Errors paras 6.7 to 6.18
Errors
6.7 Proper application of the Act and thorough procedures for operating its provisions, including the careful preparation and checking of applications, notices and authorisations, should reduce the scope for making errors whether by public authorities or by CSPs.
6.8 An error can only occur after a designated person:
- has granted an authorisation and the acquisition of data has been initiated, or
- has given notice and the notice has been served on a CSP in writing, electronically or orally.
6.9 Where any error occurs, in the grant of an authorisation, the giving of a notice or as a consequence of any authorised conduct or any conduct undertaken to comply with a notice, a record should be kept and a report made to the Commissioner. Recording and reporting of errors will draw attention to those aspects of the process of acquisition and disclosure of communications data that require further improvement to eliminate errors and the risk of undue interference with any individual’s rights.
6.10 Any failure by a public authority to correctly apply the process of acquiring or obtaining communications data set out in this code will increase the likelihood of an error occurring. This section of the code cannot provide an exhaustive list of possible causes for an error. They can, for example, fall into one of the following categories:
- an authorisation or notice made for a purpose, or for a type of data, which the relevant public authority cannot call upon, or seek, under the Act;
- human error, such as incorrect transposition of information from an application to an authorisation or notice or the disclosure of communications data by the CSP other than that specified on a notice;
- an authorisation granted for a public authority to engage in impractical conduct;
- a notice given which is impossible for a CSP to comply with and an attempt to impose the requirement has been undertaken by the public authority;
- disclosure or acquisition of data in excess of that required, where a SPoC may have failed to identify that the required data is inextricably linked to or inseparable from other data and it was reasonable for the SPoC to have known that or the CSP failed to identify that compliance with the notice entailed the disclosure of data outside of the scope of the notice;
- failure to review information already held, for example seeking the acquisition or disclosure of data already acquired or obtained for the same investigation or operation, or data for which the requirement to acquire or obtain it is known to be no longer valid.
6.11 Communications identifiers can be readily transferred, or ‘ported’, between CSPs. When a correctly completed authorisation or notice results in a CSP indicating to a public authority that, for example, a telephone number has been ‘ported’ to another CSP does not constitute an error – unless the fact of the porting was already known to the public authority.
6.12 When an error has been made the public authority which made the error, or established that the error had been made, must report the error to the authority’s Senior Responsible Officer and then to the Commissioner, in written or electronic form, as soon as is practical. All errors should be reported individually. If the report relates to an error made by a CSP the public authority should also inform the CSP of the report in written or electronic form. This will enable the CSP to investigate the cause or causes of the reported error.
6.13 The report sent to the Commissioner, in relation to any error by a public authority, must include details of the error, explain how the error occurred, indicate whether any unintended collateral intrusion has taken place and provide an indication of what steps have been, or will be, taken to ensure that a similar error does not reoccur. When a public authority reports an error made by a CSP, the report must include details of the error and indicate whether the CSP has been informed or not (in which case the public authority must explain why the CSP has not been informed of the report).
6.14 Where a CSP discloses communications data in error it must report each error to the Commissioner. It is appropriate for a person holding a suitably senior position within a CSP to do so and to provide an indication of what steps have been, or will be, taken to ensure that a similar error does not reoccur. Errors by service providers could include responding to a notice by disclosing incorrect or excessive data or by disclosing the required data or excessive data to the wrong public authority.
6.15 Where authorised conduct by a public authority results in the acquisition of excess data, or a CSP discloses data in excess of that required by a notice, all the data acquired or disclosed should be retained by the public authority and the error reported.
6.16 After the error has been reported, and it is intended to make use of the excess data in the course of the investigation or operation, an applicant must set out the reason(s) for needing to use that material in an addendum to the application upon which the authorisation or notice was originally granted or given. The designated person will then consider the reason(s) and review all the data and consider whether it is necessary and proportionate for the excess data to be used in the investigation or operation.
6.17 Where a public authority is bound by the CPIA and its code of practice, there will be a requirement to record and retain data which is relevant to a criminal investigation, even if that data was disclosed or acquired beyond the scope of a valid notice or authorisation. If a criminal investigation results in proceedings being instituted all material that may be relevant must be retained at least until the accused is acquitted or convicted or the prosecutor decides not to proceed.
6.18 Where material is disclosed by a CSP in error which has no connection or relevance to any investigation or operation undertaken by the public authority receiving it, that material and any copy of it should be destroyed as soon as the report to the Commissioner has been made.