ZDNet UK 26/10/2001: "Home Office admits data retention plans"
Caspar Bowden
cb at fipr.org
Mon, 29 Oct 2001 20:42:12 -0000
> Roland Perry
...
> >Hmm. Since the CoP currently in draft explicitly refers to "bulk"
> >requests to data, on "groups" as well as individuals, what is your
> >undertstanding of "case by case" ? Does it refer to any current
> >legislation or Code, or is it just more Queen Anne's Gate flummery ?
>
> You'll have to tell me which CoP that is.
-----Original Message-----
From: Caspar Bowden [mailto:cb@fipr.org]
Sent: 29 October 2001 16:20
Subject: FIPR Release 16/10/2001: EMERGENCY POWERS ALLOW
MASS-SURVEILLANCE FOR NON-TERRORIST INVESTIGATIONS
...
6. Regulation of Investigatory Powers Act 2000, Part.1 Chapter.2...is
not yet in force and the relevant Code of Practice is open for
consultation until November 2nd
(http://www.homeoffice.gov.uk/ripa/consultintro.htm)
http://www.homeoffice.gov.uk/ripa/pcdcpc.htm
Accessing Communications Data Draft Code Of Practice
------------------------------------------------------------------------
--------
Pursuant to Section 71 of the Regulation of Investigatory Powers Act
2000
This is a draft code published under section 71(3)(a) of the Regulation
of Investigatory Powers Act 2000 and laid before both Houses of
Parliament.
------------------------------------------------------------------------
--------
CONTENTS
1. Introduction
2. General
3. Designated persons within relevant public authorities permitted to
access communications data under the Act
4. Purposes for which communications data may be sought
5. Authorisations and notices
(a) Single points of contact within relevant public authorities
(b) Applications to obtain communications data under the Act
(c) Considerations for designated person
(d) Content of an authorisation
(e) Content of a notice
(f) Oral authority (urgent cases)
(g) Disclosure of data
6. Validity of authorisations and notices
(a) Duration
(b) Renewal
(c) Cancellation
7. Retention of records by public authorities
(a) Errors
(b) Data protection safeguards
8. Oversight
9. Complaints
Annex A Specimen section 22(4) notice
Footnotes appear at the end of the chapter.
------------------------------------------------------------------------
--------
Introduction
1.1 This code of practice relates to the powers and duties conferred or
imposed under Chapter II of Part I of the Regulation of Investigatory
Powers Act 2000 ("the Act"). It provides guidance on the procedures that
must be followed before access to communications data can take place
under those provisions.
1.2 The code should be readily available to any members of a public
authority who are involved in operations to access communications data.
1.3 The Act provides that the code is admissible in evidence in criminal
and civil proceedings. If any provision of the code appears relevant to
a question before any court or tribunal hearing any such proceedings, or
to the Tribunal established under the Act, or to one of the
Commissioners responsible for overseeing the powers conferred by the
Act, it must be taken into account.
1.4 This code applies to relevant public authorities as described in
Chapter II of Part I of the Act (see para 3.1 below).
1.5 This code does not cover conduct consisting in the interception of
communications (contents of a communication).
1.6 This code extends to England, Wales, Scotland and Northern Ireland.
------------------------------------------------------------------------
--------
General
2.1 The code covers any conduct in relation to a postal service or
telecommunication system for obtaining communications data and the
disclosure to any person of such data. For these purposes,
communications data includes information relating to the use of a postal
service or telecommunication system but does not include the contents of
the communication itself, contents of e-mails or interactions with
websites. In this code "data", in relation to a postal item, means
anything written on the outside of the item.
2.2 A person who engages in such conduct must be properly authorised and
must act in accordance with that authority.
2.3 A test of necessity (see paras 4.1-4.3 below) must be met before any
communications data is obtained. The assessment of necessity is one made
by a designated person. (This is a person designated for the purposes of
Chapter II of Part I of the Act (see para 3.2 below). A designated
person has a number of obligations within the provisions of the Act
which must be met before communications data is obtained. These are also
laid out in this code). A designated person must not only consider it
necessary to obtain the communications data but must also consider the
conduct involved in obtaining the communications data to be
proportionate (see para 4.4 below) to what it is sought to achieve.
------------------------------------------------------------------------
--------
Designated persons within relevant public authorities permitted to
access communications data under the Act
3.1 Designated persons within the following "relevant public
authorities"1 are permitted under the Act to grant authorisations or
serve notices2, the two routes by which the Act allows communications
data to be accessed (see further para 5.1 below):
a police force (as defined in section 81(1) of the Act);
the National Criminal Intelligence Service;
the National Crime Squad;
HM Customs and Excise;
the Inland Revenue;
the Security Service;
the Secret Intelligence Service;
the Government Communications Headquarters.
3.2 The appropriate level of official i.e. a designated person within
each public authority for granting authorisations or giving notices will
be as follows:
to obtain any communications data defined by section 21(4) of the Act a
minimum of Superintendent or equivalent;
to obtain communications data defined by section 21(4)(c) only of the
Act (such as account and subscriber information), a minimum of Inspector
or equivalent.)
1 The Act permits the Secretary of State to add further public
authorities to this list by means of an Order subject to the affirmative
resolution procedure in Parliament.
2 The Secretary of State may by Order place restrictions on:
the authorisations or notices that may be granted or given by designated
persons; and
the circumstances in which, or purposes for which, authorisations or
notices may be granted or given.
Relevant public authorities authorised to access communications data
from the list in Chapter II of Part I of the Act may be removed, if
deemed appropriate, by Order of the Secretary of State.
------------------------------------------------------------------------
--------
Purposes for which communications data may be sought
4.1 Under section 22(2) of the Act, communications data may be sought if
a designated person believes it is necessary for one or more of the
following purposes3:
in the interests of national security;
for the purpose of preventing or detecting crime or of preventing
disorder;
in the interests of the economic well-being of the United Kingdom (see
para 4.2 below);
in the interests of public safety;
for the purpose of protecting public health;
for the purpose of assessing or collecting any tax, duty, levy or other
imposition, contribution or charge payable to a government department;
for the purpose, in an emergency, of preventing death or injury or any
damage to a person's physical or mental health, or of mitigating any
injury or damage to a person's physical or mental health.
4.2 In exercising his power to grant an authorisation or give a notice
in the interests of the economic well-being of the United Kingdom (as
provided for by section 22(2)(c)) of the Act, a designated person will
consider whether the economic well-being of the United Kingdom which it
is in the interests of is, on the facts of each case, related to State
security. The term "State security", which is used in Directive 97/66/EC
(concerning the processing of personal data and the protection of
privacy in the telecommunications sector), should be interpreted in the
same way as the term "national security" which is used elsewhere in the
Act and this code. A designated person will not grant an authorisation
or give a notice on section 22(2)(c) grounds if this link is not
established. Any application for an authorisation or a notice on section
22(2)(c) grounds should therefore explain how, in the applicant's view,
the economic well-being of the United Kingdom which it is in the
interests of is related to State security on the facts of the case.
4.3 For an action to be necessary in a democratic society the access to
communications data must pursue a legitimate aim as listed in para 4.1;
fulfil a pressing social need and be proportionate to that aim.
4.4 Under section 22(5) of the Act, a designated person must also
consider the conduct involved in obtaining the communications data to be
proportionate. Proportionality is a crucial concept. In both the Act and
this code reference is made to the conduct being proportionate. This
means that even if a particular case which interferes with a Convention
right4 is aimed at pursuing a legitimate aim (as listed in para 4.1
above) this will not justify the interference if the means used to
achieve the aim are excessive in the circumstances. Any interference
with a Convention right should be carefully designed to meet the
objective in question and must not be arbitrary or unfair. Even taking
all these considerations into account, in a particular case an
interference may still not be justified because the impact on the
individual or group is too severe.
3 The Act permits the Secretary of State to add further purposes to this
list by means of an Order subject to the affirmative resolution
procedure in Parliament.
4 European Convention on Human Rights (ECHR).
------------------------------------------------------------------------
--------
Authorisations and notices
5.1 The Act provides two different ways of authorising access to
communications data; through an authorisation under section 22(3) and by
a notice under section 22(4). An authorisation would allow the relevant
public authority to collect or retrieve the data itself. A notice is
given to a postal or telecommunications operator and requires that
operator to collect or retrieve the data and provide it to the public
authority which served the notice. A designated person decides whether
or not an authorisation should be granted or a notice given.
5.2 In order to illustrate, a section 22(3) authorisation may be
appropriate where:
the postal or telecommunications operator is not capable of collecting
or retrieving the communications data5;
it is believed the investigation may be prejudiced if the postal or
telecommunications operator is asked to collect the data itself;
there is a prior agreement in place between the relevant public
authority and the postal or telecommunications operator as to the
appropriate mechanisms for the disclosure of communications data.
5.3 Applications for communications data may only be made by persons in
the same public authority as a designated person.
(a) Single points of contact within relevant public authorities
5.4 Notices and where appropriate authorisations for communications data
should be channelled through single points of contact within each public
authority (unless the exemption in paras 5.13-5.14 applies). This will
provide for an efficient regime, since the single points of contact will
deal with the postal or telecommunications operator on a regular basis.
It will also help the public authority to regulate itself. This will
assist in reducing the burden on the postal or telecommunications
operator by such requests. Single points of contact will be able to
advise a designated person on whether an authorisation or a notice is
appropriate.
5.5 Single points of contact should be in a position to:
where appropriate, assess whether access to communications data is
reasonably practical for the postal or telecommunications operator;
advise applicants and designated persons on the practicalities of
accessing different types of communications data from different postal
or telecommunications operators;
advise applicants and designated persons on whether communications data
falls under section 21(4)(a), (b) or (c) of the Act;
provide safeguards for authentication;
assess any cost and resource implications to both the public authority
and the postal or telecommunications operator.
(b) Applications to obtain communications data under the Act
5.6 The application form is subject to inspection by the Commissioner
and both applicant and designated person may be required to justify
their decisions. Applications to obtain communications data under the
Act should be made on a standard form (paper or electronic) which must
be retained by the public authority (see section 7 of this code) and
which should contain the following minimum information:
the name (or designation) of the officer requesting the communications
data;
the operation and person (if known) to which the requested data relates;
a description, in as much detail as possible, of the communications data
requested (there will also be a need to identify whether it is
communications data under section 21(4)(a), (b) or (c) of the Act);
the reason why obtaining the requested data is considered to be
necessary for one or more of the purposes in paragraph 4.1 above (the
relevant purpose also needs to be identified);
an explanation of why obtaining the data constitutes conduct
proportionate to what it seeks to achieve;
where appropriate, a consideration of collateral intrusion, the extent
to which the privacy of others may be affected and why that intrusion is
justified; and
the timescale within which the communications data is required. Where
the timescale within which the material is required is any greater than
routine, the reasoning for this to be included.
5.7 The application form should subsequently record whether access to
communications data was approved or denied, by whom and the date.
Alternatively, the application form can be marked with a cross-reference
to the relevant authorisation or notice.
(c) Considerations for designated person
5.8 A designated person must take account of the following points, so
that he is in a position to justify decisions made:
whether the case justifies the accessing of communications data for one
or more of the purposes listed in paragraph 4.1 above, and why obtaining
the data is necessary for that purpose;
whether obtaining access to the data by the conduct authorised by the
authorisation, or required of the postal or telecommunications operator
in the case of a notice, is proportionate to what is sought to be
achieved. (A designated person needs to have in mind the conduct which
he is authorising or requiring in each case. In making a judgement as to
proportionality, a designated person needs to have in mind whether he is
granting an authorisation or issuing a notice, and also what the scope
of the conduct is. For example, where the conduct covers the provision
of ongoing communications data);
where appropriate, where accessing the communications data is likely to
result in collateral intrusion, whether the circumstances of the case
still justify that access; and
whether any urgent timescale is justified.
(d) Content of an authorisation
5.9 An authorisation itself can only authorise conduct to which Chapter
II of Part I of the Act applies. A designated person will make a
decision whether to grant an authorisation based upon the application
which is made. The application form and the authorisation itself is not
served upon the holder of communications data. The authorisation should
be in a standard format (written or electronic) which must be retained
by the public authority (see section 7 of this code) and must contain
the following information:
a description of the conduct to which Chapter II of Part I of the Act
applies that is authorised;
a description of the required communications data;
for which of the purposes in paragraph 4.1 above the data is required;
and
the name (or designation) and office, rank or position of the designated
person.
5.10 The authorisation should also contain:
a unique reference number.
(e) Content of a notice
5.11 A designated person will make a decision whether to issue a notice
based upon the application which is made. The application form is not
served upon the holder of communications data. The notice that they
receive contains only enough information to allow them to fulfil their
duties under the Act. The notice served upon the holder of the
communications data should be in a standard format (written or
electronic) which must be retained by the public authority (see section
7 of this code) and must contain the following information:
a description of the required communications data;
for which of the purposes in paragraph 4.1 above the data is required;
the name (or designation) and office, rank or position of the designated
person; and
the manner in which the data should be disclosed.
5.12 The notice should also contain:
a unique reference number;
where appropriate, an indication of any urgency;
a statement stating that data is sought under the provisions of Chapter
II of Part I of the Act. i.e. an explanation that compliance with this
notice is a legal requirement; and
contact details so that the veracity of the notice may be checked.
[A specimen copy of a notice can be found at annex A to this code].
(f) Oral authority (urgent cases)
5.13 An application for communications data may only be made and
approved orally, on an urgent basis, where it is necessary to obtain
communications data for the purpose set out in section 22(2)(g) of the
Act6:
"for the purpose, in an emergency, of preventing death or injury or any
damage to a person's physical or mental health, or of mitigating any
injury or damage to a person's physical or mental health".
5.14 The fact of an oral application and approval must be recorded by
the applicant and designated person at the time or as soon as possible.
In this case, an authorisation under section 22(3) of the Act must be
completed (in a written or electronic format) very shortly thereafter.
In the case of a notice under section 22(4) of the Act, a designated
person may make an oral request to a postal or telecommunications
operator to disclose communications data which must be followed by a
(written or electronic) notice to the postal or telecommunications
operator very shortly thereafter. A section 22(4) notice may be issued
directly to the postal or telecommunications operator, therefore
relaxing the need to do so via a single point of contact.
(g) Disclosure of data
5.15 Notices under section 22(4) of the Act will only require the
disclosure of data to:
the person giving the notice i.e. the designated person; or
to another specified person who must be from the same relevant public
authority. In practice, this is likely to be the single points of
contact.
5 Where possible, this assessment will be based upon information
provided by the relevant postal or telecommunications operator.
6 To give effect to Article 2 (right to life) of the European Convention
on Human Rights (ECHR).
------------------------------------------------------------------------
--------
Validity of authorisations and notices
(a) Duration
6.1 Authorisations and notices will only be valid for one month. This
period will begin when the authorisation is granted or the notice given.
A designated person should specify a shorter period if that is satisfied
by the request, since this may go to the proportionality requirements.
For 'future' communications data disclosure may only be required of data
obtained by the postal or telecommunications operator within this period
i.e. up to one month. For 'historical' communications data disclosure
may only be required of data in the possession of the postal or
telecommunications operator. A postal or telecommunications operator
should comply with a section 22(4) notice as soon as is reasonably
practicable. Furthermore, they will not be required to supply data
unless it is reasonably practicable to do so.
(b) Renewal
6.2 An authorisation or notice may be renewed at any time during the
month it is valid, by following the same procedure as in obtaining a
fresh authorisation or notice.
6.3 A renewed authorisation or notice takes effect at the point at which
the authorisation or notice it is renewing expires.
(c) Cancellation
6.4 A designated person shall cancel a notice given under section 22(4)
of the Act as soon as it is no longer necessary, or the conduct is no
longer proportionate to what is sought to be achieved. The duty to
cancel a notice falls on the designated person who issued it.
6.5 The appropriate level of official within each public authority who
may cancel a notice in the event of the designated person no longer
being able to perform this duty is to be prescribed by Regulations made
under section 23(9) of the Act.
6.6 As a matter of good practice, authorisations should also be
cancelled in accordance with the procedure above.
6.7 In the case of a section 22(4) notice, the relevant postal or
telecommunications operator will be informed of the cancellation.
------------------------------------------------------------------------
--------
Retention of records by public authorities
7.1 Applications, authorisations and notices for communications data
must be retained by the relevant public authority until it has been
audited by the Commissioner. The public authority should also keep a
record of the dates on which the authorisation or notice is started and
cancelled.
(a) Errors
7.2 Where any errors have occurred in the granting of authorisations or
the giving of notices, a record should be kept, and a report and
explanation sent to the Commissioner as soon as is practical.
7.3 Applications must also be retained to allow for the complaints
Tribunal, under Part IV of the Act, to carry out its functions.
7.4 This code does not affect any other statutory obligations placed on
public authorities to retain data under any other enactment. (Where
applicable, in England and Wales, the relevant tests given in the
Criminal Procedures and Investigations Act 19967, namely whether any
material gathered might undermine the case for the prosecution against
the accused, or might assist the defence, should be applied).
(b) Data protection safeguards
7.5 Communications data, and all copies, extracts and summaries of it,
must be handled and stored securely. In addition, the requirements of
the Data Protection Act 19988 and its data protection principles should
be adhered to.
7 Further guidance is available in the CPIA code of practice.
8 Further guidance is available from
http://www.homeoffice.gov.uk/foi/datprot.htm
------------------------------------------------------------------------
--------
Oversight
8.1 The Act provides for an Interception of Communications Commissioner
whose remit is to provide independent oversight of the use of the powers
contained within Part I.
8.2 This code does not cover the exercise of the Commissioner's
functions. However, it will be the duty of any person who uses the
powers conferred by Chapter II of Part I to comply with any request made
by the Commissioner to provide any information he requires for the
purposes of enabling him to discharge his functions.
------------------------------------------------------------------------
--------
Complaints
9.1 The Act establishes an independent Tribunal, which is made up of
senior members of the legal profession or judiciary and is independent
of the Government. The Tribunal has full powers to investigate and
decide any case within its jurisdiction.
9.2 This code does not cover the exercise of the Tribunal's functions.
However, details of the relevant complaints procedure should be readily
available, for reference purposes, at public offices of those public
authorities permitted to access communications data under the provisions
of Chapter II of Part I of the Act. Where this is not possible, copies
should be made available by post or e-mail.
------------------------------------------------------------------------
--------
Annex A to draft code of practice
Unique reference number: [to be completed by the public authority]
[an indication of any urgency]
------------------------------------------------------------------------
--------
NOTICE UNDER SECTION 22(4) OF THE REGULATION OF INVESTIGATORY POWERS ACT
2000 REQUIRING COMMUNICATIONS DATA TO BE OBTAINED AND DISCLOSED
------------------------------------------------------------------------
--------
To: [NAME OF POSTAL OR TELECOMMUNICATIONS OPERATOR and address].
In accordance with section 22(4) of the Regulation of Investigatory
Powers Act 2000, I hereby require you -
*(a) if not already in possession of the data to which this notice
relates, to obtain it; and {for use in those cases where you are
actually asking for data to be captured for the duration of the notice -
this should be omitted where you are only requiring the disclosure of
historical data}.
(b) to disclose all communications data to which this notice relates,
whether in your possession or subsequently obtained by you.
Description of communications data to which this notice relates:
[enter details of the communications data required {distinguish here
between data (a) to be obtained if not already in the possession of the
operator (omitting if not relevant) and (b) to be disclosed - each
should be described separately}].
*(a) [communications data to be obtained];
(b) [communications data to be disclosed].
This notice is valid from [start date - issue date of this notice] to
[end date]. - This must be no more than one month from the date of this
notice, or earlier if cancelled under section 23(8)). This notice may be
renewed at any time before the end of the period of one month starting
with [issue date] by the giving of a further notice.
I believe that it is necessary for this communications data to be
obtained:
[List the purpose(s) that the communications data is required for (from
Section 22(2)) - follow the statutory language exactly)].
In reaching this conclusion I have satisfied myself that obtaining this
data by the conduct required by this notice is proportionate to what is
sought to be achieved by so obtaining the data.
You are required to produce the said communications data to [specify the
person (a name or designation must be specified), office, rank or
position to whom the data is to be disclosed] of [public authority] for
him to take away as specified below:
[Specify the manner in which the data is to be disclosed].
Date ....................
Designated Person (a minimum of Superintendent or equivalent. For
communications data falling under section 21(4)(c) of the Act, a minimum
of Inspector or equivalent): [Enter office, rank or position] ..........
This notice may be verified by contacting the following:
[enter contact details i.e. of the Single Point of Contact]
*Omit as appropriate