IPCO Annual Report 2017
8.36
There were 61 inspections in this context during 2017. Two were at the intelligence agencies,
44 at law enforcement agencies, 14 at other public authorities and there was one inspection
of NAFN (for local authorities).
8.37
IPCO also has a role in overseeing errors committed by public authorities in acquiring
communications data (see the Errors and Breaches Chapter)
Inspection methodology
8.38
Prior to an inspection, the inspectors review the errors which have been reported to the IPC
over the course of the relevant period and consider the materials the public authorities are
required to make available no later than two weeks before the inspection.
8.39
The inspections involve a review of (i) a representative sample of the requests for data;
(ii) the actions of the SPoC, including advice offered to the applicant and the DP; (iii) the
recorded considerations of the DP, which should include a necessity and proportionality
assessment; (iv) the use made of the acquired data; and (v) other relevant matters, such as
whether there is a central record of documentation and the effectiveness of any recording
and reporting of errors resulting from the acquisition or disclosure of the data.
8.40
Many of the larger public authorities manage the process of acquiring, disclosing and
retaining data on a secure, auditable ‘workflow’ database. An interrogation of these
workflow systems through query-based searches enables the inspectors to analyse large
volumes of applications.
Inspection reports
8.41
The inspectors’ findings are reflected in a template report which is provided to the authority.
The report focuses principally on compliance with the legislation and the code of practice,
and whether data is being acquired lawfully for a statutory purpose which the organisation
is entitled to use.
8.42
Any findings of non-compliance are likely to result in recommendations. These are colour‑coded
depending on the level of non-compliance:
• Red recommendations address areas of immediate concern, including serious breaches
or incidents of non-compliance with RIPA or the CoP;
• Amber recommendations focus on non-compliance of lesser seriousness, but which could
nonetheless lead to breaches; and
• Green recommendations highlight where efficiencies and effectiveness could be improved.
8.43
Following receipt of the report, the SRO must respond to the recommendations, outlining
whether they are accepted and detailing any proposed remedial action.
Findings
8.44
During the course of the year, all the public authorities inspected demonstrated an
acceptable level of compliance but the SROs have been encouraged to consider the
detailed recommendations with care, and to implement the inspectors’ advice.
8.45
In 2016, 55 authorities received 235 recommendations (10 Red, 144 Amber and 81 Green).
The 235 recommendations resulted from 68 inspections, an average of 3.45 recommendations
per public authority.
59