Pursuant to Section 71 of the Regulation of Investigatory Powers Act 2000

This is a draft code published under section 71(3)(a) of the Regulation of Investigatory Powers Act 2000 and laid before both Houses of Parliament.

Covering Letter

CONTENTS

1. Introduction

2. General

3. Designated persons within relevant public authorities permitted to access communications data under the Act

4. Purposes for which communications data may be sought

5. Authorisations and notices

(a) Single points of contact within relevant public authorities

(b) Applications to obtain communications data under the Act

(c) Considerations for designated person

(d) Content of an authorisation

(e) Content of a notice

(f) Oral authority (urgent cases)

(g) Disclosure of data

6. Validity of authorisations and notices

(a) Duration

(b) Renewal

(c) Cancellation

7. Retention of records by public authorities

(a) Errors

(b) Data protection safeguards

8. Oversight

9. Complaints

Annex A Specimen section 22(4) notice

Footnotes appear at the end of the chapter.

Introduction

1.1 This code of practice relates to the powers and duties conferred or imposed under Chapter II of Part I of the Regulation of Investigatory Powers Act 2000 ("the Act"). It provides guidance on the procedures that must be followed before access to communications data can take place under those provisions.

1.2 The code should be readily available to any members of a public authority who are involved in operations to access communications data.

1.3 The Act provides that the code is admissible in evidence in criminal and civil proceedings. If any provision of the code appears relevant to a question before any court or tribunal hearing any such proceedings, or to the Tribunal established under the Act, or to one of the Commissioners responsible for overseeing the powers conferred by the Act, it must be taken into account.

1.4 This code applies to relevant public authorities as described in Chapter II of Part I of the Act (see para 3.1 below).

1.5 This code does not cover conduct consisting in the interception of communications (contents of a communication).

1.6 This code extends to England, Wales, Scotland and Northern Ireland.

General

2.1 The code covers any conduct in relation to a postal service or telecommunication system for obtaining communications data and the disclosure to any person of such data. For these purposes, communications data includes information relating to the use of a postal service or telecommunication system but does not include the contents of the communication itself, contents of e-mails or interactions with websites. In this code "data", in relation to a postal item, means anything written on the outside of the item.

2.2 A person who engages in such conduct must be properly authorised and must act in accordance with that authority.

2.3 A test of necessity (see paras 4.1-4.3 below) must be met before any communications data is obtained. The assessment of necessity is one made by a designated person. (This is a person designated for the purposes of Chapter II of Part I of the Act (see para 3.2 below). A designated person has a number of obligations within the provisions of the Act which must be met before communications data is obtained. These are also laid out in this code). A designated person must not only consider it necessary to obtain the communications data but must also consider the conduct involved in obtaining the communications data to be proportionate (see para 4.4 below) to what it is sought to achieve.

Designated persons within relevant public authorities permitted to access communications data under the Act

3.1 Designated persons within the following "relevant public authorities"¹ are permitted under the Act to grant authorisations or serve notices², the two routes by which the Act allows communications data to be accessed (see further para 5.1 below):

• a police force (as defined in section 81(1) of the Act);

• the National Criminal Intelligence Service;

• the National Crime Squad;

• HM Customs and Excise;

• the Inland Revenue;

• the Security Service;

• the Secret Intelligence Service;

• the Government Communications Headquarters.

3.2 The appropriate level of official i.e. a designated person within each public authority for granting authorisations or giving notices will be as follows:

• to obtain any communications data defined by section 21(4) of the Act a minimum of Superintendent or equivalent;

• to obtain communications data defined by section 21(4)(c) only of the Act (such as account and subscriber information), a minimum of Inspector or equivalent.)

¹ The Act permits the Secretary of State to add further public authorities to this list by means of an Order subject to the affirmative resolution procedure in Parliament.

² The Secretary of State may by Order place restrictions on:

• the authorisations or notices that may be granted or given by designated persons; and
• the circumstances in which, or purposes for which, authorisations or notices may be granted or given.

Relevant public authorities authorised to access communications data from the list in Chapter II of Part I of the Act may be removed, if deemed appropriate, by Order of the Secretary of State.

Purposes for which communications data may be sought

4.1 Under section 22(2) of the Act, communications data may be sought if a designated person believes it is necessary for one or more of the following purposes³:

• in the interests of national security;

• for the purpose of preventing or detecting crime or of preventing disorder;

• in the interests of the economic well-being of the United Kingdom (see para 4.2 below);

• in the interests of public safety;

• for the purpose of protecting public health;

• for the purpose of assessing or collecting any tax, duty, levy or other imposition, contribution or charge payable to a government department;

• for the purpose, in an emergency, of preventing death or injury or any damage to a person's physical or mental health, or of mitigating any injury or damage to a person's physical or mental health.

4.2 In exercising his power to grant an authorisation or give a notice in the interests of the economic well-being of the United Kingdom (as provided for by section 22(2)(c)) of the Act, a designated person will consider whether the economic well-being of the United Kingdom which it is in the interests of is, on the facts of each case, related to State security. The term "State security", which is used in Directive 97/66/EC (concerning the processing of personal data and the protection of privacy in the telecommunications sector), should be interpreted in the same way as the term "national security" which is used elsewhere in the Act and this code. A designated person will not grant an authorisation or give a notice on section 22(2)(c) grounds if this link is not established. Any application for an authorisation or a notice on section 22(2)(c) grounds should therefore explain how, in the applicant's view, the economic well-being of the United Kingdom which it is in the interests of is related to State security on the facts of the case.

4.3 For an action to be necessary in a democratic society the access to communications data must pursue a legitimate aim as listed in para 4.1; fulfil a pressing social need and be proportionate to that aim.

4.4 Under section 22(5) of the Act, a designated person must also consider the conduct involved in obtaining the communications data to be proportionate. Proportionality is a crucial concept. In both the Act and this code reference is made to the conduct being proportionate. This means that even if a particular case which interferes with a Convention right⁴  is aimed at pursuing a legitimate aim (as listed in para 4.1 above) this will not justify the interference if the means used to achieve the aim are excessive in the circumstances. Any interference with a Convention right should be carefully designed to meet the objective in question and must not be arbitrary or unfair. Even taking all these considerations into account, in a particular case an interference may still not be justified because the impact on the individual or group is too severe.

³ The Act permits the Secretary of State to add further purposes to this list by means of an Order subject to the affirmative resolution procedure in Parliament.

⁴ European Convention on Human Rights (ECHR).

Authorisations and notices

5.1 The Act provides two different ways of authorising access to communications data; through an authorisation under section 22(3) and by a notice under section 22(4). An authorisation would allow the relevant public authority to collect or retrieve the data itself. A notice is given to a postal or telecommunications operator and requires that operator to collect or retrieve the data and provide it to the public authority which served the notice. A designated person decides whether or not an authorisation should be granted or a notice given.

5.2 In order to illustrate, a section 22(3) authorisation may be appropriate where:

• the postal or telecommunications operator is not capable of collecting or retrieving the communications data⁵;

• it is believed the investigation may be prejudiced if the postal or telecommunications operator is asked to collect the data itself;

• there is a prior agreement in place between the relevant public authority and the postal or telecommunications operator as to the appropriate mechanisms for the disclosure of communications data.

5.3 Applications for communications data may only be made by persons in the same public authority as a designated person.

(a) Single points of contact within relevant public authorities

5.4 Notices and where appropriate authorisations for communications data should be channelled through single points of contact within each public authority (unless the exemption in paras 5.13-5.14 applies). This will provide for an efficient regime, since the single points of contact will deal with the postal or telecommunications operator on a regular basis. It will also help the public authority to regulate itself. This will assist in reducing the burden on the postal or telecommunications operator by such requests. Single points of contact will be able to advise a designated person on whether an authorisation or a notice is appropriate.

5.5 Single points of contact should be in a position to:

• where appropriate, assess whether access to communications data is reasonably practical for the postal or telecommunications operator;

• advise applicants and designated persons on the practicalities of accessing different types of communications data from different postal or telecommunications operators;

• advise applicants and designated persons on whether communications data falls under section 21(4)(a), (b) or (c) of the Act;

• provide safeguards for authentication;

• assess any cost and resource implications to both the public authority and the postal or telecommunications operator.

(b) Applications to obtain communications data under the Act

5.6 The application form is subject to inspection by the Commissioner and both applicant and designated person may be required to justify their decisions. Applications to obtain communications data under the Act should be made on a standard form (paper or electronic) which must be retained by the public authority (see section 7 of this code) and which should contain the following minimum information:

• the name (or designation) of the officer requesting the communications data;

• the operation and person (if known) to which the requested data relates;

• a description, in as much detail as possible, of the communications data requested (there will also be a need to identify whether it is communications data under section 21(4)(a), (b) or (c) of the Act);

• the reason why obtaining the requested data is considered to be necessary for one or more of the purposes in paragraph 4.1 above (the relevant purpose also needs to be identified);

• an explanation of why obtaining the data constitutes conduct proportionate to what it seeks to achieve;

  • where appropriate, a consideration of collateral intrusion, the extent to which the privacy of others may be affected and why that intrusion is justified; and 

• the timescale within which the communications data is required. Where the timescale within which the material is required is any greater than routine, the reasoning for this to be included.

5.7 The application form should subsequently record whether access to communications data was approved or denied, by whom and the date. Alternatively, the application form can be marked with a cross-reference to the relevant authorisation or notice.

(c) Considerations for designated person

5.8 A designated person must take account of the following points, so that he is in a position to justify decisions made:

• whether the case justifies the accessing of communications data for one or more of the purposes listed in paragraph 4.1 above, and why obtaining the data is necessary for that purpose;

• whether obtaining access to the data by the conduct authorised by the authorisation, or required of the postal or telecommunications operator in the case of a notice, is proportionate to what is sought to be achieved. (A designated person needs to have in mind the conduct which he is authorising or requiring in each case. In making a judgement as to proportionality, a designated person needs to have in mind whether he is granting an authorisation or issuing a notice, and also what the scope of the conduct is. For example, where the conduct covers the provision of ongoing communications data);

  • where appropriate, where accessing the communications data is likely to result in collateral intrusion, whether the circumstances of the case still justify that access; and

• whether any urgent timescale is justified.

(d) Content of an authorisation

5.9 An authorisation itself can only authorise conduct to which Chapter II of Part I of the Act applies. A designated person will make a decision whether to grant an authorisation based upon the application which is made. The application form and the authorisation itself is not served upon the holder of communications data. The authorisation should be in a standard format (written or electronic) which must be retained by the public authority (see section 7 of this code) and must contain the following information:

• a description of the conduct to which Chapter II of Part I of the Act applies that is authorised;

• a description of the required communications data;

• for which of the purposes in paragraph 4.1 above the data is required; and

• the name (or designation) and office, rank or position of the designated person.

5.10 The authorisation should also contain:

• a unique reference number.

(e) Content of a notice

5.11 A designated person will make a decision whether to issue a notice based upon the application which is made. The application form is not served upon the holder of communications data. The notice that they receive contains only enough information to allow them to fulfil their duties under the Act. The notice served upon the holder of the communications data should be in a standard format (written or electronic) which must be retained by the public authority (see section 7 of this code) and must contain the following information:

• a description of the required communications data;

• for which of the purposes in paragraph 4.1 above the data is required;

• the name (or designation) and office, rank or position of the designated person; and

• the manner in which the data should be disclosed.

5.12 The notice should also contain:

• a unique reference number;

• where appropriate, an indication of any urgency;

• a statement stating that data is sought under the provisions of Chapter II of Part I of the Act. i.e. an explanation that compliance with this notice is a legal requirement; and

• contact details so that the veracity of the notice may be checked.

[A specimen copy of a notice can be found at annex A to this code].

(f) Oral authority (urgent cases)

5.13 An application for communications data may only be made and approved orally, on an urgent basis, where it is necessary to obtain communications data for the purpose set out in section 22(2)(g) of the Act⁶:

"for the purpose, in an emergency, of preventing death or injury or any damage to a person's physical or mental health, or of mitigating any injury or damage to a person's physical or mental health".

5.14 The fact of an oral application and approval must be recorded by the applicant and designated person at the time or as soon as possible. In this case, an authorisation under section 22(3) of the Act must be completed (in a written or electronic format) very shortly thereafter. In the case of a notice under section 22(4) of the Act, a designated person may make an oral request to a postal or telecommunications operator to disclose communications data which must be followed by a (written or electronic) notice to the postal or telecommunications operator very shortly thereafter. A section 22(4) notice may be issued directly to the postal or telecommunications operator, therefore relaxing the need to do so via a single point of contact.

(g) Disclosure of data

5.15 Notices under section 22(4) of the Act will only require the disclosure of data to:

• the person giving the notice i.e. the designated person; or

• to another specified person who must be from the same relevant public authority. In practice, this is likely to be the single points of contact.

⁵ Where possible, this assessment will be based upon information provided by the relevant postal or telecommunications operator.

⁶ To give effect to Article 2 (right to life) of the European Convention on Human Rights (ECHR).

Validity of authorisations and notices

(a) Duration

6.1 Authorisations and notices will only be valid for one month. This period will begin when the authorisation is granted or the notice given. A designated person should specify a shorter period if that is satisfied by the request, since this may go to the proportionality requirements. For 'future' communications data disclosure may only be required of data obtained by the postal or telecommunications operator within this period i.e. up to one month. For 'historical' communications data disclosure may only be required of data in the possession of the postal or telecommunications operator. A postal or telecommunications operator should comply with a section 22(4) notice as soon as is reasonably practicable. Furthermore, they will not be required to supply data unless it is reasonably practicable to do so.

(b) Renewal

6.2 An authorisation or notice may be renewed at any time during the month it is valid, by following the same procedure as in obtaining a fresh authorisation or notice.

6.3 A renewed authorisation or notice takes effect at the point at which the authorisation or notice it is renewing expires.

(c) Cancellation

6.4 A designated person shall cancel a notice given under section 22(4) of the Act as soon as it is no longer necessary, or the conduct is no longer proportionate to what is sought to be achieved. The duty to cancel a notice falls on the designated person who issued it.

6.5 The appropriate level of official within each public authority who may cancel a notice in the event of the designated person no longer being able to perform this duty is to be prescribed by Regulations made under section 23(9) of the Act.

6.6 As a matter of good practice, authorisations should also be cancelled in accordance with the procedure above.

6.7 In the case of a section 22(4) notice, the relevant postal or telecommunications operator will be informed of the cancellation.

Retention of records by public authorities

7.1 Applications, authorisations and notices for communications data must be retained by the relevant public authority until it has been audited by the Commissioner. The public authority should also keep a record of the dates on which the authorisation or notice is started and cancelled.

(a) Errors

7.2 Where any errors have occurred in the granting of authorisations or the giving of notices, a record should be kept, and a report and explanation sent to the Commissioner as soon as is practical.

7.3 Applications must also be retained to allow for the complaints Tribunal, under Part IV of the Act, to carry out its functions.

7.4 This code does not affect any other statutory obligations placed on public authorities to retain data under any other enactment. (Where applicable, in England and Wales, the relevant tests given in the Criminal Procedures and Investigations Act 1996⁷, namely whether any material gathered might undermine the case for the prosecution against the accused, or might assist the defence, should be applied).

(b) Data protection safeguards

7.5 Communications data, and all copies, extracts and summaries of it, must be handled and stored securely. In addition, the requirements of the Data Protection Act 1998⁸ and its data protection principles should be adhered to.

⁷ Further guidance is available in the CPIA code of practice.

⁸ Further guidance is available from http://www.homeoffice.gov.uk/foi/datprot.html

Oversight

8.1 The Act provides for an Interception of Communications Commissioner whose remit is to provide independent oversight of the use of the powers contained within Part I.

8.2 This code does not cover the exercise of the Commissioner's functions. However, it will be the duty of any person who uses the powers conferred by Chapter II of Part I to comply with any request made by the Commissioner to provide any information he requires for the purposes of enabling him to discharge his functions.

Complaints

9.1 The Act establishes an independent Tribunal, which is made up of senior members of the legal profession or judiciary and is independent of the Government. The Tribunal has full powers to investigate and decide any case within its jurisdiction.

9.2 This code does not cover the exercise of the Tribunal's functions. However, details of the relevant complaints procedure should be readily available, for reference purposes, at public offices of those public authorities permitted to access communications data under the provisions of Chapter II of Part I of the Act. Where this is not possible, copies should be made available by post or e-mail.

Annex A to draft code of practice

Unique reference number: [to be completed by the public authority]

[an indication of any urgency]

NOTICE UNDER SECTION 22(4) OF THE REGULATION OF INVESTIGATORY POWERS ACT 2000 REQUIRING COMMUNICATIONS DATA TO BE OBTAINED AND DISCLOSED

To: [NAME OF POSTAL OR TELECOMMUNICATIONS OPERATOR and address].

In accordance with section 22(4) of the Regulation of Investigatory Powers Act 2000, I hereby require you -

^*(a) if not already in possession of the data to which this notice relates, to obtain it; and {for use in those cases where you are actually asking for data to be captured for the duration of the notice - this should be omitted where you are only requiring the disclosure of historical data}.

(b) to disclose all communications data to which this notice relates, whether in your possession or subsequently obtained by you.

Description of communications data to which this notice relates:

[enter details of the communications data required {distinguish here between data (a) to be obtained if not already in the possession of the operator (omitting if not relevant) and (b) to be disclosed - each should be described separately}].

^*(a) [communications data to be obtained];

(b) [communications data to be disclosed].

This notice is valid from [start date - issue date of this notice] to [end date]. - This must be no more than one month from the date of this notice, or earlier if cancelled under section 23(8)). This notice may be renewed at any time before the end of the period of one month starting with [issue date] by the giving of a further notice.

I believe that it is necessary for this communications data to be obtained:

[List the purpose(s) that the communications data is required for (from Section 22(2)) - follow the statutory language exactly)].

In reaching this conclusion I have satisfied myself that obtaining this data by the conduct required by this notice is proportionate to what is sought to be achieved by so obtaining the data.

You are required to produce the said communications data to [specify the person (a name or designation must be specified), office, rank or position to whom the data is to be disclosed] of [public authority] for him to take away as specified below:

[Specify the manner in which the data is to be disclosed].

Date ....................

Designated Person (a minimum of Superintendent or equivalent. For communications data falling under section 21(4)(c) of the Act, a minimum of Inspector or equivalent): [Enter office, rank or position] ..........

This notice may be verified by contacting the following:

[enter contact details i.e. of the Single Point of Contact]

^*Omit as appropriate