Communications Data Standard Operating Procedure

Transcription

1 Communications Data Standard Operating Procedure Notice: This document has been made available through the Police Service of Scotland Freedom of Information Publication Scheme. It should not be utilised as guidance or instruction by any police officer or employee as it may have been redacted due to legal exemptions Owning Department: Version Number: Specialist Crime Division 4.00 Date Published: 25/01/2018 Version 4.00 RESTRICTED

2 Compliance Record Equality Impact Assessment: Date Completed / Reviewed: 16/01/2018 Information Management Compliant: Yes Health and Safety Compliant: Yes Publication Scheme Compliant: No Version Control Table Version Number: History of Amendments: Date: V1.00 Initial authorised version 06/08/2013 V2.00 V3.00 V4.00 Amended to reflect changes to current working practices, advances in technology, recommendations made during Interception of Communications Commissioners Office (IOCCO) annual inspection of Police Scotland in June 2014 and incorporating key points from the revised Home Office Acquisition and Disclosure of Communications Data Codes of Practice (March 2015) Change made to Prioritisation Grading s to reflect National Code of Practice Amended following Criminal Justice Act (Scotland) /11/ /01/ /01/2018 Version 4.00 RESTRICTED 2

3 Contents 1. Purpose 2. Legal Basis 3. Definition of Communications Data 4. Authorisations and Notices 5. Acquiring Communications Data 6. National Prioritisation Grading s 7. Roles and Responsibilities 8. Application / Authorisation Process 9. Life At Immediate Risk Situations 10. Dropped / Silent / 999 or 112 Calls 11. Service Providers Cost Recovery 12. Information Available From Mobile Phones 13. Radio Frequency Propagation Survey (RFPS) 14. Engagement with Private Companies 15. Communications Data As Evidence 16. Malicious and Nuisance Communications 17. Role of the Interception of Communications Commissioner s Office (IOCCO) Version 4.00 RESTRICTED 3

4 Appendices Appendix A Appendix B Appendix C Appendix D Appendix E Appendix F List of Associated Legislation List of Associated Reference Documents List of Associated Forms Glossary of Terms CIU Contact Details CycComms Link Version 4.00 RESTRICTED 4

5 1. Purpose 1.1 This Standard Operating Procedure (SOP) establishes procedures that ensures the Police Service of Scotland (hereinafter Police Scotland ) manages its acquisition and use of communications data (CD) in accordance with legislation, and the Home Office Acquisition and Disclosure of Communications Data Codes of Practice This SOP also aims to give police officers and police staff guidance on how to apply for and/or use CD as part of their operational duties whilst also providing direction to senior officers (Designated Person) who may be required to authorise the obtaining and/or use of CD. 1.3 The role of the Communications Data Single Point of Contact (SPoC) is a challenging role balancing the needs of investigators and safety of the public combined with expertise and knowledge of Communication Service Providers (CSPs) to assist with the analysis and interpretation of CD. SPoCs have the responsibility of adhering to the Regulation of Investigatory Powers Act 2000 (RIPA) and the European Convention on Human Rights (ECHR) on behalf of the Police Service of Scotland, hereinafter referred to as Police Scotland. 1.4 Most applications are straightforward but the SPoC is there to help applicants, to advise on the best way to proceed, and provide guidance on how CD should be used. When you are faced with something out of the ordinary they should be able to offer advice and assistance. 2. Legal Basis 2.1 The procedures described in this SOP are founded on the provisions of the Regulation of Investigatory Powers Act 2000, (RIPA) Part 1, Chapter 2 (the Act) which provides a legal basis for the lawful access to CD by public authorities including police forces. 2.2 The main purpose of the Act is to ensure that the relevant investigatory powers are used in accordance with ECHR. 2.3 The Act requires that human rights principles are followed. Officers must ask themselves the following questions before utilising any of the powers under this Act: Is the proposed action lawful? Is the proposed action necessary (for a legitimate aim)? Is the proposed action proportionate to the crime or incident being investigated (not a sledgehammer to crack a nut)? Is the proposed action non-discriminatory? Version 4.00 RESTRICTED 5

6 2.4 In 2014, the Data Retention and Investigatory Powers Act 2014 (DRIPA) was introduced. This was in response to the European Court of Justice (ECJ) judgment of 8th April 2014 which declared a previous Data Retention Directive (2006/24/EC) invalid. DRIPA makes clear that anyone providing a communications service to customers in the UK, regardless of where that service is provided from, should comply with lawful requests made under the Act and requires relevant companies to retain certain types of CD for up to 12 months, so this may later be acquired by law enforcement and used in evidence. 2.5 Human Rights The access to CD in accordance with the relevant legislation ensures compliance with the Human Rights Act 1998 and the principles of ECHR. The legislation provides a basis for accessing CD in relation to a wide variety of crimes and offences within the general confines of proportionality and necessity It is vital that the management of all access and subsequent use of CD is subject to the highest possible standards of professional integrity so that due cognisance is taken of, and protection afforded to, individual human rights Moreover, in so doing the entire process is safeguarded and can withstand independent scrutiny and examination including an extensive annual audit conducted by the Interception of Communications Commissioners Office (IOCCO) Police Scotland is a designated public authority and as such is required to act in a way and apply legislation so that it is consistent with ECHR. One of the underlying principles of the Convention is that a public authority can only infringe certain rights, such as the right to privacy (Article 8), or freedom of expression (Article 10) if there is a legal framework that allows it to do so Article 8 - Right to Respect for Private & Family Life, states the following: Everyone has the right to respect for his private and family life, his home and his correspondence. There shall be no interference by a public authority except as in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others Article 10 - Everyone has the right to freedom of expression, states the following: This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers. Version 4.00 RESTRICTED 6

7 2.6 Code of Practice (CoP) The Acquisition and Disclosure of Communications Data Code of Practice (CoP) was issued by the Home Office and approved by Parliament on 1 October 2007 and subsequently amended on 25 March The CoP provides guidance to public authorities on the correct procedures for accessing CD under the provision of the Act. The CoP is deemed admissible in evidence in both criminal and civil proceedings. 3. Definition of Communications Data 3.1 Part 1, Chapter 2 Regulation of Investigatory Powers Act 2000 (RIPA) (the Act) defines communication data into three separate types. These being: 1. Information held by the CSP on a Person (section 21(4)(c)) this includes subscriber details, method of payment details, billing address, other records. Authorisation rank for data under S21(4)(c) Inspector or above 2. Use Made of a Communication Service (section 21(4)(b)) - itemised billing of calls, web sites visited and other similar records. Authorisation rank for data under S21(4)(b) Superintendent or above 3. Traffic Data (section 21(4)(a)) data comprised in or attached to a communication for the purpose of the postal or communication service incoming call data, cell site / location information, call line identity, and other records. Authorisation rank for data under S21(4)(a) Superintendent or above 3.2 The Act provides two different ways of authorising access to CD, referred to as Authorisation and Notice. 4. Authorisations and Notices 4.1 Authorisation This provides for persons (the SPoC) within a public authority to engage in specific conduct relating to a postal service or Communications Service Provider (CSP) system, to obtain CD. An authorisation may be appropriate where: there is an agreement in place between a public authority and a CSP relating to appropriate mechanisms for disclosure of CD, or a Designated Person (DP) considers there is a requirement to identify a person to whom a service is provided but a CSP has yet to be conclusively determined as the holder of the CD; or a CSP is not capable of obtaining or disclosing the CD. Version 4.00 RESTRICTED 7

8 4.2 Notice This is given to a postal or CSP and requires that service provider to collect or retrieve the data and provide it to the public authority which served the notice Authorisations and Notices will only be valid for one month and can be renewed for a further period if required The authorisation or notice should be cancelled as soon as it is no longer necessary or the conduct is no longer proportionate to what is sought to be achieved The Communications Investigation Unit (CIU) will manage the authorisation / notice process on behalf of Police Scotland and provide the necessary guidance to the DP in this regard. 5. Acquiring Communications Data (CD) 5.1 The obtaining and use of CD is now an essential investigative tool which can be utilised, in accordance with certain conditions, for the investigation of all levels of crime, disorder and public safety. 5.2 CD can take many forms from basic subscriber information required to confirm the owner of a telephone, telephone call data, postal information, through to complex internet enquiries where Internet Protocol (IP) addresses are required along with log in history and other technical data. 5.3 CD includes: Information relating to the use of a postal service or a CD system but does not include the content of the communication itself, content of s or interactions with websites; Data in relation to a postal item means anything written on the outside of the item. 5.4 In other words the term communications data embraces the who, when and where of a communication but not what was said or written (the content). 5.5 It includes the manner in which, and by what method, a person or machine communicates with another person or machine. It excludes what they say or what data they pass on within a communication (with the exception of traffic data to establish another communication such as that created from the use of calling cards, redirection services, or in the commission of dial through fraud and other crimes where data is passed on to activate communications equipment in order to fraudulently obtain communications services). Version 4.00 RESTRICTED 8

9 5.6 Postal services are described as any service which consists of the collection, sorting, conveyance, distribution and delivery of postal items and is offered or provided as a service the main purpose of which, or one of the main purposes of which, is to transmit postal items from place to place (see section 2(1) of the Act). 5.7 Communication services are described as any service which consists of the provision of access to, and for making use of, any communications system (whether or not one provided by the person providing the service) the purpose of which is to transmit communications using electrical or electro-magnetic energy. (See section 2(1) of the Act). 5.8 CD may only be sought if a DP believes it is necessary for one or more of the following statutory purposes: In the interests of national security (S22(2)a); For the purpose of preventing or detecting crime or of preventing disorder (S22(2)b); In the interests of the economic well-being of the United Kingdom (S22(2)c); In the interests of public safety (S22(2)d); For the purpose of protecting public health (S22(2)e); For the purpose of assessing or collecting any tax, duty, levy or other imposition, contribution or charge payable to a government department (S22(2)f); For the purpose, in an emergency, of preventing death or injury or any damage to a person s physical or mental health, or of mitigating any injury or damage to a person s physical or mental health (S22(2)g); To assist investigations into alleged miscarriages of justice (Article 2(a)); For the purpose of assisting in identifying any person who has died otherwise than as a result of crime or who is unable to identify himself because of a physical or mental condition, other than one resulting from crime (Article 2(b)(i)); For the purpose of obtaining information about the next of kin or other connected persons of such a person or about the reason for his death or condition (Article 2(b)(ii)). 5.9 Not all statutory purposes can legally be used by law enforcement agencies and the Communications Investigation Unit (CIU) will be able to provide the proper advice on the most suitable statutory purpose for an investigation. Where the enquiry does not relate to a listed statutory purpose CD will be unable to be obtained. Version 4.00 RESTRICTED 9

10 5.10 Detecting crime includes establishing by whom, for what purpose, by what means and generally in what circumstances any crime was committed. For the gathering of evidence for use in any legal proceedings and the apprehension of the person (or persons) by whom any crime was committed, see section 81(5) of the Act Given the ever changing and rapidly developing world of communications devices and the internet access capability of many devices, the data which can be retrieved by law enforcement agencies changes almost weekly. In order to achieve the best outcome for each communications enquiry, advice and guidance should be sought from one of the three CIU offices (East, North or West) for each and every investigation. 6. National Prioritisation Gradings 6.1 Due to the volume of enquiries received by the CSPs, a national prioritisation grading scale has been devised. This is applied by the SPoC to all requests for CD. This ensures that the CSPs can prioritise each enquiry and respond within the appropriate time period. 6.2 The grades can be categorised as follows: Grade 1 An immediate threat to life; Grade 2 An exceptionally urgent operational requirement for the prevention or detection of serious crime or a credible and immediate threat to national security; Grade 3 matters that are routine but, where appropriate, will include specific or time critical issues such as bail dates, court dates, or where persons are in custody or where a specific line of investigation into a serious crime and early disclosure by the CSP will directly assist in the prevention or detection of that crime. The emphasis within Grade 1 and 2 is that the urgent provision of the communications data will have an immediate and positive impact on the investigation or operation. Note: Serious Crime where a person over 21 years old would expect 3 years in prison even if a first offence. 6.3 The SPoC will determine the grading to be applied to each application in consultation the DP. A 24/7 provision exists for Grade 1 or 2 urgent oral applications as per the National Priority Grading and your local CIU office who should be consulted timeously to discuss this. The CIU West will provide cover nationally out with the normal working hours of the CIU East and CIU North offices (See Appendix E ). Version 4.00 RESTRICTED 10

11 7. Roles / Responsibilities 7.1 Applicant RESTRICTED The applicant is a person involved in conducting an investigation or operation for a relevant public authority who makes an application in writing or electronically for the acquisition of CD A Police Scotland applicant will complete an application form, via the CycComms electronic workflow system, setting out for consideration by the Designated Person, the necessity and proportionality of a specific requirement for acquiring CD Applications may be made orally in exceptional urgent circumstances but a record of that application must be made by the SPoC demonstrating the consideration given to the circumstances and the decisions taken to include times and DP considerations On no account should an applicant make direct contact with the CSPs. Contact with CSPs can only be carried out by an accredited SPoC Consideration should be given by the applicant to carrying out open source checks on telephone numbers etc. prior to applying for subscriber information as the data required may already be available to the general public via the internet, telephone directories, police systems etc. 7.2 Digital Media Investigator (DMI) The Digital Media Investigator (DMI) is a role created to assist major investigation or serious organised crime teams collate and coordinate on all matters related to CD and other technology media such as CCTV and ANPR. They will also support local investigation teams on volume crime, missing person enquiries etc The DMI will obtain contributions from SPoCs, Digital Forensics, Open Source and other technology teams and support the related elements of analysis and case preparation In conjunction with the SIO they will develop an effective technology and data strategy for the investigation / operation. 7.3 Single Point of Contact The Single Point of Contact (SPoC) is either an accredited individual or a group of accredited individuals trained to facilitate lawful acquisition of CD and effective co-operation between a public authority and a CSP. To become accredited, an individual must complete a course of training appropriate for the role and have been issued a SPoC Personal Identification Number (PIN). Details of all accredited individuals are available to service providers for authentication purposes. Version 4.00 RESTRICTED 11

12 7.3.2 An accredited SPoC promotes efficiency and good practice in ensuring only practical and lawful requirements for CD are undertaken. The SPoC is responsible for providing objective judgement and advice to both the applicant and the DP. In this way, the SPoC provides a guardian and gatekeeper function ensuring that public authorities act in an informed and lawful manner The SPoC role will be undertaken by staff of the CIU or staff within the Confidential Unit The SPoC should be in a position to: assess whether the acquisition of specific CD from a CSP is reasonably practical or whether the specific data required is inextricably linked to other data; advise applicants on the most appropriate methodology for acquisition of data where the data sought engages a number of CSPs; advise applicants and Designated Persons on the interpretation of the Act, particularly whether an authorisation or notice is appropriate; provide assurance to Designated Persons that authorisations and notices are lawful under the Act and free from errors; provide assurance to service providers that authorisations and notices are authentic and lawful; assess whether CD disclosed by a service provider in response to a notice fulfils the requirement of the notice; assess whether CD obtained by means of an authorisation fulfils the requirement of the authorisation; assess any cost and resource implications to both the public authority and the CSP of data requirements. 7.4 Designated Person (DP) The DP is a person holding a prescribed office in a relevant public authority. Within Police Scotland this will be suitably trained Inspectors or Superintendents dependent on the CD to be acquired Inspectors and Superintendents who undertake the role of a DP must have current working knowledge of human rights principles and legislation, specifically those of necessity and proportionality, and how they apply to the acquisition of CD under the Act and the Home Office Code of Practice The DP is responsible for considering the application for CD and where they believe the request is necessary and proportionate in the specific circumstances, can grant an authorisation or a notice. Version 4.00 RESTRICTED 12

13 7.4.4 The DP must ensure that they grant authorisations or give notices only for purposes and only in respect of types of CD that a DP of their office, rank or position in the relevant public authority may grant or give The DP must assess the necessity for any conduct to acquire or obtain CD taking into account any advice provided by the SPoC The DP must be independent from operations and investigations when granting authorisations or giving notices related to those operations, and confirm this fact within their written considerations The only exception would be where it is deemed necessary to act urgently, in circumstances where it is not possible to call upon the services of another DP who is independent from the investigation or operation Where occasions arise where a DP is not independent from the investigation or operation their involvement and their justification for undertaking the role of the DP must be explicit in their recorded considerations. 7.5 Senior Responsible Officer Every relevant public authority must appoint a Senior Responsible Officer (SRO) who is responsible for: the integrity of the process in place within the public authority to acquire CD; compliance with Part 1 Chapter 2 of the Act, the Home Office CoP and with this SOP; and oversight of the reporting of errors to IOCCO and the identification of both the cause(s) of errors and the implementation of processes to minimise repetition of reported errors The SRO for Police Scotland is the Detective Superintendent, Specialist Crime Division, Technical Collections. 7.6 Communications Investigation Unit (CIU) The focal point for the acquisition and disclosure of CD will be the CIU Police Scotland CIU is situated at 3 hubs: CIU West (Scottish Crime Campus (SCC), Gartcosh); CIU East (Fettes, Edinburgh); CIU North (Queen Street, Aberdeen) (See Appendix E for contact details). Version 4.00 RESTRICTED 13

14 7.6.3 The CIU will act as the guardian and gatekeeper and ensure that officers and staff of Police Scotland act in an informed and lawful manner Therefore all applications for CD will be directed through the CIU who will provide any necessary advice on their completion and arrange for approval by the appropriate level of DP Accredited staff within the CIU are the nominated SPoCs in relation to CD and therefore they are the only persons authorised to engage with CSPs The CIU will be responsible for the upkeep of all records in respect of requests for CD Officers must immediately notify the CIU when the requirement for obtaining CD is complete or no longer required and the authorisation / notice will be duly cancelled Applicants who receive CD in response to an application must check its accuracy numbers, date/time periods and any other information that is authorised and report any errors immediately. 8. Application / Authorisation Process 8.1 Application Process When an officer considers that obtaining CD is necessary and believes the action is justified and proportionate to what it seeks to achieve, the officer should complete the formal Communications Data Application Form, by using the CycComms electronic workflow system CycComms can be found by using a link on the Police Scotland Intranet. (See Appendix F.) Should there be an occasion where no access to the CycComms system is available, applicants may be required to revert to a manual application form Application for Communications Data (Force Form ) which should be ed to the appropriate CIU (see Appendix E ) with an explanation stating why CycComms has not been utilised A DP cannot approve anything that is not specified in the application, even if it is implied. It is best practice therefore that the application form should contain detailed information within the body of text contained within each section and must include a reference to the nature of the investigation, any complainer, suspect and what type of data is being requested from the service provider. Version 4.00 RESTRICTED 14

15 8.1.5 The following information must be provided in applications for CD: the name (or designation) and the office, rank or position held by the person making the application; a unique reference number (automatically created by CycComms system); the operation name (if applicable) to which the application relates; the purpose for which the data is required, by reference to a statutory purpose under 22(2) of the Act (see Section 5.8 above); describe the CD required, specifying, where relevant, any historic or future date(s) and, where appropriate, time period(s); when a communications address is provided (i.e. mobile telephone number), care must be taken to ensure the correct number is described on the application and this should be confirmed by original documentation; describe whether the CD relates to a victim, a witness, a complainant, a suspect, next of kin, vulnerable person or other person relevant to the investigation or operation; explain why the acquisition of that CD is considered necessary and proportionate to what is sought to be achieved by acquiring it; consider and, where appropriate, describe any meaningful collateral intrusion the extent to which the privacy of any individual not under investigation may be infringed and why that intrusion is justified in the circumstances; and identify and explain the time scale within which the data is required. 8.2 Necessity In order to justify the application it is necessary for the applicant to cover three main points: crime / offence / circumstances ( the event ) under investigation; suspect(s) / offender(s) / witness(es) / victim(s) ( the person ) and how the person(s) is/are linked to the event; telephone number(s), IP Address(es) etc. ( the communication ) and how this/these relate or link the person and the event Sensitive sources of intelligence or covert investigation techniques should not be referred to in the application. Version 4.00 RESTRICTED 15

16 8.2.3 In essence, necessity should be a short explanation of the a) event, b) the person and c) the communication and how these three link together. Event Person Communication The SPoC officer, in conjunction with the DP, will determine the grading to be applied to each application. 8.3 Proportionality Applicants require to outline how obtaining the data will benefit the investigation or operation. Two basic questions which must be answered are: What are you looking for within the data to be acquired? If the data contains what you are looking for, what will be your next course of action? This must apply for each type of data set being applied for within the application The relevance of any time periods requested must be explained outlining how these periods are proportionate to the event under investigation. Do not apply for 2 weeks of data when you are only concerned with a 3 day window An explanation as to how CD will be used, once acquired, and how it will benefit the investigation or operation will enable the applicant to set out the basis of proportionality An investigation or operation which is seeking to acquire several sets of traffic data or service use data should engage with the SPoC to develop strategies (or collection plans) to obtain the CD and the detail of that strategy may be included within the application. 8.4 Consequential Subscribers At the time of giving a notice or granting an authorisation to obtain specific traffic data or service use data, a DP may also authorise, to the extent necessary and proportionate at that time, the consequential acquisition of specific subscriber information relating to the traffic data or service use data to be obtained. This is relevant where there is a necessary and proportionate requirement to identify with whom a person has been in communication. Version 4.00 RESTRICTED 16

17 8.4.2 An applicant must outline why it is necessary and proportionate to obtain the consequential future subscribers in their application. They are required to outline what analytical work they intend to conduct on the service use / traffic data to identify the relevant numbers. Giving a general statement such as when the data has been received the results will be analysed and subscribers requested to progress the investigation does not sufficiently describe how the data will be analysed and what the applicant is looking for in the data. Applicants should therefore ensure that they outline in detail what they are attempting to achieve, how the data will be analysed and what they are looking for in the data to be acquired, i.e. those most recently called, those called within specified time periods etc A system is available within CycComms to allow for the acquisition of consequential subscribers. 8.5 Collateral Intrusion Collateral Intrusion forms part of the Proportionality considerations and becomes increasingly relevant when applying for traffic data or service use data Applicants should outline specifically what collateral intrusion may occur; how the time periods requested impact on the collateral intrusion; whether they are likely to obtain data which is outside the realm of their investigation and outline their plans for managing it For example: during the course of an investigation and to establish certain facts it may be necessary and proportionate for an investigator (applicant) to require access to CD that relates to witnesses as well as the associates of a suspect or target The question to be asked is, Will the data set to be acquired result in collateral intrusion to persons outside the line of enquiry the data is being obtained for? For example, due to the very specific nature of telephone subscriber check/s, collateral intrusion on a person other than the subscriber detail/s will be consistently absent whereas itemised billing on the subject s family home will be likely to contain calls made by the family members. 8.6 Amendment / Approval Process On receipt of the completed application form, the CIU will quality assure the form and thereafter prepare it for onward transmission to a DP Where the application does not meet the requirements of the RIPA legislation and Home Office CoP to progress to the DP the SPoC will return it to the applicant with appropriate advice on amending the application accordingly. If the data is still required the application can be resubmitted once all the points outlined by the SPoC are addressed. Version 4.00 RESTRICTED 17

18 8.6.3 Once an application contains the relevant level of information it will be forwarded to the DP who must consider the necessity, proportionality and justification of the CD being applied for. If the data request is subsequently approved the SPoC will thereafter apply for the relevant CD on the applicants behalf. 8.7 Cancellation Authorisations or notices served on a CSP must be cancelled where the requirement for the requested CD ceases In other words when a service provider is requested to provide CD and the grounds for obtaining the data are no longer justified, for whatever reason, the authorisation must be immediately cancelled The applicant must timeously notify the CIU (SPoC) that the CD they have requested is no longer required specifying the reason for the cancellation On receipt of the notification that the CD is no longer required the CIU will timeously notify the CSP of the requirement to cease providing the data requested. Dependent on the circumstances this can be carried out verbally but must always be followed by a formal written notification of cancellation. 8.8 Records Retention, Review and Disposal An application for CD and all corresponding records will be subject to the appropriate retention, review and disposal in accordance with the Force Record Retention SOP, especially relating to Crime and Productions (section 6) and Intelligence (section 11). 8.9 Errors Where CD is acquired or disclosed wrongly, an error occurs and must be recorded. It is the responsibility of the applicant to promptly inform the CIU when wrong or excess data is obtained An error can only occur after a DP: Has granted an authorisation and the acquisition of data has been initiated; or Has given notice and the notice has been served on a CSP It is vital for the applicant to take all reasonable steps to ensure the data they provide on a CD application is accurate. They should electronically copy communications addresses into applications when the source is in electronic form (for example forensic reports relating to mobile phones, call data records etc.). Communications addresses acquired from other sources must be properly checked to reduce the scope for error. The SPoC must thereafter confirm the accuracy of the communications address before proceeding. Version 4.00 RESTRICTED 18

19 8.9.4 The CIU must create an error report for each error made. Errors can have very significant consequences on an affected individual s rights with details of their private communications being disclosed and, in extreme circumstances, being wrongly arrested or wrongly accused of a crime as a result of that error In cases where an error has occurred without data being acquired or disclosed wrongly, a recordable error will be created. These records must be available for inspection by IOCCO. The records kept for recordable errors must include details of the error, explain how the error occurred and provide an indication of what steps have been, or will be, taken to ensure that a similar error does not reoccur. The SRO of Police Scotland will undertake a regular review of the recording of such errors In cases where an error has occurred and data has been acquired or disclosed wrongly, a reportable error will be created. When a reportable error has been made, the CIU will require establishing the facts and reporting the error to the SRO, the DP who approved the obtaining of the data and IOCCO within no more than five (5) working days of the error being discovered In circumstances where a reportable error is deemed to be of a serious nature, IOCCO may investigate the circumstances that led to the error and assess the impact of the interference on the affected individual s rights. IOCCO may inform the affected individual, who may make a complaint to the Investigatory Powers Tribunal (IPT) Where wrongly acquired data is obtained has no connection or relevance to the investigation or operation, that data and any copy of it (including copies contained in or as attachments in electronic mail) should be destroyed as soon as the report to IOCCO has been made Examples of reportable or recordable errors include: Reportable errors An authorisation or notice made for a statutory purpose, or for a type of data, which we cannot lawfully obtain; Human error, such as incorrect transposition of information from an application to an authorisation or notice where CD is acquired or disclosed; Disclosure of wrong data by a CSP when complying with a notice or authorisation. Recordable errors A notice has been given which is impossible for a CSP to comply with and attempts to impose the requirement are made; Failure to review information already held, for example unnecessarily seeking the acquisition or disclosure of data already acquired or obtained for the same investigation or operation; Version 4.00 RESTRICTED 19

20 Failure to serve written notice (or where appropriate an authorisation) upon a CSP within one working day of urgent oral notice being given or an urgent oral authorisation granted; and Human error, such as incorrect transposition of information from an application to an authorisation or notice where CD is not acquired or disclosed Excess Data Where an authorised Application for CD results in the acquisition of excess data, all the data acquired or disclosed should still be retained Under disclosure principles, there will be a requirement to record and retain data which is relevant to a criminal investigation, even if that data was disclosed or acquired beyond the scope of a valid notice or authorisation. If a criminal investigation results in proceedings being instituted all material that may be relevant must be retained at least until the accused is acquitted or convicted or the prosecutor decides not to proceed If, having reviewed the excess data, it is intended to make use of it in the course of the investigation or operation, the applicant must set out in an addendum to the authorising DP, the reason(s) for requiring to use it. The DP will then consider the reason(s) and review all the data and consider whether it is necessary and proportionate for the excess data to be used in the investigation or operation Communications data involving certain professions CD is not subject to any form of professional privilege the fact a communication took place does not disclose what was discussed, considered or advised However the degree of interference with an individual s rights and freedoms may be higher where the CD being sought relates to a person who is a member of a profession that handles privileged or otherwise confidential information (including medical doctors, lawyers, journalists, Members of Parliament, or ministers of religion). It may also be possible to infer an issue of sensitivity from the fact someone has regular contact with, for example, a lawyer or journalist Such situations do not preclude an application for CD being made. However applicants must draw attention to such circumstances that might lead to an unusual degree of intrusion or infringement of rights and freedoms, particularly regarding privacy and, where it might be engaged, freedom of expression and give special consideration to the necessity and proportionality sections. Particular care must be taken by DPs when considering such applications, including additional consideration of whether there might be unintended consequences of such applications and whether the public interest is best served by the application. Version 4.00 RESTRICTED 20

21 Applicants must clearly record if a person within an application is known to be in a profession that handles privileged or otherwise confidential information, (including medical doctors, lawyers, journalists, Members of Parliament, or ministers of religion) The CD application form (via the CycComms portal) has fields to record the profession of a subject(s) of such an application Issues surrounding the infringement of the right to freedom of expression may arise where a request is made for the CD of a journalist. There is a strong public interest in protecting a free press and freedom of expression in a democratic society, including the willingness of sources to provide information to journalists anonymously. Where an application is intended to determine the source of journalistic information, there must therefore be an overriding requirement in the public interest Where the application is for CD of a journalist, or an intermediary, but is not intended to determine the source of journalistic information (for example, where the journalist is a victim of crime or is suspected of committing a crime unrelated to their occupation), there is nevertheless a risk of collateral intrusion into legitimate journalistic sources. In such a case, particular care must therefore be taken to ensure that the application considers whether the intrusion is justified, giving proper consideration to the public interest. The necessity and proportionality assessment also needs to consider whether alternative evidence exists, or whether there are alternative means for obtaining the information being sought Applications to determine the source of journalistic information - Judicial Authorisation CD that may be considered to determine journalistic sources includes data relating to: Journalists communications addresses; The communications addresses of those persons suspected to be a source; and Communications addresses of persons suspected to be acting as intermediaries between the journalist and the suspected source In the specific case of an application for CD, which is required to be made in order to identify a journalist s source, communication MUST be made with the CIU who will assist in the authorisation procedure which will require judicial approval (i.e. Court Warrant). Note: The exact process for this is still to be finalised with the Crown Office and Procurator Fiscal Service (COPFS) however the CIU will be in a position to advise on the correct process to be adopted. Version 4.00 RESTRICTED 21

22 The application should draw the DPs attention to relevant matters including why the police suspect wrong-doing that includes communications with a journalist. The application must fully consider whether that conduct is criminal and of a sufficiently serious nature for the subjects rights to freedom of expression to be interfered with where CD is to be acquired for the purpose of identifying a journalist s source Where there is substantial ground for believing that there is an immediate threat of loss of human life, such that a person s life might be endangered by the delay inherent in the process of judicial authorisation, law enforcement agencies may continue to use the existing internal authorisation process under the Act. Such applications must be flagged to IOCCO as soon as reasonably practicable. If additional CD is later sought as part of the same investigation, but where a threat to life no longer exists, judicial authorisation must be sought The requirement for judicial oversight does not apply where applications are made for the CD of those known to be journalists but where the application is not to determine the source of journalistic information. This includes, for example, where the journalist is a victim of crime or is suspected of committing a crime unrelated to their occupation All applications that relate to a profession that handles privileged or otherwise confidential information will be subject to inspection by the IOCCO during their annual inspection of the Force. 9. Life at Immediate Risk Situations 9.1 Arrangements are in place for accredited SPoCs to provide the necessary urgent support in respect of immediate life at risk situations. During normal office hours your local CIU should be contacted in the first instance, however the CIU West will provide 24/7 cover outwith the normal working hours of the CIU East and CIU North offices (see Appendix E ). The conduit for calling a SPoC for immediate life at risk situations should be via a senior officer; however the local area control room should be contacted in the first instance. 9.2 In life at immediate risk situations (Grade 1), a DP may provide oral authority to obtain CD from the relevant service provider. This authority MUST be given to a SPoC. To justify an oral authority the circumstances that may be appropriate include: An immediate threat of loss of human life, or for the protection of human life, such that a person s life might be endangered if the application procedure were undertaken in writing from the outset. (This may include safeguarding the welfare of vulnerable people, including children at imminent risk of being abused or otherwise harmed); An exceptionally urgent operational requirement where, within no more Version 4.00 RESTRICTED 22

23 than 48 hours of the notice being given or the authorisation being granted orally, the acquisition of CD will directly assist the prevention or detection of the commission of a serious crime and the making of arrests or the seizure of illicit material, and where that operational opportunity will be lost if the application procedure is undertaken in writing from the outset; or A credible and immediate threat to national security or a time-critical and unique opportunity to secure, or prevent the loss of, information of vital importance to national security where that threat might be realised, or that opportunity lost, if the application procedure were undertaken in writing from the outset. 9.3 DPs can only give authority for the level of activity in accordance with the standard authorising processes. The time the authority is agreed, together with the details of the activity approved should be recorded in writing by the SPoC to whom the DP spoke. 9.4 The same quality of information as required for a written application will be given verbally to the DP when making oral application. DPs giving oral authority will make and keep a suitable record of the authority. Retrospective forms are not required to be completed by the applicant but a full record of activity will be recorded by the SPoC through the CycComms system. 9.5 The DP must retrospectively confirm their agreement with the SPoCs comments provided on the CycComms system and/or provide additional information about their verbal considerations. 10. Dropped / Silent / 999 or 112 Calls 10.1 There exists a golden hour or emergency period which is within one hour of the termination of an emergency call. Following the initial receipt of a dropped or silent 999 / 112 call where concern exists as to the reason for the 999 call the Contact Centre / Area Control Room (ACR) supervisor can call upon an Emergency Operator or relevant service provider to disclose data (subscriber and location information) about the call maker to enable the provision of emergency assistance The Command and Control incident should be tagged / marked where subscriber information is obtained within the Golden Hour. This will allow a suitable audit to be carried out to ensure compliance with the legislation and code of practice The CIU Managers should conduct regular spot checks of the local Command and Control system to ensure that the process is being properly adhered to. Version 4.00 RESTRICTED 23

24 10.4 The Command and Control incident should also contain the following details to allow a resume of the incident to be maintained for audit purposes: Command and Control incident number; Telephone number subject to subscriber check; Time call received; Communications Service Provider involved; Details of the ACR staff member who makes the request to the CSP; Manner in which the CSP is contacted (automated system / verbal request etc.); Time CSP contacted; and the result. 11. Service Providers Cost Recovery 11.1 It is nationally recognised that CSPs incur costs in complying with notices and authorisations to disclose CD, and the Act allows for arrangements for making appropriate payments to them to facilitate the timely disclosure of CD Timely disclosure means that ordinarily a CSP should disclose data within ten working days of being required to do so The major CSPs have established Police Liaison Units to accommodate formal requests for CD. A number have also created on-line systems which have been made available to accredited SPoCs via the secure PNN system CD requests have cost implications. An approximate cost will be calculated by the SPoC as part of their assessment section of the application form and the DP will be informed accordingly to allow them to consider the costs involved when considering the application. Version 4.00 RESTRICTED 24

25 12. Information available from Mobile Telephones including Voic 12.1 There are two main areas where information can be stored on a mobile telephone, the actual handset and the Subscriber Identity Module (SIM) card. Each holds various information and data from both can be retrieved using specialist software and made available to the Enquiry Officer. These can include details of: Short Message Service (SMS) messages - text messages; Address book; Call history; Dialled numbers; and Pictures/images Only information held on the mobile telephone or SIM card when it was seized can be retrieved during the course of an examination SMS (text) messages are physically stored on the mobile telephone or SIM card. Messages that were already on the mobile telephone when it was taken possession of can, therefore, be retrieved during the forensic examination process. Similarly, photographs taken using the mobile telephone are physically stored on the telephone and can, therefore, be retrieved Voic messages, however, are stored on the remote server of the relevant CSP and can only be accessed by dialling a specific voic number. They cannot, therefore, be retrieved as part of the forensic examination process To listen to, download and/or record mobile phone voic messages lawfully the essential point is where the voic information is held. In the case of mobile telephone voic , and similarly the British Telecom (BT) 1571 service, the voic is not held on the recipient s device, but is held on a platform owned by the service provider There are essentially four ways of obtaining this information lawfully: 1 Interception warrant for intelligence purposes only; 2 Sheriff s warrant; 3 Written consent from one party of the communication with a directed surveillance authority governing the lack of consent from the other party; and 4 Written consent from both parties subject of the communication (caller and recipient). Version 4.00 RESTRICTED 25