If you work in an organisation that uses the Regulation of Investigatory Powers Act (RIPA) to undertake surveillance activity or to deploy Covert Human Intelligence Sources (CHIS), or the Investigatory Powers Act (IPA) to obtain communications data, then you are probably already aware of the independent regulator - the Investigatory Powers Commissioners Officer (IPCO) that conducts regular inspections of your organisation to ensure that you are complying with the legislation.
IPCO have been continuing their inspections virtually, throughout the pandemic and so there has been no escape for organisations. From their findings, IPCO have produced an annual report giving observations on their inspections. These will have been viewed by the Prime Minister and Parliament, and made public via their website.
It is fair to say that IPCO are extremely objective in their inspections and views. They are tough on organisations that have, in their opinion, transgressed the boundaries of compliance. For example, in their latest report, several organisations were singled out for critical comment and some of them had to have extraordinary inspections to ensure that their compliance with the legislation was improved.
Reading through the report, there are number of broad-brush observations that identify good and bad practice within organisations. Below, I have extracted a number of these to assist you to see if you need to address anything in your organisation or hopefully, to take some reassurance that you are doing it correctly.
Over a series of articles, we will seek to examine some of these areas and share some guidance.
The Authorising Officer
In this article let’s look at the role of the Authorising Officer. The role of the authorising officer is, not unsurprisingly, to authorise applications for covert activity. Applications for communications data are now mainly authorised by the independent body - the Office for Communications Data Authorisations (OCDA). so we will focus on surveillance and CHIS.
There are a number of requirements placed on the authorising officer before they can authorise the activity. These are both legal and to some degree, operational. For example, they need to apply 6 legal tests under RIPA. Cases have been lost where this hasn’t been completed correctly., They need to understand the capability of the technical equipment and how the objectives can be achieved through covert activities. It is crucial that authorising officers are trained correctly and to ensure they perform this role, which is often in addition to other demanding managerial responsibilities, to the best of their ability.
Some of the observations of the authorising officer role made by IPCO include:
- We have challenged (the organisation’s) policy of noting authorising officer comments for surveillance only in exceptional cases. In the vast majority of cases, this means that there is no record of any consideration by the authorising officer. We recommended that it would be more appropriate for a routine notation of considerations to be made in each case. We believe that this would give authorising officers greater ownership of the process and would increase our level of confidence in this process… the consideration recorded by authorising officers on DSA forms, as well as the internal review processes, are inadequate. Reviews are conducted in a sporadic manner.
- It was disappointing that only limited progress had been made in relation to previous recommendations regarding the lack of written input from AOs. (The organisation’s) forms for initial authorisation and renewal of directed surveillance do not provide space for AOs to comment on the necessity, proportionality or collateral intrusion.
- (the organisation) did not have an adequate review process in place for this commonly used power, which meant that authorising officers were not properly setting out their considerations of necessity, proportionality and collateral intrusion for continued operations during the period for which a DSA was authorisedA certain degree of flexibility in the scope of the authorisation should allow authorising officers sufficient oversight while leaving room for trained surveillance officers to work effectively during dynamic operations.
- RIPA paperwork of (the organisation) demonstrates inconsistent written evidence of oversight and governance of CHIS activity by authorising officers.
- It remains the case, however, that authorising officers do not always lay out clear parameters under which the CHIS may operate and we have recommended that there should be greater consistency in this area.
- We also saw little improvement in review procedures for existing authorisations, which are required under the Code of Practice (CoP).
As we can see, IPCO have, understandably, high expectations of the people that perform the role of the authorising officer.
As the authorising officer is a role that is specified in law and the requirements of the authorisations are also enshrined in the Acts and the relevant Codes of Practice, then it is important that when writing authorisations, they comply with the legal requirements. Failing to do so can and will lead to cases being challenged, not around the evidence, but the circumstances under which it was allowed to be gathered.
The Bond Solon RIPA courses that I deliver, I discuss various cases where this has led to serious cases being lost, including defendants in the case of murdering a child to walk free from court because the RIPA process had not been applied correctly. It is important that even when the evidence obtained is compelling, defendants can be acquitted purely down to the way the authorising officer has undertaken their role.
Whether we think that is right or wrong that defendants are allowed to be acquitted purely due to the way an authorising officer has undertaken their role, particularly when the evidence obtained was compelling, is mute. This is avoidable if the authorising officer complies with the requirements of their role and act in good faith when doing so. In many of the cases that have been lost, it is apparent that authorising officers weren’t trained or chose to ignore the training they had received.
At Bond Solon, we offer first class initial RIPA Authorising Officer training at various levels which can lead to an externally awarded qualification as an Authorising Office. By attending, you will be able to demonstrate that you are occupationally competent in your role. We also offer refresher training to ensure that your knowledge and skills are current or if you have been out of the role for a while update training to get your knowledge back to where it needs to be. Find out more about our RIPA training.
It is also important that if you are involved in authorising activity that supports criminal investigation, that you understand the links between RIPA, the Criminal Procedures & Investigations Act regarding disclosure and the Data Protection Act. We now offer a half day public course which examines these links, so you understand how and where they overlap. Find out more about the inextricable link between RIPA/CPIA and DPA course.
The final word goes to IPCO from their latest report, ‘Training is also the only effective mechanism by which staff can be taught how to operate within the law.’
Author: Adrian Ramdat, Director of Covert, Intel & Specialist Training at Bond Solon