84
IPCO Annual Report 2018
officers, demonstrated the success of previous training programmes; officers were well
aware of when a RIPA authorisation might become necessary and how to authorise their
actions. Elsewhere, we have commonly made recommendations that all staff should receive
enhanced training so that they recognise when online activities, particularly social media
research, would constitute surveillance.
12.11
We were impressed with the RIPA and open source training programmes undertaken by a
number of organisations in response to previous recommendations.
12.12
We have often found applications and review casework in public authorities to be longwinded, and not focused clearly on the central considerations. We have continued to see
casework that is often formulaic and does not pay sufficient regard to the specifics of the
case being considered. We have recommended that documentation should be succinct and
bespoke, which would give us a higher level of confidence that the Authorising Officer (AO)
has considered the key elements and has an accurate understanding of the anticipated level
of interference with privacy.
12.13
However, we have also seen evidence of high standards of compliance in the management
of CHIS and undercover officers in certain organisations. However, we were concerned that
some public authorities showed a lack of understanding of when a member of the public or
other informant should be considered a CHIS. We believe that this is particularly important
for organisations that do not have the power to authorise use of CHIS and must therefore
not establish covert reporting relationships. We have suggested that, irrespective of their
power, a public authority has a duty of care towards any individual that provides them with
information on which they might later act, and therefore ought to have in place a system of
recording such details as would enable them to assess whether the status of the informant
has drifted. We were pleased to see that some authorities had established a system to
regularly review the status of individuals providing information.
12.14
At the end of 2018 we received a report of a potential error which we investigated and
will therefore report in more detail in 2019. An authority reported that they had been
receiving intelligence from an individual, who had not been authorised as a CHIS, since
2017. While there is no obligation, legally, to authorise an individual as a CHIS, in this case
the nature of the relationship was such that we would have expected the activity to have
been authorised and managed under RIPA. Our inspection raised wider concerns, which we
expect to be remedied over the coming year.
12.15
As shown in figure 23, use of CHIS has generally fluctuated in recent years, but we saw little
change from 2017. The public authorities continue to be relatively low users of this tactic
and we expect this to continue over the coming years.
Communications Data
12.16
These public authorities are generally low users of communications data (CD) powers.
The processes they follow are the same as those undertaken by local authorities. Some
authorities have their own staff trained as accredited Single Points of Contact (SPoC) to
acquire data from telecommunications operators, whilst others utilise the centralised
services of the National Anti-Fraud Network (NAFN), which is described further in the
next chapter in line with others from 2019. Public authorities will be required to apply for
communications data by independent authorisation via the Office for Communications Data
Authorisations (ODCA).