Reading between the lines of the latest Annual Report of the Surveillance Commissioner (published last week) there is much to worry about; a lack of resources is undermining privacy protection and the system of supervision.
As well as this significant degradation in privacy protection, the Surveillance Commissioner hints that the monitoring of users on the Internet might be unlawful if it does not consider the requirements of the Regulation on Investigatory Powers Act 2000 (RIPA). He also implies that the surveillance practices of the private sector should be subject to regulation.
In addition, the Report notes that the Department of Work (DWP) and Pensions and the Police appear to be circumventing some requirements of the Regulation on Investigatory Powers Act 2000 (RIPA) and points to the damage caused by the inadequate training of those who authorise RIPA surveillance.
This blog reviews all these issues (link to the Report at the end of the blog).
The DWP and police bypass RIPA requirements
In his Report, the Surveillance Commissioner identifies that with respect to directed surveillance, the DWP are now authorising Local Authorities. In relation to benefit fraud, any DWP authorisation removes the need for Local Authorities to obtain its own authorisation to perform directed surveillance from a magistrate as now required by the Protection of Freedoms Act 2012. This mechanism sidesteps the much vaunted protection of that Act (see references for a blog on this Act).
The evidence for this is in the Report; it notes that 4,309 directed surveillance authorisations were “granted by the Department of Works and Pensions”. The report then speculates that the DWP “authorises the use of directed surveillance conducted on its behalf by many local authorities” and that this “may account for the low statistics from other local authorities”.
In relation to the Police, the Report states that “I am less happy to discover that the proper ANPR authorisation process can be circumvented using the Police National Computer. I do not desire to prevent the use of this very useful tool, but the ease with which ANPR can be used for directed surveillance demands that authorisation processes should not be circumvented”.
Data sharing problems
In relation to data sharing, the Report notes concerns over the sharing of personal data which relate to the product of covert surveillance. These problems are:
• “First, there must be adequate protection of sources, techniques and product and this is not always apparent when there is no human in the loop to challenge the need to know”.
• “Secondly, I do not detect much effort by some authorising officers to make adequate arrangements for the destruction of product which was the result of collateral intrusion or not of value to the investigation or not properly authorised” and that “The default solution appears to be in favour of retention”.
• “The necessity and proportionality of retaining data, which may later be shared in a different context, is as important as the necessity and proportionality of obtaining it in the first place”.
All I would say is that the above involve possible breaches of the First, Third, Fifth and Seventh Data Protection Principles. The latter also raises a Second Principle issue, and clearly, any data sharing should be subject to the Code of Practice on data sharing (not mentioned in the Report). Any reader who works for a public authority that uses RIPA, might want to check on the above.
Is Internet surveillance subject to RIPA?
With respect to the Internet, the Report notes that the working assumption appears to be that Internet surveillance does not fall under RIPA. The Report however states that to the contrary, “some research using the Internet may meet the criteria of directed surveillance” and this is “particularly true if a profile is built by processing data about a specific individual or group of individuals without their knowledge”.
The Report then spells it out; “The Internet is a surveillance device as defined by RIPA section 48(1)” and that “surveillance is covert if, and only if, it is conducted in a manner that is calculated to ensure that persons who are subject to the surveillance are unaware that it is, or may be taking place”.
The Report adds that “Knowing that something is capable of happening is not the same as an awareness that it is or may be taking place. The ease with which an activity meets the legislative threshold demands improved supervision”.
Can you pause for a moment here: fair processing notices which generally state that some kind of surveillance “may happen” could easily fall within the problem the Surveillance Commissioner has highlighted.
Surveillance by private sector is uncontrolled
The Report states that the “Monitoring the activity of investigative journalists or other non-public authority entities (such as private investigators working on behalf of insurance companies) is not within my remit”.
The Report then adds that as public authorities have to be held accountable (e.g. by RIPA) “it seems to me odd that the use of techniques that would require authorisation if conducted by a public body is accepted, without apparent challenge, if it is not conducted on behalf of the State”.
The Report concludes that “invasions of privacy of this nature are unregulated” and that “The public should be confident that there are adequate mechanisms so far as public authority covert surveillance is concerned; but there is no system of regulation of surveillance for covert investigative, commercial or entertainment purposes”.
The Report gives an example of where regulation is needed: “the Commissioner believes that the use of privately owned ANPR systems for a covert purpose should be subject to authorisation if it is to be used for the benefit of a public authority operation or investigation”.
The Surveillance Commissioner’s resources
The Report notes that the Commissioner’s budget “has always been less than £2 million” and that “the budget for 2011-12 was reduced to £1.58 million”. This sum covers the cost of supervising the use of directed surveillance on 12,015 occasions, 2,646 property interferences, 408 intrusive surveillance of which 82% are urgent, and 3,361 uses of covert human intelligence sources. Summing these, we can say that there were 18,430 “surveillance events” covered by the period of the Report.
So if we assume that the cost of supervision by the Commissioner is about the same for each surveillance event, then £1.58 million covers 18,430 surveillance events. This works out at £85.73p per surveillance event – a very marginal sum at best which, in my view, sends a message that supervision is not valued!
This lack of resources reflects the depth of supervision. The Report, for instance, notes that “My Assistant Commissioners and Inspectors can only carry out a dip sample of authorisations at inspections. ... The Commissioners do not contemporaneously examine authorisations for other types of covert surveillance”.
To misquote the late James Goldsmith: “Pay peanuts – get sheep dipping".
Lower protection by the Protection of Freedoms Act 2012
I think the Report provides evidence that the Protection of Freedoms Act 2012 reduces RIPA protection in the context of Local Authorities.
This evidence arises from the firm rejection of “a Home Office proposal that I should report on the performance of the many thousands of magistrates who, when the Protection of Freedoms Act 2012 commences, will be enabled to approve the authorisation of covert surveillance by local authorities under RIPA”. The Commissioner then notes that he does not possess the powers to report on magistrates and that “In any case, I do not have the resources to take on this task”.
One conseqeunce of the Protection of Freedoms Act is that,in this case, the training of 400 authorisation officer (one from each Local Authority) has been exchanged for the training of thousands of magistrates.
It is well known that surveillance is used by Local Authorities sparingly; they are a minor user of RIPA authorisations. Whereas an authorisation officer for a Local Authority will over time become familiar with the issues associated with granting authorisations for surveillance events, magistrates will not because they might not even deal with one event per year.
In other words, I think the risk of an erroneous authorisation in the context of Local Authority use of RIPA’s enabling powers has increased.
The absence of training
The lack of training will also result in many RIPA mis-authorisations. This is demonstrated by the following quotes from the Report; they don’t need any amplification from me.
“The loss of expertise in law enforcement agencies as a result of redundancy and career termination is noticeable in many forces. An increasing number of authorising officers have limited experience of covert operations; some compensate by detailed scrutiny, others succumb to the assertions of more experienced applicants or the demands of their other responsibilities”.
“An increased need for training appears to exceed the capacity of diminishing training budgets. There is an increased reliance on internal training delivery; the quality varies considerably from one authority to another”
“Using covert technology because it is easier, cheaper or potentially quicker is a temptation many authorising officers accept as a compelling argument. In some cases it may be proportionate, but in many cases other less intrusive or overt options could be considered. Proportionality is not the same as convenience and a lack of resources should not be a significant factor in decision-making”.
“I expressed concern, at paragraph 5.15 of my last report, at the ignorance of many non-law enforcement agencies regarding CHIS. The situation has not improved. I remain concerned that many non-law enforcement authorities still cannot properly identify a CHIS...”
Looking at this Report in the round, one concludes therefore that much RIPA activity is in fact unregulated and depends on the good-faith of the organisation undertaking the surveillance to follow the rules. However, increasingly, those who authorise RIPA surveillance are not fully trained in best practice and that an increasing number of incorrect authorisations is a likely consequence.
If this is the result, then the system of RIPA supervision, which many already believe to be inadequate, will ultimately fail. Self authorisation of surveillance activity cannot possibly work if those authorising the surveillance are inexperienced and do not know the law.
Annual Report of the Chief Surveillance Commissioner to the Prime Minister and to Scottish Ministers for 2011-2012 on http://www.official-documents.gov.uk/document/hc1213/hc04/0498/0498.pdf
Why the Protection of Freedoms Act changes to the RIPA regime are inconsequential. http://amberhawk.typepad.com/amberhawk/2011/03/ripa-changes-in-freedoms-bill-negligible-improvement-in-privacy-protection.html