Investigatory Powers Commissioner’s Annual Report 2019
Definition: reportable error
A reportable error occurs when incorrect communications data is acquired; such as a disclosure
to an agency that could infringe on the rights of an individual unconnected to an operation or
investigation. Reportable errors should be recorded within five working days of their discovery.
The error report explains how the mistake occurred, indicates whether any unintended
collateral intrusion has taken place, details and confirms the destruction of data and provides
an indication of steps taken to ensure similar errors are not replicated. When a report is made,
the appropriate Senior Responsible Officer (SRO) must be sighted on the error to enable, if
necessary, any strategic changes to policy or procedures.
Data Protection Act 2018 (DPA) vs Investigatory Powers Act 2016 (IPA)
Law enforcement agencies (LEAs), including police forces, can request data from
telecommunications operators (TOs), who may disclose the data requested under exemptions
in the Data Protection Act 2018. As more LEAs have transitioned to the IPA for communications
data (CD), practical application of the legislation has highlighted a grey area where the
guidelines need to be reviewed regarding the use of these powers which result in acquisition of
CD and the clarification of what constitutes a telecommunications service.
Before the IPA, an LEA could seek certain information from online retailers under the Data
Protection Act 1998, for example if they needed data about a stolen credit card used to buy
goods online, or to identify the address of a person selling stolen property on a web-based
market place. The retailer could release that data under an exemption in the 1998 Act for use
in preventing or detecting crime. Often, the data released included elements of CD that were
inextricably linked to other account details, even though this data was not necessarily asked for
or required.
The Data Retention and Investigatory Powers Act 2014 expanded the definition of
‘telecommunications operator’ to include companies who provide internet-based services, such
as webmail and online retail. When the IPA came in, a further major change was the creation
of an offence in section 11 for knowingly or recklessly acquiring CD without lawful authority.
Although it provides an important safeguard, this offence, when combined with the ambiguity
and complexity of the definition of CD, poses significant challenges for public authorities.
For example, most online retailers do not understand themselves to be offering a
telecommunications service and do not therefore recognise the requirement to respond to a CD
notice under the IPA – instead, they often insist upon the use of the DPA. The outcome is that
for what, in most cases, are relatively straightforward LEA requests for basic user information to
assist in the detection of a crime, an authorisation for the CD element is required under the IPA
and a request under the DPA for other personal data. It also means that a CD authorisation or
notice may be sought out of an (understandable) abundance of caution (given the potential for
criminal liability), even when the data is unlikely to constitute CD.
Whilst this complies with the guidance in the Code of Practice (CoP) and Home Office advice,
it creates what we believe is often an unnecessary process for the applicant, the Office for
Communications Data Authorisations (OCDA) and the retailer, and appears to have created
additional bureaucracy above and beyond what would have been envisaged by the safeguards
introduced under the IPA. We will continue to work with LEAs and the Home Office to resolve
this issue in 2020.
89