One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Interception definition and mailboxes

Friday, October 4, 2013 - 09:15

If you look up "interception" in most dictionaries you’ll find that it happens before an action has completed: in sport a pass can no longer be “intercepted” once it reaches a teammate. In a legal dictionary, however, that turns out not to be true. According to section 2(2) of the Regulation of Investigatory Powers Act 2000 (RIPA) interception can take place at any time when a message is "in transmission", which is explained by section 2(7):

"For the purposes of this section the times while a communication is being transmitted by means of a telecommunication system shall be taken to include any time when the system by means of which the communication is being, or has been, transmitted is used for storing it in a manner that enables the intended recipient to collect it or otherwise to have access to it."

In the recent case of Edmondson & others v R the judge confirmed that:

"the period of storage covered by [section 2(7)] does not come to an end on first access or collection by the intended recipient, but it continues for so long as the system is used to store the communication, and whilst the intended recipient has access to it in this way" (para.28)

The Edmondson case concerned voicemail messages, but its conclusion that a message remains subject to interception law so long as it remains accessible on the server seems to apply equally to modern e-mail systems such as IMAP and webmail. The judge thought e-mail was different, but seems to have had in mind older POP systems that delete messages from the server when they are first read by the client. With webmail or IMAP, like voicemail, the server "is used to store the communication, and ... the intended recipient ... ha[s] access to it" after it is first read. Indeed that seems to last until the message is deleted from the server either by the user or by some webmail providers that implement time- or quota-limited storage. And, as far as I can see, that still applies if the user moves the message to a different folder on the server: there’s nothing in the definition that restricts it to the Inbox.

The change shouldn’t make much difference to universities and colleges that operate mailservers. Even after a message ceases to be covered by RIPA a public sector organisation is still required to handle it in accordance with the Human Rights Act 1998. That imposes very similar privacy requirements: not surprising, as RIPA was passed to ensure UK law complied with the Human Rights Convention!

However it does seem to affect the possibilities for law enforcement agencies to access the content of mailboxes. So long as a message falls under RIPA, law enforcement authorities need a warrant under s.5 to order its disclosure (or, according to RIPA s.1(5), a search warrant or production order under the Police and Criminal Evidence Act 1984 – see also page 10 of the Home Office Interception Code of Practice). For personal data not covered by RIPA, a police officer can ask the organisation holding the information to disclose it. Under s.29 of the Data Protection Act 1998, the organisation is allowed to disclose the information if it believes that doing so is necessary and proportionate for the prevention, detection or investigation of crime. But if the Edmondson case means that all mailboxes and folders on the receiving server are covered by RIPA, then it seems that the DPA s.29 option may no longer be available for law enforcement to access those.

I’m still trying to confirm this with the Home Office but would be interested to hear if anyone has received a s.29 request for mailbox contents recently?

Note that this doesn’t affect the process for disclosing traffic data – who sent e-mail to whom, and when – which is covered by a different chapter (s.22) of RIPA that doesn’t depend on the “interception” definition and when it ceases to apply. That process, and the information accessible under it, remains the same.