BIG BROTHER WATCH AND OTHERS v. THE UNITED KINGDOM JUDGMENT

that any conduct to obtain communications data will be proportionate or the collateral
intrusion justified.
...
The single point of contact
3.19. The single point of contact (SPoC) is an accredited individual trained to
facilitate lawful acquisition of communications data and effective co‑operation
between a public authority and CSPs. Despite the name, in practice many
organisations will have multiple SPoCs, working together. To become accredited an
individual must complete a course of training appropriate for the role of a SPoC and
have been issued the relevant SPoC authentication identifier. SPoCs in public
authorities should be security cleared in accordance with their own organisation’s
requirements. Details of all accredited individuals are available to CSPs for
authentication purposes.
3.20. Communications data should be treated as information with a classification of
OFFICIAL and a caveat of SENSITIVE, though it may be classified higher if
appropriate. When handling, processing, and distributing such information, SPoCs
must comply with local security policies and operating procedures. The SENSITIVE
caveat is for OFFICIAL information that is subject to ‘need to know’ controls so that
only authorised personnel can have access to the material. This does not preclude, for
example, the disclosure of material or the use of this material as evidence in open
court when required. Rather, the classification and caveat of OFFICIAL ‑
SENSITIVE makes clear that communications data must be treated with care, noting
the impact on the rights to privacy and, where appropriate, freedom of expression of
the subjects of interest and, depending on the data, possibly some of their
communications contacts. Communications data acquired by public authorities must
also be stored and handled in accordance with duties under the Data Protection Act.
3.21. An accredited SPoC promotes efficiency and good practice in ensuring only
practical and lawful requirements for communications data are undertaken. This
encourages the public authority to regulate itself. The SPoC provides objective
judgement and advice to both the applicant and the designated person. In this way the
SPoC provides a ‘guardian and gatekeeper’ function ensuring that public authorities
act in an informed and lawful manner.
3.22. The SPoC should be in a position to:

• engage proactively with applicants to develop strategies to obtain
communications data and use it effectively in support of operations or
investigations;

• assess whether the acquisition of specific communications data from a CSP
is reasonably practical or whether the specific data required is inextricably
linked to other data;

• advise applicants on the most appropriate methodology for acquisition of
data where the data sought engages a number of CSPs;

• advise applicants and designated persons on the interpretation of RIPA,
particularly whether an authorisation or notice is appropriate;

• provide assurance to designated persons that authorisations and notices are
lawful under RIPA and free from errors;
