FA Blog 1

The Investigatory Powers Act & Comms Data

The Investigatory Powers Act (IPA) became law in 2016 – many aspects of the new legislation have already been brought into use, but there has been a long lead up to some of its key features being enacted.

Part of the motivation for the IPA was based on a recognition that the framework for the lawful acquisition of communications data (CD) as laid out in the Regulation of Investigatory Powers Act 2000 (RIPA) wasn’t adequately independent – an impression that was reinforced by a ruling from the European Court of Justice (ECJ) in December 2016 that the data retention practices employed by the UK were unlawful. The ECJ came to this ruling partly based on the fact that the CD retention regulations provided under RIPA were not subject to judicial oversight and therefore weren’t thought to be sufficiently independent.

Under RIPA, regulated authorities (police forces, security services and some other public bodies) are able to lawfully intrude into a citizen’s communications records if the application is approved by a suitably senior officer within that organisation – subject to the request satisfying the thresholds of necessity, proportionality and lawfulness – so RIPA essentially allowed requests for comms data disclosure to be self-certified within the organisation that was requesting it.

Arguably, this regime was open to abuse and required more rigour, or at the very least was open to charges that the authorisation process might not be sufficiently insulated from the investigatory processes within the requesting organisation. There’s an equally strong argument to say that, due to Freedom of Information (FOI) legislation, the CD authorisation activities of regulated authorities are open to public scrutiny and can be shown to have been fairly applied in the vast majority of cases.

Irrespective of the merits or otherwise of the RIPA regime, the IPA has ushered in a new methodology which, on the face of it, should be more independent, but whether it is more transparent is another matter.

One of the key structures introduced by the IPA is the Investigatory Powers Commission (IPC). The IPC’s Judicial Commisioners are all current or former judges and the idea is that whole sphere of CD activity comes under their impartial and independent scrutiny. Day-to-day activities of the IPC are handled by Investigatory Powers Commissioner’s Office (IPCO) which is currently headed by Sir Adrian Fulford.

Potentially, the biggest shake up to be triggered by the IPA is related to another organisation created under the auspices of the IPC, the Office of Communications Data Acquisition (OCDA).

Under RIPA, regulated authorities had a hierarchy of officers authorised to request comms data from Communications Service Providers (CSPs). Data applicants (i.e. investigators or analysts) could make an application to obtain CD and would forward it to a Designated Person (DP) within their organisation for approval – a DP was usually a Superintendent or equivalent senior officer. If the DP authorised the request, a Single Point of Contact (SPoC) officer would be authorised to request the CD from a CSP and the CSP would be given legal protection to disclose that information.

This process is organised into a series of ‘grades’ – a CD request is graded according to the severity of the incident or crime being investigated. Grade 1 requests relate to immediate threat to life situations and were acted upon immediately by the CSP; Grade 2 requests relate to serious incidents that might lead to death, serious injury or significant criminality and were fulfilled within a few hours; Grade 3 cover everything else and could sometimes take up to a month to be fulfilled.

Under the IPA, the CD acquisition arrangements are significantly altered – much of the authorisation work previously handled ‘in house’ is passed to an independent organisation called the Office for Communications Data Authorisations (OCDA), which operates under the control of the IPC. Within this new structure, Grade 1 requests are still handled internally within the requesting organisations but Grade 2s and Grade 3s will be managed by OCDA, although Grade 2s can be handled internally if there is a risk that OCDA won’t fulfil the request in time.

OCDA staff, based in Birmingham and the North West, are charged with reviewing requests for CD disclosure made by UK authorities and either approving or rejecting them based on the merits of the request.

In principle, the aims and intentions of OCDA are laudable – decisions about the disclosure of sensitive, private communications meta data are taken out of the hands of individuals whose decisions might be influenced by operational imperatives or personal knowledge of the cases in question, and are given over to an independent organisation with no knowledge of the operations or individuals involved.

In practice the implementation of OCDA has raised some concerns – the Birmingham OCDA office plans to deal with ‘ordinary’ crime-related disclosure requests, while the North West office will deal with other types of request. Whereas all or most regulated authorities can be expected to have a DP on duty (or at least on call) 24 hours a day, OCDA work from 7am to 10pm – this is partly why control of Grade 1s is retained by the individual authorities. In place of the hundreds of DPs that are available across UK LEAs, OCDA will have a much smaller staff, so there is potential for authorisation delays to mount up as the workload on OCDA rises.

The build up to full operation of the OCDA model is being phased – only a handful of forces have so far moved over to the new model and time will tell if the new methods will be as effective as the old ones. In general, a system that offers more oversight and independent decision making has to welcomed, but the risk that the acquisition of critical CD disclosures might be delayed or that requests might be rejected can’t be ignored – comms data forms such a key part of the modern investigative landscape that any threat to the availability of that data has to be taken very seriously.

The UK law enforcement community will welcome the arrival of OCDA, but will be watching closely to make sure that it delivers on its promises and doesn’t disrupt the flow of vital evidence in major investigations.

If this resonates with you, let’s discuss.