
several requests relate to the same investigation).

The Data Protection Act only allows release of information where both the
information is required for one of the purposes listed and failure to disclose
the data would be likely to prejudice the matter. This form must not be used
where the only purpose is to confirm known facts, for general intelligence, or
for administrative reasons.

Note 9

The ISP is only permitted to reveal personal data if they are reasonably
convinced that the two conditions mentioned above are true, and the Data
Protection Registrar has issued guidance concerning statements from Police
officers. To protect both the ISPs and the requesting officer from
inadvertently breaching the Act, it has been agreed that the ISP will refuse
this request if 

o the form has not been signed by both requesting officer and authorising
officer and their full details given, or 

o the authorising officer is not of a rank senior to that of the requesting
officer, or 

o the authorising officer is below the rank of Inspector.

The requesting and authorising officers should be aware that they are each
making a statement that the two conditions are true, and that obtaining
personal data under false pretences may be a criminal offence.
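
Note 3's point that a pooled IP address alone does not identify an account, shown as an added example (not part of the ACPO form or guidance). The session-record layout, the account names and the helpers `accounts_for_ip` and `accounts_at` are assumptions made for illustration, and the records are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of dial-up session records kept by a hypothetical ISP:
# (account, IP leased from the pool, session start, session end), times in UTC.
SESSIONS = [
    ("acct-1001", "192.0.2.17", "1998-09-14T18:02:11", "1998-09-14T18:47:40"),
    ("acct-2040", "192.0.2.17", "1998-09-14T18:49:03", "1998-09-14T21:15:00"),
    ("acct-3112", "192.0.2.17", "1998-09-15T07:30:00", "1998-09-15T07:55:12"),
    ("acct-1001", "192.0.2.44", "1998-09-15T09:00:00", "1998-09-15T09:20:00"),
]


def _utc(text):
    """Parse a stored record timestamp, which this sample keeps in UTC."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


def accounts_for_ip(ip, sessions=SESSIONS):
    """Every account that ever held the address: what an IP-only request matches."""
    return {acct for acct, sip, _, _ in sessions if sip == ip}


def accounts_at(ip, when, skew=timedelta(0), sessions=SESSIONS):
    """Accounts whose session on `ip` overlaps `when`, widened by clock skew.

    `when` must carry a timezone: a time copied from a mail header or server
    log may be in local time (BST in September 1998), not the ISP's UTC.
    """
    if when.tzinfo is None:
        raise ValueError("timestamp needs an explicit timezone")
    lo, hi = when - skew, when + skew
    return [
        acct
        for acct, sip, start, end in sessions
        if sip == ip and _utc(start) <= hi and _utc(end) >= lo
    ]


if __name__ == "__main__":
    bst = timezone(timedelta(hours=1))
    print(sorted(accounts_for_ip("192.0.2.17")))
    print(accounts_at("192.0.2.17", datetime(1998, 9, 14, 19, 30, tzinfo=bst)))
```

More than one account returned by `accounts_at` means the quoted time falls too close to a lease change to single out an account on the address and time alone.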