Investigatory Powers Commissioner’s Annual Report 2019
12.45
We review overarching policies and consider the level of understanding and adherence
to those policies within the agency to be essential to their adequacy. We therefore test
internal policies and procedures by asking staff who transcribe the material directly how
they manage and process it. We also conduct searches on LEA internal IT systems to
confirm that any confidential material has been deleted when it should have been or, if
retained, that the appropriate authorisations are in place. As a final step, we check that, if
LPP or confidential material has been collected, this fact has been mentioned and given
due consideration in any renewal application. We were pleased to note that across the
board there was very good compliance with the handling of LPP and confidential material.
Since the introduction of the IPA, the intercepting LEAs have introduced more quality
control and resources to ensure that their safeguards are robust. This was clear through our
interviews with staff.
Communications data (CD)
12.46
2019 brought the most significant change to how LEAs acquire communications data (CD)
since legislation was first introduced under RIPA in 2000. In response to the European Court
of Justice ruling,[31] the IPA was amended to implement two major changes: the introduction
of a serious crime threshold[32] and independent authorisation of all routine applications to
acquire CD by OCDA (see chapter 5). Our inspections have overseen the adequacy of this
transition and how well forces have met the different requirements of RIPA and the IPA
pre- and post-transition.
12.47
The fundamental requirements of acquiring CD have not changed and the main focus of
our inspections has been to ensure that applications and authorisations are necessary for
one of the relevant statutory purposes, proportionate in what the application seeks to
achieve, and that due regard has been paid to the risk of obtaining any unrelated private
information (collateral intrusion).
12.48
Overall, the general standard of compliance across LEAs is high, due in no small part to
those LEA staff members who act as Single Points of Contact (SPoCs) and the integral
role they play to maintain compliance and manage key areas of risk. We have found that
the SPoC role provides both challenge and quality control for applications. SPoCs we
have interviewed demonstrated a good level of knowledge of the technology and tactics
available to the force, which allows them to advise and challenge Senior Investigating
Officers (SIOs) on the most appropriate method of applying CD tactics. This is essential to
ensuring compliance with necessity and proportionality principles, whilst safeguarding the
privacy of the public. We have been pleased to note a decrease in the number of reportable
errors, which we believe has resulted from the professionalisation of the SPoC role as well
as the introduction of auto-acquisition of CD[33] and the introduction of the National Errors
Reduction Strategy.
[31] Joined cases C-203/15 and C-698/15.
[32] This was implemented at the end of 2018, see IPCO’s 2018 Annual Report paragraph 2.40.
[33] Once authorised, the data can automatically be acquired through the workflow system without the need for
the request to be manually re-typed into a separate portal.