
Corporate Policy & Procedures Document on the Regulation of Investigatory Powers Act 2000 (RIPA) and the Investigatory Powers Act 2016 (IPA)
· Use of Directed Surveillance
· Use of Covert Human Intelligence Sources
· Accessing Communications Data
Version: January 2026
Contents
Authorising Officers Responsibilities
Conduct and Use of a Covert Human Intelligence Source (CHIS)
Use of the Internet, Social Media and Online Selling Platforms
Juvenile Sources and Vulnerable Individuals
Acquisition of Communications Data under IPA
Serious Crime and Non RIPA Surveillance
Consequences of Non Compliance
Appendix 1: RIPA and IPA roles
Appendix 2: Flow chart outlining process for Directed Surveillance and CHIS
Appendix 3: List of Useful Websites
Appendix 4: Guidance for Authorising Officers
Appendix 5: Guidance for Applicants
This document is based on the requirements of the Regulation of Investigatory Powers Act 2000 (RIPA) and the Home Office’s Covert Surveillance Code of Practice, Covert Human Intelligence Sources (CHIS) Code of Practice and the Investigatory Powers Act Codes of Practice in relation to communications data. It takes into account the oversight provisions contained in the revised Covert Surveillance Code of Practice and Part 3 of the Investigatory Powers Act which came into force in June 2019 and replaced many elements of the Regulation of Investigatory Powers Act 2000.
The authoritative position on RIPA is the Act itself and any Officer who is unsure about any aspect of this document should contact the Head of Regulatory Services or the Head of Law, for advice and assistance.
This document has been approved by elected members and is available from the Head of Regulatory Services.
The Corporate Director for City Operations will maintain the Central Register of all authorisations, reviews, renewals, cancellations and rejections. It is the responsibility of the relevant Authorising Officer to ensure that the relevant form is submitted, for inclusion on the register, within 1 week of its completion.
This document will be subject to an annual review by the Head of Regulatory Services and will be approved by elected members.
In terms of monitoring e-mails and internet usage, it is important to recognise the interplay and overlap with the Council’s Information Technology policies and guidance, the Telecommunications (Lawful Business Practice)(Interception of Communications) Regulations 2000, the Data Protection Act 2018 and its Code Of Practice and the General Data Protection Regulations. RIPA forms should only be used where relevant and they will only be relevant where the criteria listed are fully met.
The Council takes its statutory responsibilities seriously and will at all times act in accordance with the law and take necessary and proportionate action in these types of matters. In that regard the Head of Regulatory Services is duly authorised to keep this document up to date and amend, delete, add or substitute relevant provisions, as necessary. For administrative and operational effectiveness, the Head of Regulatory Services is authorised to add or substitute Authorising Officers with the agreement of the Senior Responsible Officer.
It is this Council’s Policy that
· All covert surveillance exercises conducted by the Council should comply with the requirements of RIPA
· An Authorisation will only be valid if initialled by a gatekeeper and signed by an authorising officer.
· Authorising 'Access to Communications data' will be restricted to the Head of Regulatory Services and the Trading Standards Operations Manager. The National Anti Fraud Network is the Single Point of Contact for purposes of Access to Communications Data.
The revised Code of Practice recommends that each public authority appoints a Senior Responsible Officer. This officer will be responsible for the integrity of the process in place within the public authority to authorise directed surveillance; compliance with the relevant Acts and Codes of Practice; engagement with the Commissioners and Inspectors when they conduct their inspections and where necessary overseeing the implementation of any post inspection action plans recommended or approved by a Commissioner.
The Senior Responsible Officer should be a member of the corporate management team and for the purposes of this policy the Corporate Director City Operations has been so delegated. It is the responsibility of the Senior Responsible Officer to ensure that all authorising officers are of an appropriate standard in light of any recommendations in the inspection reports prepared by the Investigatory Powers Commissioner's Office. Where an inspection report highlights concerns about the standards of authorising officers, it is the responsibility of the Senior Responsible Officer to ensure these concerns are addressed.
The Regulation of Investigatory Powers (Directed Surveillance and Covert Human Intelligence Sources) Order 2010 specifies the seniority of officers who are able to authorise surveillance activity. These are Directors, Head of Service, Service Manager or equivalent.
It is essential that Senior Managers and Authorising Officers take personal responsibility for the effective and efficient operation of this document.
It is the responsibility of the Senior Responsible Officer in conjunction with the Head of Regulatory Services to ensure that sufficient numbers of Authorising Officers receive suitable training on RIPA and this document, and that they are competent.
It will be the responsibility of those Authorising Officers to ensure that relevant members of staff are also suitably trained as ‘Applicants’.
An authorisation must not be approved until the Authorising Officer is satisfied that the activity proposed is necessary and proportionate.
However, it will be the responsibility of the gatekeeper to review any applications prior to submission to the Authorising Officer. They should ensure that the correct form has been used (these are the latest Home Office forms, which are available on gov.uk) and that the applicant has obtained a Unique Reference Number (URN) from the Corporate Director City Operations Corporate Leadership Assistant. The gatekeeper should also ensure that the form has been correctly completed and contains sufficient detail and information to enable the authorising officer to make an informed decision whether to authorise the application.
The gatekeeper should also scrutinise the form to ensure that it complies with the necessity and proportionality requirements before the authorising officer receives the form. A gatekeeper should be a person with sufficient knowledge and understanding of the enforcement activities of the relevant public body, who should vet the applications as outlined above. Once the gatekeeper is satisfied with the application they should initial the form and submit any comments on the application in writing to the Authorising Officer and provide necessary feedback to the applicant. In order that there is consistency with the quality of applications the Head of Regulatory Services and Trading Standards Operation Manager will act as gatekeepers for the Council. It should be noted that the Head of Regulatory Services will not act as gatekeeper and Authorising Officer on the same application.
· Necessary in this context includes consideration as to whether the information sought could be obtained by other less invasive means, and that those methods have been explored and been unsuccessful or could have compromised the investigation. The Authorising Officer must be satisfied that there is necessity to use covert surveillance in the proposed operation. To be satisfied there must be an identifiable offence to prevent or detect before an authorisation can be granted on the grounds falling within sec 28(3)(b) and 29(3)(b) of RIPA. The application should identify the specific offence being investigated (including the Act and section) and the specific point(s) to prove that the surveillance is intended to gather evidence about. The applicant must show that the operation is capable of gathering that evidence and that such evidence is likely to prove that part of the offence.
· Deciding whether the activity is proportionate includes balancing the right to privacy against the seriousness of the offence being investigated. Consideration must be given as to whether the activity could be seen as excessive. An authorisation should demonstrate how the Authorising Officer has reached the conclusion that the activity is proportionate to what it seeks to achieve, including an explanation of the reasons why the method, tactic or technique proposed is not disproportionate to what it seeks to achieve. A potential model answer would make it clear that the 4 elements of proportionality had been fully considered.
1. Balancing the size and scope of the operation against the gravity and extent of the perceived mischief,
2. Explaining how and why the methods to be adopted will cause the least possible intrusion on the target and others,
3. That the activity is an appropriate use of the legislation and the only reasonable way, having considered all others, of obtaining the necessary result and,
4. Evidencing what other methods had been considered and why they were not implemented.
Authorising Officers must pay particular attention to Health & Safety issues that may be raised by any proposed surveillance activity. Approval must not be given until such time as any health and safety issue has been addressed and/or the risks identified are minimised.
Authorising Officers must ensure that staff who report to them follow this document and do not undertake any form of surveillance, or access communications data, without first obtaining the relevant authorisation in compliance with this document.
Authorising Officers must ensure when sending copies of any forms to the Corporate Director City Operations for inclusion in the Central Register, that they are sent via email marked Strictly Private & Confidential.
The Human Rights Act 1998 (which brought much of the European Convention on Human Rights and Fundamental Freedom 1950 into UK domestic law) requires the City Council, and organisations working on its behalf, to respect the private and family life of citizens, their homes and their correspondence.
The European Convention did not make this an absolute right, but a qualified right. Therefore, in certain circumstances, the City Council may interfere in an individual’s right as mentioned above, if that interference is:-
b. Necessary; and
The Regulation of Investigatory Powers Act 2000 (RIPA) provides a statutory mechanism (i.e. ‘in accordance with the law’) for authorising covert surveillance and the use of a ‘covert human intelligence source’ (‘CHIS’) – e.g. undercover agents. It seeks to ensure that any interference with an individual’s right under Article 8 of the European Convention is necessary and proportionate. In doing so, RIPA seeks to ensure both the public interest and the human rights of individuals are suitably balanced.
Directly employed Council staff and external agencies working for the City Council are covered by the Act for the time they are working for the City Council. All external agencies must, therefore, comply with RIPA and the work carried out by agencies on the Council’s behalf must be properly authorised by an Authorising Officer after scrutiny by a gatekeeper.
The Protection of Freedoms Act 2012 introduced two significant changes to the use of RIPA
1) All local authority authorisations to use RIPA can only be given effect once an order approving the authorisation is given by a Justice of the Peace.
2) Applications for directed surveillance by local authorities must first meet the ‘directed surveillance crime threshold’. Directed surveillance may only be authorised to prevent or detect criminal offences that;
• Are punishable by a maximum term of at least 6 months imprisonment, or,
• Are related to the sale of alcohol or tobacco to underage persons.
In cases of conflict between the Policy or Reference Guide and relevant statutes or the statutory Code of Practice, the statute or statutory Code shall prevail.
A list of officers who may authorise Directed Surveillance is kept by the Corporate Director City Operations and the current list is attached at Appendix 1. This list will be updated annually. The designated gatekeepers for the Council are the Principal Trading Standards Operations Manager and the Head of Regulatory Services.
If the correct procedures are not followed, evidence may be dis-allowed by the courts, a complaint of mal-administration could be made to the Ombudsman, and/or the Council could be ordered to pay compensation. Such action would not, of course, promote the good reputation of the City Council and will, undoubtedly, be the subject of adverse press and media interest.
A flowchart of the procedures to be followed appears at Appendix 2. A list of useful websites is available at Appendix 3.
· Requires prior authorisation of directed surveillance
· Prohibits the Council from carrying out intrusive surveillance
· Requires authorisation of the conduct and use of a CHIS
· Requires safeguards for the conduct and use of a CHIS
· Requires proper authorisation to obtain communication data
· Prohibits the Council from accessing ‘traffic data’
· Make unlawful conduct which is otherwise lawful
· Prejudice or dis-apply any existing powers available to the City Council to obtain information by any means not involving conduct that may be authorised under this Act. For example, it does not affect the Council’s current powers to obtain information via the DVLA or to get information from the Land Registry as to the ownership of a property.
If the Authorising Officer or any Applicant is in any doubt, they should ask the Head of Regulatory Services or the Head of Law before any directed surveillance, CHIS, or Access to Communications is authorised, renewed, cancelled or rejected.
‘Surveillance’ includes
· Monitoring, observing, listening to persons, watching or following their movements, listening to their conversations and other such activities or communications.
· Recording anything mentioned above in the case of authorised surveillance
· Surveillance, by or with, the assistance of appropriate surveillance device(s).
Most surveillance activity will be done overtly, that is, there will be nothing secretive, clandestine or hidden about it. In many cases, officers will be behaving in the same way as a normal member of the public (e.g. in the case of most test purchases), and/or will be going about Council business openly (e.g. a Neighbourhood Warden walking through the estate).
Similarly, surveillance will be overt if the subject has been told it will happen (e.g. where a noisemaker is warned (preferably in writing) that noise will be recorded if the noise continues, or where an entertainment licence is issued subject to conditions, and the licensee is told that officers may visit without notice or identifying themselves to the owner/proprietor to check that the conditions are being met).
· Activity that is observed as part of normal duties, e.g. by an officer in the course of day-to-day work.
· CCTV cameras (unless they have been directed at the request of investigators) – these are overt or incidental surveillance, and are regulated by the Data Protection Act.
Covert Surveillance is carried out in a manner calculated to ensure that the person subject to the surveillance is unaware of it taking place. (Section 26(9)(a) RIPA) It is about the intention of the surveillance, not about whether they are actually aware of it; it is possible to be covert in Council uniform where, for example, the person is intended to mistake the reason for the officer being there.
RIPA regulates two types of covert surveillance (Directed Surveillance and Intrusive Surveillance) and the use of Covert Human Intelligence Sources (CHIS).
Directed Surveillance is surveillance which: -
· Is covert; and
· Is not intrusive surveillance;
· Is not carried out in an immediate response to events which would otherwise make seeking authorisation under the Act unreasonable, e.g. spotting something suspicious and continuing to observe it; and
· It is undertaken for the purpose of a specific investigation or operation in a manner likely to obtain private information about an individual (whether or not that person is specifically targeted for purposes of an investigation).
Private information in relation to a person includes any information relating to his private and family life, his home and his correspondence. The fact that covert surveillance occurs in a public place or on business premises does not mean that it cannot result in the obtaining of private information about a person. Prolonged surveillance targeted on a single person will undoubtedly result in the obtaining of private information about him/her and others that s/he comes into contact, or associates, with.
Examples of Expectations of Privacy:
Two people are holding a conversation on the street and, even though they are talking together in public, they do not expect their conversation to be overheard and recorded by anyone. They have a ‘reasonable expectation of privacy’ about the contents of that conversation, even though they are talking in the street. The contents of such a conversation should be considered as private information. A directed surveillance authorisation would therefore be appropriate for a public authority to record or listen to the conversation as part of a specific investigation or operation and otherwise than by way of an immediate response to events.
A Surveillance officer intends to record a specific person providing their name and telephone number to a shop assistant, in order to confirm their identity, as part of a criminal investigation. Although the person has disclosed these details in a public place, there is nevertheless a reasonable expectation that the details are not being recorded separately for another purpose. A directed surveillance authorisation should therefore be sought.
For the avoidance of doubt, only those officers designated as ‘Authorising Officers’ for the purpose of RIPA can authorise ‘Directed Surveillance’ IF, AND ONLY IF, the RIPA authorisation procedures detailed in this document are followed.
Reconnaissance - Examples
Officers wish to drive past a café for the purposes of obtaining a photograph of the exterior. Reconnaissance of this nature is not likely to require a directed surveillance authorisation as no private information about any person is likely to be obtained or recorded. If the officers chanced to see illegal activities taking place, these could be recorded and acted upon as ‘an immediate response to events’. If, however, the officers intended to carry out the exercise at a specific time of day, when they expected to see unlawful activity, this would not be reconnaissance but directed surveillance, and an authorisation should be considered. Similarly, if the officers wished to conduct a similar exercise several times, for example to establish a pattern of occupancy of the premises

This is when it: -
· Is covert;
· Relates to residential premises and private vehicles; and
· Involves the presence of a person in the premises or in the vehicle or is carried out by a surveillance device in the premises/vehicle. Surveillance equipment mounted outside the premises will not be intrusive, unless the device consistently provides information of the same quality and detail as might be expected if they were in the premises/vehicle.
Only police and other law enforcement agencies can carry out this form of surveillance.
Notes about ‘Intrusive’
Surveillance is generally ‘Intrusive’ only if the person is on the same premises or in the same vehicle as the subject(s) of the surveillance. Carrying out surveillance using private residential premises (with the consent of the occupier) as a ‘Static Observation Point’ does not make that surveillance ‘Intrusive’. A device used to enhance your external view of property is almost never an intrusive device. A device would only become intrusive where it provided a high quality of information from inside the private residential premises. If premises under surveillance are known to be used for legally privileged communications, that surveillance must also be treated as intrusive.
Examples:
Officers intend to use an empty office to carry out surveillance on a person who lives opposite. As the office is on the 4th floor, they wish to use a long lens and binoculars so that they can correctly identify and then photograph their intended subject covertly. This is NOT intrusive surveillance, as the devices do not provide high quality evidence from inside the subject’s premises.
Officers intend using a surveillance van parked across the street from the subject’s house. They could see and identify the subject without binoculars but have realised that, if they use a 500mm lens, as the subject has no net curtains or blinds, they should be able to see documents he is reading. This IS intrusive surveillance, as the evidence gathered is of a high quality, from inside the premises, and is as good as could be provided by an officer or a device being on the premises.
Type of Surveillance and Examples:
Overt
· Police Officer or Parks Warden on patrol
· Sign-posted Town Centre CCTV cameras (in normal use)
· Recording noise coming from outside the premises after the occupier has been warned that this will occur if the noise persists.
· Most test purchases (where the officer behaves no differently from a normal member of the public).
Covert but not requiring prior authorisation
· CCTV cameras providing general traffic, crime or public safety information.
Directed (must be RIPA authorised)
· Officers follow an individual or individuals over a period, to establish whether s/he is working when claiming benefit or off long term sick from employment.
· Test purchases where the officer has a hidden camera or other recording device to record information that might include information about the private life of a shop-owner, e.g. where s/he is suspected of running his business in an unlawful manner.
Intrusive
· Planting a listening or other device (bug) in a person’s home or in their private vehicle.
THE COUNCIL CANNOT CARRY OUT THIS ACTIVITY AND FORBIDS ITS OFFICERS FROM CARRYING IT OUT
A Covert Human Intelligence Source (CHIS) is someone who establishes or maintains a personal or other relationship for the covert purpose of facilitating anything falling under the following bullet points;
· Covertly uses such a relationship to obtain information or to provide access to any information to another person or,
· Covertly discloses information obtained by the use of such a relationship, or as a consequence of the existence of such a relationship.
RIPA may or may not apply in circumstances where members of the public volunteer information to the Council or to contact numbers set up to receive such information (such as benefit fraud hotlines). It will often depend on how the information was obtained. If an individual has obtained the information in the course of or as a result of a personal or other relationship it may be that they are acting as a CHIS. The contrast is between such a person and one who has merely observed the relevant activity from ‘behind his (actual or figurative) net curtains’.
A relationship is covert if it is conducted in a manner that is calculated to ensure that one of the parties to the relationship is unaware of its purpose.
If a person who volunteers information is then asked to obtain further information, it is likely that they would either become a CHIS or that a directed surveillance authorisation should be considered.
Examples of a CHIS may include:
· Licensing officers, working with the Police, covertly building a business relationship with a cab company which is believed to be using unlicensed drivers.
· Food safety officers posing as customers to get information on what is being sold at premises and developing a relationship with the shopkeeper beyond that of supplier and customer.
Officers must not create or use a CHIS without prior authorisation. If there is any doubt as to whether an individual is acting as a CHIS, advice should be sought from the Head of Regulatory Services.
· Creating (or “Conduct of”) a CHIS means procuring a person to establish or maintain a relationship with a person so as to secretly obtain and pass on information. The relationship could be a personal or ‘other’ relationship (such as a business relationship) and obtaining the information may be either the only reason for the relationship or be incidental to it. Note that it can also include asking a person to continue a relationship which they set up of their own accord.
· Use of a CHIS includes actions inducing, asking or assisting a person to act as a CHIS and the decision to use a CHIS in the first place.
Use of the Internet, Social Media and Online Selling Platforms
The growth of the internet and the scale of information available online create significant opportunities for public authorities to gather material that can assist in preventing or detecting crime, carrying out statutory functions, and understanding or engaging with the public. Public authorities should make full and lawful use of such information. Much can be accessed without RIPA authorisation, and use of the internet prior to an investigation will not normally engage privacy considerations. However, if reviewing an individual’s online presence becomes persistent, or if material is extracted, recorded, and retained such that privacy may be engaged, RIPA authorisations should be considered.
Use of the internet may itself constitute a covert surveillance technique where the subject is unaware monitoring is occurring. If conducted covertly for a specific investigation or operation and likely to yield private information, consider directed surveillance authorisation.
Where reasonable steps are taken to inform the public/individuals that monitoring may occur, activity may be overt and a directed surveillance authorisation will not normally be available. Information openly and commonly accessible (e.g., telephone directories, Companies House) generally carries a reduced expectation of privacy. Similarly, content posted to communicate with a wide audience may carry reduced expectations.
Where access controls/privacy settings are applied, the author generally has a reasonable expectation of privacy. Where such settings are available but not applied, data may be considered open source and authorisation is not usually required—but repeat viewings of “open source” content can, on a case-by-case basis, amount to directed surveillance.
Directed surveillance authorisation should be considered where online monitoring is systematic/persistent, directed at a person or group, and is likely to obtain private information, or where information is extracted and retained to build an intelligence picture (e.g., identity, habits, associations, pattern of life). If it is necessary and proportionate to covertly breach access controls, the minimum requirement is directed surveillance authorisation.
If someone acting for a public authority establishes or maintains a relationship online (i.e., goes beyond merely viewing/reading content) without disclosing their identity, a CHIS authorisation may be required. It is not unlawful to create a false identity, but doing so for a covert purpose without authorisation is inadvisable. Using photographs of other persons without permission to support a false identity may infringe other laws.
Preliminary, one-off checks (to see if a site or content is of interest) will usually not interfere with a reasonable expectation of privacy and will not normally require authorisation. Once activity becomes persistent or information is extracted/recorded/retained (particularly to build a profile), consider directed surveillance (and CHIS if relationships are formed/maintained).
Name/number search: A simple search (name, address, number) to locate an online presence is unlikely to need authorisation. If the profile is then monitored or information extracted for retention because it is relevant to an investigation, authorisation should be considered.
Initial profile check: A one-off visit to assess relevance is unlikely to need authorisation. If, during that visit, information is extracted and recorded to develop a profile (identity, pattern of life, habits, intentions, associations), it may be advisable to have authorisation even for that single visit (purpose, scope, and likely privacy impact are key).
General monitoring (no specific investigation): Broad scanning to identify trends, indicators, or themes does not require RIPA. If this leads to discovery of previously unknown subjects and a decision is made to monitor them as part of an investigation or operation, authorisation should be considered.
Factors when deciding whether directed surveillance authorisation is required include:
· whether the proposed online activity:
· Is directed towards an identifiable individual or organisation;
· Is likely to result in obtaining private information about a person or group;
· Involves visiting internet sites to build an intelligence picture or profile;
· Will result in information being recorded and retained;
· Is likely to reveal a pattern of life;
· Will be combined with other sources such that it amounts to information about a person’s private life;
· Forms part of an ongoing piece of work involving repeated viewing;
· Is likely to capture third party information (friends/family/associates), creating collateral intrusion.
· Internet searches by a third party or use of a search/monitoring tool on behalf of a public authority may still require directed surveillance authorisation, depending on the purpose, persistence, and privacy impact. Using automated tools to detect generic terminology linked to illegal activity, or conducting general data analysis (e.g., predictive hotspotting, trend analysis) is not usually directed surveillance when not targeted at specific individuals as part of an investigation.
· Officers must adhere to the following prohibitions and constraints to prevent basic research from becoming surveillance:
· No setting up of false profiles.
· No bypassing of security/access controls.
· No gathering of private information.
· No repeated viewing of individuals’ accounts, even if public/unprotected.
Any approved research should be recorded, including date, sites visited, and reason/necessity. Records must be available for inspection by the Investigatory Powers Commissioner’s Office (IPCO). If research identifies a need to capture online evidence (e.g., screenshots of an offence), this should be recorded and stored in line with local policy. These measures help eliminate the risk of basic online research slipping into covert surveillance without appropriate authorisation.
Example 1: A police officer undertakes a simple internet search on a name, address or telephone number to find out whether a subject of interest has an online presence. This is unlikely to need an authorisation. However, if having found an individual’s social media profile or identity, it is decided to monitor it or extract information from it for retention in a record because it is relevant to an investigation or operation, authorisation should then be considered.
Example 2: A customs officer makes an initial examination of an individual’s online profile to establish whether they are of relevance to an investigation. This is unlikely to need an authorisation. However, if during that visit it is intended to extract and record information to establish a profile including information such as identity, pattern of life, habits, intentions or associations, it may be advisable to have in place an authorisation even for that single visit. (As set out in the following paragraph, the purpose of the visit may be relevant as to whether an authorisation should be sought.)
Example 3: A public authority undertakes general monitoring of the internet in circumstances where it is not part of a specific, ongoing investigation or operation to identify themes, trends, possible indicators of criminality or other factors that may influence operational strategies or deployment. This activity does not require RIPA authorisation. However, when this activity leads to the discovery of previously unknown subjects of interest, once it is decided to monitor those individuals as part of an ongoing operation or investigation, authorisation should be considered.
Special safeguards apply to the use or conduct of juvenile sources (i.e. under18 year olds). On no occasion can a child under 16 years of age be authorised to give information against his or her parents.
Authorisations for juvenile CHIS must not be grantedunless: -
· A risk assessment has been undertaken as part of the application, covering the physical dangers and the psychological aspects of the use of the child
· The risk assessment has been considered by the Authorising Officer and he is satisfiedthat any risks identified in it have been properly explained; and
· The Authorising Officerhas given particular consideration as to whether the child is to be asked to get information from a relative, guardian or any other person who has for the time being taken responsibility for the welfare of the child.
A Vulnerable Individual is a person who is or may be in need of community care services by reason of mental or other disability, age or illness and who is or may be unable to take care of himself or herself, or unable to protect himselfor herself against significant harm or exploitation.
Carrying out test purchases will not require the purchaser to establish a relationship with the supplier with the covert purpose of obtaining information and, therefore, the purchaser will not normally be a CHIS. For example, authorisation would not normally be required for test purchases carried out in the ordinary course of business (e.g. walking into a shop and purchasing a product over the counter).
By contrast, developing a relationship with a person in the shop, to obtain information about the seller’s suppliers of an illegal product (e.g. illegally imported products) will require authorisation as a CHIS. Similarly, using mobile hidden recording devices or CCTV cameras to record what is going on in the shop will require authorisation as directed surveillance. A combined authorisation can be given for a CHIS and also directed surveillance.
Please also see below under ‘Serious Crime’.
Persons who complain about anti-social behaviour, and are asked to keep a diary, will not normally be a CHIS, as they are not required to establish or maintain a relationship for a covert purpose.
Recording the level of noise (e.g. the decibel level) will not normally capture private information and, therefore, does not require authorisation.
Recording sound (with a DAT recorder) on private premises could constitute intrusive surveillance, unless it is done overtly. For example, it will be possible to record if the noisemaker is warned that this will occur if the level of noise continues.
Placing a covert stationary or mobile video camera outside a building to record anti-social behaviour on residential estates will require prior authorisation.
Acquisition of Communications Data under IPA
There are circumstances when “Communications Data” (CD) is permitted to be obtained from Communications Service Providers (CSPs). Part 3 of the Investigatory Powers Act 2016 (IPA) contains provisions relating to authorisations for obtaining communications data. This part of the Act came into force on 11 June 2019 and replaced many of the provisions in RIPA.
IPA governs how Local Authorities use the investigatory powers available to them. These powers provide for the lawful acquisition of Communications. Communications Data includes the ‘who’, ‘when’, ‘where’, and ‘how’ of a communication, but not the content i.e. what was said or written. Local Authorities may only acquire less intrusive types of Communications Data; “Entity data” (e.g. the identity of the person to whom services are provided) or “Events Data” (e.g. the date and time sent, duration, frequency of communications). Local Authorities are prohibited from obtaining the content of any communication.
The acquisition of Communications Data by a local authority is no longer subject to judicial approval by a magistrate. Applications for Communications Data are subject to independent examination, scrutiny and approval by the Investigatory Powers Commissioner’s Office. Local Authority Service (e.g. Trading Standards) applications for Communications Data are submitted to the IPCO through a service provided by the National Anti-Fraud Network (NAFN).
The Trading Standards Service collaborates with NAFN to maintain compliance with IPA and to ensure any application follows best practice. The Trading Standards Service consults and works with NAFN throughout the application process to ensure the legal basis for all applications is met. NAFN will act as a Single Point of Contact between both the CSPs and the Trading Standards Service concerning the request and provision of Communications Data. More practical guidance on the process and procedure for making Communications Data checks is available directly from Trading Standards.
Trading Standards will not acquire Communications Data unless an application for authorisation is approved by the Investigatory Powers Commissioner’s Office (IPCO). In respect of applications for Communications Data made under the IPA, the “applicable crime purpose” must be met concerning all applications for both Entity Data and Events Data. The applicable crime purpose is defined differently in relation to each of these data types. Where the Communications Data sought is Entity Data, the applicable crime purpose is the prevention or detection of crime or the prevention of disorder. Where the Communications Data is wholly or partly Events Data, the applicable crime purpose is defined as preventing or detecting serious crime (the serious crime threshold).
IPCO will only retain the Communications Data applications and decisions for a limited period of time; therefore the Trading Standards Service keeps records of both the applications and the decisions received from the IPCO, as required.
Directed surveillance and the use of a CHIS can only be lawfully carried out if properly authorised, and in strict accordance with the terms of the authorisation. Appendix 2 provides a flow chart of the process to be followed.
Directed surveillance and/or the use of CHIS can only be authorised by the officers listed in this document attached at Appendix 1. Authorising officers should ensure that they undertake at least one refresher training course on RIPA during each calendar year. The list will be kept up to date by the Corporate Director City Operations and amended as necessary. The SRO can add, delete or substitute posts to this list as required.
Authorisations under RIPA are separate from delegated authority to act under the Council’s Scheme of Delegation and internal departmental Schemes of Management. RIPA authorisations are for specific investigations only and must be renewed or cancelled once the specific surveillance is complete or about to expire.
Only the Chief Executive can authorise the use of a CHIS who is a juvenile or a vulnerable person or in cases where it is likely that confidential information will be obtained through the use of surveillance.
A certificate of attendance will be given to anyone undertaking training in relation to the use of RIPA. Training will be recorded on their individual learning and development plan.
Only the currently approved forms, available on the Home Office website, may be used. Any other forms will be rejected by the gatekeeper/authorising officer.
A gatekeeper role will be undertaken by either the Head of Regulatory Services or the Trading Standards Operations Manager who will check that the applications have been completed on the correct forms, have a URN and that they contain sufficient grounds for authorisation. They will provide feedback to the applicant and will initial the forms before being submitted to the authorising officer.
The Head of Regulatory Services can fulfil both the role as gatekeeper and authorising officer but will not fulfil both roles for an individual application.
Directed Surveillance or the Conduct and Use of the CHIS can be authorised by an Authorising Officer where he believes that the authorisation is necessary in the circumstances of the particular case. For local authorities the only ground that authorisation can be granted is:
· For the prevention or detection of crime
· Or preventing disorder
From 1st November 2012, the Protection of Freedoms Act introduced an additional requirement for officers seeking to use directed surveillance or CHIS. From this date, with the exception of Trading Standards’ work regarding test purchases for alcohol and tobacco, all applications must meet the ‘serious crime’ threshold. This has been identified as any offence for which the offender could be imprisoned for 6 months or more. An analysis of relevant offences indicates that covert surveillance may therefore be used by Trading Standards (various offences including doorstep crime and counterfeiting), Waste Enforcement (fly tipping), Fraud against the Council and Child Protection and Adult Safeguarding issues. Where an offence meets the serious crime threshold, the applicant will apply to the Authorising Officer in the normal way via a gatekeeper, but will then need to attend Magistrate’s Court to obtain judicial sign off.
This new process will automatically restrict the use of surveillance activity under the RIPA framework by a number of our services as the offences they deal with do not meet the serious crime threshold.
RIPA does not grant any powers to carry out surveillance; it simply provides a framework that allows authorities to authorise surveillance in a manner that ensures compliance with the European Convention on Human Rights. Equally, RIPA does not prohibit surveillance from being carried out or require that surveillance may only be carried out following a successful RIPA application.
Whilst it is the intention of this Authority to use RIPA in all circumstances where it is available, for a Local Authority, this is limited to preventing or detecting crime and from 1st November 2012 to serious crime. The Authority recognises that there are times when it will be necessary to carry out covert directed surveillance when RIPA is not available to use. Under such circumstances, a RIPA application must be completed and clearly endorsed in red ‘NON-RIPA SURVEILLANCE’ along the top of the first page. The application must be submitted to a RIPA Authorising Officer in the normal fashion, who must consider it for Necessity and Proportionality in the same fashion as they would a RIPA application. The normal procedure of timescales, reviews and cancellations must be followed. Copies of all authorisations or refusals, the outcome of reviews or renewal applications and eventual cancellation must be notified to the Corporate Director City Operations who will keep a separate record of Non-RIPA activities, and monitor their use in the same manner as RIPA authorised activities.
Before an Authorising Officer authorises an application, they must:
· Be mindful of this Corporate Policy & Procedures Document
· Satisfy themselves that the RIPA authorisation is
· Necessary in the circumstances of the particular case on the ground specified above; and
· Proportionate to what it seeks to achieve
This means that they must consider
· whether other less invasive methods to obtain the information have been considered. The least intrusive method will normally be considered the most proportionate unless for example it is impractical or would undermine the investigation.
· balance the right of privacy against the seriousness of the offence under investigation. When considering necessity and proportionality, an authorising officer should spell out in terms of the 5 W’s (who, what, why, where, when and how) what specific activity is being sanctioned.
· Take account of the risk of intrusion into the privacy of persons other than the specified subject of the surveillance (Collateral Intrusion).
· Ensure that measures are taken wherever practicable to avoid or minimise collateral intrusion.
· Set a date for review of the authorisation and review on only that date where appropriate.
· Ensure that the form carries a unique reference number
· Ensure that the applicant has sent a copy to the Corporate Director City Operations for inclusion in the Central Register within 1 week of the authorisation.
· Ensure that the application is cancelled when required.
NB the application MUST make it clear how the proposed intrusion is necessary and how an absence of this evidence would prejudice the outcome of the investigation. If it does not then the application SHOULD be refused. Some guidance on how to complete the form for both authorising officers and applicants is available at Appendix 4 and Appendix 5.
Where the product of surveillance could be relevant to pending or future legal proceedings, it should be retained in accordance with established disclosure requirements for a suitable further period. This should be in line with any subsequent review. Attention should be drawn to the requirements of the Code of Practice issued under the Criminal Procedures and Investigations Act 1996. This states that material obtained in the course of a criminal investigation and which may be relevant to the investigation must be recorded and retained.
There is nothing in RIPA 2000 which prevents material obtained from properly authorised surveillance being used in other investigations. However, we must be mindful to handle, store and destroy material obtained through the use of covert surveillance appropriately. It will be the responsibility of the Authorising Officer to ensure compliance with the appropriate data protection requirements and to ensure that any material is not retained for any longer than is necessary. It will also be the responsibility of the Authorising Officer to ensure that the material is disposed of appropriately.
Particular care should be taken where the subject of the investigation or operation might reasonably expect a high degree of privacy, or where confidential information is involved.
Confidential Information consists of matters subject to legal privilege, confidential personal information or confidential journalistic information. So for example extra care should be taken where through the use of surveillance, it would be possible to obtain knowledge of discussions between a minister of religion and an individual relating to the latter’s spiritual welfare, or where matters of medical or journalistic confidentiality, or legal privilege may be involved.
Similar considerations to those involving legally privileged information must also be given to authorisations that involve the above. Confidential personal information is information held in confidence relating to the physical or mental health or spiritual counselling concerning an individual (whether living or dead) who can be identified from it. This information can be either written or oral and might include consultations between a doctor and patient or information from a patient’s medical records. Spiritual counselling means conversations between an individual and a Minister of Religion acting in an official capacity, where the individual being counselled is seeking or the Minister is imparting forgiveness, absolution or the resolution of conscience with the authority of the Divine Being(s) of their faith.
Confidential journalistic material includes material acquired or created for the purpose of journalism and held subject to an undertaking to hold it in confidence, as well as communications resulting in information being acquired for the purposes of journalism and held subject to such an undertaking.
When authorising the conduct or use of a CHIS, the Authorising Officer must also
· Be satisfied that the conduct and/or use of the CHIS is proportionate to what is sought to be achieved;
· Be satisfied that appropriate arrangements are in place for the management and oversight of the CHIS and this must address health and safety issues through a risk assessment; At all times there will be a person designated to deal with the CHIS on behalf of the authority and for the source’s security and welfare. This person should be in at least the position of Head of Service.
· Consider the likely degree of intrusion of all those potentially affected;
· Consider any adverse impact on community confidence that may result from the use or conduct or the information obtained; and
· Ensure records contain particulars and are not available except on a need to know basis
Records must be kept that contain the information set out in Statutory Instrument 2000/2725 – The Regulation of Investigatory Powers (Source Records) Regulations 2000. Further guidance on the requirements can be obtained from the Head of Regulatory Services.
The application form must be reviewed in the time stated and cancelled once it is no longer needed. The ‘authorisation’ to conduct the surveillance lasts for a maximum of 3 months for Directed Surveillance and 12 months for a Covert Human Intelligence Source.
Authorisations can be renewed in writing when the maximum period has expired. The Authorising Officer must consider the matter afresh, including taking into account the benefits of the surveillance to date, and any collateral intrusion that has occurred.
The renewal will begin on the day when the authorisation would have expired.
Urgent authorisations, if not ratified by written authorisation, will cease to have effect after 72 hours, beginning from the time when the authorisation was granted.
If an officer wishes to utilise the CCTV system operated by the Police, a Directed Surveillance Authorisation must be obtained before an approach is made to the Control Room. If immediate action is required an Authorisation must be obtained within 72 hours of the request being made.
When some other agency has been instructed on behalf of the City Council to undertake any action under RIPA, this Document and the Forms in it must be used (as per normal procedure) and the agency advised or kept informed, as necessary, of the various requirements. They must be made aware explicitly what they are authorised to do.
When another Enforcement Agency (e.g. Police, HMRC etc):
- Wish to use the City Council’s resources (e.g. CCTV surveillance systems), that agency must use its own RIPA procedures. Before any Officer agrees to allow the City Council’s resources to be used for the other agency’s purposes, they must obtain a copy of that agency’s RIPA form, or written confirmation that a Directed Surveillance Authorisation is in place.
- Wish to use the City Council’s premises for their own RIPA action, the Officer should, normally, co-operate with the same, unless there are security or other good operational or managerial reasons as to why the City Council’s premises should not be used for the agency’s activities. Suitable insurance or other appropriate indemnities may be sought, if necessary, from the other agency for the City Council’s co-operation in the agent’s RIPA operation. In such cases, however, the City Council’s own RIPA forms should not be used as the City Council is only ‘assisting’ not being ‘involved’ in the RIPA activity of the external agency.
A Central Register of all Authorisation Forms will be maintained and monitored by the Corporate Director City Operations
· A copy of the Forms together with any supplementary documentation and notification of the approval given by the Authorising Officer;
· A record of the period over which the surveillance has taken place;
· The frequency of reviews prescribed by the Authorising Officer;
· A record of the result of each review of the authorisation;
· A copy of any renewal of an authorisation, together with supporting documentation submitted when the renewal was requested;
· The date and time when any instruction was given by the Authorising Officer;
· The Unique Reference Number for the authorisation (URN).
Authorising Officers must forward details of each form to the Corporate Director City Operations Corporate Leadership Assistant for the Central Register, within 1 week of the authorisation, review, renewal, cancellation or rejection.
Records will be retained for six years from the ending of the authorisation. The Investigatory Powers Commissioner’s Office (IPCO) and the Interception Commissioner can audit/review the City Council’s policies and procedures, and individual authorisations.
Where covert surveillance work is being proposed, this Policy and Guidance must be strictly adhered to in order to protect both the Council and individual officers from the following:
· Inadmissible Evidence and Loss of a Court Case / Employment Tribunal / Internal Disciplinary Hearing – there is a risk that, if Covert Surveillance and Covert Human Intelligence Sources are not handled properly, the evidence obtained may be held to be inadmissible. Section 78 of the Police and Criminal Evidence Act 1984 allows for evidence that was gathered in a way that affects the fairness of the criminal proceedings to be excluded. The Common Law Rule of Admissibility means that the court may exclude evidence because its prejudicial effect on the person facing the evidence outweighs any probative value the evidence has (probative v prejudicial).
· Legal Challenge – as a potential breach of Article 8 of the European Convention on Human Rights, which establishes a “right to respect for private and family life, home and correspondence”, incorporated into English Law by the Human Rights Act (HRA) 1998. This could not only cause embarrassment to the Council but any person aggrieved by the way a local authority carries out Covert Surveillance, as defined by RIPA, can apply to a Tribunal – see section 15.
· Offence of unlawful disclosure – disclosing personal data as defined by the DPA that has been gathered as part of a surveillance operation is an offence under Section 55 of the Act. Disclosure can be made but only where the officer disclosing is satisfied that it is necessary for the prevention and detection of crime, or apprehension or prosecution of offenders. Disclosure of personal data must be made where any statutory power or court order requires disclosure.
· Fine or Imprisonment – Interception of communications without consent is a criminal offence punishable by fine or up to two years in prison.
· Censure – the Investigatory Powers Commissioner’s Office conducts regular audits on how local authorities implement RIPA. If it is found that a local authority is not implementing RIPA properly, then this could result in censure.
· Elected Members shall have oversight of the Authority’s policy and shall review that policy annually.
· The report to members shall be presented to the Elected Members by the SRO. The report must not contain any information that identifies specific persons or operations.
· Alongside this report, the SRO will report details of ‘Non-RIPA’ surveillance in precisely the same fashion.
· Elected Members may not interfere in individual authorisations. Their function is, with reference to the reports, to satisfy themselves that the Authority’s policy is robust and that it is being followed by all officers involved in this area. Although it is elected members who are accountable to the public for council actions, it is essential that there should be no possibility of political interference in law enforcement operations.
Where there is an interference with the right to respect for private life and family guaranteed under Article 8 of the European Convention on Human Rights, and where there is no other source of lawful authority for the interference, or if it is held not to be necessary or proportionate to the circumstances, the consequences of not obtaining or following the correct authorisation procedure may be that the action (and the evidence obtained), is held to be inadmissible by the Courts pursuant to Section 6 of the Human Rights Act 1998.
Obtaining an authorisation under RIPA and following this document will ensure, therefore, that the action is carried out in accordance with the law and subject to stringent safeguards against abuse of anyone’s human rights.
Authorising Officers should be suitably competent and must exercise their minds every time they are asked to sign the request. They must never sign or rubber stamp form(s) without thinking about their personal and the City Council’s responsibilities.
Any boxes not needed on the Form(s) must be clearly marked as being ‘NOT APPLICABLE’, ‘N/A’ or a line put through the same. Great care must also be taken to ensure accurate information is used and is inserted in the correct boxes. Reasons for any refusal of an application must also be kept on the form and the form retained for future audits.
For further advice and assistance on RIPA, please contact the Head of Regulatory Services.
Directed Surveillance/CHIS Forms can be obtained from the Home Office website or from NAFN in relation to Access to Communications Data.
· National Anti Fraud Network (NAFN)
Process for authorising Directed Surveillance

Process for authorising a CHIS

· The most up-to-date RIPA forms must always be used. These are available from the Home Office website and may be found by following this link: www.gov.uk/government/collections/ripa-forms--2
· The full text of the RIPA Codes of Practice is available here: www.gov.uk/government/collections/ripa-codes#current-codes-of-practice
· The full text of the IPA Codes of Practice is available here: www.gov.uk/government/publications/communications-data-code-of-practice
· The Regulation of Investigatory Powers Act 2000 is available here: http://www.legislation.gov.uk/ukpga/2000/23/contents
· The Investigatory Powers Act 2016 is available here: www.legislation.gov.uk/ukpga/2016/25/contents
· The Investigatory Powers Commissioner’s Office website has some useful information and advice and is available here:




