Investigatory Powers Commissioner’s Annual Report 2019
Serious error investigations
18.38 We investigate all relevant errors (see para 18.11 for further information) that are reported
to us which we judge may fall within the definition of a serious error as set out in the IPA.
Circumstances which we judge to be potentially serious remain:
i. technical errors relating to the communications service provider (CSP) secure-disclosure
systems which result in a significant number of erroneous disclosures;
ii. errors when a public authority has initiated a course of action that has an adverse impact
on someone (for example, sharing information with another public authority stating
a person is suspected of a crime; when an individual is visited, or a search warrant is
executed; or there is an arrest); and
iii. errors which result in the wrongful disclosure of a large volume of CD or a particularly
sensitive data set.
18.39 We undertook 18 serious-error investigations in 2019 and determined that 14 cases were
serious errors, namely where an instance of non-compliance has resulted in significant
prejudice or harm to an individual or individuals. The IPC has a duty to inform affected
parties of a serious error under section 231 of the IPA, if he judges that this is in the public
interest. These cases are summarised at Annex C.
Table 6: Serious errors by cause, 2019
Error Type
Identifier
Applicant
Single Point of Contact
Telecoms Operator
3
1* (2 IP)
1
Time Date
1 (1 IP)
Data
4
Misinterpretation – Identifier
2 (1 IP)
Misinterpretation – Data
1
Total
4
1 (1 IP)
4
6
*Error 1 – two different addresses visited.
18.40 The IPC judged that significant harm was clearly apparent in four of the 14 cases where
we made a determination. This number has fallen from eight in 2018. Three of these cases
involved the upload of indecent images and the fourth was a crime in action. Common to
all was the need to resolve the customers allocated to an IP address at a specified time and
date. As shown at Annex C, in two of those cases, the IPC wrote to the affected person(s)
informing them of their rights to apply to the Investigatory Powers Tribunal (IPT) if they
wished to do so.
18.41 As noted at paragraph 18.26, our serious error investigations included errors relating to
TOs. In three investigations the definition of ‘relevant error’ was not met because the error
was made by a TO, not a public authority. In two of these cases, we judged that significant
harm to a person had occurred, but no determination could be made. However, it is
possible that the operation of data protection legislation may result in a notification to the
affected party of the error. We have not, therefore, informed any individuals of harm which
we believe to have met this threshold.
18.42 Errors made on the identifier or the time and date of IP usage pose the greatest risk of a
serious error. Out of the 1,011 reportable errors, 506 fell into this high-risk category. Of