Corporate Policy and Procedures Document on Accessing Communications Data
Authorisation and approval procedure
Applications for the acquisition of Communications Data should only be made where it is necessary for an Applicable Crime Purpose as defined at Section 60(A)(8) of the IPA (see section 5 below). This allows for applications to be made for Entity Data (formerly known as subscriber data) and Events Data (formerly known as service or traffic data).
Authorisation cannot be granted where an application is for any purpose other than the Applicable Crime Purpose. Under S11 of the IPA, it is an offence to knowingly or recklessly obtain communications data without lawful authority. Any person guilty of this offence will be liable to imprisonment for a term not exceeding 12 months and/or a fine.
Making an honest mistake will not amount to an offence. The conduct must have been intentional and voluntary, or the consequences of such conduct must have been foreseeable.
Communications Data does not include the content of any communications held by any telecommunications operator or postal operator and nothing in this policy authorises Council officers to access such data.
Council officers are also unable to acquire Internet Connection Records which provide details of the internet service that a specific device has been connected to.
A Council officer who wishes to access Communications Data must notify a Designated Senior Officer (DSO) before submitting an application electronically through the central NAFN Portal (www.nafn.gov.uk).
The DSO does not authorise or approve the application and as such is not required to be operationally independent. The DSO's role is to have an awareness of the application made, and to confirm this to the SPoC.
The application should contain the following information:
- a description of the Communications Data required;
- information as to time periods or any historic or future date(s);
- the purpose for which the data is required, by reference to the Applicable Crime Purpose under the IPA;
- a unique reference number;
- the name and position held by the person making the application;
- whether the Communications Data relates to a suspect, a witness, a complainant, a victim, next of kin, vulnerable person or other person relevant to the investigation or operation;
- the timescale within which the data is required;
- an explanation as to why the acquisition of that data is considered necessary and proportionate
- a description of any meaningful Collateral Intrusion and the extent to which the rights of individuals who are not under investigation may be infringed, and any
- justification for this in relation to the circumstances;
- where data is sought from a telecommunications operator or postal operator whether or not those operators may inform the subject(s) that an application has been made requesting Communications Data relating to them.
The role of the Single Point of Contact (SPoC)
Wiltshire Council is a member of the National Anti-Fraud Network (NAFN) an accredited body who provides SPoC services.
The SPoC facilitates the lawful acquisition of Communications Data, acting as a point of contact between the Council, the Office for Communications Data Authorisations (OCDA) and telecommunications operators and postal operators.
The SPoC will review the application for errors and advise as to the most appropriate methodology for the acquisition of data and assess any cost and resource implications.
The SPoC will also assist with good practice and provide advice regarding interpretation of the IPA to ensure that the Council acts in an informed and lawful manner.
If the SPoC is of the opinion that the application requires further work, it will be returned to the applicant who will have 14 days to make any amendments required and to resubmit the application.
If the SPoC is satisfied with the application, the SPoC will send the application for consideration by OCDA.
The Role of the Office for Communications Data Authorisations
OCDA provides independent authorisation and assessment of all Communications Data applications on behalf of the Investigatory Powers Commissioner.
An Authorising Officer from OCDA will only approve applications where s/he considers that it is necessary for the Applicable Crime Purpose.
Should an Authorising Officer refuse the request submitted, the Council can decide not to proceed with the request, or to resubmit the application with a revised justification or course of conduct to acquire Communications Data.
The application may also be resubmitted without amendment seeking a review of the decision by OCDA, but the applicant must seek approval from the SRO in order to do so and the application must be resubmitted within 7 days.
The SPoC will notify the applicant of the outcome, and where an authorisation has been received the SPoC shall:
(a) serve the request notice on the telecommunications or postal operator requesting the Communications Data;
(b) liaise with the telecommunications or postal operator in order to obtain the Communications Data required; and
(c) provide the Communications Data to the applicant once it is received
Duration of authorisations and notices
An authorisation becomes valid on the date upon which the authorisation is granted. Authorisations can only be issued for a maximum time period of one month and any conduct authorised should be commenced or any notice should be served within this period.
A notice may be given to a telecommunications operator or postal operator requiring the operator to obtain any communications data, if that data is not already within the operators' possession. The giving of a notice is appropriate where the operator is able to obtain or retrieve and disclose specific data. The SPoC will issue any notices on the Council's behalf and such notices will remain in force until complied with or until the authorisation under which the notice was given is cancelled.
Where a request relates to data that may not be generated until the future, the future period can be no more than one month from the date of the authorisation.
Renewal of authorisations
Authorisations must be renewed where there is a continuing requirement to acquire or obtain data which is outside of the original authorisation period.
The original authorisation may be renewed for a period of up to one month which will take effect upon the expiry of the original authorisation.
The reasons for seeking renewal should be set out in the application which should be sent to the SPoC for review in the same way as the original application.
Cancelling an authorisation
The applicant must notify the SPoC immediately if it considers that the information being obtained under the authorisation granted is no longer necessary or the obtaining of it is no longer proportionate to the operation.
The SPoC will then cease the authorised action and will notify the telecommunications or postal operator accordingly.