PROCEDURES FOR DEALING WITH DISCLOSED MATERIAL paras 8.1 to 8.11
PROCEDURES FOR DEALING WITH DISCLOSED MATERIAL
Procedures for dealing with disclosed key material
8.1 The Act clearly indicates that it is the duty of every person whose officers or employees include persons with duties that involve the giving of section 49 notices to ensure that arrangements are in force to safeguard keys and key material obtained by the imposition of disclosure requirements.
-  Section 55 of the Act.
-  In particular the Secretary of State and every other Minister of the Crown in charge of a government department, every chief officer of police, the Director General of the Serious Organised Crime Agency and the Commissioners of Revenue and Customs.
8.2 Such persons should ensure necessary arrangements are in force:
- that any disclosed key is used only for obtaining access to, or putting into intelligible form, protected information described in the notice as a result of which the key was disclosed (or could have been described in such a notice had the key not already been disclosed);
- that the use of any disclosed key is reasonable with regard both to the uses to which the person with the key is entitled to put any protected information to which the key relates and to the other circumstances of the case (in other words only reasonable use may be made of any disclosed key);
- that the use of and retention of any disclosed key is proportionate to what is sought by its use or retention, and where any key is retained, its retention must be reviewed at appropriate intervals to confirm that the justification for its retention remains valid (otherwise it should be destroyed);
- that the number of persons to whom any disclosed key is made available and the number of copies made of the key, if any, are each limited to the minimum necessary for the purpose of putting the protected information in an intelligible form;
- that any disclosed key is stored, for as long as it is retained, in a secure manner. The appropriate level of security for any disclosed key should be proportionate to intrinsic or financial value or to the sensitivity of the information protected by the key;
- that all records of any disclosed key are destroyed as soon as the key is no longer required for the purpose of enabling protected information to be put into an intelligible form.
-  See paragraph 8.10
8.3 Such arrangements shall be recorded in writing setting out provision for the disclosure, copying, storage and destruction of any disclosed key material, and shall be agreed with the appropriate Commissioner.
8.4 Extra care and security should be afforded to a key (a 'multi-use key') that has been used to protect information in addition to the protected information in the possession of the public authority or likely to come into its possession. Even though a person given notice is able to choose which key to disclose, they may disclose a multi-use key. The person to whom disclosure is made should so far as is practicable ensure that if a multi-use key is disclosed he is aware of that and can protect the key appropriately.
8.5 Key material must be stored in a physically secure way such that it cannot be accessed through any means other than physically. For example the use of a floppy disk or USB stick may be appropriate but a laptop would not as it could theoretically be accessed remotely.
8.6 Data should be secured behind an appropriate number of security zones using, where possible, different methods of security. For example material requiring the highest level of security should be stored in a combination safe, inside a locked store in an access controlled office which itself is within a 24 hour guarded building. Access to the data should not be possible by one person acting alone, requiring at least two people to have to conspire to unlawfully use any key. For example the combination to a safe in a locked store should not be known by a key holder of the store.
8.7 Where keys or copies of keys are made available to a person other than the person to whom the key was disclosed a full audit trail must be maintained and be available for inspection by the appropriate Commissioner.
8.8 The number of persons to whom the detail of any key or the fact of possession of a disclosed key is made available must be limited to the absolute minimum necessary to allow protected information to be made intelligible.
8.9 Neither the key, the detail of any key, nor the fact of possession of a key may be disclosed to any person unless that person's duties are such that he (or she) needs to know the information to carry out his (or her) duties. This obligation applies equally to disclosure to additional persons within an agency or public authority, to disclosure outside the agency or public authority and to any data processing facility.
8.10 Under normal circumstances where protected information is put into an intelligible form using a disclosed key, and that intelligible information is used in evidence or is disclosed in criminal proceedings, copies of the key will similarly be required for evidential or disclosure purposes.
8.11 Where a requirement for disclosure of a key is necessary in relation to protected information obtained in exercise of a statutory power, that key will be handled with the due care and attention required for any sensitive or valuable evidential material. It shall be the duty of the person to whom the key is disclosed or the official in charge of any processing facility to afford it a higher level of security if that is necessary in the particular circumstances of the case and to protect the key material from unauthorised disclosure.