Both opposition parties (now in power) before the General Election focussed on Local Authorities as the main abuser of Regulation of Investigatory Powers Act (RIPA) powers, and to some extent the Investigatory Powers Tribunal's recent decision re Poole Borough Council appears to reinforce that view (see references).
The Tribunal concluded that the Council’s procedures were at fault (they are in fact very sloppy), the surveillance was too extensive, and the purpose underpinning the surveillance operation uncertain. This was also accompanied by the fact that Poole had already decided to stop this surveillance practice - a prior admission of “guilt” if ever there was one.
However, many observers are missing the obvious and freely criticise the Council. Instead, I would argue that the Poole Borough Council case is a symptom of a far deeper malaise and that the real problem is an appalling system of regulation which the previous Government established (the Office of the Surveillance Commissioner – OSC). In short, it is the absence of effective checks and balances to the misuse of self-authorising, wide ranging, surveillance powers that allows “Poole-type” practices to flourish.
First to the facts surrounding Poole’s use of RIPA powers. The Council, like most Local Authorities, have some very oversubscribed schools. It was tipped off (twice) that two parents (Ms Paton, her partner identified as C2 in the Tribunal Decision) and their three children (aged 10, 8 and 3 - identified as C3, C4 and C5) were trying to secure a place for their youngest child (C5) at a popular school by providing false details. Child C4 was already enrolled at the school and C3 had attended that school throughout his primary school career.
Despite a sibling already at the primary school (usually an important factor in primary schools admissions policy), Poole decided to check the allegations, especially as the mother and her partner owned two properties, one of which was in the catchment area of the school and the other wasn’t. Given the sibling rule, it is reasonable to assume that Poole was also thinking of removing child C4 as well as denying C5 a place, something not emphasised in the Tribunal adjudication.
So how should Poole resolve the issue of: “which property are the family living in?”. Poole’s answer to this dilemma was to authorise itself to undertake directed surveillance on all the family members for 22 days prior to any meeting with any parent?
You don’t need to go any further to identify the problems in Poole’s approach. Do you really need 22 days surveillance to answer a trivial “domestic” question when you can ask the parents/guardians to prove residence?
Do you really need to seek a directed surveillance authorisation that refers to monitoring a 3 year old (assuming C5 is not a species of “feral toddler” on the verge of getting an ASBO)?
Do you need to use surveillance powers associated with criminal activity when it is very uncertain that a crime can actually be committed (and where one can be very certain that the children are not committing any crime!).
These are the kinds of issues that the Tribunal considered (under the guise of "proportionality" and "necessity") and Poole, not unsurprisingly, lost its case, hands-down. So who should shoulder the blame? Are you sure it is Poole Borough Council? Or somebody else?
The first comment to make is that the Surveillance Commissioner does not have the power to do much other than raise problems in Annual Reports – and he has being doing this for years. In his 2007/8 Annual Report, for example, the Surveillance Commissioner stated that local authorities “have a tendency to expose lack of understanding of the legislation by completing documentation poorly”. He added “In particular there is a serious misunderstanding of the concept of proportionality" (paragraph 9.2)
In his 2008-9 Annual Report he says that most Local Authorities do not train their staff properly about RIPA powers:
“In many authorities where executive officers, legal advisers or motivated individuals show an interest in the legislation, and where there is investment in practical training for authorising officers as well as awareness education for potential applicants, there is a high standard of compliance. The performance of these authorities sets the benchmark, but they are not yet in the majority” (my emphasis from Section 9 of the 2008-9 Report)
In this report under the heading “Common causes of error” he states that the areas that have received the most criticism on inspection include:
- “a continuing failure on the part of Authorising Officers properly to demonstrate that less intrusive methods have been considered and why they have been discounted in favour of the tactic selected";
- "the failure of Authorising Officers, when cancelling authorisations, to give directions for the management and storage of the product of the surveillance";
- "Authorising Officers not knowing the capability of the surveillance equipment which they are authorising", and
- "Poor internal audit by senior management”.
For good measure the 2009/10 report continued the theme and states: “I am concerned that some applicants and authorising officers in public authorities other than law enforcement agencies claim to be unaware of OSC Guidance”, and noted that Local Authorities like Poole are inspected by the OSC for one day every three years. Less than 1 in a 1000 chance of a visit - hardly a risk!
(By the way, this is an improvement on the Northern Ireland position identified in the 2007/8 report: “I have not inspected the Local Authorities in Northern Ireland as I have not been given the power to do so. I note that these authorities have never been inspected”). Earlier reports from the Commissioner also raised similar issues re lack of training and poor management.
Now look at the cost of the system of regulation at the OSC. Excluding its other regulatory responsibilities, the 2009/10 Report identified 23,762 directed surveillance operations. Since there are about 15 operational OSC staff, that is a work load of 1,600 directed surveillance operations per person each per year so each staff member has about a half dozen new ones per working day to consider (if they indeed they are considered).
The cost of the OSC in 2009/10 was £1,585,000 (I have excluded a £150K office move). This means the cost of regulation for each directed surveillance operation is about £67 each. Now compare that £67 spent on reporting on the status of “privacy protection” with the cost of the 22 days of effort expended at Poole on surveillance? What conclusion do you draw?
Now to be clear, I am not getting at the OSC staff – they are hard working and not to blame. Evey day, they have to play a hand of poker where the only cards they are dealt are seven-deuce in different suits.
Under RIPA most surveillance is undertaken by bodies that report to the Home Office. RIPA is Home Office legislation where rules, Codes of Practice and secondary regulations are all established by a Home Secretary and his law enforcement advisors. The Regulator is appointed by the Prime Minister who is also responsible for surveillance policy. Parliament has little role other than to receive the OSC’s Annual Report, once the Prime Minister has had the chance to remove anything he does not like.
Quite simply, what has happened is this: the Department of State responsible for designing a system of privacy protection has produced one that has minimal interference with its functions with respect to surveillance. Is anyone surprised by that?
However one can recognise the systemic error: to have the same body creating the system of protective regulation as well as wanting a system of surveillance. This doesn't work because there is an unresolveable internal conflict that inevitably creates weak regulators - like those who cannot enforce proper rules of protection but can huff and puff in largely unread Annual Reports. The solution is also apparant: to have a system of privacy protection produced independently from those in charge of the surveillance policy.
In short, the problem is that previous Government built a weak system of regulation designed not to rock its surveillance boat. And in such circumstances, it is not surprising that the outcome is RIPA cases like that at Poole Borough Council.
If Poole type cases can't rock the boat, nothing will - and that is why the whole system of privacy protection under RIPA has to be taken away from the Home Office and the Government of the day.
References: Annual Reports of the OSC from http://www.surveillancecommissioners.gov.uk/about_annual.html.
Tribunal Decision from http://www.poole.gov.uk/news/ref:N4C56ACFE8ACC1 (top right). It will appear eventually on http://www.ipt-uk.com/default.asp?sectionID=17
Marketing: We have a set of Data Protection courses (Edinburgh commencing in late August and in Manchester late September). Our next FOI course is in London (commencing 20th September) and in Leeds (commencing 19th October). Update sessions (at £95+VAT is a snip). We also have onsite courses on RIPA and CCTV. Details on www.amberhawk.com.