IPCO Annual Report 2017
using a different device from the one which is of interest. The analysts processing the
data routinely detect these errors; they promptly suspend the interception and delete
any material that has been gathered. It follows that although the interception of these
communications was properly authorised, there was unintended intrusion into the privacy
of individuals who were not of intelligence interest. The operational teams within the
intercepting agencies must be alert to this risk, and immediately suspend interception
whenever this mistake is detected.
14.20
IPCO accepts that it is inevitable that some errors, whether due to human or technical
mistakes, will occur. Nonetheless, the interception agencies, warrant granting departments
and CSPs are required to report them to IPCO promptly. They should provide an explanation
as to what had occurred and demonstrate that the measures put in place to prevent any
recurrence are sufficiently robust. They must facilitate any investigation by IPCO and ensure
that any erroneously acquired material or data that was not of legitimate intelligence interest
has been destroyed.
Acquisition of targeted communications data
14.21
Under the code of practice, an error can only occur after a DP has granted an authorisation
and the acquisition of data has been initiated, or a notice has been given and it has been
served on a CSP. The likelihood of errors occurring increases if the processes under the code
of practice for acquiring or obtaining communications data have not been properly followed.
14.22
Errors that do not result in the return of any data should nonetheless be recorded by
the relevant public authority and reviewed by the SRO. Consideration should be given to
implementing measures that will prevent recurrence. Errors in this category clearly constitute
‘near misses’, in that individual rights were not breached.
14.23
Errors that result in data being wrongly acquired are of greater concern, given the likelihood
that privacy and other rights will have been infringed. These errors are reported to the
Commissioner and an account is provided which details how the error occurred and any
remedial action that has been taken to prevent recurrence.
14.24
If the Commissioner considers the error to be serious, he will instigate an investigation
into the relevant circumstances and assess any adverse impact. The Commissioner may
inform relevant individuals of the infringement, and anyone adversely affected may make
a complaint the Investigatory Powers Tribunal.
14.25
In 2017, 926 errors were reported to the Commissioner by relevant public authorities, of
which 33 were considered to be serious and resulted in further investigation (see Annex B).
In 2016, IOCCO reported that it had been notified of 1,200 errors and conducted 29 serious
error investigations. Whilst we are unable to say with absolute confidence whether this
drop is significant and reflecting changes in the way in which data is being acquired, it is in
all probability a positive development. It is interesting to note that the number of IP related
errors dropped from 244 in 2016 to 200 in 2017 when the quantity of internet-related data
acquired had generally increased (Figure 12 in CD Chapter). This may reflect the attention
public authorities have given to the issue of erroneous IP address resolution following
considerable focus by IOCCO on the issue in the past 3 years.
95