Report of the Interception of Communications Commissioner - July 2016
•
for example, section 22(2)(d) in the interests of public safety or section 22(2)
(e) for the purpose of protecting public health when the requirement related
to the prevention or detection of crime;
the relevance of the date or time periods sought had not been justified.
7.53 Record-keeping (44 recommendations). We found that in a number of cases the
record-keeping requirements in Paragraphs 6.1 to 6.8 of the Code of Practice (including a
number of the revised statistical requirements) were not complied with, specifically:
•
•
applications under section 22(2)(b) were being incorrectly categorized by
crime type - either the list of offences did not align properly to statutory
offences or to the Home Office’s recorded crime list or, the list was being
applied inconsistently by applicants.
the procedures in place for applications processed outside the main workflow
system, e.g. by specialist departments or those approved orally, had not been
amended to meet the revised statistical requirements.
7.54 DP independence (34 recommendations). Paragraph 3.12 of the Code of
Practice states that DPs must be independent from operations and investigations
when granting authorisations, or giving notices related to those operations. This is a
strengthening of the previous Code of Practice which stated that DPs should not be
responsible for granting authorisations or giving notices in relation to investigations in
which they are directly involved.
7.55 This policy change in March 2015 was brought about in response to the European
Court of Justice (ECJ) Judgement which struck down the Data Retention Directive
(2006/24/EC) on the grounds the Directive did not include sufficient safeguards as to
why and by whom such data may be accessed. The Judgment did not prevent Member
States implementing their own laws requiring the retention of communications data but
it did critically note that the Directive itself contained no safeguards for access to the
retained data, including in relation to the independence of the person authorising access
to the retained data.
7.56 In our July 2015 report we set out that we were concerned that SPoCs within public
authorities seemed to be unaware of the detail of the policy changes in the March 2015
Code of Practice. The period allowed by the Government for the drafting, consultation
and implementation of the Code of Practice was ambitious, and with hindsight, more
extensive consultation with key stakeholders and more time for all to consider the issues
properly would have enabled some of the provisions to be better refined to make certain
matters clearer. It would also have ensured that all public authorities were aware of the
changes and had time to consider the operational implications.
7.57 We received a number of questions from public authorities regarding the change
in policy around DP independence and its operational consequences. On 1 June 2015 we
published a circular to SROs to provide clarification about the new provisions and to assist
public authorities to implement procedures to comply. This was a significant change for
a number of the larger public authorities (such as police forces, intelligence agencies
60
@iocco_oversight