Investigatory Powers Commissioner’s Annual Report 2019
Online surveillance
14.13
We frequently ask what mechanisms councils have put in place to prevent
unauthorised surveillance, particularly online, and an insufficient response will result
in recommendations to improve their rigour in this area. We recognise that there is a
temptation for council staff to access private information online utilising council-provided
or personal devices, and it will never be possible for us to know the full extent of such
activity. We have been made aware of one case where a member of council staff conducted
online enquiries for a protracted period and conducted their own private surveillance
activity, all of which was unknown to their supervisor until it was identified and reported by
a colleague. In this case, the error was reported to us and internal disciplinary action was
initiated by the local authority.
Reports to elected members
14.14
The Covert Surveillance and Property Interference CoP requires that a report be made to
Council Members on the use of RIPA powers on a quarterly basis. Where this is a nil return,
reports will often be made less frequently as part of annual compliance reporting, usually
to Audit and Standards Committees. It is important that such reporting mechanisms are
maintained to ensure that Members are afforded the opportunity to scrutinise the use of
covert investigation powers as part of the democratic process, and to annually approve the
local authority’s RIPA policy.
Communications data (CD)
14.15
During 2019 new provisions under the IPA brought a significant change to how local
authorities acquire CD. Previously under RIPA, councils could only acquire limited data to
identify the user of a telephone (now known as entity data). Under RIPA,[45] prior approval
by a judge or magistrate was required to validate an internal authorisation before CD could
be acquired.
14.16
Local authorities can now obtain both entity data and events data (for example, call billing
or cellular location details) if the appropriate thresholds are met. From 11 June 2019, the
prior approval process no longer applied; all local authority applications seeking to acquire
CD are independently considered by the Office for Data Communication Authorisation
(OCDA) (see chapter 5).
14.17
Unlike the LEAs, the IPA and the CD CoP place further requirements on councils seeking to
acquire CD. Under the Act,[46] local authorities must use the services of NAFN, which acts as
a centralised single point of contact (SPoC) service. NAFN will quality assure an application
to address any omissions or failings before submitting the application to OCDA. If the
authorisation is granted by OCDA, the NAFN SPoC will acquire the CD from the relevant
telecommunications provider and forward the data to the applicant from the requesting
authority. Currently, of the 400 or so local authorities, there are 355 registered with NAFN
but of those, only 65 sought to acquire CD during 2019.
14.18
We have seen that the requirement to use NAFN brings a number of benefits. Firstly, the
role of the SPoC requires specialist training and continuous professional development to
become proficient and competent. Maintaining an individual in this role in-house would
be challenging for local authorities in terms of cost, and the low volume of applications
[45] Sections 23A and 23B, as amended by The Protection of Freedoms Act 2012.
[46] In accordance with section 73 of the IPA and as set out in paragraphs 8.1 – 8.7 of the Code of Practice.