Investigatory Powers Act – new orders to prepare for

[UPDATE: I’ve added links to the Codes of Practice that authorities will use when preparing each of the orders]

Under the current Regulation of Investigatory Powers Act 2000 (RIPA), organisations that operate their own private computer networks may receive three different orders relating to those systems. Any organisation that receives an order is, subject to feasibility, required by law to do what it says. The new Investigatory Powers Act 2016 (IPA) adds some new orders to this list and provides a new basis for two of the existing ones.

Although it’s impossible to predict which of these orders may actually be directed to which (if any) organisations, or what requirements those orders may contain, it’s worth checking that you have the right processes in place to ensure that, if you do receive one, it is handled promptly and effectively. Note that altering your systems to prepare “in case” you receive one of these orders is likely to breach data protection and possibly also interception law. It is also likely to forgo the opportunity in s.249 to claim a contribution from the Government towards the costs of responding to any order that is subsequently received.

The orders are as follows:

  • To disclose specified communications data held by the organisation [currently RIPA s.22]: The existing power for the police and other authorities to order disclosure of information about the use of computers and networks is moved to s.61 of the IPA. The current limitation that this can only cover information about the use of the systems the organisation itself provides has been removed. If the organisation holds information about the use of other, third-party, communications systems then that may also be subject to a disclosure order (s.61(5)(c)). [Communications Data code of practice]
  • To intercept specified communications on networks [currently RIPA s.5]: The existing power of the Home Secretary to authorise targeted interceptions is moved to s.19 of the IPA. For investigations relating to Scotland, the relevant Scottish Minister can also exercise this power. [Interception of Communications code of practice]
  • To provide access to specified encrypted material [currently RIPA s.49]: This power does not appear to be altered by the new Act. Orders relating to encrypted material will still be made under RIPA. [RIPA Code of Practice for investigation of protected electronic information]
  • To retain or collect communications data [NEW]: s.87 of the IPA allows relevant Ministers to order any telecommunications operator to retain specific communications data for up to 12 months. This power previously only covered public network operators under, most recently, the Data Retention and Investigatory Powers Act 2014. The IPA extends it to anyone who controls networking or communications equipment (s.261(10)(b) & (13)). Nowadays that probably covers all organisations and most homes. Unlike the communications disclosure orders above, it appears (by s.87(4)) that data retention orders cannot cover third-party data. [There doesn’t appear to be a new Data Retention code of practice; this is the one used under the Data Retention and Investigatory Powers Act 2014.]
  • To “interfere with equipment” [NEW]: under s.99 of the Act, relevant Ministers may order any person (including organisations) to “interfere with equipment” in order to obtain either communications or information about the equipment. The Act gives examples of “monitoring, observing or listening to a person’s communications or other activities” and making recordings. [Equipment Interference code of practice]
  • To implement specified technical facilities to support future disclosure, interception or interference orders [NEW]: s.253 of the Act allows relevant Ministers to order any telecommunications operator to “ha[ve] the capability to provide any assistance which the operator may be required to provide in relation to any [communications data, interception or equipment interference order]”. Under RIPA such orders could only be made against operators of public networks, and were apparently used to require them to maintain permanent interception capabilities. The IPA extends them to anyone who controls networking or communications equipment (s.261(10)(b) & (13)) and appears to cover a wider range of technical facilities. [Technical capabilities are covered in section 10 of the Communications Data code of practice.]

Most organisations will already handle RIPA s.22 communications data orders (most often to identify the person who was allocated a particular IP or e-mail address at a specified time) as a matter of routine. The other orders seem likely to be much rarer. Since they involve legal, technical, financial and operational considerations, and will often be subject to secrecy obligations, organisations’ processes should ensure that they receive appropriate consideration across all those fields.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!