LAW ENFORCEMENT ASSISTANCE VODAFONE GLOBAL POLICY STANDARD


Objective/Risk

Create the governance and safeguards necessary to ensure we appropriately balance respect for our customers' right to privacy and freedom of expression with other obligations necessary to a free and secure society.

Scope and Compliance

This Policy Standard applies to all Vodafone companies and joint ventures with an interest of 50% or more, or managed control, and to their employees, contractors, suppliers, and directors. Compliance levels will be monitored on a regular basis and results reviewed by appropriate governance bodies. Any breach will be treated as a serious disciplinary offence and may be subject to disciplinary actions in accordance with the provisions of the relevant local HR policy.

Contents

1 The Principles
1.1 Why is this important?
1.2 What are the basic requirements?
1.3 What do we mean by law enforcement authority?
1.4 What do we mean by assistance?
2 Controls and deliverables required for compliance
2.1 Governance Committee
2.2 Vodafone Support Companies and Suppliers
2.3 Assisting foreign law enforcement authorities
2.4 Reporting
3 Roles and responsibilities
3.1 Corporate Security/Legal
3.2 Privacy Counsel
3.3 Governance Committee
3.4 Public Policy/External Affairs
4 Exceptions
5 Supporting documents
Annex 1 - Law enforcement assistance requirements: mandatory assistance
Annex 2 - Law Enforcement Assistance Requirements: Discretionary Assistance
Annex 3 - Law Enforcement Assistance Requirements: Challenging Demands

1 The Principles

1.1 Why is this important?

Vodafone's Privacy Commitments, as set out in the Code of Conduct, include a commitment to ensure that we balance respect for privacy (including the human rights and civil liberties of our customers) with other obligations necessary to a free and secure society, by working to minimize privacy impacts.

1.2 What are the basic requirements?

Our commitment to respect the privacy of our customers must in certain circumstances be balanced with our obligations to cooperate with the governments and law enforcement agencies of the countries in which we operate. When we assist these bodies, we do so under prescribed circumstances and we always follow the requirements laid out here.

We will provide assistance to law enforcement authorities only under certain carefully prescribed circumstances, and must follow the requirements applicable to each circumstance:

- When we are required by law to provide it (mandatory assistance): A country's laws may require us to provide law enforcement assistance. Here, we act only in accordance with Annex 1 - Law enforcement assistance requirements: mandatory assistance.
- When we are not prevented by law from providing it (discretionary assistance): If law enforcement assistance is not mandated by law, and providing assistance would not break a law (for example, an applicable privacy or data protection law), then we may decide to provide assistance in accordance with Annex 2 - Law enforcement assistance requirements: discretionary assistance.
- When we have a legitimate business purpose: To the extent reasonably necessary to protect a legitimate business interest, such as fraud or other crime committed against us, we may provide assistance, but only if doing so would not break a law.

When we receive a demand from a law enforcement authority that falls outside these three categories, we must decline to assist or escalate the demand to the Governance Committee to consider challenging it in accordance with Annex 3 - Law enforcement assistance requirements: challenging demands.

1.3 What do we mean by law enforcement authority?

When we use the term law enforcement authority throughout this document, we mean it broadly. It could include:

a) public law enforcement and security authorities (for example, the police, intelligence services, customs or immigration)
b) regulatory bodies
c) courts and tribunals or other judicial authorities
d) any bodies given the status of a law enforcement authority by a relevant local law.

1.4 What do we mean by assistance?

When we refer to assisting law enforcement in this document, this includes any of the ways we could be asked to cooperate with them in relation to our business and our networks, for example by:

a) disclosing information about our customers or their use of our services
b) real-time surveillance or monitoring, such as intercepting voice telephony, messaging content or data traffic
c) collecting, retaining or preserving records (for example, Know-Your-Customer obligations), or the systematic use or retention of data on customers' use of our services
d) implementing or developing surveillance capabilities (for example, technical or operational interception or data retention capabilities), or decrypting protected communications
e) blocking, filtering, censoring or shutting down networks or telecommunication services like SMS.

2 Controls and deliverables required for compliance

Each local market and group entity will ensure processes are in place to comply with the following requirements:

2.1 Governance Committee

Vodafone Group and each Local Market shall establish a Governance Committee of senior management.

The Governance Committee must be chaired by the CEO (or a nominee reporting directly to the CEO) and include the Privacy Board Sponsor, Privacy Counsel, the Head of Corporate Security, and representatives from Legal and Government Affairs. This requirement could be met with an existing committee.

The Governance Committee will meet at least quarterly to:

- review the exercise of discretion in accordance with Annex 2 - Law enforcement assistance requirements: discretionary assistance;
- make determinations in accordance with Annex 3 - Law enforcement assistance requirements: challenging demands; and
- issue directions or guidance in accordance with this Standard.

The Governance Committee can decide that its decisions should be used as a precedent for subsequent cases without referral back to the Committee. The CEO is accountable for the decisions of the Governance Committee.

2.2 Vodafone Support Companies and Suppliers

2.2.1 Vodafone Support Companies

Vodafone Support Companies provide support services to other Vodafone companies and to other external parties; they essentially act as internal or external suppliers.

If a Vodafone Support Company receives a demand to provide assistance related to data or services hosted or managed on behalf of another Local Market, the Vodafone Support Company must, to the extent permitted by law:

- decline to assist the law enforcement authority on the matter;
- promptly notify the appropriate person within the Corporate Security Team and the Privacy Counsel so that the affected Local Market can take control of the demand in accordance with the requirements outlined in this Standard; and
- promptly notify the nominated contact in Group Security and Group Privacy.

2.2.2 External Suppliers

External suppliers may not reply directly to demands they receive for assistance relating to Vodafone data. To the extent permitted by law, each Vodafone company must ensure that its contracts:

- prohibit suppliers from responding to requests to provide law enforcement assistance; and
- require suppliers to notify any affected Vodafone company of such requests and allow the affected company to take control of the request.

2.3 Assisting foreign law enforcement authorities

Vodafone Local Markets must provide assistance only to the law enforcement authorities of the country in which they are established. If a Local Market receives a request from the authorities of another country, it must decline to assist or refer the request to the Governance Committee to challenge or consider its response in accordance with Annex 3 - Law enforcement assistance requirements: challenging demands.

2.4 Reporting

The Disclosure Officer shall provide the aggregate number of individual warrants served or received in their Local Market relating to lawful intercept and disclosure of communications data, respectively, to the Group Corporate Security Team for publication in the annual Vodafone Law Enforcement Disclosure Report unless one of the following six circumstances applies:

- Disclosure unlawful
- No technical implementation of lawful interception
- Awaiting guidance from government or a relevant agency or authority
- Unable to obtain guidance from government or a relevant agency or authority
- Cannot publish
- Government publishes

In that case, the Disclosure Officer shall cite the relevant circumstance in their response to the Group Corporate Security Team.

3 Roles and responsibilities

Each Local Market will ensure processes are in place and appropriate responsibilities allocated to meet this Standard.

3.1 Corporate Security/Legal

Law enforcement assistance may only be conducted under the supervision of the relevant local Head of Corporate Security or Head of Legal.

An appropriate person within the Corporate Security Team is responsible for helping the Privacy Counsel create the quarterly reports required by this Standard.

The Head of Corporate Security is responsible for ensuring all employees involved in law enforcement assistance are appropriately trained and supported to conduct their duties in accordance with this Standard.

3.2 Privacy Counsel

The Privacy Counsel is solely responsible for determining whether there is a legal obligation to provide law enforcement assistance. If a Local Market does not have such internal expertise available, it is responsible for seeking external legal advice.

The Privacy Counsel, with the help of the Corporate Security Team, is responsible for creating the quarterly reports in accordance with this Standard.

3.3 Governance Committee

The Governance Committee is responsible for reviewing the application of law enforcement assistance and issuing appropriate guidance as required by this Standard.

3.4 Public Policy/External Affairs

Any external communication of local issues governed by this Policy Standard should be directed through the Local Market's External Affairs Department and Head of Corporate Security in consultation with the Privacy Counsel and Legal Director.

Any external communication of issues relating to assisting law enforcement at a Group level should be directed through the Group External Affairs Department, the Director of Corporate Security and the Global Privacy Officer.

4 Exceptions

There are no exceptions allowed for this Policy Standard.

5 Supporting documents

This Policy Standard is part of the framework created by the privacy requirements of the Code of Conduct and should be guided by our Privacy Commitments. The following documents support this Policy Standard:

- Annex 1 - Law enforcement assistance requirements: mandatory assistance.
- Annex 2 - Law enforcement assistance requirements: discretionary assistance.
- Annex 3 - Law enforcement assistance requirements: challenging demands.

Annex 1 - Law enforcement assistance requirements: mandatory assistance

Vodafone will comply with applicable laws mandating law enforcement assistance. In doing so, each Operating Company is responsible for ensuring that the scope of the applicable law is evaluated by an appropriately qualified and senior lawyer, taking into account international laws and standards regarding the protection of privacy that the relevant country is a party to (e.g. International Covenant on Civil and Political Rights). In particular:

i. Applicable laws and demands will be interpreted as narrowly as is lawfully possible to guard against unwarranted or over-broad disclosure or assistance.

ii. In the event that a demand or request for law enforcement assistance appears over-broad, unlawful or otherwise inconsistent with applicable law and international laws and standards on privacy, the Operating Company shall seek clarification or modification from authorized officials. This may include requesting clear written communications from the relevant LEA that explain the legal basis for the demand, the name of the requesting LEA entity and the name, title and signature of the authorising official.

iii. Where a demand or request for law enforcement assistance is considered to be over-broad, unlawful or otherwise inconsistent with applicable law and international laws and standards on privacy, the decision on whether and how to respond shall be referred to the person responsible for disclosures within the local Corporate Security team (the "Disclosures Officer") and the Privacy Officer for a decision to refuse or challenge the demand, or to exercise discretion in accordance with exceptions to the general principle outlined in the global policy standard.

iv. Referrals to the Disclosures Officer and the Privacy Counsel under the previous paragraph shall be recorded, along with relevant details of the demand or request, the decision and the reasons upon which it was based, and made available to the Governance Committee.

v. Vodafone will insist upon the relevant LEA observing lawful due process in making any relevant demand or request for law enforcement assistance.

Annex 2 - Law Enforcement Assistance Requirements: Discretionary Assistance

Vodafone may exercise its discretion to provide law enforcement assistance only where there are substantial grounds to believe that:

i. The assistance is necessary and proportionate to prevent an imminent threat to national security or public safety, or the prevention of serious crime or risk to the life of, or serious personal injury to, any person; and

ii. The information could not reasonably be obtained through any other route, person or means; and

iii. The demand is intended for use solely for a legitimate law enforcement purpose; and

iv. Appropriate safeguards can be identified and implemented to minimise the intrusion into the privacy of any individuals affected by such assistance; and

v. There are no other circumstances present that would cause Vodafone to suspect that the demand represents an unwarranted intrusion into the privacy of Vodafone's customers or users.

Every decision to exercise discretion should be approved by the Disclosures Officer and the Privacy Counsel. In such cases they are jointly responsible for ensuring that a record is retained, along with relevant details of the demand or request, the decision made and the reasons upon which it was based, classified as C4 and appropriately protected, and made available to the Governance Committee.

Annex 3 - Law Enforcement Assistance Requirements: Challenging Demands

When presented with a law enforcement demand or request that cannot be appropriately handled under one of the three circumstances outlined in paragraph 1.2, the Governance Committee shall take into account the following factors in determining its response:

i. the potential beneficial impact of declining or challenging a demand on the privacy of individuals affected;

ii. the likelihood of success of such action;

iii. the severity of the case;

iv. its cost to Vodafone, including the potential personal risk to individuals or Vodafone assets or investments; and

v. the representativeness of the case and whether the case is part of a larger trend.

Decisions of the Governance Committee under this Annex must be recorded, along with the reasons upon which they are based and the identities of the Governance Committee members that approved them, and classified as C4 and appropriately protected.