100
Investigatory Powers Commissioner’s Annual Report 2019
essential that WPAs have the necessary training and awareness arrangements in place to
provide practical examples and scenarios that users can relate to in their day-to-day roles.
13.10
In the spirit of the legislation, WPAs use covert tactics only if available overt means of
achieving their objectives have been considered. Our 2018 report highlighted failings by
certain WPAs clearly and explicitly to set out the activities that were being authorised.
At our 2019 inspections we noted improvements in this area, for example when directed
surveillance powers were exercised we found that documented considerations were clearer.
However, there is still room for improvement in proportionality considerations, such as
setting out which overt tactics had been considered or used without gaining the required
information. We have found when reviewing casework that AOs who have a background
in law enforcement tended to be more familiar with the human rights principles engaged
by the processes under the Regulation of Investigatory Powers Act 2000 (RIPA), and
therefore will often attain much higher standards of compliance than their colleagues.
We believe that the opportunity for these officers to share their knowledge and act as
mentors to their colleagues should be taken to improve the overall standard of applications
and authorisations.
Communications data
13.11
In 2019, we inspected 13 public authorities, all of which had used their communications
data (CD) powers in some capacity during the year.40 Compared to the law enforcement
agencies (LEAs), these public authorities are generally low-volume users of powers.41 During
our inspections we review a higher than typical proportion of authorisations, addressing
the risk that less frequent applicants might not document considerations and apply
safeguards to the expected standards. This risk, however, is also limited by the structures in
place under the IPA to process CD requests.
13.12
The schedules to the IPA set out which authorities can use specific powers and are subject
to revision. In 2019, Schedule 4 was commenced with the effect that four additional public
authorities became able to obtain CD. These authorities are: Food Standards Agency
(FSA); Food Standards Scotland – Scottish Food Crime and Incidents Unit; Department for
Communities in Northern Ireland and Department for the Economy in Northern Ireland –
Trading Standards. As these public authorities only recently had the power to obtain CD
granted or re-granted to them we did not conduct inspections in 2019. In 2020, we will
review any applications that these authorities have made as well as the adequacy of their
systems and processes for handling and safeguarding that data.
13.13
WPAs all apply for CD with independent authorisation via the Office for Communications
Data Authorisations (ODCA) (see chapter 5), except in exceptional circumstances e.g. urgent
cases. Following transition to the IPA, WPAs can acquire both entity and events data if they
fulfil the necessary statutory criteria. For many, this makes data that is more complex and
40 The Competition and Markets Authority (CMA); the Criminal Cases Review Commission (CCRC); the
Department for Transport – Air Accident Investigation Branch (AAIB) and the Maritime and Coastguard
Agency (MCA); the Department for Work and Pensions (DWP); the Home Office Immigration and
Enforcement Directorate (HOIE); the Department of Health and Social Care – Medicines and Healthcare
Products Regulatory Agency (MHRA); the Gambling Commission; the Gangmasters and Labour Abuse
Authority (GLAA); the Health and Safety Executive (HSE); the Independent Office for Police Conduct (IOPC);
the Ministry of Justice – Her Majesty’s Prison and Probation Service (HMPPS), and the Serious Fraud Office
(SFO).
41 With the exception of the Department of Work and Pensions and the Serious Fraud Office, which conduct
investigations using CD on a more frequent basis because of their remit.