66
BIG BROTHER WATCH AND OTHERS v. THE UNITED KINGDOM JUDGMENT
Excess Data
6.26. Where authorised conduct by a public authority results in the acquisition of
excess data, or its disclosure by a CSP in order to comply with the requirement of a
notice, all the data acquired or disclosed should be retained by the public authority.
6.27. Where a public authority is bound by the CPIA and its code of practice, there
will be a requirement to record and retain data which is relevant to a criminal
investigation, even if that data was disclosed or acquired beyond the scope of a valid
notice or authorisation. If a criminal investigation results in proceedings being
instituted all material that may be relevant must be retained at least until the accused
is acquitted or convicted or the prosecutor decides not to proceed.
6.28. If, having reviewed the excess data, it is intended to make use of the excess
data in the course of the investigation or operation, an applicant must set out the
reason(s) for needing to use that material in an addendum to the application upon
which the authorisation or notice was originally granted or given. The designated
person will then consider the reason(s) and review all the data and consider whether it
is necessary and proportionate for the excess data to be used in the investigation or
operation. As with all communications data acquired, the requirements of the DPA
and its data protection principles must also be adhered to in relation to any excess data
(see next section).
7 DATA PROTECTION SAFEGUARDS
7.1. Communications data acquired or obtained under the provisions of RIPA, and
all copies, extracts and summaries of it, must be handled and stored securely. In
addition, the requirements of the DPA and its data protection principles must be
adhered to.
7.2. Communications data that is obtained directly as a consequence of the
execution of an interception warrant must be treated in accordance with the safeguards
which the Secretary of State has approved in accordance with section 15 of RIPA.
Disclosure of communications data and subject access rights
7.3. This section of the code provides guidance on the relationship between
disclosure of communications data under RIPA and the provisions for subject access
requests under the DPA, and the balance between CSPs’ obligations to comply with a
notice to disclose data and individuals’ right of access under section 7 of the DPA to
personal data held about them.
7.4. There is no provision in RIPA preventing CSPs from informing individuals
about whom they have been required by notice to disclose communications data in
response to a Subject Access Request made under section 7 of the DPA. However a
CSP may exercise certain exemptions to the right of subject access under Part IV of
the DPA.
7.5. Section 28 of the DPA provides that data are always exempt from section 7
where such an exemption is required for the purposes of safeguarding national
security.
7.6. Section 29 of the DPA provides that personal data processed for the purposes
of the prevention and detection of crime, the apprehension or prosecution of
offenders, or the assessment or collection of any tax or duty or other imposition of a
similar nature are exempt from section 7 to the extent to which the application of the
provisions for rights of data subjects would be likely to prejudice any of those matters.