Dealing with demands for communications data under the Investigatory Powers Act 2016
This blog post looks at the obligations imposed on telecommunications operators under the Investigatory Powers Act 2016, to provide communications data in response to a notice from UK public authorities (including the police).
This is a tricky area, with the potential for significant repercussions for both you and the subject of an investigation if you get it wrong.
Are you a "telecommunications operator"?
If you are, you have obligations to respond to official requests from UK police and other UK public authorities.
The definition of "telecommunications operator" is broad, and rather convoluted.
If you are providing an Internet access service, or a voice telephony service, to people in the United Kingdom, you are likely to be a telecommunications operator.
The definition does not distinguish between providing services to the public and providing services to private, closed user group, so you're also a telecommunications operator if you give other people access to your home broadband through a wireless (or wired!) router.
"Non-traditional" services - sometimes called "over the top services" - can also be telecommunications operators. For example, providers of online gaming platforms, or in-game chat, as well as cloud storage services.
Even if you just have a website for use by people in the UK / operated from the UK, you're likely to be a telecommunications operator. Paragraph 2.4 of the Communications Data Code of Practice says:
The definition of a telecommunications operator also includes application and website providers but only insofar as they provide a telecommunications service. For example an online market place may be a telecommunications operator as it provides a connection to an application/website. It may also be a telecommunications operator if and in so far as it provides a messaging service. This means that numerous businesses will be considered telecommunications operators in respect of some of their operations, even where the majority of their work is unrelated to telecommunications services or telecommunication systems.
In other words, while the definition is not without limits, it is very broad indeed, by design.
Is the request for communications data?
Under the Investigatory Powers Act 2016, public authorities can require telecommunications to provide "communications data".
This includes both information about who or what used your services (known as "entity data"), and how they used those services - for example, who called who from where and when (known as "events data").
Communications data does not include the content of a communication. The definition of "content" refers to the "meaning" of a communication, but what this means in practice is far from clear, especially in the context of communications carried over the Internet.
If the data relate to the service or functionality which makes you a telecommunications operator - e.g. a supply address in the context of broadband services, or call records for a SIP voice service - they are likely to be communications data if they are not "content".
If, however, you are a telecommunications operator because you provide a website, but the data do not relate to the site itself (e.g. you run an online store, and the request is for what someone has bought, or you run a dating website and the request is for private profile information, rather than for the IP address used to connect to your site/service), then there is a stronger chance that the request is not for communications data.
This is not always clear-cut.
If you are not confident that what you are being asked to provide is "communications data", you should check this before responding.
However, since most authorisations under the Investigatory Powers Act 2016 go through an independent approvals process before they reach you, it should be rare that a demand for something which is not communications data slips through the net.
Have you received a notice to provide communications data?
Notices requiring you to provide communications data must be in writing (e.g. email) or, if not in writing, given to you in a manner which produces a record of having been given.
In my experience, email or other electronic notification is the most common route for giving a notice.
A notice is only valid if it:
sets out the office, rank or position held by the person giving it,
sets out the requirements that are being imposed, and
identifies / names you, as the person on whom the obligations are being imposed.
You must do what the notice demands, if that is reasonably practicable
You are obliged to comply with any requirement notified to you under a communications data acquisition notice, but only insofar as doing so is "reasonably practicable".
In other words, you are not required to do something which is not "reasonably practicable".
"Reasonably practicable" is a lovely lawyerly phrase, and what it means in practice will depend on what you are being asked to do, what capabilities you have, and the financial ramifications of the request.
If in doubt, get advice on this, but many requests for historic communications data can be handled easily and at minimal cost. Forward-looking requests - requests that ask for data which do not yet exist, or which you are being required to generate - can be more complex.
Don't tell anyone about the request unless you have a "reasonable excuse"
Disclosing the existence or the content of an authorisation or notice for communications data under the Investigatory Powers Act 2016 is a criminal offence, unless you have a "reasonable excuse".
You have a "reasonable excuse" if the requesting authority has said that you can disclose it.
It's not easy to reconcile this secrecy requirement with your obligations of transparency under the UK GDPR, so you'll likely want to think through how you approach this. The Home Office's view is that:
It is very unlikely to be a reasonable excuse for a telecommunications operator ... to disclose [information about communications data acquisition authorisations or notices] in the interests of transparency to its customers without the permission of the relevant public authority.
In my view, you are likely to have a reasonable excuse if you consult a solicitor for legal advice on how to comply with a notice given to you - it seems highly unlikely that a court would decide you were prohibited from taking legal advice, especially on something as complicated as this.
If you get this type of request on a reasonably regular basis, you might want to update your general transparency information, to mention the potential for disclosure of data to public authorities in response to legally-binding orders, on the basis that some transparency may be better than no transparency.
Has the request definitely come from a public authority?
You'll want to check that the request has genuinely come from the police (or other public authority), and not from someone pretending to be the police. After all, it's very easy to spoof an email address.
How you do that would depend on the organisation purportedly asking, and what resources you have available to you. As a rule of thumb, attempting to verify the validity of a request using any contact details contained in the request, or a message accompanying it, is unwise (since the contact details could be false too).
Find another way of contacting the public authority, and ask for confirmation of the validity of the request, if you are unsure.
What happens if you make a mistake?
Mistakes can have significant consequences, so obviously do your best to avoid mistakes. However, mistakes happen, and what matters if how you deal with it.
Telecommunications operators have no obligation to report errors under the Investigatory Powers Act 2016, and, in fact, cannot make errors under the Investigatory Powers Act - only public authorities can commit relevant errors.
However, the Communications Data Code of Practice includes error recording and reporting provisions which do apply to telecommunications operators.
On top of that, there are requirements to report personal data breaches under the ePrivacy and data protection frameworks.
The interplay of these obligations is a mess, legally and in practice.
I've been working towards getting clarity, and a sensible process, for a long time now, working with both the ICO and the Investigatory Powers Commissioner's Office (and its predecessor, which shows for just how long this has been rumbling on).
I'm biased, clearly, but the best I can say right now is to get expert advice as promptly as you can, if you think you've made a mistake, with a focus on redressing that mistake. (Have you spotted a theme to this post yet...?)
I've received a subject access request for information about disclosures made under the Investigatory Powers Act 2016
In which case, someone has opened a can of worms, and thrown it in your direction.
As a rule of thumb, you'll probably need to ask the public authority or authorities which made the request(s), and see if they object to the disclosure. If they do not, you can disclose. If they do, you'll want to ask for the reasoning, to enable you to assess the potential application of an exemption under the Data Protection Act 2018.
I might try to write a more detailed blog post about this in the future, but it's a complicated area, so the best I can do for now is to draw your attention to the complexity, and the potentially competing obligations (IPA, GDPR, and potentially even Official Secrets Act), and the risk of committing a criminal offence if you get it wrong, and suggest that you get in touch for a chat.
What about requests made under the Data Protection Act 2018?
If you are a telecommunications operator, and a public authority wishes to require you to provide communications data, they should be going through the Investigatory Powers Act. They should not be asking for voluntary disclosures under the data protection framework.
However, you may not be a telecommunications operator (or may not be a telecommunications operator for the data at issue), or the data may not be communications data. In that case, the public authority would not be able to use the Investigatory Powers Act to compel you to provide the data.
Although there's no such thing as a request for data under the Data Protection Act 2018, it is reasonably common for the police, and other public authorities, to send in a "DPA request" for information.
What they typically mean is that they are asking you to consider disclosing the data in question to them voluntarily, perhaps exercising an exemption under the Data Protection Act 2018 if necessary.
That's a topic for another blog post, but, in essence, if you wanted to assist, you would need to consider if you could do so while complying with your obligations under the UK GDPR. If you're not sure, that's a good sign you should get advice.
What about requests made under $SomeOtherFramework?
The Investigatory Powers Act 2016 has removed a lot of powers to acquire information comprising communications data from telecommunications operators. While most public authorities seem to have picked up on the changes, that's not true across the board, and I occasionally (although, fortunately, increasingly rarely) see requests made under legislation which is no longer available.
Looking on the horizon is also the spectre of requests made directly to UK telecommunications operators by the USA, under the UK/USA data access agreement, which is a sufficiently tricky area that it deserves its own post (in the future).
Get in touch!
We've got significant experience helping with this type of request, so please do just get in touch.
You are also welcome to talk with us about any other parts of the Investigatory Powers Act 2016, and we have numerous ways in which you can communicate with us at a level appropriate to the sensitivity of the conversation.