Authorisations paras 3.18 to 3.24
Authorisations
3.18 An authorisation provides for persons within a public authority to engage in specific conduct, relating to a postal service or telecommunications system, to obtain communications data.
3.19 Any designated person in a public authority may only authorise persons working in the same public authority to engage in specific conduct. This will normally be the public authority’s SPoC.
3.20 The decision of a designated person whether to grant an authorisation shall be based upon information presented to them in an application.
3.21 An authorisation may be appropriate where, for example:
- a CSP is not capable of obtaining or disclosing the communications data;[40]
- a designated person believes the investigation or operation may be prejudiced if notice is given to a CSP to obtain or disclose the data;
- there is an agreement in place between a public authority and a CSP relating to appropriate mechanisms for disclosure of communications data, or
- a designated person considers there is a requirement to identify a person to whom a service is provided but a CSP has yet to be conclusively determined as the holder of the communications data.
- [40] Where possible, this assessment will be based upon information provided by the CSP.
3.22 An authorisation is not served upon a CSP, although there may be circumstances where a CSP may require or may be given an assurance that conduct being, or to be, undertaken is lawful. That assurance may be given by disclosing details of the authorisation or the authorisation itself.[41]
- [41] See also paragraph 3.47
3.23 Requirements to identify a person to whom a service is, or has been, provided – for example telephone number subscriber checks – account for the vast majority of disclosures under the Act. As a consequence of these requirements, some CSPs permit the lawful acquisition of this data by SPoCs, subject to security and audit controls. Where a SPoC has been authorised to engage in conduct to obtain details of a person to whom a service has been provided and concludes that data is held by a CSP from which it cannot be acquired directly, the SPoC may provide the CSP with details of the authorisation granted by the designated person in order to seek disclosure of the required data.[42]
- [42] Where details of an authorisation are provided to a CSP in writing, electronically or orally those details must include the same information as would have been provided in a notice served upon the CSP for the same data.
3.24 An authorisation[43] – the original or a copy of which must be retained by the SPoC within the public authority – must:
- be granted in writing or, if not, in a manner that produces a record of it having been granted;[44]
- describe the conduct which is authorised and describe the communications data to be acquired by that conduct specifying, where relevant, any historic or future date(s) and, where appropriate, time period(s);
- specify the purpose for which the conduct is authorised, by reference to a statutory purpose under 22(2) of the Act;
- specify the office, rank or position held by the designated person granting the authorisation. The designated person should also record their name (or designation) on any authorisation they grant, and
- record the date and, when appropriate to do so, the time[45] when the authorisation was granted by the designated person.
- [43] Where the grant of an authorisation is recorded separately from the relevant application they should be cross-referenced to each other. See also footnote 32.
- [44] See also paragraph 6.1
- [45] Recording of the time an authorisation is granted (or a notice is given) will be appropriate in urgent and time critical circumstances.