[UPDATE: I’ve added links to the Codes of Practice that authorities will use when preparing each of the orders]
Under the current Regulation of Investigatory Powers Act 2000 (RIPA), organisations that operate their own private computer networks may receive three different orders relating to those systems. Any organisation that receives an order is, subject to feasibility, required by law to do what it says. The new Investigatory Powers Act 2016 (IPA) adds some new orders to this list and provides a new basis for two of the existing ones.
Although it’s impossible to predict which of these orders may actually be directed to which (if any) organisations, or what requirements those orders may contain, it’s worth checking that you have the right processes in place so that, if you do receive one, it is handled promptly and effectively. Note that altering your systems to prepare “in case” you receive one of these orders is likely to breach data protection and possibly also interception law. It is also likely to forgo the opportunity in s.249 to claim a contribution from the Government towards the costs of responding to any order that is subsequently received.
The orders are as follows:
- To disclose specified communications data held by the organisation [currently RIPA s.22]: The existing power for the police and other authorities to order disclosure of information about the use of computers and networks is moved to s.61 of the IPA. The current limitation that this can only cover information about the use of the systems the organisation itself provides has been removed. If the organisation holds information about the use of other, third-party, communications systems then that may also be subject to a disclosure order (s.61(5)(c)). [Communications Data code of practice]
- To intercept specified communications on networks [currently RIPA s.5]: The existing power of the Home Secretary to authorise targeted interceptions is moved to s.19 of the IPA. For investigations relating to Scotland, the relevant Scottish Minister can also exercise this power. [Interception of Communications code of practice]
- To provide access to specified encrypted material [currently RIPA s.49]: This power does not appear to be altered by the new Act. Orders relating to encrypted material will still be made under RIPA. [RIPA Code of Practice for investigation of protected electronic information]
- To retain or collect communications data [NEW]: s.87 of the IPA allows relevant Ministers to order any telecommunications operator to retain specific communications data for up to 12 months. This power previously only covered public network operators under, most recently, the Data Retention and Investigatory Powers Act 2014. The IPA extends it to anyone who controls networking or communications equipment (s.261(10)(b)&(13)). Nowadays that probably covers all organisations and most homes. Unlike the communications data disclosure orders above, it appears (by s.87(4)) that data retention orders cannot cover third-party data. [there doesn’t appear to be a new Data Retention code of practice; this is the one used under the Data Retention and Investigatory Powers Act 2014]
- To “interfere with equipment” [NEW]: under s.99 of the Act, relevant Ministers may order any person (including organisations) to “interfere with equipment” in order to obtain either communications or information about the equipment. The Act gives examples of “monitoring, observing or listening to a person’s communications or other activities” and making recordings. [Equipment Interference code of practice]
- To implement specified technical facilities to support future disclosure, interception or interference orders [NEW]: s.253 of the Act allows relevant Ministers to order any telecommunications operator to “ha[ve] the capability to provide any assistance which the operator may be required to provide in relation to any [communications data, interception or equipment interference order]”. Under RIPA such orders could only be made against operators of public networks, and were apparently used to require them to maintain permanent interception capabilities. The IPA extends them to anyone who controls networking or communications equipment (s.261(10)(b)&(13)) and appears to cover a wider range of technical facilities. [technical capabilities are covered in section 10 of the Communications Data code of practice]
Most organisations will already handle RIPA s.22 communications data orders (most often to identify the person who was allocated a particular IP or e-mail address at a specified time) as a matter of routine. The other orders seem likely to be much rarer. Since they involve legal, technical, financial and operational considerations, and will often be subject to secrecy obligations, organisations’ processes should ensure that they receive appropriate consideration across all those fields.