Legal Services Regulation of Investigatory Powers Act … guidance.pdf · For All Directorates 2017 RIPA Guidance & Procedure M J Turnbull, Legal Services Page 1 Version 12 1. INTRODUCTION

For All Directorates 2017

RIPA Guidance & Procedure M J Turnbull, Legal Services Page 1 Version 12

1. INTRODUCTION The Regulation of Investigatory Powers Act (RIPA) controls and regulates surveillance,

and other means of gathering information, which public bodies employ in the discharge of their functions. Information gathering is one of the Council’s many activities which could involve an interference with an individual’s human rights, specifically an individual’s rights under Article 8.

Article 8 provides:

Everyone has the right to respect for his private and family life, his home and his correspondence.

There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

RIPA provides an authorisation process for certain types of surveillance and information

gathering, and that process can be used as a defence against certain human rights claims. Conversely, if the Council chose not to use that process, where it could have done, the courts might find that the Council’s actions were not “in accordance with the law”. In addition, activity which should properly be authorised but which isn’t should be reported to the Chief Surveillance Commissioner, in writing, as soon as the error is recognised, and this activity should be recorded and reported to the Inspector at the start of an Office of Surveillance Commissioners (OSC) inspection.

It is important to distinguish between the types of surveillance and information gathering

regulated by RIPA, and normal general observation, in the course of discharging the Council’s functions. It is acknowledged that low-level general observation will not usually be regulated under the provisions of RIPA. The Covert surveillance and property interference code of practice referred to later in this document, gives the following examples of this kind of general observation:

patrolling to prevent and detect crime, officers attending a car boot sale where it is suspected that counterfeit goods are

being sold, but where the intention is, through reactive “policing”, to identify and tackle offenders.

“Test purchases” in circumstances where any relationship is so limited that a CHIS authorisation is unnecessary.

Legal Services Regulation of Investigatory Powers Act 2000

Guidance and Procedure



2. WHICH KINDS OF SURVEILLANCE AND INFORMATION GATHERING METHODS ARE REGULATED BY RIPA?

Covert surveillance which consists of directed surveillance, intrusive surveillance, the

conduct and use of covert human intelligence sources, the acquisition and disclosure of communications data, and intercepting communications are all regulated by RIPA.

3. HOW HAS THE GOVERNMENT IMPLEMENTED RIPA?

The Home Office has issued a Covert surveillance and property interference code of practice (10.12.2014), a Covert human intelligence sources code of practice (10.12.2014), a Code of practice for the acquisition and disclosure of communications data (March 2015), and an Interception of communications: Code of Practice (27.1.2016). These Codes are available on the government website at https://www.gov.uk/government/collections/ripa-codes.

The RIPA forms referred to in this document are available at

www.gov.uk/government/collections/ripa-forms--2. If you do not have access to the internet, copies of these materials can be obtained from Legal Services (Legal). References in this document to “the relevant Code” are references to one or other of these Codes as appropriate.

The Council must have regard to these Codes of Practice, and they should be given

careful consideration by all those involved in activities regulated by RIPA. The Codes and this document must be made readily available to members of staff,

customers, and elected Members. The OSC keeps under review the performance of functions relating to covert surveillance,

and makes periodic inspections for these purposes. The Interception of Communications Commissioner’s Office (IOCCO) keeps under review the exercise of powers and duties in relation to the acquisition and disclosure of communications data, and carries out periodic inspections. IOCCO also has certain functions in relation to the interception of communications. Details of the Council’s latest inspection reports can be obtained from Legal.

Authorisations by the Council of directed surveillance or use of a CHIS, and

renewals of those authorisations, and authorisations made or notices given to acquire communications data, and renewals of those authorisations or notices are all subject to judicial approval. In addition, the authorisation of directed surveillance is subject to a crime threshold.

4. HOW HAS THE COUNCIL IMPLEMENTED RIPA? The City Solicitor, who is a member of the Council’s Leadership Team, is the Senior

Responsible Officer (SRO) with ultimate responsibility for the Council’s implementation of RIPA. The SRO is responsible for ensuring that all authorising officers are of an appropriate standard in the light of any recommendations in OSC inspection reports. If an OSC report raises concerns about the standards of authorising officers, the SRO is responsible for ensuring these concerns are addressed. The SRO is also responsible for



the integrity of the Council’s processes, compliance with RIPA and with the relevant Codes, oversight of the reporting of errors, engagement with the OSC inspectors, and oversight of the implementation of post-inspection action plans. Under the Council’s constitution, the City Solicitor has the following responsibilities:

Preparing policies and strategies for approval Guidance and advice Monitoring compliance

Legal maintain the RIPA Central Record for directed surveillance and CHIS

authorisations, and are responsible for monitoring and quality control. The relevant procedures are in Appendix 2 and Appendix 3 respectively.

The following matters are the responsibility of Directors/Chief Officers:

To implement and secure compliance with the rules on surveillance activities, the Council’s policies on these matters, and guidance and advice from Legal on these matters.

To designate officers with specific responsibilities for these matters (RIPA practitioners).

The Council has a RIPA policy. This is in Appendix 1. The relevant Code recommends

that elected Members of a local authority should review the authority’s use of RIPA and set the policy at least once a year. Members should also consider internal reports on use of RIPA on a regular basis to ensure it is being used consistently with the authority’s policy and that the policy remains fit for purpose. This role is performed by the Council’s Corporate Governance and Audit Committee, which receives an annual assurance report about the use of RIPA powers and any recommended policy changes, and periodic updates (every 3 to 4 months) about the use (or not) of RIPA powers.

These delegations mean that you should refer day to day queries which you may have on

RIPA matters, to the RIPA practitioner for your service. They may then of course choose to refer some of these matters to Legal.

If RIPA practitioners want to issue their own guidance relating to the activities of their own

service, this must first be approved by Legal. 5. WHAT DOES “SURVEILLANCE” MEAN? RIPA says “surveillance” means monitoring, observing or listening to persons, their

movements, conversations, other activities or communications, recording anything monitored observed or listened to in the course of surveillance, and surveillance with a surveillance device (which means anything designed or adapted for surveillance use).

6. WHEN DOES SURVEILLANCE BECOME “DIRECTED SURVEILLANCE”? Surveillance becomes “directed surveillance” when ALL of the following criteria are

satisfied. The surveillance must:



be “covert”. This means surveillance which is carried out in a way that is “calculated to ensure” that the subjects are unaware that it is or may be taking place. “Calculated to ensure” means there must be a deliberate effort by the Council to make sure the subjects aren’t aware of the surveillance

be for the purposes of a “specific investigation” or a “specific operation”. General observations which do not involve the systematic surveillance of an individual, will not be directed surveillance

be undertaken in such a manner as is likely to result in the obtaining of “private information”. “Private information” includes any information relating to a person’s private or family life, whether or not that person is the subject of the investigation. The relevant Code says private information should be taken generally to include any aspect of a person’s private or personal relationship with others, including family and professional or business relationships, and that “family” should be treated as extending beyond the formal relationships created by marriage or civil partnership. The relevant Code also says that whilst “a person may have a reduced expectation of privacy when in a public place, covert surveillance of that person’s activities in public may still result in the obtaining of private information. This is likely to be the case where that person has a reasonable expectation of privacy even though acting in public, and where a record is made by a public authority of that person’s activities for future consideration or analysis”. The Supreme Court has now confirmed1 that the state’s systematic collection and storage in retrievable form even of “public” information about an individual is an interference with private life, and that therefore the Article 8 rights are engaged. As a result, where an investigation includes covert surveillance using CCTV cameras, the creation of a record by filming activities even in a “public” place such as in the street, will amount to obtaining “private” information. In a similar way, the systematic retention of information gathered from “open” social media sources may well engage the Article 8 rights. The issue then would be whether monitoring or observing a person’s communications “after the event” constituted “surveillance”, and if so whether in particular circumstances this also amounted to a specific investigation or operation. The OSC Procedures and Guidance provides “the Commissioners’ tentative view is that if there is a systematic trawl through recorded data (sometimes referred to as “data-mining”) of the movements or details of a particular individual with a view to establishing, for example, a lifestyle pattern or relationships, it is processing personal data and therefore capable of being directed surveillance”. The relevant Code also suggests that if several records are to be analysed together in order to establish, for example, a pattern of behaviour, or if one or more pieces of information (whether or not available in the public domain) are covertly (or in some cases overtly) obtained for the purposes of making a permanent record about a person or for subsequent data processing to generate further information, then “private life” considerations are particularly likely to arise. The totality of information gleaned may constitute private information even if individual records do not. The relevant Code gives examples of repeatedly photographing the exterior of a café to establish a pattern of occupancy by a person, and recording a person providing their name and telephone number to a shop assistant in order to confirm their identity, as instances where a directed surveillance authorisation should be considered. The relevant Code also provides that whilst a surveillance device which provides information about the location of a vehicle does not necessarily provide “private information” about a person, the use of that information when coupled with other surveillance activity which may obtain

1 R (on the application of Catt) (AP) v Commissioner of Police of the Metropolis & Anr [2015] UKSC 9



“private information” could interfere with the Article 8 rights and so an authorisation may be appropriate. The recording or monitoring of one or both ends of a telephone conversation, even if this did not amount to an “interception”, would still result in “private” information being obtained. The use of the internet to gather information as part of an operation may amount to directed surveillance.

not be done as an immediate response to events or circumstances, where it would not be reasonably practicable to try and get an authorisation

not be intrusive (please see below) 7. EXAMPLES OF SURVEILLANCE WHICH WOULD NOT BE “DIRECTED

SURVEILLANCE” Council officers openly observing the activities of residents whilst patrolling the streets, as

part of activities to combat anti-social behaviour. Note “openly” means there must not be any deliberate effort to make sure individuals are not aware that this is taking place.

Generally, the use of CCTV cameras, where these are properly signed. Routine planning enforcement visits, to check up on the physical development of a site. Covert surveillance of premises (as opposed to individuals) by environmental health

officers, as part of their routine duties to detect statutory nuisances. The covert surveillance of suspected noise nuisance where the intention is only to record

excessive noise levels from adjoining premises, and the recording device is calibrated to record only excessive noise levels.

Covert surveillance for the purposes of an “ordinary function”, for example surveillance of

an employee as part of a disciplinary process, (as opposed to covert surveillance for the purposes of a “specific public function” undertaken by the Council).

8. DOES DIRECTED SURVEILLANCE HAVE TO BE AUTHORISED? The Council’s RIPA policy provides that directed surveillance must be authorised. RIPA

says surveillance is lawful for all purposes, if an authorisation has been properly granted, and the surveillance is in accordance with that authorisation. Consequently, a proper authorisation should be a full protection, in the event of a claim by an individual who has been the subject of surveillance, for breach of their Article 8 rights.

The Council can authorise its directed surveillance. The approved forms on the Home

Office website mentioned above, must be used. Note also however that an authorisation cannot take effect until such time as a

Justice of the Peace (JP) has made an order approving the authorisation. The JP can only give approval if satisfied that there were, and still are reasonable grounds for the authorisation, and also that certain relevant conditions were satisfied. Legal will deal with the application to the JP, and will notify you once such an order has been made. Legal will retain copies of the judicial application/order forms after



they have been signed by the JP, and these will be kept in the Central Record together with the original authorisation.

9. WHAT ARE COVERT HUMAN INTELLIGENCE SOURCES? The term Covert Human Intelligence Source (CHIS) is used to describe people who are

more commonly known as informants. Informants are used more widely by the Police and other law enforcement organisations than by the Council. Applicants or authorising officers who are considering the use or conduct of a CHIS, must first seek advice from Legal.

The use or conduct of a CHIS would include work by officers working “undercover”

whereby a covert relationship is established with another person. This type of activity may sometimes be undertaken by officers. This guidance only deals with circumstances when a CHIS authorisation would be needed for officers. It should only be in exceptional circumstances that it is proposed to use a person who is not an officer, and in this event further guidance must be sought from Legal.

A person is a covert human intelligence source if:

he/she establishes or maintains a personal or other relationship with a person for the covert purpose of

covertly using the relationship to obtain information or to provide access to any information to another person; or

covertly disclosing information obtained by the use of such a relationship, or as a consequence of the existence of such a relationship.

A relationship is established or maintained for a covert purpose if and only if it is

conducted in a manner that is calculated to ensure that one of the parties to the relationship is unaware of the purpose.

A relationship is used covertly, and information obtained is disclosed covertly, if and only

if the relationship is used or the information is disclosed in a manner that is calculated to ensure that one of the parties to the relationship is unaware of the use or disclosure in question.

A routine test purchase, which does not go beyond a normal transaction, would not be

considered a CHIS activity. However, this depends on all the circumstances including the length of time of the contact between buyer and seller and the nature of any covert activity. Many sources volunteer or provide information that is within their personal knowledge, without being induced, asked, or tasked by a public authority. For example a member of the public volunteering information about something he has witnessed in his neighbourhood, where a relationship will not have been established or maintained for a covert purpose. Where members of staff are required to comply with the Money Laundering Regulations and report suspicious transactions, this will not result in these individuals meeting the definition of a CHIS. If the Council asked a member of the public to keep a record of all vehicles arriving at or leaving a house, or to record details of



visitors to a neighbouring house, a relationship has not been established to gather the information, and therefore a CHIS authorisation would not be available.

10. CAN THE COUNCIL AUTHORISE THE USE OF A CHIS? Yes. The Council can authorise the use or conduct of a CHIS. The use of a CHIS involves

any action on behalf of a public authority to induce, ask or assist a person to engage in the conduct of a CHIS, or to obtain information by means of the conduct of a CHIS. The conduct of a CHIS is any conduct which falls within establishing a relationship, and obtaining or disclosing information as mentioned above, or is incidental to any such activity. Most CHIS authorisations will be for both use and conduct because authorities will usually task the CHIS to take covert action, and because the CHIS will be expected to take action, such as responding to the particular tasking. Care must be taken to ensure that the CHIS is clear on what is/is not authorised at any given time, and that all the CHIS’s activities are properly risk assessed. As the relevant Code provides, “the use or conduct of a CHIS can be a particularly intrusive and high-risk covert technique, requiring dedicated and sufficient resources, oversight and management”. Whilst the use or conduct of a CHIS need not relate to private information, the covert manipulation of a relationship to gain information of any kind will engage the Article 8 rights, and therefore authorisation must be sought. The Home Office prescribed forms must be used. The authorising officer must believe that an authorisation for the use or conduct of a CHIS is “necessary” in the circumstances of the particular case, on the ground mentioned below. If deemed necessary, the authorising officer must also believe that it is “proportionate” to what is sought to be achieved by carrying it out. The twin requirements of necessity and proportionality are explained in more detail below.

Note however, authorisation must not be given unless:

there is a person (known as the “handler”) in the service, with day to day responsibility for dealing with the CHIS, and for monitoring their security and welfare

there is another person in the service (known as the “controller”), who will have general oversight of the use made of the CHIS, and will normally be responsible for the management and supervision of the “handler”.

there is a person in the service with responsibility for maintaining a record of the use made of the CHIS

that records disclosing the identity of the CHIS will not be available to persons except to the extent that there is a need for access.

Note also the relevant Code says vulnerable individuals should only be authorised

to act as a CHIS in the most exceptional circumstances. A “Vulnerable individual” is defined as a person who by reason of mental disorder or vulnerability, other disability, age or illness, is or may be unable to take care of themselves, or unable to protect themselves against significant harm or exploitation. Where it is known or suspected that an individual may be vulnerable, they should only be authorised to act as a CHIS in the most exceptional circumstances, and authorisation in such a case would need to be by the Head of Paid Service (Chief Executive), or in his absence the person acting as the Head of Paid Service.

Note there are also special safeguards for the use or conduct of a CHIS who is a

juvenile, i.e. who is under 18. The relevant Code says on no occasion should the use or



conduct of a source under 16 be authorised to give information against their parents, or any person who has parental responsibility for them. In other cases, special provisions must be complied with, and again authorisation would need to be by the Head of Paid Service (Chief Executive), or in his absence the person acting as the Head of Paid Service. The duration of such an authorisation would be only one month.

Note also that the Council must appoint a “handler” who will have day to day

responsibility for dealing with the CHIS on behalf of the Council, directing the day to day activities of the CHIS, recording the information supplied by the CHIS, and monitoring the CHIS’s security and welfare. The Council must also appoint a “controller” who will be responsible for the management and supervision of the “handler” and for general oversight of the use of the CHIS. Responsibilities for the management and oversight of a CHIS can however be split between authorities where there is joint working. The “handler” is responsible for bringing to the attention of the “controller” any concerns about the personal circumstances of the CHIS, insofar as they might affect the validity of the risk assessment mentioned below, the conduct of the CHIS and the safety and welfare of the CHIS. Where appropriate, concerns about such matters must be considered by the authorising officer, and a decision taken on whether or not to allow the authorisation to continue.

The relevant Code says that any public authority deploying a CHIS should take into

account the safety and welfare of that CHIS when carrying out actions in relation to an authorisation or tasking, and the foreseeable consequences to others of that tasking. Before authorising the use or conduct of a CHIS, the authorising officer should ensure that a risk assessment is carried out to determine the risk to the CHIS of any tasking and the likely consequences should the role of the CHIS become known. The ongoing security and welfare of the CHIS, after the cancellation of the authorisation, should also be considered at the outset. Also, consideration should be given to the management of any requirement to disclose information tending to reveal the existence or identity of a CHIS to, or in, Court.

Note also that an authorisation cannot take effect until such time as a JP has made

an order approving the authorisation. The JP can only give approval if satisfied that there were, and still are reasonable grounds for the authorisation, and also that certain relevant conditions were satisfied. Legal will deal with the application to the JP, and will notify you once such an order has been made. Legal will retain copies of the judicial application/order forms after they have been signed by the JP, and these will be kept in the Central Record together with the original authorisation.

11. WHO CAN GIVE DIRECTED SURVEILLANCE AND CHIS

AUTHORISATIONS? Generally, The Regulation of Investigatory Powers (Directed Surveillance and Covert

Human Intelligence Sources) Order 2010 as amended permits a “Director, Head of Service, Service Manager or equivalent” to grant authorisations. This will also include anyone in a more senior position. The Council’s RIPA policy says authorisations will only be granted by a small number of nominated officers at Head of Service level, from Strategy & Resources Directorate. In addition, the SRO is permitted to grant



authorisations in exceptional circumstances. Contact details for nominated Heads of Service can be obtained from Legal.

Note the relevant Codes say that “particular care should be taken in cases where

the subject of the investigation or operation might reasonably expect a high degree of privacy, or where confidential information is involved. Confidential information consists of communications subject to legal privilege, communications between a Member of Parliament and another person on constituency matters, confidential personal information, or confidential journalistic material”. In cases where it is likely that knowledge of confidential information will be acquired, the use of covert surveillance is subject to a higher level of authorisation, and in the Council’s case the authorising officer is the Head of Paid Service (Chief Executive), or in his absence the person acting as the Head of Paid Service.

The relevant Codes provide that all applications for covert surveillance that may result in

the acquisition of knowledge of matters subject to “legal privilege” should state whether this is intended. If this is not intended, but is likely, the application must identify all steps which will be taken to mitigate this risk, and if this risk cannot be removed entirely the application must explain what steps will be taken to ensure any such knowledge which is obtained is not used in law enforcement investigations or criminal prosecutions. Where covert surveillance is likely or intended to result in the acquisition of such knowledge, an authorisation shall only be granted if the authorising officer is satisfied there are “exceptional and compelling circumstances”. The relevant Codes make specific recommendations as regards the handling and dissemination of knowledge of matters which may be subject to legal privilege, and advice on these matters must be sought from Legal. Any material which is retained must be notified to the OSC inspector during his or her next inspection and made available on request. Please note also that directed surveillance that is carried out in relation to anything taking place on so much of certain specified premises as is, at any time during the surveillance, used for the purposes of “legal consultations”, is deemed to be “intrusive surveillance”. Such premises include any place where people can be detained under the Mental Health Act, police stations, the courts, and the place of business of any professional legal adviser.

Special consideration must also be given to authorisations that involve confidential

personal information, confidential constituent information, and confidential journalistic material. Confidential personal information means information held in confidence relating to the physical or mental health, or spiritual counselling of a person (whether living or dead) who can be identified from it. Confidential constituent information is information relating to communications between an MP and a constituent in respect of constituency matters.

Confidential journalistic material includes material acquired or created for the purposes of

journalism, and held subject to an undertaking to hold it in confidence, and communications resulting in information being acquired for the purposes of journalism, and held subject to such an undertaking.

The relevant Code says where confidential personal information, confidential

constituent information and confidential journalistic material has been acquired and retained, this should be reported to the Inspector during the next inspection, and the material should be made available to them if requested. Consequently,



applications need to specify this clearly, so that the Central Record can be properly maintained by Legal.

If there is any doubt about whether such information is likely to be acquired, or

how it should be retained, or disseminated advice should always be sought from Legal.

12. WHEN CAN AUTHORISATION PROPERLY BE GIVEN? An authorisation cannot be granted unless the authorising officer believes that the

authorisation is “necessary” on certain specified grounds, and that it is proportionate to what is sought to be achieved by carrying it out. “Necessary” means more than simply convenient or desirable for the Council. Authorising officers should be sure that the use of overt investigation methods has always been considered before considering whether an authorisation is required. Covert investigation authorised under RIPA should be used only when other reasonable options have been considered and ruled out. The OSC Procedures and Guidance provides that in order for this test to be satisfied, the conduct that the surveillance is aimed to prevent or detect “must be identified and clearly described, particularly if it is questionable whether serious crime criteria are met. Often missed is an explanation of why it is necessary to use the covert techniques requested”.

“Proportionate” means that the Council needs to try and strike a fair balance between

the intrusiveness of the activity on the subject and others who might be affected by it, against the need for the activity in operational terms and the public interest in preventing the relevant crime or disorder. This means the activity must not be excessive or heavy-handed, and must take account of the particular circumstances of the subject and others affected, and the particular sensitivities of the communities in which they live. The OSC Procedures and Guidance provides that there must be an explanation of the reasons why “the method, tactic or technique proposed is not disproportionate (the proverbial ‘sledgehammer to crack a nut’)….It is insufficient to make a simple assertion or to say that the ‘seriousness’ of the crime justifies any or every method available”. Authorising officers should seek to limit surveillance to the minimum level required to meet the outcome. The relevant Code says the following elements of proportionality should therefore be considered:

balancing the size and scope of the proposed activity against the gravity and extent

of the perceived crime or offence; explaining how and why the methods to be adopted will cause the least possible

intrusion on the subject and others; considering whether the activity is an appropriate use of the legislation and a

reasonable way, having considered all reasonable alternatives, of obtaining the necessary result;

evidencing, as far as reasonably practicable, what other methods had been considered and why they were not implemented.

The only specified ground upon which the Council can grant an authorisation for

directed surveillance is:

preventing or detecting conduct which constitutes one or more criminal offences, and that offence or one of the criminal offences is an offence which is punishable on



summary conviction or indictment by at least 6 months imprisonment (for example, more serious criminal damage, dangerous waste dumping and serious or serial benefit fraud), or is one of certain other specified offences relating to the sale of alcohol to children, or the sale of tobacco to persons under 18. If there is any doubt about whether the conduct in question constitutes such an offence, advice should always be sought from Legal.

The only specified ground upon which the Council can authorise the use of a

CHIS is for the purpose of preventing or detecting crime or of preventing disorder.

13. WHAT IF THE PURPOSE DOES NOT FIT INTO THE SPECIFIED

GROUND? For example, where audit investigations undertaken to safeguard the financial resources

of the Council, include covert surveillance, there may be no RIPA ground for authorising directed surveillance. The OSC Procedures and Guidance provides that when it is decided to use covert surveillance without the protection of RIPA it would be prudent to maintain an auditable record of decisions and actions, and such activity should be regularly reviewed by the SRO. Therefore, in circumstances where a RIPA authorisation cannot be given, a Human Rights Audit (Appendix 4) must be completed. Human Rights Audits do not need to be supplied to Legal, but they must be kept on file as they could be an important part of the Council’s defence in the event of a claim for breach of Article 8.

14. WHAT DO APPLICANTS AND AUTHORISING OFFICERS NEED TO DO?

An authorising officer must give authorisations in writing. Written authorisations for directed surveillance will last for 3 months from the date of the JP’s order approving the authorisation. Written authorisation for use of a CHIS can last for a period of 12 months from the date of the JP’s order approving the authorisation.

Applications for authorisation must include an assessment of the risk of any collateral

intrusion or interference with the privacy of persons, other than the subject of the surveillance, and details of any measures taken to limit this, to enable the authorising officer fully to consider the proportionality of the proposed activity. Authorising officers must make sure that the activity is managed in such a way, and that measures are taken wherever practicable, to avoid or minimise unnecessary intrusion into the lives of those not directly connected with the investigation or operation. The same proportionality tests apply to the likelihood of collateral intrusion as to intrusion into the privacy of the intended subject of the surveillance. If surveillance is specifically proposed against an individual who is not suspected of direct or culpable involvement in the relevant crime or disorder, any interference with their privacy should be considered as intended, rather than collateral intrusion. Any such surveillance should be carefully considered against the necessity and proportionality criteria referred to above.

Every directed surveillance and CHIS authorisation must be sent to Legal for

inclusion in the Central Record. Please note Legal must make the Central Record available to the relevant Inspector from the OSC, upon request. Please note the



original application and authorisation, and any documents referred to in that form would be of critical importance in the event of a human rights claim against the Council. It is therefore essential that the original forms are sent to Legal, and that any background documents are preserved appropriately by the applicant or authorising officer.

Authorising officers must ensure that arrangements are in place for the secure handling,

storage and destruction of material obtained through the use of directed surveillance, or through the use or conduct of a CHIS, including compliance with the relevant data protection requirements. This material may be used as evidence in criminal proceedings, subject to the legal rules on admissibility of evidence.

15. HOW SHOULD THE RIPA FORMS BE FILLED IN? The Home Office prescribed application form includes:

A description of the purpose of the specific operation or investigation. This should

include a concise and balanced summary of the alleged crime or disorder, and the specific objectives of the investigation, with a description of the evidence it is sought to gather.

A description of the surveillance operation to be authorised and expected duration, including any premises, vehicles or equipment that may be used. The type of surveillance, for example static or mobile, needs to be described, as well as how the surveillance will be conducted, for example by CCTV or by observation. The place where the surveillance is to be conducted, the number of officers involved, and the duration of the surveillance need to be specified. If any equipment is to be used, a technical description should be given, and also a description of the level of intrusion. For example, if cameras are to be used how will they be directed, or if sound recording equipment is to be used, will it record speech? Note sufficient detail needs to be given, so the authorising officer can properly assess whether the operation is proportionate, and the likelihood of collateral intrusion.

the information that it is desired to obtain as a result of the directed surveillance. This should explain the levels of evidence which the applicant hopes to obtain, and how this will go to prove or disprove the allegations of crime.

The ground on which the directed surveillance is “necessary” – see above. If it is not possible to identify a specific crime in the application or grant, the Investigatory Powers Tribunal have said it must be “reasonably clear what sort of criminal offence might be prevented”, and there must be a “reasonable belief” that such an offence was or would be committed.

An explanation of why the proposed surveillance is “necessary” on the ground identified – see above. This must include evidence that the Council has considered whether measures other than covert surveillance were feasible and sufficiently effective, and if such measures have been tried and failed, a description of those measures. This must also explain why the applicant believes covert surveillance is the only method left available to progress the investigation.

Any collateral intrusion and why it is unavoidable, and the precautions taken to minimise such intrusion. This should state who the surveillance is likely to intrude upon, including the subject, and others as appropriate, for example others known be in their household (in particular, any children), neighbours, work colleagues, and members of the public in the surveillance locations. The actions to be taken to



reduce that risk must be stated, with an explanation how and why the methods to be adopted will cause the least possible intrusion on the subject and others listed. For example, how officers or equipment can be positioned to minimise intrusion, whether surveillance is to be limited to specific times, and whether the number of officers involved can be reduced depending on the location.

Why the directed surveillance is proportionate to what it seeks to achieve – see above. It must be shown that the surveillance is not excessive in the circumstances of the case, or arbitrary or unfair. Again, there must be a reasonable belief that the surveillance is proportionate, and the setting of reasonable conditions and limitations on the surveillance is likely to be key. For example, measures should be taken to ensure that young children who are not believed to be parties to the suspected crime or disorder, are not also made targets of the surveillance by default.

Confidential information – see above. It is important to identify any likelihood of acquiring this information, because particular care needs to be taken in such cases, and a special level of authorisation is needed.

Authorising officer’s statement. This must be a fully reasoned statement, and must explain why they believe the surveillance is necessary and proportionate. However, as the OSC Procedures and Guidance indicates, a bare assertion that “I am satisfied” or “I believe” that the activity is necessary and proportionate is insufficient. This statement must demonstrate that the authorising officer has actively considered and has understood the surveillance proposals, and has set conditions and limitations where appropriate. The activity which is being authorised must be fully specified (i.e. who, what, where, when and how), and a full justification for the surveillance must be given, in the authorising officers own words, (which should preferably be hand-written). If the authorising officer does not authorise all that was requested, a note should be added explaining why. Note it is for the authorising officer personally to justify the surveillance. This cannot be delegated, and the authorising officer must show they have done more than simply rely upon the judgement of other less senior colleagues.

16. SHOULD AUTHORISATIONS BE REVIEWED? As every authorisation must be for the statutory period, normally 3 months for directed

surveillance authorisations and 12 months for CHIS authorisations, regular reviews should be undertaken using the Home Office recommended form, to take care of issues of continuing necessity and proportionality. In particular, if during the investigation it becomes clear that the activity being investigated does not amount to a criminal offence or that it would be a less serious offence that does not meet the threshold referred to above, then the use of directed surveillance should cease, and the authorisation should be cancelled. There is a need to review authorisations frequently where the surveillance involves a high degree of intrusion into private life, or significant collateral intrusion, or where confidential information is likely to be obtained. A review is the responsibility of the original authorising officer and so should be conducted by them, or failing that, by an officer who would be entitled to grant a new authorisation in the same terms.

Any proposed or unforeseen changes to the nature or extent of the surveillance that may

result in further or greater intrusion should be brought to the attention of the authorising officer by means of a review. The authorising officer should consider whether these



changes are necessary and proportionate (bearing in mind any extra intended intrusion into privacy, or collateral intrusion), before approving or rejecting them. Note however, that any proposed changes which mean the original authorisation will be exceeded, will require a further authorisation which in turn, will require a further order by a JP approving that authorisation.

Where an authorisation provides for the surveillance of unidentified individuals whose

identity is later established, the terms of the authorisation should be refined at a review to include the identity of these individuals, and a review should be convened for this purpose. There will be no need for a new authorisation if the scope of the original authorisation envisaged surveillance of these individuals.

Any reviews should be supplied to Legal for inclusion in the Central Record

mentioned above. 17. CAN AUTHORISATIONS BE RENEWED? Yes. If at any time before a directed surveillance authorisation would cease to have

effect, the authorising officer considers it necessary for the authorisation to continue for the purpose for which it was given, he/she may renew it in writing for a further period of 3 months. Renewals should be recorded using the Home Office recommended form.

Applications for renewal must record at the time of application

Whether this is the first renewal, or every occasion on which the authorisation has

been renewed previously Any significant changes to the information in the initial application The reasons why the authorisation for directed surveillance should continue The content and value to the investigation or operation, of the information so far

obtained by the surveillance The results of regular reviews of the investigation or operation

Renewals must be supplied to Legal for inclusion in the Central Record mentioned

above. Note also however that a renewal cannot take effect until such time as a JP has

made an order approving the renewal. The JP can only give approval if satisfied that there were, and still are reasonable grounds for the authorisation, and also that certain relevant conditions were satisfied. Legal will deal with the application to the JP, and will notify you once such an order has been made. Legal will retain copies of the judicial application/order forms after they have been signed by the JP, and these will be kept in the Central Record.

18. DO AUTHORISATIONS HAVE TO BE CANCELLED? Yes. The authorising officer who granted or last renewed the authorisation must cancel it,

if satisfied that the directed surveillance as a whole no longer meets the criteria upon which it was authorised. Where the original authorising officer is no longer available, this



duty will fall on the person who has taken over this role, or who is entitled to act as authorising officer as mentioned above.

As written authorisations are granted automatically for 3 months/12 months, this means

each written authorisation needs to be cancelled, whatever the actual duration of the investigation or operation. The Home Office recommended form should be used. The reason for the cancellation will usually be that the objectives of the surveillance have been achieved, and this should be fully explained on the form. Effective practice suggests that the authorising officer’s comments should include a direction as to how the material, (or product) from the surveillance should be stored, and for how long. Where a JP refuses to approve the grant or renewal of an authorisation, then the authorisation should be cancelled. If approval was refused because of a technical error, consideration should be given to repeating the authorisation process and then reapplying for approval. Otherwise, the authorisation should be cancelled. Where judicial approval is refused, and the grant or renewal of the authorisation is quashed, no formal cancellation is necessary.

Cancellations must be supplied to Legal, for inclusion in the Central Record

mentioned above. 19. WHEN CAN SURVEILLANCE BE “INTRUSIVE?” Intrusive surveillance means covert surveillance which:

is carried out in relation to anything taking place on any residential premises (not including common areas, nor as the relevant Code of Practice suggests, the front garden or driveway of premises readily visible to the public) or in any private vehicle; and

involves the presence of an individual on the premises or in the vehicle, or is carried out by means of a surveillance device

or is directed surveillance that is carried out in relation to anything taking place on so much of certain specified premises, as is, at any time during the surveillance, used for the purposes of “legal consultation” (see above).

Intrusive surveillance may take place by means of a person or device located in the residential premises or private vehicle or place for legal consultation. It may also take place by means of a device outside the premises or vehicle or place for legal consultation which consistently provides information of the same quality and detail as might be expected to be obtained from a device inside. The Code provides by way of example, use of a zoom lens which consistently achieves imagery of the same quality as that which would be visible from within the premises, would constitute intrusive surveillance. The Code provides that the use of a device for the purpose of providing information about the location of any private vehicle is not considered to be intrusive surveillance. However, where the recording or use of such information would amount to the covert monitoring of the movements of the occupants of that vehicle, then this will amount to directed surveillance.

Note the Council cannot authorise surveillance which is intrusive. If it appears that a

proposed surveillance investigation or operation, may fall within the scope of intrusive surveillance, then further guidance must be sought from Legal.



20. WHAT ABOUT CCTV AND ANPR (AUTOMATIC NUMBER PLATE RECOGNITION) SYSTEMS?

Generally, RIPA does not affect CCTV systems where these are properly signed. This is

because any surveillance is usually overt, rather than covert, and there is not usually a specific investigation or operation. Similarly, the overt use of ANPR systems to monitor traffic flows or detect motoring offences does not require an authorisation. If a CCTV system or ANPR were used to gather information as part of a reactive operation, for example to identify individuals who have committed criminal damage after the event, then that would not be directed surveillance if the equipment was overt, and there was no covert targeting. However, if a system were diverted from its usual functions and used in a covert and pre-planned manner as part of a specific investigation or operation, for the surveillance of a specific person or group of people, this would go beyond the intended use of the system for the general prevention or detection of crime and protection of the public, and could mean there was directed surveillance. For example, if a signed CCTV system on a housing estate, which was generally used only for general security purposes in “public areas”, was used specifically in a pre-planned way for monitoring the criminal activities of a particular group of people, this could constitute directed surveillance.

Where CCTV systems are not signed, then unless the cameras are clearly visible surveillance will be covert, and there will be directed surveillance if the other criteria for directed surveillance are present.

21. WHEN WILL AN INVESTIGATION USING SOCIAL MEDIA REQUIRE

AUTHORISATION? Please remember that you must only use social media at work in accordance with

current Council policies, and in accordance with any specific policies and rules applying in your own Service.

If you are permitted to use social media for investigative purposes, please see the guidance from Legal regarding the use of “open source” social networks – “Use of Social Networks in Investigations”.

The OSC says that whilst it is impossible in the current atmosphere of changing technology and multiple sites to say what may apply in all cases, the following may serve as a “rule of thumb” guide Reviewing open source sites does not require authorisation unless the review is

carried out with some regularity, usually when creating a profile, in which case directed surveillance authorisation will be required.

If it becomes necessary to breach the privacy controls and become, for example, a “friend” on the Facebook site, with the investigating officer using a false account concealing his/her identity as a Council officer for the purposes of gleaning intelligence, this is a covert operation intended to obtain private information and should be authorised, at the minimum, as directed surveillance.

If the investigator engages in any form of relationship with the account operator then s/he becomes a CHIS requiring authorisation as such and management by a Controller and Handler with a record being kept and a risk assessment created.

It will only be in exceptional cases that a Service will need to consider breaching privacy controls, or engaging in any form of relationship with an account-holder, and you must first seek advice from Legal.



Please remember that, even if the purpose of your investigation is such that there is no proper ground for authorising directed surveillance or a CHIS, a Human Rights Audit (Appendix 4) must be completed.

22. HOW DOES RIPA REGULATE THE INTERCEPTION OF

COMMUNICATIONS? RIPA regulates the interception of communications in the course of transmission by

means of a public postal service, or a public or private telecommunication system. This would include mail received by post or fax, the Council’s phone systems and the Council’s computer network.

It would be a criminal offence to “intercept” mail, faxes, phone calls or e-mail whilst in the

public system, unless the Council has lawful authority. In addition, IOCCO may impose a monetary penalty notice up to £50,000 for an unlawful interception in the course of transmission via a public telecommunication system.

Once mail and faxes have been received by the Council, interception would not be an

offence, and the interception of phone calls or e-mail within the Council’s private telecommunications systems will not be an offence as long as the Council has the right (as it usually will) to control the operation or use of the system, or as long as the Council again has lawful authority.

However, the interception in the course of transmission by the Council of phone calls or

e-mail within the Council’s private telecommunications systems would mean the Council could be sued by the sender, recipient or intended recipient, unless again the Council has lawful authority.

Interception in the course of transmission means modifying or interfering with the system,

or its operation, or monitoring transmissions, so as to make some or all of the contents of the communication available, while being transmitted, to a person other than the sender or intended recipient. Modifying a system includes attaching any apparatus to, or other modification of, or interference with any part of the system. Being transmitted includes time when the system is used for storing the communication in a way that enables the intended recipient to collect it, or otherwise have access to it. Making available while being transmitted, includes cases where the contents of the communication, while being transmitted, are diverted or recorded so as to be available to a person subsequently.

Consequently, if one party to a telephone conversation makes a recording of that

conversation this is not “telephone tapping” and is not interception. Note however, this could constitute directed surveillance. First receipt of a voicemail message will not bring “transmission” to an end, and this will include circumstances where the message is stored in the communication system where the intended recipient might thereafter have access to it by playing back the message. Consequently, opening emails in an e-mail account, even where these have already been received by the intended recipient, may still amount to an “interception” regardless of whether they remain unopened by the intended recipient. In addition, systematically monitoring or observing e-mails could constitute “surveillance”, and plainly the opening or re-opening of e-mails by a manager, could lead to a complaint that there had been unfair processing of the sender/recipient’s personal



data, or that there had been an interference with their Article 8 rights, particularly if the e-mails self-evidently did not pertain to work duties.

If any activity is proposed, which you think might constitute the interception of a

communication in the course of transmission by means of the public postal service, or a public telecoms system, advice must be sought from Legal.

If any activity is proposed, which constitutes the interception of a communication

in one of the Council’s private telecoms systems, this must only be done where the Council has “lawful authority”.

Lawful authority can be given in a number of ways. One of these is where legitimate

business practices can be authorised by the Secretary of State. Various practices have been so authorised by the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, as amended. It will be necessary to keep a full record of any such interception, and the grounds on which the Council has “lawful authority”. Advice must be sought from Legal on these matters.

23. HOW DOES RIPA REGULATE THE ACQUISITION AND

DISCLOSURE OF COMMUNICATIONS DATA?

RIPA says conduct in relation to a postal service or a telecommunications service for obtaining communications data is lawful for all purposes if it is covered by, and in accordance with an authorisation or notice given under RIPA.

The Council can only use these powers to acquire certain limited types of communications data known as “service use information” and “subscriber information”. This data is the “who”, “when” and “how” of a communication but not the “what” (the content of what was said or written) nor the “where” (origin or destination of a communication).

“service use information” is data about the use made by a person of any postal service or telecommunications service, or any part of a telecommunications system. The relevant Code of Practice gives the following examples of such information – itemised telephone call records (numbers called), itemised records of connections to internet services, itemised timing and duration of service usage (calls and/or connections), information about amounts of data downloaded or uploaded, information about the use made of services, information about the use of forwarding/redirection services, information about selection of preferential numbers or discount calls, and records of postal items.

“subscriber information” relates to information held or obtained by a communications service provider (CSP), about persons to whom the CSP provides or has provided a communications service. The relevant Code of Practice gives the following as examples of this type of data: “subscriber checks” (also known as “reverse look ups”) such as “who is the

subscriber of phone number 012 345 6789?”, “who is the account holder of e-mail account [email protected]?”, or “who is entitled to post to web space www.example.co.uk?”

Information about the subscriber to a PO Box number, or a Post Paid Impression used on bulk mailings.



Information about the provision to a subscriber or account holder of forwarding/redirection services, including delivery and forwarding addresses.

Subscribers’ or account holders’ account information, including names and addresses for installation, and billing including payment method(s), and details of payments.

Information about the connection, disconnection and reconnection of services. Information about apparatus used by, or made available to, the subscriber or account holder.

Information provided by a subscriber or account holder to a CSP, such as demographic or sign-up data (but not information, such as a password, giving access to the content of any stored communication).

Information about the apparatus used by, or made available to, the subscriber or account holder.

The Council cannot use these powers to acquire “traffic data” as defined in RIPA.

A designated person can grant an authorisation in relation to certain conduct to specified Council officers, or give a notice to a postal or telecommunications operator requiring the operator to obtain certain data if they are not already in possession of it, and to disclose all the data in their possession or subsequently obtained by them.

The Council’s designated person can only grant an authorisation or give a notice if they believe it is “necessary” for “the purpose of preventing or detecting crime or of preventing disorder”, and if they believe this is “proportionate” to what is sought to be achieved by so obtaining the data. The guidance in 12 above should be followed in assessing “necessity” and “proportionality”. The relevant Home Office recommended application form should be used by applicants, and the designated person must carefully include their own hand-written considerations in approving or not approving the application, and these considerations must explain why the proposed conduct is necessary and proportionate.

Under The Regulation of Investigatory Powers (Communications Data) Order 2010 as amended, the only ground on which communications data may be acquired is “for the purpose of preventing or detecting crime or of preventing disorder”.

Under the Order mentioned above, the designated person must be a “Director, Head of Service, Service Manager or equivalent”, or someone in a more senior position. The Council’s RIPA policy says the designated person must be at Head of Service level as a minimum. The relevant Code of Practice says that designated persons must be independent from operations and investigations for which they are granting authorisations or giving notices.

The relevant Code of Practice says that public authorities “unable to call upon the services of an accredited SPoC [single point of contact] should not undertake the acquisition of communications data”. From 1 December 2014 Local Authorities that wish to acquire communications data must become members of the National Anti-Fraud Network (“NAFN”), and must use their shared SPoC service. The key functions of the SPoC are to provide objective judgement and advice to both the applicant and the designated person, to provide assurance to designated persons that authorisations and notices are lawful and free from errors, to provide assurance to communications service providers that authorisations and notices are authentic and lawful, and to assess whether communications data disclosed by such providers in response to a notice or authorisation



fulfils the requirement of the notice, or authorisation.

The relevant Code of Practice says that every relevant public authority should appoint a senior responsible officer (SRO) who must be responsible for the integrity of the process, compliance with RIPA, oversight and minimisation of errors, and engagement with IOCCO inspectors. The Council’s SRO is the City Solicitor.

A designated person in a public authority may only give an authorisation to persons working in the same public authority to engage in specific conduct such as requesting data via secure auditable communications data acquisition systems. Local Government legislation allows for NAFN to act on behalf of the Council for this purpose.

Notices must be given in writing or in a manner that produces a record of it having been given, and in particular must not require a communications service provider to do anything which is not reasonably practicable, and should correspond with the ways in which the provider processes, retains and retrieves its data for these purposes.

Authorisations and notices are valid for a maximum of 1 month from the date of an order by a JP approving the authorisation or notice. Any valid authorisation or notice may be renewed for a period of up to 1 month by the grant of a further authorisation or the giving of a further notice, again subject to an order by a JP approving such a renewal. A designated person must cancel a notice if it is no longer necessary or proportionate.

Applications, authorisations, copies of notices, and records of the withdrawal of authorisations and the cancellation of notices will be retained by NAFN. NAFN will also keep a record of the date and, when appropriate to do so, the time when each notice or authorisation is given or granted, renewed or cancelled. These records must be held centrally by NAFN as the Council’sSPoC.

NAFN will also keep records relating to the number of applications, notices, and authorisations made by the Council as required by the relevant Code of Practice..

Where errors are made in the grant of an authorisation, the giving of a notice, or as a consequence of any authorised conduct or conduct undertaken to comply with a notice, a record will be kept by NAFN. Reportable errors must be reported to the SRO and then to IOCCO within no more than 5 working days of the error being discovered. These errors are where an authorisation or notice is made for a purpose, or for a type of data which the Council is not entitled to call upon or seek under RIPA, where human error occurs and data is acquired or disclosed, where the wrong data is disclosed in response to a notice, or where the wrong data is acquired. Recordable errors are where a notice is given to a provider which it is impossible for them to comply with and the Council attempts to impose the requirement, where there is a failure to review information already held and for example data is sought which has already been acquired, where there is a failure to serve written notice on a provider within 1 working day of urgent oral notice being given, or human error that does not result in the acquisition or disclosure of data. Details of recordable errors must be kept, and the SRO must undertake a regular review of the recording of such errors.

Note that no authorisation or notice, or renewal of an authorisation or notice can take effect until such time as a JP has made an order approving the same. A JP



can only give approval if satisfied that there were, and still are reasonable grounds for the authorisation or notice, or renewal, and also that certain relevant conditions were satisfied. Legal will deal with the application to the JP, and will notify you once such an order has been made. Once an order has been made, NAFN will proceed with acquiring the communications data.

24. WHERE CAN I GET MORE ADVICE? This document cannot provide a definitive statement of the law, in all situations, nor a full

description of all aspects of the Codes. If you or your RIPA practitioner have any doubt about whether a particular activity is lawful, you should always seek further advice from Legal, contacting Mark Turnbull, Head of Service, Legal Services, tel. 0113 3789151, e-mail [email protected], in the first instance.



Appendix 1

Regulation of Investigatory Powers Act 2000 (RIPA) Policy 1.0 Extent

This policy applies to the authorisation of directed surveillance under Section 28(1) of RIPA. This policy also applies to authorisations and notices for the purposes of obtaining communications data, under Section 22(3) and 22(4) of RIPA. This policy does not cover the authorisation of covert human intelligence sources under Section 29 of RIPA, nor does this policy cover intrusive surveillance (which the Council is not entitled to authorise under RIPA).

2.0 Safeguards

2.1 The Council will apply a presumption in favour of overt investigation methods. The Council will always consider using a variety of overt investigatory tools, before considering whether the use of these powers is required. Covert surveillance or investigation will be used only when other reasonable options have been considered, and ruled out.

2.2 In order to comply with the duties in Section 28(2) of RIPA, that a person shall not grant an authorisation for the carrying out of directed surveillance unless they believe that the authorisation is “necessary” for the purposes of preventing or detecting crime punishable by a maximum term of at least 6 months imprisonment or for the purpose of preventing or detecting certain other specified offences, and “proportionate”, in accordance with the Covert Surveillance and Property Interference Code of Practice, the Council will

balance the size and scope of the proposed activity against the gravity and extent of

the perceived crime or offence, or disorder; explain how and why the methods to be adopted will cause the least possible

intrusion on the target and others; consider whether the activity is an appropriate use of the legislation and a

reasonable way, having considered all reasonable alternatives, of obtaining the necessary result;

evidence, as far as reasonably practicable, what other methods had been considered and why they were not implemented.

2.3 The Council will only use covert surveillance when the problem is serious and/or

persistent, and where overt surveillance would not provide evidence and/or might displace the problem elsewhere.

2.4 The Council will use covert surveillance proportionately, and will not use covert

surveillance to address minor matters, but instead will focus on those issues which are of greatest concern to the community.



2.5 The Council will only use covert surveillance either to obtain evidence that can be presented at court, or where another positive outcome relating to the prevention or detection of crime as referred to above has been identified, for example through the positive identification of perpetrators.

2.6 The Council will give responsibilities to a single member of its Corporate Leadership

Team, the City Solicitor, as Senior Responsible Officer, to ensure that designated authorising officers meet the standards required by the Office of Surveillance Commissioners.

2.7 The Council will ensure that the quality of authorisations is monitored by Legal

Services. 2.8 The Council will ensure applicants and authorising officers receive an appropriate level

of training. 2.9 The Council will ensure that in accordance with The Regulation of Investigatory

Powers (Directed Surveillance and Covert Human Intelligence Sources) Order 2010 as amended, directed surveillance authorisations will only be granted by 2 or 3 Heads of Service appointed from within Resources & Housing Directorate. This will avoid any perception that a Head of Service is agreeing to “their” investigation within their own service, or is directly involved with the investigations they authorise. Authorising officers will therefore be able to apply more independently reasoned judgment of the issues. No authorisation will be put into effect until an order has been made by the Magistrates Court approving that authorisation.

2.10 In order to comply with the duties in Section 22(1) and 22(5) of RIPA that a designated

person will not grant an authorisation or give a notice for the acquisition of communications data unless they believe this is “necessary” for the purpose of preventing or detecting crime as referred to above, and “proportionate” to what is sought to be achieved, the Council will balance the extent of the intrusiveness of the interference with an individual’s right to respect for their private life against a specific benefit to the investigation or operation being undertaken by the Council in the public interest.

2.11 The Council will only use powers to acquire communications data when investigating

serious incidents, (such as vehicles causing nuisance within communities, and illegal advertising) and where overt investigation methods would not provide the necessary evidence.

2.12 In accordance with the Acquisition and Disclosure of Communications Data Code of

Practice, the Council has appointed the City Solicitor as senior responsible officer, who will be responsible for the integrity of the process within the Council to acquire communications data, compliance with the relevant provisions of RIPA and the Code, oversight of the reporting of errors to IOCCO and the identification of both the cause of errors and the implementation of processes to minimise the repetition of errors, engagement with IOCCO inspectors, and overseeing the implementation of post inspection action plans.



2.13 In accordance with the Acquisition and Disclosure of Communications Data Code of Practice, the Council will not acquire communications data without using the SPoC services of NAFN, who will monitor the quality of notices and authorisations.

2.14 The Council will ensure that applicants, the designated person, and the senior

responsible officer receive an appropriate level of training. 2.15 The Council will ensure that in accordance with The Regulation of Investigatory

Powers (Communications Data) Order 2010 as amended, the designated person will be a “Director, Head of Service, Service Manager or equivalent”, or someone in a more senior position. The Council will ensure that the designated person is at Head of Service level as a minimum. No authorisation will be put into effect until an order has been made by the Magistrates Court approving that authorisation.

3.0 Review 3.1 This policy will be reviewed, and reports on the use of these RIPA powers will be

considered on an annual basis, by Corporate Governance and Audit Committee.



Appendix 2 RIPA Central Record – Directed Surveillance Authorisations New RIPA Matters - Issuing Unique Reference Numbers

1. On deciding that an authorisation for directed surveillance is required, the officer who intends to apply for that authorisation (“the Applicant”) must contact the officer responsible for administering the central RIPA record in Legal Services (“the Administrator”) in order to obtain a Unique Reference Number (URN).

2. Upon receiving a request for a URN (a URN Request) the Administrator must log the

matter as a new matter on a spreadsheet maintained exclusively for the purpose of recording RIPA matters (the RIPA Spreadsheet), logging the name of the Applicant, the date of the URN Request and the new URN which will be the next sequential number available. The Administrator must mark the matter as “Live” on the RIPA Spreadsheet. The Administrator must log the “Date of Next Matter Check” on the RIPA Spreadsheet and this date will be the day two weeks after the date of the URN Request unless that day would fall on a bank holiday in which case it will be the next working day thereafter.

3. Following receipt of a URN Request the Date of the Next Matter Check, as referred to

in paragraph 2 above, must be written as a reminder entry against the relevant day in a desk diary kept exclusively for the purpose of diarising RIPA Matter Checks (The RIPA Diary) with the diary reminder entry specifying the URN for the matter.

4. Having received a request for a URN for a new matter and having issued a URN for

that matter, the Administrator must revert to the Applicant by email notifying him of the URN for the matter (a URN Notification) and providing him with a link to the Home Office recommended authorisation form.

5. The Administrator must file a hard copy of the URN Notification on a lever arch file

designated for RIPA matters (the Central Record). Matters will be stored on the Central Record in their URN numerical order.

Obtaining Authorisation – Authorisation Form signed by Authorising Officer 6. As soon as possible after receiving a URN from the Administrator the Applicant must

obtain authorisation from an Authorising Officer on a completed authorisation form (an authorisation form which has been completed by both Applicant and Authorising Officer hereafter being referred to as an Authorisation Form) and thereafter must instruct Legal Services to obtain an order from a Justice of the Peace (an Authorisation Order). The Applicant must send the Authorisation Form to the Administrator. The officer in Legal Services who is instructed to obtain an Authorisation Order must provide a copy to the Administrator.

7. Upon receiving an Authorisation Form and copy Authorisation Order the Administrator

must enter on the RIPA Spreadsheet in the appropriate columns, the Date of the



Authorisation Form and the name and rank of the Authorising Officer as well as the date of the Authorising Order. If the Authorisation Form makes reference to “the Date of the First Review” the Administrator must enter on the RIPA Spreadsheet in the appropriate column this Proposed Date of First Review. The Administrator must enter into the RIPA Spreadsheet the “Automatic Expiry Date” which shall be the day 3 months from the Date of the Authorisation. If the Authorisation Form makes reference to an “Estimated Expiry Date” the Administrator must also add this Estimated Expiry Date to the RIPA Spreadsheet in the appropriate column. The Administrator must also enter into the RIPA Spreadsheet the Title of the Investigation / Operation, the Name of the directorate running the Investigation / Operation, and whether a Confidential Information Authorisation has been completed.

8. Upon receiving the Authorisation Form and copy Authorisation Order the Administrator

must file them with the URN Notification for that matter on the Central Record, having first written on it the date on which the Authorisation Form is received and having checked that the URN is shown clearly on the Authorisation Form.

Review – Review Form signed by Authorising Officer 9. If the Authorisation Form makes reference to “the Date of the First Review” the

Applicant must ensure that an Authorising Officer signs a completed review form (a completed review form signed by an Authorising Officer hereafter being referred to as a Review Form) on or immediately before that proposed Review Date and must send the Review Form to the Administrator.

10. Upon receiving a Review Form the Administrator must enter on the RIPA Spreadsheet

in the appropriate columns the Actual Date of Review and the name and rank of the Authorising Officer that signed the Review Form.

11. Upon receiving the Review Form the Administrator must file it on the Central Record

with the URN Notification, the Authorisation Form and copy Authorisation Order for that matter, having first written on it the date on which the Review Form is received and having checked that the URN is shown clearly on the Review Form.

Renewal – Renewal Form to be signed by Authorising Officer 12. Where an Applicant wants an authorisation period extended he must immediately prior

to the Automatic Expiry Date have an Authorising Officer sign a completed renewal form (a completed renewal form signed by an Authorising Officer hereafter being referred to as a Renewal Form) and must thereafter instruct Legal Services to obtain an order from a Justice of the Peace approving the Renewal (a Renewal Order). The Applicant must send the Renewal Form to the Administrator. The officer instructed in Legal Services to apply for the Renewal Order must supply a copy of that Order to the Administrator.

13. Upon receiving a Renewal Form and copy Renewal Order the Administrator must enter

on the RIPA Spreadsheet in the appropriate columns, the Date of the Renewal Form, the name and rank of the Authorising Officer that signed the Renewal Form and the



date of the Renewal Order. If the Renewal Form makes reference to “the date of the First Review” the Administrator must enter on the RIPA Spreadsheet in the appropriate column this Proposed First Renewal Review Date. The Administrator will enter into the RIPA Spreadsheet the “Automatic Renewal Expiry Date” which shall be 3 months from the date of the Renewal Form. If the Renewal Form makes reference to an “Estimated Expiry Date” the Administrator will add this Estimated Renewal Expiry Date to the RIPA Spreadsheet in the appropriate column.

14. Having received a Renewal Form and copy Renewal Order the Administrator must file

them on the Central Record with the URN Notification the Authorisation Form, the copy Authorisation Order, and any Review Forms previously received for that matter, having first written on it the date on which the Renewal Form is received and having checked that the URN is shown clearly on the Renewal Form.

Review during a Renewal Period – Review Form to be signed by Authorising Officer 15. If the Renewal Form makes reference to “the date of the First Review“ the Applicant

must ensure that the Authorising Officer signs a review form on or immediately before that Proposed Renewal Review Date and must send that Review Form to the Administrator.

16. Upon receiving the Review Form during a renewal period the Administrator must enter

on the RIPA Spreadsheet in the appropriate columns the Actual Date of First Renewal Review and the name and rank of the Authorising Officer who signed the Review Form.

17. Upon receiving a Review Form during the renewal period the Administrator must file it

on the Central Record with the URN Notification, the Authorisation Form, the Renewal Form and any Review Forms previously received for that matter, having first written on it the date on which the Review From is received and having checked that the URN is shown clearly on the Review Form.

Estimated Expiry Dates – Review or Cancellation – Cancellation Forms to be signed by an Authorising Officer 18. On any Estimated Expiry Date or Renewal Estimated Expiry Date, or as soon as

possible thereafter, the Applicant must have an Authorising Officer sign a completed review form or a completed cancellation form (a completed cancellation form signed by an Authorising Officer being hereafter referred to as a Cancellation Form) and must send the Cancellation Form or Review Form to the Administrator.

19. Upon receiving a Cancellation Form the Administrator must enter onto the RIPA

Spreadsheet the Date of the Cancellation and the name and rank of Cancellation Authorising Officer. Upon receiving a Review Form the Administrator must enter it onto the RIPA Spreadsheet in accordance with paragraph 10 or paragraph 16 above, as appropriate.



20. Upon receiving a Cancellation Form the Administrator must file it on the Central Record with the URN Notification and the Authorisation Form and any Review Forms and Renewal Forms previously received for that matter, having first written on it the date on which the Cancellation Form is received and having checked that the URN is shown clearly on the Cancellation Form. Upon receiving a signed Review Form the Administrator must enter in onto the RIPA Spreadsheet in accordance with paragraph 11 or paragraph 17 above, as appropriate.

Automatic Expiry Dates and Cancellations – 21. On any Automatic Expiry Date or Automatic Renewal Expiry Date or upon a Justice of

the Peace refusing to make an Authorisation Order or Renewal Order, or as soon as possible thereafter, the Applicant must have an Authorising Officer sign a completed cancellation form and must send that Cancellation Form to the Administrator.

22. Upon receiving a Cancellation Form the Administrator must enter it onto the RIPA

Spreadsheet in accordance with paragraph 19 above. 23. Upon receiving a signed Cancellation Form the Administrator must file it on the Central

Record in accordance with paragraph 20 above. Finalising Matters 24. If, and only if, the Administrator receives a signed Cancellation Form and is satisfied

that all of the other relevant Forms for a matter have been received, including the Authorisation Form and any Renewal Form, then the Administrator will mark on the RIPA Spreadsheet that that particular matter has been “Finalised”.

25. All matters remain Live until such time as they are Finalised. 26. If, in pursuance to paragraph 24 above, a matter has been marked as “Finalised” on

the RIPA Spreadsheet the Administrator will also mark on the Central Record that the matter has been Finalised.

Matter Checks and emailing reminders to Applicants 27. Every Live matter must be checked by the Administrator (Matter Check) every two

weeks. The first Matter Check for a matter must be two weeks after the URN Request for the matter and the subsequent Matter Checks for that matter will be fortnightly from then until the matter is Finalised. Where a fortnightly Matter Check would otherwise fall on a bank holiday it should instead be diarised for the next working day. When undertaking a Matter Check for a matter the Administrator must refer to the entries on the RIPA Spreadsheet relating to that matter and to the documents held on the Central Record relating to that matter.

28. Where, on undertaking a Matter Check, the Administrator notes that, although a URN

Notification has been sent on the matter, no Authorisation Form and copy Authorisation Order have been received, the Administrator must email the Applicant



asking for the Authorisation Form and copy Authorisation Order to be sent to him as a matter of urgency.

29. Where, on undertaking a Matter Check, the Administrator notes that, although an

Authorisation Form and copy Authorisation Order have been received for that matter, there is no Estimated Expiry Date for the matter, and no Cancellation Form received, the Administrator must email the Applicant asking him to revert to him immediately with a Cancellation Form if the surveillance operation is no longer continuing.


Authorisation Form and copy Authorisation Order have been received for that matter, and although the First Review Date (including a First Review Date in a renewal period) has passed, no Review Form has been received, the Administrator must email the Applicant asking for the Review Form to be sent to him as a matter of urgency.


Authorisation Form and copy Authorisation Order have been received for that matter, and although the Estimated Expiry Date (including an Estimated Expiry Date in a Renewal Period) has passed, no Cancellation Form, or Review Form dated on or after the Estimated Expiry Date, has been received, the Administrator must email the Applicant asking for a Review Form or a Cancellation Form to be sent to him as a matter of urgency.


Authorisation Form and copy Authorisation Order have been received for that matter, and although an Automatic Expiry Date (including an Automatic Expiry Date in a Renewal Period) has passed, no Cancellation Form or Renewal Form has been received, the Administrator must email the Applicant asking for a Cancellation Form or Renewal Form and copy Renewal Order to be sent to him as a matter of urgency.

Recording and Diarising Matter Checks on the RIPA Spreadsheet and in the RIPA Diary 33. Every Live Matter must be checked by the Administrator (Matter Check) every two

weeks, the first Matter Check being undertaken two weeks after the URN Request. Where a fortnightly Matter Check would otherwise fall on a bank holiday it must be diarised for the next working day thereafter. Having undertaking a Matter Check the Administrator must:

i) add the date of that Matter Check in the “Last Matter Check” column in the RIPA

Spreadsheet, replacing any existing date in that column. ii) add the date of that Matter Check in the next available column marked MC1, MC2,

MC3 …etc. on the RIPA Spreadsheet so that the columns marked MC1 onwards provide a complete history of all Matter Checks undertaken for every matter.

iii) add the date of the next Matter Check (two weeks hence or the next working day

thereafter if it is a bank holiday) in the “Next Matter Check” column in the RIPA Spreadsheet, replacing any existing date in that column.

34. Having undertaken a Matter Check the Administrator must add the date of the next

Matter Check (two weeks hence or the next working day thereafter if it is a bank



holiday) as a reminder entry against the relevant day in the RIPA Diary with the diary entry specifying the URN for the matter.

35. The Administrator must check the RIPA Diary on a daily basis to ascertain what Matter

Checks need to be undertaken that day.

Maintaining and Checking the RIPA Spreadsheet and the RIPA Diary

36. The Administrator must make a check of the RIPA Spreadsheet at least once every two months to check that there are no “Live” matters that have not had the fortnightly Matter Checks undertaken on them in line with this procedure.

37. No record shall be removed from the RIPA Spreadsheet without the written authority of

the relevant Head of Service, Legal Services. 38. The Administrator must make a check of the Central Record at least once every two

months to check that there are no matters in the Central Record that are not recorded on the RIPA Spreadsheet or that are Live but wrongly recorded on the RIPA Spreadsheet as “Finalised”.

39. No Matter shall be removed from the Central Record until the expiry of 3 years from

the Date of Cancellation of that matter.



Appendix 3

Regulation of Investigatory Powers Act 2000 (RIPA) - Monitoring and Quality Control Procedure

1. Introduction This Procedure sets out the monitoring and quality control measures in relation to

directed surveillance authorisations, and associated documentation issued under RIPA. For general guidance on RIPA, and for details about how the Council’s Central Record is maintained, reference should be made to the RIPA Guidance and Procedure document, and the procedure for the RIPA Central Record respectively.

2. Record keeping In accordance with the Guidance and Procedure document, and the procedure for the

RIPA Central Record, the City Solicitor will maintain

The authorisations register Original applications/ authorisations Original reviews of authorisations Original renewals of authorisations Original cancellations

in a Central Record, for at least 3 years. 3. Monitoring - General The City Solicitor will monitor and ensure the following in relation to authorisations

generally,

That authorisations are being completed in appropriate circumstances, as specified in the Guidance and Procedure document.

That authorisations relating to the following are exceptional, and are reported appropriately to the relevant Commissioner or Inspector

confidential information an authorising officer authorising their own investigation vulnerable individuals or juveniles That specific advice is given where surveillance could amount to intrusive

surveillance. That there is a renewal and/or cancellation for each authorisation. That authorisations are not being renewed unnecessarily. That authorisations are being cancelled in a timely manner. That applications are made to the Magistrates Court for orders approving

authorisations That appropriate lessons are learned in the event that the Magistrates Court refuses

to approve an authorisation.



4. Monitoring – Specific In relation to each original authorisation received, the City Solicitor will monitor the

following

The correct Home Office prescribed form has been used, (unless the use of a modified form has been approved).

The applicant has undertaken the standard training for applicants. Necessity has been explained adequately. Proportionality has been explained adequately. The correct RIPA ground has been specified. Measures have been specified to minimise collateral intrusion, where necessary. The authorising officer has undertaken the standard training for authorising officers. The authorising officer has given an appropriate summary of the conduct to be

authorised. The date and start time have been specified. Whether there has been a delay between the application being made, and

authorisation being given, and whether there are any implications for the surveillance operation.

That an authorisation or renewal for directed surveillance is for preventing conduct which constitutes one or more criminal offences punishable by a maximum term of at least 6 months imprisonment, or as specified in Article 7A(3) of the Regulation of Investigatory Powers (Directed Surveillance and Covert Human Intelligence Sources) Order 2010 as amended.

5. Training and Feedback

The City Solicitor will provide standard training for all applicants, and standard training for all authorising officers, and will maintain a central register recording which officers have received such training. Refresher training will be provided not less than once every 18 months.

Feedback from the general monitoring and specific monitoring specified above, will be

provided to the authorising officers and to the relevant services not less than once every 3 months. This feedback will also be sent to the City Solicitor, as Senior Responsible Officer.

The Guidance and Procedure document, the procedure for the RIPA Central Record, and this Monitoring and Quality Control Procedure will be reviewed once every 18 months.



Appendix 4

Human Rights Act 1998

Human Rights Audit

Public Authority

(including full address)

Leeds City Council, Civic Hall, Leeds LS1 1UR.

Name & Job Title of Officer

Full Address

Contact Details

DETAILS OF AUDIT

1. Describe the purpose of the surveillance.



2. Describe in detail the surveillance operation to be authorised and expected duration, including any premises, vehicles or equipment (e.g. camera, binoculars, recorder) that may be used.

3. The identities, where known, of those to be subject of the surveillance.

Name:

Address:

DOB:

Other information as appropriate:

4. Explain the information that it is desired to obtain as a result of the surveillance.

5. Identify on which ground in Article 8.2 of the Human Rights Act 1998 the surveillance is necessary. Delete those that are inapplicable.

In the interests of national security;

In the interests of public safety;

In the interests of the economic well-being of the United Kingdom or the Leeds area;

For the prevention of disorder or crime;

For the protection of health or morals;

For the protection of the rights and freedoms of others (including those of the Council);



6. Explain why this surveillance is necessary on the grounds you have identified.

7. Supply details of any potential collateral intrusion and why the intrusion is unavoidable.

Describe precautions you will take to minimise collateral intrusion.

8. Explain why this surveillance is proportionate to what it seeks to achieve. How intrusive might it be on the subject of surveillance or on others? And why is this intrusion outweighed by the need for surveillance in operational terms or can the evidence be obtained by any other means?





9. Officer’s Details.

Name (print) Tel No:

Job Title Date

Signature

Documents

Legal Services Regulation of Investigatory Powers Act … guidance.pdf · For All Directorates 2017 RIPA Guidance & Procedure M J Turnbull, Legal Services Page 1 Version 12 1. INTRODUCTION