CHAPTER 6: POWERS AND SAFEGUARDS
RIPA safeguards
6.71.
RIPA sets up a range of safeguards to ensure the proper collection, storage and use
of intercepted communications and communications data. Those safeguards do not
apply to the collection of information via the other routes identified above, which may
be governed by their own safeguards such as the handling arrangements under the
SSA 1989 and ISA 1994.
6.72.
RIPA s15 contains a set of general safeguards concerning intercepted material:
(a)
The number of persons, copies and times that that information is shared is
restricted to the minimum that is necessary (s15(2)). The Interception Code
makes clear that this applies to persons both within and outside the agency.72
As a result, data are only shared only on a “need-to-know” basis. Further
disclosure requires either the originator’s permission or the application of explicit
safeguards to the secondary recipients. Those safeguards are not in the public
domain.73
(b)
Material must be destroyed as soon as there are no longer any grounds for
retaining it for an authorised purpose (s15(3)).
(c)
The material must be stored in a secure manner (s15(5)).
6.73.
Unlike the position in relation to intercepted material, RIPA places no restrictions on
the retention or use of communications data.74 Section 23(3) provides that a s24(4)
notice to a service provider may require it to disclose data to another police force.
However, further disclosure between authorities is not specifically addressed either
within RIPA or the Codes of Practice.
6.74.
Therefore, the framework that largely or exclusively controls its use is the Data
Protection Act [DPA 1998].75 But DPA 1998 s28 allows the Secretary of State to issue
a certificate excluding material from the scope of the data protection principles and
from parts of the Act on national security grounds.76 I was informed by GCHQ that
such certificates are sometimes issued by the Secretary of State but that they only
exempt the personal data held by it from the obligation to comply with the first, second
and eighth (as well as part of the sixth) data protection principles.77
72
73
74
75
76
77
Interception Code, para 6.4.
Ibid., para 6.5.
Unless that communications data is related communications data collected in association with an
interception warrant. The Interception Code contains surprisingly little detail on the use such material.
The Criminal Procedure and Investigations Act 1974 and the Management of Police Information
principles will also apply in the context of material obtained for the purposes of a criminal investigation.
Acquisition Code, chapter 7, addresses data use to some degree, though it is focused on the conduct of
service providers, rather than the authority that has gathered the data.
Those certificates are not drafted to as to exempt the intelligence agencies from compliance with the fifth
and seventh principles and as a result data must not be kept for longer than is necessary, having regard
to the purposes for which it was obtained. Furthermore those data must be subject to appropriate
technical and organisational measures against unauthorised or unlawful processing of the data and
accidental loss of the data in question.
113