Last updated: 
1 week 1 day ago
Blog Manager
One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Group administrators:

Investigatory Powers Act - new orders to prepare for

Thursday, January 12, 2017 - 15:15

[UPDATE: I've added links to the draft Codes of Practice that authorities are proposing to use when preparing each of the orders]

Under the current Regulation of Investigatory Powers Act 2000 (RIPA), organisations that operate their own private computer networks may receive three different orders relating to those systems. Any organisation that receives an order is, subject to feasibility, required by law to do what it says. The new Investigatory Powers Act 2016 (IPA) adds some new orders to this list and provides a new basis for two of the existing ones.

Although it's impossible to predict which of these orders may actually be directed to which (if any) organisations, or what requirements those orders may contain, it's worth checking that you have the right processes in place, if you do receive one, to ensure it is handled promptly and effectively. Note that altering your systems to prepare, "in case" you receive one of these orders, is likely to breach data protection and possibly also interception law. It is also likely to forgo the opportunity in s.249 to claim a contribution from the Government towards the costs of responding to any order that is subsequently received.

The orders are as follows:

  • To disclose specified communications data held by the organisation [currently RIPA s.22]: The existing power for the police and other authorities to order disclosure of information about the use of computers and networks is moved to s.61 of the IPA. The current limitation that this can only cover information about the use of the systems the organisation itself provides has been removed. If the organisation holds information about the use of other, third-party, communications systems then that may also be subject to a disclosure order (s.61(5)(c)). [Communications Data draft code of practice]
  • To intercept specified communications on networks [currently RIPA s.5]: The existing power of the Home Secretary to authorise targeted interceptions is moved to s.19 of the IPA. For investigations relating to Scotland, the relevant Scottish Minister can also exercise this power. [Interception of Communications draft code of practice]
  • To provide access to specified encrypted material [currently RIPA s.49]: This power does not appear to be altered by the new Act. Orders relating to encrypted material will still be made under RIPA. [RIPA Code of Practice for investigation of protected electronic information]
  • To retain or collect communications data [NEW]: s.87 of the IPA allows relevant Ministers to order any telecommunications operator to retain specific communications data for up to 12 months. This power previously only covered public network operators under, most recently, the Data Retention and Investigatory Powers Act 2014. The IPA extends them to anyone who controls networking or communications equipment (s.261(10)(b)&(13)). Nowadays that probably covers all organisations and most homes. Unlike the communications disclosure orders above, it appears (by s.87(4)) that data retention orders cannot cover third-party data. [there doesn't appear to be a new Data Retention code of practice; this is the one used under the Data Retention and Investigatory Powers Act 2014]
  • To "interfere with equipment" [NEW]: under s.99 of the Act, relevant Ministers may order any person (including organisations) to "interfere with equipment" in order to obtain either communications or information about the equipment. The Act gives examples of "monitoring, observing or listening to a person's communications or other activities" and making recordings. [Equipment Interference draft code of practice]
  • To implement specified technical facilities to support future disclosure, interception or interference orders [NEW]: s.253 of the Act allows relevant Ministers to order any telecommunications operator to "ha[ve] the capability to provide any assistance which the operator may be required to provide in relation to any [communications data, interception or equipment interference order]". Under RIPA such orders could only be made against operators of public networks, and were apparently used to require them to maintain permanent interception capabilities. The IPA extends them to anyone who controls networking or communications equipment (s.261(10)(b) &(13)) and appears to cover a wider range of technical facilities. [technical capabilities are covered in section 10 of the Communications Data draft code of practice]

Most organisations will already handle RIPA s.22 communications data orders (most often to identify the person who was allocated a particular IP or e-mail address at a specified time) as a matter of routine. The other orders seem likely to be much rarer. Since they involve legal, technical, financial and operational considerations, and will often be subject to secrecy obligations, organisations' processes should ensure that they receive appropriate consideration across all those fields.