Report of the Interception of Communications Commissioner - 2016

An examination of urgent oral approvals to confirm that the process was used appropriately.
A review of the errors reported or recorded, including checking any measures put in place
to prevent recurrence.
Number of inspections. In 2016, my inspectors conducted 68 communications data
inspections. These reviewed 52 police forces and law enforcement agencies, 3 intelligence
agencies, and 13 ‘other’ public authorities including the National Anti-Fraud Network
(NAFN), which acts as the SPoC for all local authorities.
The length of an inspection depends on the type of body being inspected and its communications
data usage. The inspections of larger users, such as police forces and intelligence agencies, are
conducted by at least two inspectors and take place over 3 or 4 days. The inspections of smaller
volume users can be conducted over a day by a single inspector.
Query-based searches. IOCCO works closely with the software companies that supply
secure auditable systems for administering communications data applications for most
police forces and law enforcement agencies. These systems can be searched to give
better insight into the activities undertaken by the authorities. This enables specific areas
to be tested for compliance and to identify trends, for example:
Records of authorisers’ considerations enable inspectors to confirm that that they are
discharging their statutory duties responsibly, that they are of the requisite seniority or
rank and that they are independent of the investigation.
Applications for large amounts of communications data or for particularly intrusive
datasets are tested to confirm that the requirements of necessity and proportionality
have been applied appropriately.

Inspection Findings and Recommendations
Following the inspection, IOCCO publishes an inspection report setting out its findings
and recommendations and giving a judgement on the overall level of compliance. These
reports identify the level of compliance against a set of baselines, which are derived
from Chapter 2 of Part 1 RIPA and the Code of Practice. When necessary, they contain
recommendations with a requirement for the public authority to report back on progress
against the implementation of remedial action.
The total number of recommendations made during the 68 communications data
inspections in 2016 was 235. 55 public authorities received at least 1 recommendation. A
traffic light system (red, amber, green) allows public authorities to prioritise remedial action:
Red recommendations are of immediate serious breaches or areas of non-compliance
with the law or of the code of practice.
Amber recommendations identify where there has been non-compliance but to a lesser
extent. Remedial action should prevent potential escalation to more serious breaches.
Green recommendations are issued where the public authority could act more efficiently
or where better practices are available.
This year, 10 recommendations (4.3%) were red, 144 (61.3%) amber and 81 (34.4%) green.
14

@iocco_oversight

Select target paragraph3