Investigatory Powers Commissioner’s Annual Report 2019
more intrusive available to them for the first time. In brief, entity data will identify the
user of a device or address, while events data may identify communications (but not their
content) made by the device during a given timescale and could identify where the device
was when it was being used. For this reason, the request needs carefully to be structured
to ensure that only the necessary data is requested and obtained. The increased complexity
when applying for and handling events data supports the need for subject matter expertise
in both the application and acquisition of data: this role is fulfilled by OCDA and the Single
Point of Contact (SPoC).
13.14
As at other authorities, the role of the SPoC is vital to ensuring compliance standards
are maintained. Dependent on their size and structure, some public authorities have
their own staff trained42 as accredited SPoC to acquire data from telecommunications
operators (TOs), whilst others utilise the centralised services of the National Anti-Fraud
Network (NAFN) (see chapter 14). In some cases, we observed that using a single inhouse SPoC provided little resilience for the organisation. We advise that a collaboration
agreement43 is appropriate to resolve this risk, by giving the authority access to additional
accredited SPoCs. We have also recommended at times that the authorities must ensure
that the national list of accredited SPoCs is properly updated when individuals move and
change roles.
13.15
Our inspections of CD generally noted a high standard of compliance. In respect of the
application records we sampled, we continue to be satisfied overall that the documentation
reflects the complexities of their investigations and justifies the principles of necessity,
proportionality and collateral intrusion. We made a small number of recommendations,
most of which related to how the organisation was addressing Internet Protocol Address
Resolution (IPAR), record keeping when relying on urgent oral provisions and effecting
changes within applications. As noted in chapter 18, IPAR is a priority for our oversight
because CD applications relating to IPAR have historically resulted in a high proportion of
errors. IPAR requests are a new capability for WPAs so our priority has been to ensure that
processes implemented at each authority adequately reflect the National Error Reductions
Strategy of the National Police Chiefs Council (NPCC).
13.16
We made a number of common observations which are intended to encourage greater
efficiency and standardisation across the authorities we oversee. For example, in some
cases we noted that authorities were using national templates but without the benefit
of common workflow systems which are designed to automate certain processes and to
eliminate human transposition errors. Similarly, authorities that do not have access to
telecom operator (TO) portals, and therefore rely on manual interaction, would benefit in
efficiency terms from adopting this methodology.
13.17
We understand that low-volume use by a public authority impacts upon any justification
to have multiple SPoCs or to support any business case to introduce bespoke workflow
systems or access TO portals. In cases where it is not appropriate or proportionate to adopt
these measures, we advise that engagement with OCDA will assist with those requests
seeking data types new to the public authority and ensure the correct course of conduct is
being applied.
42 As set out in the Code of Practice (CoP) paragraph 4.4, the Home Office National Communications Data
Service works with public authorities to ensure all accredited SPoCs receive adequate training, run by the
College of Policing, and issue accredited SPoC with a unique identifier.
43 Under section 78 of the Act, public authorities may enter into a collaboration agreement which allows
one public authority to use a SPoC working for another authority. These provisions are clarified in the
CoP paragraphs 8.55-8.58. A written agreement should be in place, and the Home Office must be notified
before the agreement is in place.
101