32
IPCO Annual Report 2018
5.24
In advance of an interception inspection, we ask the intercepting agency or WGD to
provide a full list of the relevant authorisations. This will include contextual details to aid
the process of selecting particular authorisations for scrutiny at inspection. Casework is
reviewed, to establish whether the internal documentation adequately sets out the matters
taken into consideration, including why the interception is deemed necessary and how
intrusion into privacy will be managed and minimised. We interview individuals involved in
the interception, including analysts and linguists.
5.25
A significant proportion of authorisations are reviewed where the application was originally
approved under the urgent provisions, or when the requesting agency judged that there
was likely to be confidential or privileged material. The policies and practices that are
designed to safeguard sensitive material are considered with care.
5.26
More generally, throughout 2018, we worked with the interception agencies to ensure
that their systems and processes were adequate to meet the requirements of the IPA.
Where possible, query-based searches are conducted to test compliance and identify how
the intercepted material is being used. We consider whether intrusion was appropriately
handled and minimised and whether the interception was stopped at the appropriate
point in the operation. We also look at whether the retention, storage and destruction
arrangements are adequate.
Communications Data (CD)
5.27
Annual CD inspections range from three to five days in duration, depending on the size
of the force or agency and the volume of CD that is acquired. For example, one Inspector
might visit a small force to assess their compliance, whilst a larger metropolitan force
or agency will require a team of Inspectors in order to target individual themes and
disciplines.
5.28
Our CD inspections are designed to ensure public authorities are acquiring CD for the
correct statutory purpose and in compliance with RIPA and the Codes of Practice (CoP).
We scrutinise their records and, in particular, focus on the methodologies used to ensure
any unrelated private information that has been unavoidably obtained is appropriately
documented and handled.
5.29
Before an inspection, we require the authority to complete a schedule of information; this
will include any relevant statistics and documentation and we then select the records for
inspection. The key staff involved in the application, authorisation and acquisition of CD
are interviewed. In some cases, we conduct a ‘reverse audit’ whereby a selection of data is
obtained directly from a telecommunications operator and cross referenced to the relevant
application in the force or agency. This is to ensure data has been acquired for the correct
statutory purpose.
5.30
Certain key themes are pursued on every CD inspection:
• The operational independence of the senior officer who authorises the acquisition of CD
(known as the Designated Person);
• Any applications that relate to sensitive professions;
• Data acquired in support of internal professional standards investigations;
• Data acquired under an oral authorisation using the urgency provisions;