
June 12, 2006

RIPA Part III Consultation and draft CoP

The Home Office has published, with as little fanfare as possible (paper published on Tuesday, press release only on Friday), the threatened public consultation on RIPA Part III i.e.

Regulation of Investigatory Powers Act 2000: Part III Investigation of Electronic Data Protected by Encryption etc

- after a delay of over 6 years !

The introductory blurb:
Consultation on the Draft Code of Practice for the Investigation of Protected Electronic Information - Part III of the Regulation of Investigatory Powers Act 2000

The document:
Consultation paper, and Draft Statutory Code of Practice on Investigation of Protected Electronic Data (293 K )

However, since this (.pdf) document seems to use non-standard fonts, this means that most people will not be able to Copy and Paste any of the text into their responses to this Public Consultation.

We will try to discover if this is a deliberate attempt to be bothered with as few responses to this Public Consultation as possible, or if it is Yet Another Example of the Home Office being:

"Not fit for purpose. It is inadequate in terms of its scope, it is inadequate in terms of its information technology, leadership, management systems and processes"

Home Secretary John Reid. 23rd May 2006

Thanks to JR, a reader of Spy Blog, who overcame this technical hurdle with some Optical Character Recognition software, we have forced the text of the Consultation Document and of the Draft Code of Practice, pointless footnotes and all, into HTML format, which is published in reasonable chunks below.

Hopefully this will be of use to those veterans of the UK Crypto wars (see the Foundation for Information Policy Research RIPA archive), who provided such detailed and knowledgeable responses to the Government's handwaving, when the original Regulation of Investigatory Powers Act was proposed.

Who now remembers when Charles Clarke MP was the junior Under-secretary of State at the Home Office in charge of Policing, who failed to convince the audience at the seminal "Scrambling for Safety" conference in March 2000, at the London School of Economics, of the merits of the then Home Secretary Jack Straw's proposed legislation ?

We welcome any comments on the documents below, and will try to summarise them in our submission to the Public Consultation, by the 30th August 2006.

UPDATE 19th December 2006:

The schedule and some of the speaker presentations from the Scrambling for Safety 8 seminar organised by FIPR on August 14th 2006 are available online.

Simon Watkin, from the Home Office's Covert Investigation Policy team, said that they could still be influenced by submissions and evidence, up until the Code of Practice is finalised for presentation to Parliament. This was due to happen before the Christmas recess, but nothing has been published yet, so there may still be time to get your views considered over the Christmas and New Year Parliamentary recess.

Summary, paragraphs 1 to 10

Home Office

Investigation of Protected Electronic Information
A public consultation

A PUBLIC CONSULTATION

Summary

This consultation paper seeks views on the contents of a draft statutory code of practice on investigation of protected electronic data, which relates to the exercise and performance of the powers and duties that will arise from the implementation of Part III of the Regulation of Investigatory Powers Act 2000.

The Government welcomes comments on the draft before the code is laid before Parliament for approval later this year.

You are invited to provide a response by 30th August 2006:

  • by e-mail to: encryption@homeoffice.gsi.gov.uk or

  • by post to:
    Graeme McGowan,
    Covert Investigation Policy Team,
    Home Office,
    5th Floor,
    Peel Building,
    2 Marsham Street,
    London SW1P 4DF

Introduction

1. The development of technologies that use, store and protect electronic data has had a profound effect on all of our lives over the last ten years. Those technologies are providing ever more new and diverse opportunities to communicate and share information, to learn, to be entertained and to do business.

2. For electronic business transactions in particular, whether it is providers in a supply chain or individuals buying services online, the need to be able to protect electronic data in order to communicate orders securely and to store customers' and clients' data securely is integral to the continuing development of electronic business - and to making the UK the best place in the world to do electronic business.

3. However the same technologies that are enabling electronic business to flourish, and enabling individuals to secure the increasing amounts of data they hold about their own daily lives, are also being used by terrorists and criminals to facilitate and conceal evidence of their unlawful conduct so as to evade detection or prosecution.

4. Terrorists and criminals have always sought to conceal evidence of their conduct and communications, but technology is offering new ways to do so. Where documents were once stored in a safe or a secure cabinet, which could be broken into without a key by law enforcement officers, they can now be stored electronically and their contents made unintelligible without a key which gives access to the data and, if not the same one, a different key which makes sense of the data. Electronic communications can equally be made unintelligible to anyone other than those communicating with each other.

5. Protected electronic data has the effect of frustrating enquiries in the immediate period following the arrest of suspects and the seizure of computer equipment and data storage media. Where information or evidence cannot be readily derived from protected electronic data that delay can put pressure upon charging decisions against custody time limits and can, potentially, lead to individuals who pose a threat to the public being released without charge.

6. Part III ('Part III') of the Regulation of Investigatory Powers Act 2000 ('the Act') established powers to impose a requirement upon a person to put protected electronic information into an intelligible form or to disclose a key which will enable the data to be put into an intelligible form. Those provisions have not yet been implemented because the development and adoption of encryption and other information protection technologies has been slower than was anticipated when the Act was passed. The Government has, however, kept under review the need to implement the provisions in Part III, by taking account of the extent to which protection of electronic data has frustrated law enforcement and obstructed the delivery of justice to victims.

7. Over the last two to three years, investigators have begun encountering encrypted and protected data with increasing frequency. This, and the rapidly growing availability of encryption products including the advent of encryption products as integrated security features in standard operating systems, has led the Government to judge that it is now timely to implement the provisions of Part III.

8. Section 71 of the Act provides that the Secretary of State shall prepare and publish a draft code of practice, and consider representations made to him about the draft. The purpose of this consultation is to invite comments on the draft code of practice for Part III.

9. Some reading this consultation paper will recall an illustrative draft of the code which was made available to Parliament and the public when the (then) Regulation of Investigatory Powers Bill was before Parliament. We are grateful for the comments received at that time, and subsequently. So far as possible, those earlier comments have been taken into account in this revised draft of the code, which has been substantially rewritten.

10. This formal consultation provides an opportunity to tell the Government if there is anything more or anything different that should be included in the code before it is put to Parliament for approval.

Consultation Questions para 11

Consultation Questions

11. Your comments and views are invited on the following questions:

  1. Does the draft code contain the guidance that you would expect to see in a statutory code of practice for Part III of RIPA?
  2. Is there anything that should be added to or removed from the draft code?
  3. Is the code clearly written and easy to understand? If not, please indicate where it might be made clearer.
  4. Are there any other comments you would like the Government to consider in relation to the draft code?

Additional Consultation Questions paras 12 to 19

Additional Consultation Questions

12. Although not part of the code itself, the Government has undertaken to Parliament, in the context of consulting on the code, to invite views on whether the penalty of two years imprisonment, in section 53 of RIPA, for knowingly failing to comply with a requirement to disclose protected electronic information in an intelligible form or to disclose a key to that information should be extended in cases related directly or indirectly to offences involving the possession of indecent images or pseudo-indecent images of children.

13. There are a number of cases where protected electronic information has frustrated investigations of offenders convicted of possession of indecent images or prevented the prosecution of suspects or identification of victims.

  • Suspect charged with possession of a collection of images including extreme level 4 images (penetrative adult abuse) of babies and some level 5 images (sadism and bestiality). Encrypted files were seized that the police cannot access, giving rise to concern they may contain worse material.
  • Suspect charged with possession of a huge amount of level 1 images (erotic posing with no sexual activity). These images were protected insecurely and were made intelligible. Other data remains encrypted and unintelligible.
  • Three individuals were convicted for possession and making of indecent images. All were in possession of encrypted data to which they claimed to have forgotten their passwords. That protected data and the imagery contained in it remains unintelligible.

  • Mr A was convicted of attempting to procure a child aged 10 for sex and sentenced to three years imprisonment. He was in possession of encrypted files that remain unintelligible.
  • Mr B was suspected of possession of indecent images. He was found to be in possession of 27 encrypted disks, none of which could be opened.
  • Two individuals possessed a set of encrypted disks. Only a few of these could be accessed. They were sentenced on the basis of these. The rest remain unopened.

14. In cases such as these, implementation of Part III will provide an ability to prosecute offenders who fail to comply with a lawful disclosure requirement in relation to their protected information.

15. However an offender who may face up to ten years imprisonment for possession of indecent images or pseudo-images, if their protected information is rendered intelligible, may readily accept a sentence of two years imprisonment for failing to disclose protected information or the key to that information.

16. Recognising the seriousness of knowingly failing to comply with a disclosure required in the interests of national security, where a terrorist or terrorist suspect might accept up to two years imprisonment rather than disclose their protected information, section 15 of the Terrorism Act 2006 has amended section 53 to make the appropriate maximum penalty five years in that instance.

17. The Government would therefore welcome views on whether a person found guilty of an offence under section 53 should be liable to an appropriate maximum term of more than two years where:

  • (i) that person has been previously convicted of an offence contrary to section 1 of the Protection of Children Act 1978 or section 160 of the Criminal Justice Act 1978, or
  • (ii) the apparatus or device containing the protected information contains an indecent photograph or pseudo-photograph of a child, or
  • (iii) the apparatus or device containing the protected information has come into possession of any person together with other apparatus or a device which contains an indecent photograph or pseudo-photograph of a child, or
  • (iv) the court is satisfied that the protected information is likely to contain an indecent photograph or pseudo-photograph of a child (on the basis, for example, of evidence from a witness);

18. Where, in those specific circumstances, the person found guilty of the section 53 offence could show that the protected information did not contain an indecent photograph or pseudo-photograph of a child they could be liable to no more than a maximum term of two years.

19. Your comments and views are therefore invited on the following questions:

  • (v). Do you consider that a person guilty of an offence under section 53 of RIPA should be liable to an appropriate maximum sentence of more than two years in the circumstances described in paragraph 17? If not, please say why?
  • (vi). What maximum sentence in excess of two years imprisonment would you consider to be appropriate in those circumstances, if you think it would be, and why?

The Consultation Process paras 20 to 23

The Consultation Process

20. This consultation process is being conducted in line with the Cabinet Office Code of Practice on consultation, and will last twelve weeks. Comments are invited by 30th August 2006; it may not be possible to take account of responses received after that date as the Government will want to finalise the code for the approval of Parliament as soon as possible.

21. It is intended to publish a summary of responses to this consultation on the Home Office web site and information provided in response to this consultation, including personal information, may be published or disclosed in accordance with the access to information regimes (these are primarily the Freedom of Information Act 2000 (FOIA), the Data Protection Act 1998 (DPA) and the Environmental Information Regulations 2004).

22. The information you send us may be passed to colleagues within the Home Office, the Government or related agencies.

Please ensure that your response is marked clearly if you wish your response and name to be kept confidential. If you want the information that you provide to be treated as confidential, please be aware that, under the FOIA, there is a statutory Code of Practice with which public authorities must comply and which deals, amongst other things, with obligations of confidence. In view of this it would be helpful if you could explain to us why you regard the information you have provided as confidential. If we receive a request for disclosure of the information we will take full account of your explanation, but we cannot give an assurance that confidentiality can be maintained in all circumstances. An automatic confidentiality disclaimer generated by your IT system will not, of itself, be regarded as binding on the Department.

23. Confidential responses will be included in any statistical summary of numbers of comments received and views expressed.

The Consultation Criteria paras 24 to 25

The Consultation Criteria

24. This consultation follows the Cabinet Office Code of Practice on Consultation, the criteria for which are:

  1. Consult widely throughout the process, allowing a minimum of 12 weeks for written consultation at least once during the development of the policy.
  2. Be clear about what your proposals are, who may be affected, what questions are being asked and the timescale for responses.
  3. Ensure that your consultation is clear, concise and widely accessible.
  4. Give feedback regarding the responses received and how the consultation process influenced the policy.
  5. Monitor your department's effectiveness at consultation, including through the use of a designated consultation co-ordinator.
  6. Ensure your consultation follows better regulation best practice, including carrying out a Regulatory Impact Assessment if appropriate.

25. The full Code of Practice is available at:

www.cabinetoffice.gov.uk/regulation/consultation/code

Consultation Coordinator para 26

Consultation Coordinator

26. If you have any complaints or comments about the process of this consultation, you should contact the Home Office consultation co-ordinator

Christopher Brain:

  • by e-mail to: christopher.brain2@homeoffice.gsi.gov.uk or
  • by post to:
    Christopher Brain,
    Consultation Co-ordinator,
    Performance and Delivery Unit,
    Home Office,
    3rd Floor Seacole,
    2 Marsham Street,
    London,
    SW1P 4DF

Contents - Draft Code of Practice Investigation of Protected Electronic Data

Contents

Draft Code of Practice Investigation of Protected Electronic Data

HOME OFFICE
June 2006

INVESTIGATION OF PROTECTED ELECTRONIC DATA
DRAFT CODE OF PRACTICE
FOR PUBLIC CONSULTATION

Pursuant to section 71 of
The Regulation of Investigatory Powers Act 2000

CONTENTS

1. Introduction
2. Background
3. Scope of Powers
  • Protected information
  • Description of a key
  • Electronic signature keys
  • Multi-use keys
  • Session keys
  • Possession of a key
  • Protected information in an intelligible form
  • Necessity and proportionality
4. Rules on the Giving of Notices
  • Who may give notices?
  • Who may notices be served upon?
  • Application for Appropriate Permission
  • Obtaining Appropriate Permission
  • Format of Notices
  • Description of the Protected Information
  • Time to Comply with a Notice
  • Authenticity of section 49 notices
  • Explaining the notice
  • Amending a notice
  • Contribution to costs
  • Confirmation of compliance with a notice
5. Rules on the Effect of Imposing Disclosure Requirements
6. Special Rules on the Effect of Imposing Disclosure Requirements
  • Special circumstances requiring disclosure of a key
  • Notices requiring disclosure of a key
  • Keys disclosed in support of statutory power to intercept communications
  • Keys disclosed in support of all other lawful purposes
7. Keeping of records
8. Procedures for dealing with disclosed material
  • Damages
9. Appropriate permission for the giving of notices
  • Appropriate permission granted by a judicial authority
  • Appropriate permission granted by a person holding judicial office
  • Appropriate permission granted by the Secretary of State
  • Appropriate permission granted by an authorising officer
  • Appropriate permission granted by a person exercising a statutory function
  • General requirements relating to appropriate permission
  • Appropriate additional permission for giving directions for the disclosure of keys
  • Duration of appropriate permission
10. Offences
  • Failure to comply with a notice
  • Tipping off
  • Automatic tipping off
  • Authorised disclosure
11. Oversight
12. Complaints

INTRODUCTION paras 1.1 to 1.6

INTRODUCTION

1.1 This code of practice relates to the powers and duties conferred or imposed under Part III of the Regulation of Investigatory Powers Act 2000 ('the Act'). It provides guidance to be followed when exercising powers under Part III of the Act ('Part III') to require disclosure of protected electronic data in an intelligible form or to acquire the means by which protected electronic data may be accessed or put in an intelligible form.

1.2 This code applies to the exercise and performance by any person (other than a judicial authority or a person holding judicial office) of the powers and duties conferred or imposed by or under Part III.

1.3 The code should be readily available, in written or electronic form, to members of any public authority involved in the investigation of protected electronic data and to persons upon whom any duty is imposed under Part III of the Act.

1.4 The Act provides that the code is admissible in evidence in criminal and civil proceedings. If any provision of the code appears relevant to a question before any court or tribunal hearing any such proceedings, or to the Tribunal established under the Act ('the Investigatory Powers Tribunal'), or to one of the Commissioners responsible for overseeing the powers conferred by the Act, it must be taken into account.

1.5 The exercise of powers and duties under Part III is kept under review by the Commissioners appointed under sections 57, 59 and 62 of the Act ('the Commissioners').

1.6 This code extends to the United Kingdom.

BACKGROUND paras 2.1 to 2.5

BACKGROUND

2.1 Information security technologies have allowed electronic commerce to flourish, enabling businesses and individuals to secure and protect their electronic data and to maintain the privacy of their electronic communications. Individuals going about their lawful business, both openly and privately, use these technologies every day.

2.2 Terrorists and criminals use the same technologies that afford businesses and individuals legitimate security and privacy to protect their electronic data and the privacy of their electronic communications, to conceal evidence of their unlawful conduct and to evade detection or prosecution.

2.3 At its simplest the protection of electronic data is undertaken using a password which, if correct, gives access to the data in an intelligible form. More complex applications use cryptography both to protect access to the data and to put the data itself into a form that is unintelligible without the correct password or key.

2.4 Cryptographic technologies, which have been essential to the success of ecommerce and online businesses, have various uses:

  • Authentication - guaranteeing that the originator or recipient of data is the person they claim to be;

  • Availability - assurance that the systems responsible for delivering, storing and processing data are accessible when needed, by those who need them

  • Confidentiality - protecting data to ensure that its contents cannot be read by anyone other than an intended recipient;

  • Integrity - guaranteeing that data has not been accidentally or deliberately corrupted;

  • Non-repudiation - preventing the denial of previous commitments or actions

2.5 Primarily it is application of cryptography to the confidentiality of data which is exploited by terrorists and criminals to protect their data, whether it is stored data, on a disk or other storage device, or data being communicated from one to another or from one to many others. The measures in Part III are intended to ensure that the ability of public authorities to protect the public and the effectiveness of their other statutory powers are not undermined by the use of technologies to protect electronic information.

SCOPE OF THE POWERS paras 3.1 to 3.3

SCOPE OF THE POWERS

3.1 Part III provides a statutory framework which enables public authorities to require protected information which they have obtained or are likely to obtain be put into an intelligible form; to acquire the means to gain access to protected information and to acquire the means to put protected information into an intelligible form.

3.2 The specific provisions are:

  • power to require disclosure of protected information in an intelligible form (section 49);
  • power to require disclosure of the means to access protected electronic information (section 50(3)(c));
  • power to require disclosure of the means of putting protected information into an intelligible form (section 50(3)(c)), and
  • power to attach a secrecy provision to any disclosure requirement (section 54).

3.3 Failure to comply with a disclosure requirement or a secrecy requirement is a criminal offence.

Protected information paras 3.4 to 3.7

Protected information

3.4 Protected information means any electronic data, which, without the key to the data cannot, or cannot readily:
  • be accessed, or
  • be put into an intelligible form.

3.5 Section 49(1) of the Act describes various means by which protected information has come into, or may come into, the possession of any person within a public authority.

This includes information that has been, or is likely to be:

Within the scope of section 49(1)(a) of the Act:

  • acquired by exercising a statutory power to seize, detain, inspect, search for property or to interfere with documents or other property;
    • for example, seized under a judicial search warrant under section 8 of the Police and Criminal Evidence Act 1984;
    • for example, disclosed in compliance with a judicial production order under Schedule 1 of the Police and Criminal Evidence Act 1984;

Within the scope of section 49(1)(b) of the Act:

  • acquired by the exercise of a statutory power to intercept communications, for example under a warrant issued personally or expressly authorised by the Secretary of State under Chapter I of Part I of the Act;

Within the scope of section 49(1)(c) of the Act:

  • acquired by undertaking conduct authorised under section 22(3) of the Act (authorised conduct to obtain communications data);
  • disclosed as a result of the giving of a notice under section 22(4) of the Act (notice requiring disclosure of communications data);
  • acquired by undertaking conduct authorised under Part II of the Act (whether an authorisation for carrying out directed surveillance under section 28, for carrying out intrusive surveillance under section 32, or for the conduct or the use of a covert human intelligence source under section 29);

Within the scope of section 49(1)(d) of the Act:

  • provided to, or disclosed to, a public authority in the exercise of any statutory duty whether or not the provision or disclosure of information was requested;

Within the scope of section 49(1)(e) of the Act:

  • acquired lawfully by any of the intelligence services[1], the police, Serious Organised Crime Agency (SOCA) or HM Revenue and Customs (HMRC) without using statutory powers, including information voluntarily disclosed to a public authority by a member of the public.
      • [1] The Security Service, the Secret Intelligence Service and GCHQ.

3.6 Section 49(1) provides by the words "has come in to the possession of any person .... or is likely to do so" that a public authority can seek permission to give a section 49 notice ('a notice') at the same time as seeking to exercise a statutory power to obtain the information or in anticipation of such action. This will occur in circumstances where there is an expectation that the information being sought is protected. For example an application for, and the issue of, a search warrant, production order or interception warrant may include reference to protected information likely to be seized, produced or intercepted.

3.7 A notice shall be given where a person has appropriate permission[2] and reasonably believes that:
      • [2] See Section 9 of this code.
  • a key[3] to the protected material is in possession of any person;
      • [3] Examples of the sorts of material that can constitute 'a key' are described in paragraph 3.9.
  • a disclosure requirement in respect of the protected information is necessary:
  • in the interests of national security;[4]
      • [4] One of the functions of the Security Service is the protection of national security and in particular the protection against threats from terrorism. These functions extend throughout the United Kingdom, except in Northern Ireland where the lead responsibility for investigating the threat from terrorism related to the affairs of Northern Ireland lies with the Police Service of Northern Ireland. Where a disclosure requirement is considered necessary in the interests of national security a person in another public authority should not give a notice under the Act where the operation or investigation falls within the responsibilities of the Security Service, as set out above, except where that person is a member of a Special Branch or the Metropolitan Police Counter Terrorism Command, or where the Security Service has agreed a notice may be given by a member of another public authority in relation to an operation or investigation which would fall within the responsibilities of the Security Service.
  • for the purpose of preventing or detecting crime;[5]
      • [5] Detecting crime includes establishing by whom, for what purpose, by what means and generally in what circumstances any crime was committed, the gathering of evidence for use in any legal proceedings and the apprehension of the person (or persons) by whom any crime was committed. See section 81(5) of the Act.
  • in the interests of the economic well being of the United Kingdom;[6]
      • [6] Where, on the facts of the specific case, there is a connection with national security,
  • necessary for the purpose of securing the effective exercise or proper performance by any public authority of any statutory power or statutory duty;
  • the imposition of such a requirement is proportionate to what is sought to be achieved by its imposition, and
  • that it is not reasonably practicable for the person with the appropriate permission to obtain possession of the protected information in an intelligible form without the giving of a notice.

Protected Information in an intelligible form paras 3.8 to 3.9

Protected Information in an intelligible form

3.8 In the Act and throughout this code references to protected information being 'intelligible' or 'put into an intelligible form' mean restoring the protected information to the condition it was in before being protected, whether by encryption or other process. This will be the condition in which the information or data was originally generated or processed before being protected or any condition it was in before being protected. In other words putting information into an intelligible form can include restoring it to a previously protected form to which further decryption or similar process needs to be applied to the information or data in order to comprehend it fully.

3.9 Information put into its original condition means that it must remain stable in that condition. Information is not put into an intelligible form if it is put into its original condition, or restored to a previously protected form, only momentarily or for a finite period of time.

Description of a key paras 3.10 to 3.13

Description of a key

3.10 The key to the data means any key, code, password, algorithm or other data the use of which, by itself or with another key or keys:

  • allows protected electronic data to be accessed, or
  • facilitates putting protected electronic data into an intelligible form.

3.11 All manner of material can constitute a key. It can include, for example, words, phrases or numbers written on any form of paper, plastic cards bearing numbers, electronic chips or magnetic strips and all forms of removable or fixed media for storing electronic data. Equally key material can be retained in the memory of an individual.

3.12 A key can be a plain language password or pass-phrase. It can be proprietary software that will render intelligible otherwise unintelligible data. A key can comprise more complex material such as algorithms for either or both encryption and decryption of data, and take the form of computer code (in written, source or executable form) or a functional description of the algorithm or code.

3.13 Reference to any key includes split-keys which, when used in combination, form a single key. Circumstances can arise where it is necessary to combine several split-keys before protected information can be made accessible or put into an intelligible form. This may require separate notices to be given to those persons holding the split-keys (either all of them or sufficient number of them) to require them, acting together, to access the protected information or disclose it in an intelligible form. Equally a notice may be served on a holder of a split-key who undertakes to seek the assistance of such other persons holding other parts of the key or holding any other part of the key in order to fulfil a requirement to provide access to the protected information or disclose it in an intelligible form.

Electronic signature keys paras 3.14 to 3.16

Electronic signature keys

3.14 Any key intended to be used for the purpose only of generating electronic signatures and which has not in fact been used for any other purpose can never be the subject of a disclosure requirement.[7]

      • [7] See Section 49(9) of the Act.

3.15 An electronic signature means anything in electronic form which is incorporated into or logically associated with any electronic communication or other electronic data, generated by the signatory or other source of the data, and which establishes the authenticity of the data, its integrity, or both by providing a link between the signatory or other source and the communication or data.

3.16 Where there are reasonable grounds to believe that a key used as an electronic signature has also been used for confidentiality purposes, that key may be required to be disclosed under the terms of the Act.

Multi-use keys para 3.17

Multi-use keys

3.17 Multi-use keys are keys that can be used to protect more than one item of information, or have been used for signature purposes as well as for putting information into an intelligible form or for protecting all the communications sent to a person only some of which may be the subject of a disclosure notice. Particular care should be taken when a multi-use key is required to access protected information or to disclose it in an intelligible form. The notice must explain explicitly what is required and that it is proportionate to what is sought to be achieved.[8]

      • [8] See also paragraph 8.4

Session keys para 3.18

Session keys

3.18 A session key is an encryption and decryption key that can be randomly generated to ensure the security of a single item of data, for example a file or a communication. Session keys are sometimes called symmetric keys, because the same key is used for both encryption and decryption.

Possession of a key paras 3.19 to 3.24

Possession of a key

3.19 Possession of a key by a person ('the person') can include circumstances where the key is in the possession of:

  • an employee or other individual under their control, or
  • a trusted third party or other service provider and the person has an immediate right of access to it or to have it transmitted or otherwise supplied to him.

3.20 Where the key is, or is contained in, anything which the person, an employee or other individual under their control is entitled, in exercise of any statutory power and without otherwise taking possession of it, to detain, inspect or search, that key is in the possession of the person. This means the key is, or is in, something to which the person or anyone under their control has lawful access.

3.21 Where more than one person is in possession of the key to protected information, and at least one of those is in possession of that key in his capacity as an officer or employee of a corporate body or firm and another is also an officer or employee of the body, or a partner of the firm (or is the corporate body or firm itself), a notice imposing a disclosure requirement shall not be given to any officer or employee of the body or employee of the firm who is in possession of the key unless that person is a senior officer of the body or a partner of the firm. In this context senior officer means a director, manager, secretary or other similar officer of the corporate body (and where the body is managed by its members a director means one of its members).

3.22 In practice this means notices should be served upon a person holding a position such as company secretary, legal director, chief information officer, information disclosure manager or other post designated for the purpose of receiving notices served upon the company or firm.

3.23 Where it appears to a person giving a notice that there is no senior officer of the company, or partner of the firm, or a more senior employee to whom it would be reasonably practicable to give the notice, the notice shall be given to an officer or employee in possession of the key. This means an investigator giving a notice must always seek to give that notice to the most senior officer or employee in possession of the key whether or not any less senior officer or employee of the body, or employee of the firm, would be capable of complying with the disclosure notice.

3.24 The requirements for giving a notice to corporate bodies or firms do not apply where the special circumstances of the case mean that the purpose or purposes for which the notice is to be given would be defeated, in whole or in part, if the notice were required to be given to a senior officer of the company or a partner of the firm or a senior employee to whom it would otherwise be reasonably practicable to give the notice. This can include circumstances where a senior officer of the company or a partner of the firm is the subject of, or connected to, the investigation or operation.

Necessity and proportionality paras 3.25 to 3.31

Necessity and proportionality

3.25 Exercise of the powers to require disclosure of protected information; disclosure of the means to access such information or to put it into an intelligible form may amount to interference with an individual's right to respect for their private and family life.

3.26 Such interference will be justifiable under Article 8 of the European Convention on Human Rights and in accordance with the Human Rights Act 1998 only if the conduct being required or taking place is both necessary and proportionate and in accordance with the law. The provisions in Part III are designed to meet the requirements that such activities are in accordance with law and to provide guidance to ensure that the activities are, in fact, both necessary and take place in a proportionate manner.

3.27 The person giving appropriate permission and, if different, the person with that permission must believe that the imposition of a disclosure requirement by a notice is necessary. They should consider whether other means to obtain the protected information in an intelligible form have failed, or would be bound to fail, for example that the person in possession of the key has not provided voluntarily the protected information in an intelligible form or would not do so.

3.28 He or she must also believe the imposition of that requirement to be proportionate to what is sought to be achieved by obtaining the disclosure of the protected information in an intelligible form or the disclosure of the means to gain access to the protected information or to put it in an intelligible form - that the disclosure requirement is no more than is required in the circumstances. This involves balancing the extent of the intrusiveness of the interference with an individual's right of respect for their private life against the benefit to the investigation or operation being undertaken by a relevant public authority in the public interest.

3.29 Consideration must also be given to any actual or potential infringement of the privacy of individuals who are not the subject of the investigation or operation. An application for appropriate permission to give a notice should draw attention to any circumstances which give rise to a meaningful degree of collateral intrusion.

3.30 Taking all these considerations into account in a particular case, an interference with the right to respect of individual privacy may still not be justified because the adverse impact on the privacy of an individual or group of individuals is too severe.

3.31 Any conduct that is excessive in the circumstances of both the interference and the aim of the investigation or operation, or is in any way arbitrary will not be proportionate.

RULES ON GIVING OF NOTICE paras 4.1 to 4.5

RULES ON GIVING OF NOTICES

4.1 There are a number of statutory requirements that must be met before any disclosure requirement is imposed. Primarily only a person with appropriate permission may impose a disclosure requirement upon a person in respect of specific protected information. Schedule 2 to the Act defines persons able to grant appropriate permission, persons capable of having appropriate permission and describes the circumstances in which appropriate permission can be obtained.[9]

      • [9] See section 9 of this code

Who may give notices?

4.2 Public authorities may seek permission to serve a notice in relation to protected information that has already been obtained lawfully or in relation to protected information which is not yet in their lawful possession.

Who may notices be served upon?

4.3 Section 49 notices may potentially be served on a wide variety of individuals, bodies or organisations. Individuals using products or services to protect data under their control, and businesses involved in producing or supplying such products or services, or using such technologies themselves could, conceivably, be in a position to disclose protected information in an intelligible form or to disclose a key required to put such information into an intelligible form.

4.4 Disclosure requirements are most likely to be imposed on individuals who have protected information directly relevant to an investigation or operation and are themselves a subject of, or are connected to, the investigation or operation. As a consequence of the way that information protection or cryptographic and other information technologies work, disclosure requirements may also be imposed on a person who will have a relevant key to protected information by virtue of a personal or business relationship with an individual subject of, or connected to, an investigation or operation.

4.5 It is important in all circumstances where a notice is being contemplated that careful consideration is given to whether a notice should be given, and if so, who should be given the notice. Where the imposition of a disclosure requirement upon a corporate body or firm is being considered, the person intending to seek appropriate permission must determine that body or firm would be able to comply with the proposed disclosure requirement. The imposition of a disclosure requirement upon a corporate body or firm without any prior consultation should be undertaken rarely and only in special circumstances.

Application for appropriate permission paras 4.6 to 4.8

Application for appropriate permission

4.6 Applications for appropriate permission must be made in writing or electronically to a person able to give appropriate permission. The person making the application will be a person involved in conducting an investigation or operation for a public authority. The applicant may be an individual who is seeking appropriate permission or is seeking the grant of appropriate permission on behalf of another person.

4.7 Applications may be made orally in exceptional circumstances but a record of that application must be made in writing or electronically as soon as possible.

4.8 Applications - the original or a copy of which must be retained by the person with the appropriate permission - must:

  • include the name (or designation)[10] and the office, rank or position held by the person making the application;

        • [10] The use of a designation rather than a name will be appropriate only for persons in one of the Intelligence services.

  • where it is different from the applicant, the name (or designation) and the office, rank or position held by the person for whom appropriate permission is being sought;
  • include the operation name (if applicable) to which the application relates;
  • specify the grounds on which the imposition of a disclosure requirement is necessary whether:

    • in the interests of national security;
    • for the purpose of preventing or detecting crime;
    • in the interests of the economic well-being of the United Kingdom; or
    • for the purpose of securing the effective exercise or proper performance by any public authority of any statutory power or statutory duty (and must identify that power or duty);

  • describe the protected information which has been, or is likely to be, lawfully obtained;
  • confirm the statutory power or other lawful means in which the protected information has been, or is likely to be, lawfully obtained;
  • explain why it is reasonably believed that the person on whom it is intended to serve a section 49 notice has possession of a key or keys to the protected information described in the application;
  • explain why the imposition of a disclosure requirement is considered necessary and proportionate to what is sought to be achieved by its imposition;
  • consider and, where appropriate, describe any meaningful collateral intrusion - the extent to which the privacy of any individual not under investigation may be infringed and why that intrusion is justified in the circumstances;
  • explain why it is not reasonably practicable to acquire or obtain access to the protected information in an intelligible form by some other method without serving a section 49 notice;
  • identify and explain any urgency with which the proposed disclosure requirement is necessary.

Obtaining appropriate permission paras 4.9 to 4.10

Obtaining appropriate permission

4.9 The decision to grant appropriate permission by a person able to do so shall be based upon information presented to them in an application. The grant of appropriate permission to any person must be in writing or, if not, in a manner that produces a record of it being granted.

4.10 The record of the grant of appropriate permission may take the form of a countersignature to the application, may be separate from that or be included in any warrant or order being given at the same time.

Format of notices paras 4.11 to 4.15

Format of notices

4.11 The statutory requirements of the Act[11] mean that any notice imposing a disclosure requirement in respect of any protected information:

      • [11] See section 49(4)
  • a) must be given in writing or in a manner that produces a record;
  • b) must describe the protected information to which the notice relates and, where known and where appropriate, identify any key to the protected information;
  • c) must specify the grounds on which the notice is necessary including where appropriate the statutory power or duty within the meaning of section 49 (2)(b) (ii) of the Act;
  • d) must specify the office, rank or position of the individual giving the notice, and where appropriate and helpful to do so, their name (or designation);
  • e) must specify the office, rank or position of the person who granted permission for the notice to be given and where appropriate, which will be ordinarily in most cases the name of that person. If the person giving the notice does so without another person's permission, the notice must set out the circumstances in which the person giving the notice is entitled to do so;
  • f) must specify the time by which the notice is to be complied with, which must be reasonable in all the circumstances; and
  • g) must set out clearly the extent of the disclosure required - whether a disclosure of the protected information in an intelligible form, or a disclosure of the means to either or both access the protected information and put it in an intelligible form - and must set out clearly how the disclosure is to be made.

4.12 A notice cannot require any person to make a disclosure to someone other than the person giving the notice or such other person as is specified or identified in the notice where disclosure to another person is in accordance with the notice. For example, an investigator giving the notice may require disclosure to be made to a technical facility or to a named technician.

4.13 Section 49 notices must describe the form and manner in which the required disclosure of information is to be made (as described in paragraph 4.11 above).

Notwithstanding this, it is best practice that the person giving the notice seeks, so far as possible, to agree with the person given the notice or with their professional legal adviser the manner in which the required disclosure should take place. The conditions under which compliance with the disclosure requirement takes place must be reasonable and practicable in all circumstances.

4.14 Notices should explain clearly that it is an offence to knowingly fail to make the required disclosure (section 53 of the Act) and, where a secrecy requirement is being imposed explain the 'tipping off' offence (section 54 of the Act).

4.15 Section 49 notices should clarify that if the recipient has any doubt what they are required to do in response to the notice, they should contact a professional legal adviser.

Description of the protected information paras 4.16 to 4.19

Description of the protected information

4.16 Persons applying for appropriate permission must ensure that their application describes the protected information which has been, or is likely to be, lawfully obtained and in relation to which a disclosure requirement is sought to be imposed as precisely as possible. Where appropriate permission is granted or where a person has appropriate permission without another person's permission the consequent notice must similarly describe the protected information.

4.17 Any notice must be in sufficient detail to enable the person given notice to be clear about the protected information to which it relates. The information can be described by reference to file names, usernames, dates and times or by any other identifiers of data, storage media, software or hardware. Where a key to the protected information can be identified the identity of the key should be included in the notice.

4.18 In some cases, it may be appropriate in order to identify or to confirm the identification of the protected data to include in, attach to or accompany the notice some or all of the protected information or a copy of some or all of it.

4.19 In respect of protected information likely to be obtained it may not always be practicable to describe the information in the same detail or as precisely as information that has been obtained - although a fuller description may be provided subsequently in the form of a schedule to the original notice.

Time to comply with a notice paras 4.20 to 4.23

Time to comply with a notice

4.20 The time by which any notice has to be complied with must be reasonable and realistic in all the circumstances and must take into account the practical and technical requirements of undertaking the disclosure. It will vary depending on the type and extent of the disclosure required.

4.21 Any person given a notice or to be given a notice should be afforded a reasonable period of time to seek legal or technical advice before complying with it. Equally where appropriate to do so any person who will or may be given a notice should have time to take such advice before the notice is served.

4.22 Where appropriate the time period will be related to the duration of the underlying statutory power whereby the protected information has come into the possession of the public authority or is likely to do so.

4.23 In exceptional urgent circumstances it is possible that the time by which the notice is to be complied with must be curtailed. Examples of circumstances in which immediate compliance with a notice may be appropriate are:

  • an immediate threat to life such that a person's life might be endangered if the period of time for compliance were not curtailed;
  • an exceptionally urgent operational requirement where, within no more than 48 hours of the notice being given compliance with that notice will directly assist the prevention or detection of the commission of a serious crime[12] and the making of arrests or the seizure of illicit material, and where that operational opportunity will be lost if the period for compliance with the notice were not curtailed, or

        • [12] See Section 81(2) of the Act.

  • a credible and immediate threat to national security or a time critical or unique opportunity to secure, or prevent the loss of, information of vital importance to national security where that threat might be realised, or that opportunity lost, if the period for compliance with the notice were not curtailed.

Authenticity of section 49 notices paras 4.24 to 4.26

Authenticity of section 49 notices

4.24 It is essential that any person who is given a notice is able to confirm its authenticity should they need to do so. In practice the giving of a notice will be a stage in the progress of an investigation or operation and the person given the notice will usually have been involved earlier in that process, either as a consequence of their arrest or having been identified as being in possession of a key to the relevant information.

4.25 In addition to the statutory requirements[13] all written notices must include a unique reference number, must identify the public authority and must provide the address of an office and a published contact telephone number using which the recipient of a notice may check its authenticity.

      • [13] See paragraph 4.12

4.26 Public authorities must provide a means for authenticating any notice they give at whatever time the notice is given. In addition, the person giving the notice should, when doing so, carry sufficient identification to confirm their office, rank or position and, if requested to do so, should produce that identification to the person being given the notice.

Explaining the notice paras 4.27 to 4.29

Explaining the notice

4.27 The person giving the notice should take steps to explain, as far as practicable and necessary (and to the extent such an explanation has not been offered before the notice is given), the contents of the notice and what is required to be done to comply with it. In particular the person giving the notice should be prepared to explain:

  • on what grounds the disclosure requirement is being imposed;
  • what is the relevant protected information;
  • what is required to be disclosed, by when and to whom;
  • any requirement to disclose a key (if appropriate) with clarification that the choice of which key to disclose is open to the recipient of the notice if that key, including any relevant session key, gives access to the information or puts it into an intelligible form;
  • any secrecy provision (if appropriate);
  • the consequences of not complying with the notice;
  • that the person given the notice is entitled to seek legal advice about the effect of the notice and the provisions of the Act, and
  • how the authenticity of the notice may be confirmed.

4.28 The person given notice must be provided with a copy of the notice which they may retain.

4.29 The person who had the appropriate permission to give the notice or the person who gave the notice shall withdraw it if, at any time after giving the notice, it is no longer necessary for the person given notice to comply with it or the disclosure required by the notice is no longer proportionate to what was sought to be achieved.

Withdrawal of a notice must:

  • be undertaken in writing to the person given the notice or, if not, in a manner that produces a record of the notice having been withdrawn;
  • identify, by reference to its unique reference number, the notice being withdrawn;
  • record the date and, when appropriate to do so, the time when the notice was withdrawn; and
  • record the name and the office, rank or position held by the person withdrawing the notice.

Amending a notice para 4.30

Amending a notice

4.30 There may be circumstances when amendment to the notice may be required. In these cases, the amendment to the notice must:

  • be undertaken in writing to the person given the notice or, if not, in a manner that produces a record of the amendment which the person given the notice may retain;
  • cross reference the original unique reference number;
  • record the date and time of the amendment; and
  • record the name and the office, rank or position held by the person amending the notice.

Contributions to Costs para 4.31

Contributions to Costs

4.31 Should any person or persons incur costs in complying with a notice an appropriate contribution towards those costs may be made by the public authority that has imposed the disclosure requirement or obtained appropriate permission to impose that requirement.

Confirmation of compliance with a notice para 4.32

Confirmation of compliance with a notice

4.32 Where a notice has been complied with, in full or as fully as practicable in all the circumstances, the person with appropriate permission for giving the notice or the person who gave the notice shall provide written confirmation of that fact to the person given the notice.

RULES ON THE EFFECT OF IMPOSING DISCLOSURE REQUIREMENTS paras 5.1 to 5.4

RULES ON THE EFFECT OF IMPOSING DISCLOSURE REQUIREMENTS

5.1 The effect of giving a notice to a person who, at the time the notice is served, is in possession of both the protected information[14] and a means of obtaining access to the information and of disclosing it in intelligible form (using a key or keys) is that he (or she):

      • [14] Possession of the protected information includes being provided with protected information or a copy of it that has come into the possession of any person.
  • may use any key or keys in his (or her) possession to gain access to the information or to put it into an intelligible form, and
  • is required to disclose the information described in the notice in an intelligible form, and
  • is required to make that disclosure in accordance with the notice.

5.2 The person given notice to disclose the information in an intelligible form can nonetheless choose to disclose any key or keys (including any session key or keys) giving access to the information in an intelligible form, together with any relevant details of the cryptographic or other process used to protect the information.

5.3 Voluntary disclosure of the key or keys providing access to the protected information in an intelligible form, to the person to whom disclosure of the intelligible information was required, and by the time that disclosure was required, will mean that the person given notice to disclose the information in an intelligible form shall have complied with the requirement imposed on him (or her) to do so.

5.4 Where a disclosure requirement is to be imposed upon a business or service provider in order to assist an investigation or operation, appropriate consideration must be given to minimising any actual or possible disruption to the business or service, or any actual or possible inconvenience or unfairness to the customers of the business or users of the service.

SPECIAL RULES ON THE EFFECT OF IMPOSING DISCLOSURE REQUIREMENTS paras 6.1 to 6.2

SPECIAL RULES ON THE EFFECT OF IMPOSING DISCLOSURE REQUIREMENTS

6.1 This section concerns the circumstances in which a notice can be complied with only by the disclosure of a key, in other words:

  • requiring disclosure of the means to access protected information, or
  • requiring disclosure of the means to put protected information into an intelligible form.

6.2 No section 49 notice shall require the disclosure of a key unless the person granting permission for the notice to be given has directed that the disclosure requirement can only be complied with by disclosure of a key, or the person giving such a notice has appropriate permission to do so or has express permission for giving such a direction.

Special circumstances requiring disclosure of a key paras 6.3 to 6.8

Special circumstances requiring disclosure of a key

6.3 The Act imposes extra conditions upon requiring disclosure of a key, in addition to those for requiring the disclosure of protected information in an intelligible form.

6.4 No person able to do so shall give a direction that a disclosure requirement can be met only by disclosure of a key unless that person believes:

  • that there are special circumstances of the case which mean that the purposes for which the disclosure notice is necessary would be defeated, in whole or in part, if a key was not required to be disclosed; and
  • that the requirement for disclosure of a key is proportionate to what is sought to be achieved by preventing compliance with the disclosure requirement other than by disclosure of a key.

6.5 Matters to be considered in determining such proportionality include the extent and nature of any protected information (other than that to which the disclosure requirement relates) which is protected by the same key and any adverse effect that a disclosure requirement might have on a business carried on by the person on whom the requirement is imposed.

6.6 This means that the person giving a direction that a key is required to be disclosed must consider the actual or potential collateral intrusion that will or may arise from disclosure of the key and its application to any protected information that has come into the possession of any person or is likely to do so or might do so.

6.7 Although the special circumstances for giving direction to require the disclosure of a key will vary with each case, as will the proportionality of doing so, such a requirement may be appropriate where:

  • trust is an issue - where there is doubt about the integrity of the person or organisation being asked to comply with a disclosure requirement, for example the person or organisation concerned is suspected of involvement in criminality or of protecting another person or persons involved in criminality;
  • credibility is an issue - where a prior disclosure of protected information in an intelligible form, whether undertaken voluntarily or in supposed compliance with a notice, is demonstrably incomplete;
  • timeliness is an issue - if a person or organisation has the key to protected information but cannot, for whatever reason and having been given the opportunity to do so, provide the information in an intelligible form in a time critical situation[15];

        • [15] See paragraph 4.23

  • the content of the intelligible information is an issue - where the person required to make the disclosure might find the intelligible form of the material offensive, obscene or otherwise distressing or it is important in the interests of justice that they do not view or be reminded of the material;
  • the key itself has evidential value - where there is reasonable belief that the key may provide evidence linking a person or persons to an offence or offences, for example where a person seeks to deny responsibility for protected information in their possession but a password or pass-phrase for the key is personal to the person being served the notice or is indicative of the material it protects;
  • practicality is an issue - where the key is divided into split-keys and it is not practicable or possible for the holders of the split-keys, or sufficient number of them, to act together to provide access to protected information or to disclose it in an intelligible form it may be necessary to require disclosure of one or more split-keys.

6.8 Particular care must be taken when considering the imposition of a requirement to disclose a key upon a provider of financial services in view of the crucial role that protected information has in the financial services sector. No such requirement should be imposed upon any company or firm regulated by the Financial Services Authority without prior notification to the Chairman of the Authority. The period of notification will be reasonable in all the circumstances of any instance.

Notices requiring disclosure of a key paras 6.9 to 6.15

Notices requiring disclosure of a key

6.9 Where a direction has been given that a notice can be complied with only by disclosure of a key, the notice must clearly state that the person on whom the notice is served may choose which key to disclose. The only requirement is that the key is capable of rendering the protected information intelligible.

6.10 Where a disclosure requirement is imposed on any person by a section 49 notice and:

  • that person is not in possession of the information (either because they do not have the information, have not acquired the information or cannot be given possession);
  • that person is incapable, without the use of a key that is not in his (or her) possession, of obtaining access to the information and of disclosing it in an intelligible form (or so disclosing it), or
  • the notice states that it can only be complied with by the disclosure of a key to the information

the effect of imposing that disclosure requirement is that the person given the notice shall be required, in accordance with the notice imposing the requirement, to disclose any key to the protected information that is in his (or her) possession at a relevant time, that is the time when the notice is given or any subsequent time before the time by which the disclosure requirement has to be complied with.

6.11 Where a person has been given notice requiring that a key be disclosed, he (or she) may choose which key or keys to disclose together with any other requested relevant details of the cryptographic methods in use, including the relevant algorithm. The information given should be sufficient to allow the person giving the notice or the person to whom disclosure is required to be made to put the protected information described in the notice into intelligible form.

6.12 The recipient of a notice may disclose an alternative key such as a 'session key' if it enables the same access or functionality as an underlying true key would have enabled.

6.13 No person shall be required to disclose any key or keys other than those which are sufficient to enable the person giving the notice or the person to whom disclosure is required to be made to put the protected information described in the notice into intelligible form - even if the person given notice to disclose a key is in possession of more than one key to that information.

6.14 The person given notice is able to comply with a requirement to disclose a key without disclosing all of the keys in his (or her) possession and where there are different keys, or combinations of keys, that would enable compliance with the notice, the person given notice may choose which key or combination of keys to disclose.

6.15 Where a person is required by a section 49 notice to make a disclosure in respect of any protected information and that person:

  • has had possession of the key to the protected information but no longer has possession of it;
  • would have been required by the notice to disclose the key if it had continued to be in his (or her) possession, and
  • when given the notice, or within the time by which the notice must be complied with, is in possession of any information that would facilitate the obtaining or discovery of the key or the putting of the protected information into an intelligible form;

the effect of the disclosure requirement is that he (or she) shall be required to disclose all such information to the person to whom he (or she) would have been required to disclose the protected information in an intelligible form or the key. In other words to disclose anything they have that assists putting the protected information into an intelligible form.

KEEPING OF RECORDS paras 7.1 to 7.3

KEEPING OF RECORDS

7.1 Public authorities must retain copies of all written applications for permission to give a section 49 notice. Such applications must be available for scrutiny by the relevant independent Commissioner with a statutory oversight role.[16] Public authorities may be required to justify to the Commissioner the content of a particular application, or their general approach to, and handling of applications and giving of notices.

      • [16] See Section 11 of this Code.

7.2 All public authorities must maintain a central record of all applications for appropriate permission to give notices, of the grant of appropriate permission, of the giving of all notices and of compliance with each notice. These records must be available for inspection by the relevant Commissioner and retained to allow the Investigatory Powers Tribunal, established under Part IV of the Act, to carry out its functions.[17]

      • [17] The Tribunal will consider complaints made up to one year after the conduct to which the complaint relates and, where it is satisfied it is equitable to do so, may consider complaints made more than one year after the conduct to which the complaint relates. See section 67(5) of the Act.

7.3 This Code of Practice does not affect any other statutory obligations placed on public records to keep records under any other enactment. For example, where applicable in England and Wales, the relevant test given in the Criminal Procedure and Investigations Act 1996 as amended and the Code of Practice under that Act. This requires that material which is obtained in the course of an investigation and which may be relevant to the investigation must be recorded, retained and revealed to the prosecutor.

PROCEDURES FOR DEALING WITH DISCLOSED MATERIAL paras 8.1 to 8.11

PROCEDURES FOR DEALING WITH DISCLOSED MATERIAL

Procedures for dealing with disclosed key material

8.1 The Act clearly indicates[18] that it is the duty of every person[19] whose officers or employees include persons with duties that involve the giving of section 49 notices to ensure that arrangements are in force to safeguard keys and key material obtained by the imposition of disclosure requirements.

      • [18] Section 55 of the Act.
      • [19] In particular the Secretary of State and every other Minister of the Crown in charge of a government department, every chief officer of police, the Director General of the Serious Organised Crime Agency and the Commissioners of Revenue and Customs.

8.2 Such persons should ensure necessary arrangements are in force:

  • that any disclosed key is used only for obtaining access to, or putting into intelligible form, protected information described in the notice as a result of which the key was disclosed (or could have been described in such a notice had the key not already been disclosed);
  • that the use of any disclosed key is reasonable with regard both to the uses to which the person with the key is entitled to put any protected information to which the key relates and to the other circumstances of the case (in other words only reasonable use may be made of any disclosed key);
  • that the use of and retention of any disclosed key is proportionate to what is sought by its use or retention, and where any key is retained, its retention must be reviewed at appropriate intervals to confirm that the justification for its retention remains valid (otherwise it should be destroyed);
  • that the number of persons to whom any disclosed key is made available and the number of copies made of the key, if any, are each limited to the minimum necessary for the purpose of putting the protected information in an intelligible form;
  • that any disclosed key is stored, for as long as it is retained, in a secure manner. The appropriate level of security for any disclosed key should be proportionate to intrinsic or financial value or to the sensitivity of the information protected by the key;
  • that all records of any disclosed key are destroyed as soon as the key is no longer required for the purpose of enabling protected information to be put into an intelligible form.[20]

      • [20] See paragraph 8.10

8.3 Such arrangements shall be recorded in writing setting out provision for the disclosure, copying, storage and destruction of any disclosed key material, and shall be agreed with the appropriate Commissioner.

8.4 Extra care and security should be afforded to a key (a 'multi-use key') that has been used to protect information in addition to the protected information in the possession of the public authority or likely to come into its possession. Even though a person given notice is able to choose which key to disclose, they may disclose a multi-use key. The person to whom disclosure is made should so far as is practicable ensure that if a multi-use key is disclosed he is aware of that and can protect the key appropriately.

8.5 Key material must be stored in a physically secure way such that it cannot be accessed through any means other than physically. For example the use of a floppy disk or USB stick may be appropriate but a laptop would not as it could theoretically be accessed remotely.

8.6 Data should be secured behind an appropriate number of security zones using, where possible, different methods of security. For example material requiring the highest level of security should be stored in a combination safe, inside a locked store in an access controlled office which itself is within a 24 hour guarded building. Access to the data should not be possible by one person acting alone, requiring at least two people to have to conspire to unlawfully use any key. For example the combination to a safe in a locked store should not be known by a key holder of the store.

8.7 Where keys or copies of keys are made available to a person other than the person to whom the key was disclosed a full audit trail must be maintained and be available for inspection by the appropriate Commissioner.

8.8 The number of persons to whom the detail of any key or the fact of possession of a disclosed key is made available must be limited to the absolute minimum necessary to allow protected information to be made intelligible.

8.9 Neither the key, the detail of any key, nor the fact of possession of a key may be disclosed to any person unless that person's duties are such that he (or she) needs to know the information to carry out his (or her) duties. This obligation applies equally to disclosure to additional persons within an agency or public authority, to disclosure outside the agency or public authority and to any data processing facility.

8.10 Under normal circumstances where protected information is put into an intelligible form using a disclosed key, and that intelligible information is used in evidence or is disclosed in criminal proceedings, copies of the key will similarly be required for evidential or disclosure purposes.

8.11 Where a requirement for disclosure of a key is necessary in relation to protected information obtained in exercise of a statutory power, that key will be handled with the due care and attention required for any sensitive or valuable evidential material. It shall be the duty of the person to whom the key is disclosed or the official in charge of any processing facility to afford it a higher level of security if that is necessary in the particular circumstances of the case and to protect the key material from unauthorised disclosure.

Procedures for dealing with disclosed intelligible material para 8.12

Procedures for dealing with disclosed intelligible material

8.12 Intelligible information which is disclosed in compliance with a notice should be handled with the same care and attention as other material that has been obtained by means of a statutory power to seize or otherwise require the production of documents or other property.

Damages paras 8.13 to 8.14

Damages

8.13 Should any person who has made a disclosure having been given a section 49 notice or whose own protected information or whose own key has been disclosed as a consequence of a notice incur any loss or damage in consequence of:

  • any breach by a person on whom the duties to safeguard disclosed keys apply, or
  • any contravention of the arrangements for those safeguards made by any person who is under the control of a person to whom section 55 of the Act applies;

the injured person may take civil action in relation to such a breach or contravention against the person on whom the duties to safeguard disclosed keys apply.

8.14 Any court hearing such proceedings shall have regard to any opinion with respect to which the proceedings relate that is or has been given by a relevant Commissioner.

APPROPRIATE PERMISSION FOR THE GIVING OF NOTICES paras 9.1 to 9.3

APPROPRIATE PERMISSION FOR THE GIVING OF NOTICES

9.1 Any person using the powers in Part III, and specifically any person giving a section 49 notice, must have appropriate permission to do so. Circumstances in which appropriate permission may be granted or persons have the appropriate permission are described in Schedule 2 to the Act.

9.2 In general the permission to give a notice must be given by a person with at least the same level of authority as that required for the exercise of any power to obtain the protected information. With certain exceptions, the appropriate permission to give a notice should, so far as is practical, be given by the same person authorising, or who authorised, the use of any power to obtain the protected information.

9.3 Appropriate permission can never be given for a notice in respect of protected information that has been obtained unlawfully by a public authority.

Appropriate permission granted by a judicial authority paras 9.4 to 9.10

Appropriate permission granted by a judicial authority

9.4 Public authorities may always seek appropriate permission for giving a section 49 notice from a judicial authority. Any member of a public authority will have appropriate permission if, and only if, written permission for giving the notice has been granted by:

  • a Circuit judge, in England and Wales;
  • a sheriff, in Scotland; or
  • a county court judge, in Northern Ireland

9.5 Where such a judicial authority has granted appropriate permission to give a section 49 notice, no further permission from any other person is required.

Appropriate permission granted by a person holding judicial office

9.6 Public authorities may obtain appropriate permission for giving a section 49 notice from persons holding judicial office where protected information is likely to be, or has been, obtained under a warrant issued by such a person holding judicial office, that is to say:

  • any judge of the Crown Court or of the High Court of Justice;
  • any sheriff;
  • any justice of the peace;
  • any resident magistrate in Northern Ireland; or
  • any person holding any such judicial office as entitles him to exercise the jurisdiction of a judge of the Crown Court or of a justice of the peace.

9.7 Appropriate permission may be given by the person who issues or issued the warrant or by a person holding judicial office who would have been entitled to issue the warrant. Such permission might be granted, for example, in relation to a search warrant or production order under the Police and Criminal Evidence Act 1984 as amended or the Drug Trafficking Act 1994 as amended.

9.8 Any person will have appropriate permission if:

  • before protected information is obtained, the warrant contained explicit permission for giving section 49 notices in relation to protected information to be obtained under the warrant or,
  • subsequent to the issue of the warrant, written permission is granted for giving section 49 notices in relation to protected information obtained under the warrant.

9.9 Only a person who was entitled to exercise the power conferred by the warrant or who is a person on whom the power conferred by the warrant was, or could have been, conferred may have appropriate permission in relation to protected information obtained, or to be obtained, under a warrant issued by a person holding judicial office.

9.10 Where protected information is obtained under a statutory power without a warrant in the course of, or in connection with, the execution of a warrant containing appropriate permission, or where material unconnected with a search warrant is lawfully seized, for example under section 19 of the Police and Criminal Evidence Act 1984 ('PACE'), appropriate permission for giving a notice in respect of that additional information will be required.

Appropriate permission granted by the Secretary of State paras 9.11 to 9.15

Appropriate permission granted by the Secretary of State

9.11 Where protected information is likely to be, or has been, obtained under a warrant issued by the Secretary of State (for example an interception warrant under section 8 of the Act, or a warrant for interference with wireless telegraphy, entry or interference with property under section 5 of the Intelligence Services Act 1994) appropriate permission for giving a section 49 notice in respect of that information may be obtained from the Secretary of State.

9.12 Only persons holding office under the Crown, the police, a member of staff of the SOCA or HMRC may have the appropriate permission in relation to protected information obtained, or to be obtained, under a warrant issued by the Secretary of State.

9.13 Such persons have appropriate permission if the warrant issued by the Secretary of State contains permission for giving section 49 notices in relation to protected information to be obtained under the warrant or, subsequent to the issue of the warrant, the Secretary of State grants written permission for giving section 49 notices in relation to protected information obtained under the warrant.

9.14 The Secretary of State may also grant written permission for giving section 49 notices where protected information has come, or is likely to come, into the possession of any of the intelligence services without a warrant or where protected information has been, or is likely to be, obtained lawfully by any of the intelligence services using a statutory power but without the exercise of a warrant[21] or where protected information is in the possession of any of the intelligence services, or is likely to come into their possession, for example material voluntarily disclosed or provided to any of the intelligence services.[22]

      • [21] See paragraph 3 of Schedule 2 to the Act.
      • [22] See paragraph 5(2) of Schedule 2 to the Act.

9.15 Where the Secretary of State's permission is sought he must grant the permission personally in writing or, in an urgent case,[23] expressly authorise the grant of permission in which case a senior official may sign it.[24]

      • [23] See paragraph 4.23
      • [24] See paragraph 8 of Schedule 2 to the Act.

Appropriate permission granted by an authorising officer paras 9.16 to 9.18

Appropriate permission granted by an authorising officer

9.16 Where protected information is likely to be, or has been, obtained in consequence of an authorisation under Part III of the Police Act 1997 (authorisation of otherwise unlawful action in respect of property) appropriate permission for giving a section 49 notice may be obtained from an authorising officer within the meaning of section 93 of the 1997 Act or, in urgent cases, section 94 of that Act.

9.17 Any person will have appropriate permission if, before protected information is obtained, the authorisation contained permission for giving notices in relation to protected information to be obtained under the authorisation or, subsequent to the issue of the authorisation, written permission is granted for giving notices in relation to protected information obtained under the authorisation.

9.18 Only the police, SOCA and HM Revenue and Customs may have the appropriate permission in relation to protected information obtained, or to be obtained, under an authorisation under Part III of the Police Act 1997.

Appropriate permission granted by a person exercising a statutory function paras 9.19 to 9.21

Appropriate permission granted by a person exercising a statutory function

9.19 The police, SOCA, HMRC and members of HM Forces have appropriate permission, without requirement for permission to be granted by a judicial authority, in relation to protected information:

  • likely to be, or has been, obtained by the exercise of a statutory power (and is not information obtained under a warrant issued by the Secretary of State or a person holding judicial office, or an authorisation under Part III of the Police Act 1997, or information obtained by the intelligence services), for example material obtained by the police under section 19 of PACE;
  • that is likely to be provided or disclosed, or has been provided or disclosed, in pursuance of a statutory duty;
  • that is likely to come into possession of, or is in the possession of, the police, SOCA, HMRC or a member of HM Forces under statute.

9.20 In these circumstances, if a section 49 notice is to require disclosure, such permission may be given in line with the general requirements relating to appropriate permission.

9.21 Otherwise a person shall not have the appropriate permission unless he is the person:

  • exercised the statutory power (or is a person who could have exercised it); or
  • to whom the protected information was provided or disclosed (or is a person to whom provision or disclosure of the information would have discharged the statutory duty); or
  • is such a person when the power is exercised or the protected information provided or disclosed.

General requirements relating to appropriate permission paras 9.22 to 9.24

General requirements relating to appropriate permission

9.22 Paragraph 6 of Schedule 2 to the Act sets out general requirements relating to persons having appropriate permission in the police, SOCA, HMRC and who are members of HM Forces. A person has appropriate permission in relation to any protected information if he has possession of the protected information, or is likely to have possession of it, or is authorised to act on behalf of such a person.

9.23 Where protected information has come into the possession of the police by means of the exercise of powers conferred by section 44 of the Terrorism Act 2000 (power to stop and search), the appropriate permission to give a section 49 notice in relation to that information must be granted by an officer holding at least the rank of Assistant Chief Constable of a police force or the rank of Commander in the Metropolitan Police Service or the City of London Police.

9.24 Where protected information has come into the possession of the police, SOCA, HMRC or a member of HM Forces, a person shall not have appropriate permission unless that person holds certain rank or designation:

  • Police - superintendent or above;
  • SOCA - Director General or a member of staff of the SOCA of or above such level as the Director General may designate for this purpose;
  • HMRC - the Commissioners for Revenue and Customs themselves or an officer of their department of or above such level as they may designate for this purpose;
  • HM Forces - Lieutenant Colonel or its equivalent or above

Appropriate additional permission for giving directions for the disclosure of keys paras 9.5 to 9.29

Appropriate additional permission for giving directions for the disclosure of keys

9.25 Where a disclosure requirement can only be met by disclosure of a key, appropriate additional permission for giving such a direction is required in the following circumstances:

  • for a direction by any constable (except a constable who is a member of the staff of the SOCA), and a member of Her Majesty's forces who is a member of the police, by or with the permission of a chief officer of police;
  • for a direction by SOCA, by or with the permission of the Director General of the SOCA;
  • for a direction by HMRC, by or with the permission of the Commissioners for Her Majesty's Revenue and Customs;
  • for a direction by a member of Her Majesty's forces who is not a member of the police force, by or with the permission of, or above, the rank of Brigadier (or equivalent).

9.26 Any permission granted for giving a direction that a disclosure requirement can only be met by disclosure of a key must be given expressly in relation to the specific direction.

9.27 Any direction to disclose a key given by or with the permission of a chief officer of police, the Director General of the SOCA or the Commissioners for Her Majesty's Revenue and Customs shall be notified to the Chief Surveillance Commissioner.

9.28 Any direction to disclose a key given by a member of Her Majesty's forces shall also be notified to the Chief Surveillance Commissioner except where the direction is given by a member of Her Majesty's forces who is not a member of a police force and is in connection with Her Majesty's forces other than those in Northern Ireland in which case notification must be given to the Intelligence Services Commissioner.

9.29 Notification to the appropriate Commissioner of any direction to disclose a key must be given in writing or electronically as soon as practicable and within no more than 7 days of the direction being given.

Duration of appropriate permission paras 9.31 to 9.32

Duration of appropriate permission

9.30 Permission granted to any person to give a section 49 notice can cease to have effect.

9.31 Permission, once granted, has effect - regardless of the cancellation, expiry or discharge of any warrant or authorisation in which that permission is contained or to which it relates - until such time, if any, as that permission:

  • expires in accordance with any limitation on its duration that was contained in the terms of the permission, or
  • is withdrawn by the person who granted the permission or by a person holding any office or other position that would have entitled that person to grant the permission.

9.32 All persons who grant permission for the giving of notices must attach an appropriate duration to all such permissions. Permission lasting for a lengthy period will always need careful consideration particularly with regard to whether in the specific circumstances the notice remains necessary and appropriate.

OFFENCES para 10.1

OFFENCES

10.1 The Act provides for two criminal offences: failure to comply with a notice (Section 53) and making an unauthorised disclosure (tipping-off) (Section 54).

Failure to comply with a notice paras 10.2 to 10.6

Failure to comply with a notice

10.2 Where a person given a section 49 notice knowingly fails to make the disclosure required they commit an offence. If the disclosure required is necessary in the interests of national security they may be convicted on indictment to a maximum of 5 years imprisonment[25] or in any other case 2 years. On summary conviction they may be liable to a maximum six-month term of imprisonment or a fine not exceeding the statutory maximum or both.

      • [25] Section 53 as amended by Section 15, Terrorism Act 2006

10.3 In proceedings against any person for failing to comply with a notice, if it is shown that he (or she) was in possession of a key to the protected information at any time before the notice was given, that person shall be considered to be in possession of that key at all subsequent times unless it is shown that the key was not in his possession after the giving of the notice and before the time that he (or she) was required to disclose it.

10.4 If the person fails to raise some doubt as to whether he (or she) had the key when the notice was given or before any subsequent time by which he (or she) was required to make the disclosure, that person shall be taken to have continued to be in possession of that key.

10.5 A person shall be taken to have shown they were not in possession of a key to protected information at a particular time if sufficient evidence of that fact is adduced to raise an issue with respect to their not having had possession of the key.

The prosecutor has to prove the contrary beyond reasonable doubt.

10.6 It is a defence for a person to show it was not reasonably practicable to make the disclosure required within the time limit given in the notice but that the disclosure was made as soon afterwards as was reasonably practicable.

Tipping off paras 10.7 to 10.13

Tipping off

10.7 Section 49 notices may contain a provision requiring the person to whom the notice is given and every other person who is permitted to or who necessarily becomes aware of it or of its contents to keep secret the giving of the notice, its contents and the things done to comply with it. The inclusion of a secrecy requirement in a notice requires the consent of the person granting permission for the notice to be given or for the person giving the notice to have that permission.

10.8 This secrecy requirement is designed to preserve - but only where necessary - the covert nature of an investigation and to deter deliberate and intentional behaviour designed to frustrate statutory procedures and assist others to evade detection.

10.9 The circumstances in which a secrecy requirement may be imposed are restricted in section 54 of the Act. There are two conditions:

  • the first condition is that the protected information has come, or is likely to come, into the possession of the police, SOCA, HMRC or the intelligence services;
  • the second condition is that the means by which the information was obtained needs to be kept secret in order to maintain the effectiveness of an investigation or operation or of investigative techniques generally, or in the interests of the safety or well being of any person.

10.10 Any public authorities other than those specified in section 54 may not include a secrecy requirement in their disclosure notices.

10.11 In imposing any secrecy requirement it is enough for any person giving consent for that requirement or giving a notice including such a requirement to have considered that there is a particular person from whom it is reasonable to withhold the information.

10.12 Where a secrecy requirement is imposed, the notice must make this clear and the person given notice and any other person who needs to know about the notice should be made aware explicitly of that requirement. The notice should also inform the recipient that he (or she) may nonetheless approach a professional legal adviser for advice about the effect of the provisions of Part III of the Act and that he (or she) may revoke any key that is disclosed provided the underlying reason for its revocation is not disclosed.

10.13 The tipping-off offence is committed by a person who makes a disclosure to any other person of anything that he (or she) is required by the section 49 notice to keep secret.

Automatic tipping-off paras 10.14 to 10.17

Automatic tipping-off

10.14 For security purposes, certain software has been designed to give an automatic warning when a key has been disclosed or has ceased to be secure. This can conflict with a secrecy requirement, although the person seeking permission to give the notice should, so far as is practicable, establish whether the intended recipient of the notice uses such software and if so what reasonable steps they can take to prevent or defer such disclosure.

10.15 Where a disclosure occurs contrary to a secrecy requirement it is a defence for a person to show that the disclosure was automatic and effected entirely by the operational software designed to indicate that a key to protected information ceases to be secure and they could not reasonably have prevented that taking place, whether after being given the notice or becoming aware of it or its contents.

10.16 It is also a defence for a person to show that the disclosure was made by or to a professional legal adviser as part of giving advice to a client of his about the effect of the provisions of Part III of the Act and that the person to whom or by whom the disclosure was made was the client or a representative of the client; or where a disclosure was made by a legal adviser in connection with any proceedings before a court or tribunal.

10.17 If a disclosure is made by or to a legal professional adviser with a view to furthering any criminal purpose that disclosure shall not be a defence in proceedings for a Section 54 offence.

Authorised disclosure paras 10.18 to 10.19

Authorised disclosure

10.18 It is not the intention of the Act to penalise individuals within organisations who, for example, have been given a notice imposing a disclosure requirement but need the assistance of another colleague in order to comply with the notice.

10.19 In section 54(9) the Act provides a statutory defence to unauthorised disclosure where the disclosure was made to a relevant Commissioner or was authorised by a Commissioner; by the terms of the notice; by, or on behalf of, the person who gave the notice or by, or on behalf of, a person in lawful possession of the protected information to which the notice relates.

OVERSIGHT paras 11.1 to 11.4

OVERSIGHT

11.1 The Act provides for Commissioners whose remit is to provide independent oversight of the exercise and performance of the powers and duties contained in Part III, except where those powers and duties are being exercised by a judicial authority.

11.2 There are three independent Commissioners with relevant oversight responsibilities:

  • the Interception of Communications Commissioner who keeps under review:

    • the exercise and performance by the Secretary of State of the powers and duties conferred or imposed on him by or under Part III, particularly the grant of appropriate permission for the giving of a section 49 notice in relation to information obtained under Part I (intercepted material and other related communications data), and
    • the adequacy of the arrangements for complying with the safeguards in section 55 in relation to key material for protected information obtained under Part I.

  • the Intelligence Services Commissioner who keeps under review (so far as they are not required to be kept under review by the Interception of Communications Commissioner):

    • the exercise and performance by the Secretary of State of the powers and duties conferred or imposed on him by Part III particularly the grant of appropriate permission for the giving of a section 49 notice in connection with, or in relation to, the activities of the intelligence services and the activities (other than activities in Northern Ireland) of the Ministry of Defence ('MOD') and members of HM Forces;
    • the exercise and performance by members of the intelligence services of the powers and duties conferred or imposed on them by or under Part III;
    • the exercise and performance, in places other than Northern Ireland, by officials of the MOD and members of HM Forces of the powers and duties conferred or imposed on such officials or members of HM Forces by or under Part III, and
    • the adequacy of the arrangements for complying with the safeguards in section 55 in relation to members of the intelligence services and, in connection with any of their activities in places other than Northern Ireland, in relation to officials of the MOD and members of HM Forces.

  • the Chief Surveillance Commissioner who keeps under review, so far as they are not kept under review by the other Commissioners:
    • the exercise and performance, by any person (other than a judicial authority) of the powers and duties conferred or imposed, otherwise than with the permission of a judicial authority, by or under Part III, and
    • the adequacy of the arrangements for complying with the safeguards in section 55 by those persons whose conduct is subject to review by the Chief Surveillance Commissioner.

11.3 This code does not cover the exercise of the Commissioners' functions. It is the duty of any person who uses the powers conferred by Part III, or on whom duties are conferred, to comply with any request made by a Commissioner to provide any information he requires for the purposes of enabling him to discharge his functions.

11.4 Should any Commissioner establish that an individual has been adversely affected by any wilful or reckless failure by any person within a public authority exercising or complying with the powers and duties under Part III of the Act he shall inform the affected individual of the existence of the Tribunal and its role. The Commissioner should disclose sufficient information to the affected individual to enable him or her to effectively engage the Tribunal.

COMPLAINTS paras 12.1 to 12.2

COMPLAINTS

12.1 The Act established an independent Tribunal ('the Investigatory Powers Tribunal'). The Tribunal is made up of senior members of the judiciary and the legal profession and is independent of the Government. The Tribunal has full powers to investigate and decide any case within its jurisdiction, which includes the giving of a notice under section 49 or any disclosure or use of a key to protected information.

12.2 This code does not cover the exercise of the Tribunal's functions. Details of the relevant complaints procedures can be obtained from the following address:

The Investigatory Powers Tribunal,
PO Box 33220
London
SW1H 9ZQ

020 7035 3711

Investigation of Protected Electronic Information
A public consultation

ISBN - 1-84473-916-3

HO_00472_G