A very welcome Letter to the Editor from ANNE SKEOGH, who writes to clarify the legalities behind Scarborough Borough Council’s unlawful practice and policy of intercepting email communications between members of the public and elected Councillors – confirming views expressed by several North Yorks Enquirer contributors.
NYEnquirer articles re Scarborough Borough Council (SBC) officers’ interpretation of the Regulation of Investigative Powers Act 2000 (RIPA) and the associated Telecommunications Regs 2000 make interesting reading.
SBC officers’ preventing or interfering with transmission of emails across its system and accessing the contents of emails – without either the senders’ knowledge or, apparently, the Councillors’ as intended recipients – is potentially in breach of numerous pieces of legislation and guidance, not just RIPA 2000 and the Telecomms Regs. Certainly, officers make no reference in their justification to legislation which is regarded as having a significant bearing, and that RIPA use provides protection for public authorities (my bold, and comments in italics):
1/ Human Rights Act 1998 (HRA)
“Interpretation of legislation.
- So far as it is possible to do so, primary legislation and subordinate legislation must be read and given effect in a way which is compatible with the Convention rights.”
“Right to respect for private and family life.
- Everyone has the right to respect for his private and family life, his home and his correspondence.
- There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.”
3/ EU Working Party on email privacy re Article 8 – from as early as 2006:
“Interception, opening, reading, delaying reception of letters or putting up barriers to the sending of letters have all been considered to be interfering with Article 8 of the ECHR. From the case law of Commission and the Court of Human Rights, it may be concluded that email communications almost certainly will be covered by Article 8 ECHR, by combining both the notions of “private life” and “correspondence”. Communication partners that use emails may reasonably expect that their communications will not be inspected by third public or private parties.”
4/ Data Protection Act 1998 (DPA) (repealed but incorporated into the 2018 Act).
Information Commissioner’s Office guidance (ICO) for Councillors and their responsibilities for notifying ICO under the Acts:
Councillors are deemed to be data controllers in the following circumstances –
“As a representative of the residents of their ward
When councillors represent residents of their ward, they are likely to have to register in their own right. For example, if they use personal information to timetable surgery appointments or take forward complaints made by local residents.”
ICO guidance on the differences between the roles, and the responsibilities, of both data controllers and data processors is here. In summing up it states:
“… a processor has the freedom to use its technical knowledge to decide how to carry out certain activities on the data controller’s behalf. However, it cannot take any of the over-arching decisions, for example what the personal data will be used for or what the content of the data is. Such decisions must only be taken by the data controller.”
SBC, in facilitating an email conduit to Councillors, is doing so as a data processor. SBC is a data controller and processor for its own functions, but here it is simply a processor and must act only at the direction of the controller (the Councillor).
It’s difficult to see how this requirement squares with Councillors’ apparent ignorance of even the existence of emails addressed to them.
5/ DPA 1998 S55
“55 Unlawful obtaining etc. of personal data
(1) A person must not knowingly or recklessly, without the consent of the data controller—
(a) obtain or disclose personal data or the information contained in personal data, or
(b) procure the disclosure to another person of the information contained in personal data.
(2) Subsection (1) does not apply to a person who shows—
(a) that the obtaining, disclosing or procuring—
(i) was necessary for the purpose of preventing or detecting crime, or
(ii) was required or authorised by or under any enactment, by any rule of law or by the order of a court,
(b) that he acted in the reasonable belief that he had in law the right to obtain or disclose the data or information or, as the case may be, to procure the disclosure of the information to the other person,
(c) that he acted in the reasonable belief that he would have had the consent of the data controller if the data controller had known of the obtaining, disclosing or procuring and the circumstances of it, or
(d) that in the particular circumstances the obtaining, disclosing or procuring was justified as being in the public interest.
(3) A person who contravenes subsection (1) is guilty of an offence.”
It would appear that the only application SBC might claim is (2)(a)(i), “preventing or detecting crime” – but I understand many of the emails being re-directed/withheld without any consent are harmless, with no evidence of a crime.
DPA 2018 S170 is the parallel section in the new Act.
6/ The Protection of Freedoms Act (PFA) 2012:
Here is Eric Pickles, then Secretary of State for Communities and Local Government, on the PFA in 2012:
“Reflecting pledges made by Conservatives in Opposition, the Coalition Agreement committed the Government to ban the use of powers in the Regulation of Investigatory Powers Act by local authorities, unless they were signed off by a magistrate and required for stopping serious crime.
The Protection of Freedoms Act brings this into law, ensuring the public can be confident that overzealous town hall bureaucrats do not use powers intended for terrorism or serious criminal investigations for trivial issues.”
“For public bodies, funded by and working for the taxpayer, to be using RIPA yet so vociferously trying to avoid accountability is simply unacceptable.”
7/ Home Office guidance issued to local authorities (separately issued to magistrates) re PFA 2012 and amendments above, states at Section 2, with specific regard to the use of RIPA 2000 and communications:
“Communications data (CD) is the ‘who’, ‘when’ and ‘where’ of a communication, but not the ‘what’ (i.e. the content of what was said or written).
RIPA groups CD into three types:
- ‘traffic data’ (which includes information about where the communications are made or received);
- ‘service use information’ (such as the type of communication, time sent and its duration); and
- ‘subscriber information’ (which includes billing information such as the name, address and bank details of the subscriber of telephone or internet services).
- Under RIPA a local authority can only authorise the acquisition of the less intrusive types of CD: service use and subscriber information. Under no circumstances can local authorities be authorised to obtain traffic data under RIPA.
- Local authorities are not permitted to intercept the content of any person’s communications and it is an offence to do so without lawful authority”.
Minutes from the SBC Cabinet meeting on 17/11/15 (page 115 on) show that SBC had certainly incorporated the RIPA changes into its 2015 policy – indeed, its March 2018 update has very few amendments.
A failure to observe RIPA could potentially constitute a breach of data protection and human rights legislation. In other words, RIPA adherence affords a protection to a public authority in the event of a data protection or human rights challenge.
David Kitson’s, SBC endorsed, email to Councillors is characterised by omission, contradiction and error.
SBC appears to be acting without the assurances the requirement for “lawful authority” affords, and its contention that the Telecomms Regs apply is not valid – see appendix below. Its subsequent use of an ‘unreasonable behaviour’ policy to justify ‘lawful’ interception is simply laughable.
There seems to be nothing that permits the unauthorised interception of email communications where the express intention is to scrutinise the contents, and plenty that protects privacy.
It’s difficult to believe that officers at SBC were unaware of the position, and that Councillors have not been misled.
Anne SKEOGH, Richmond. 21st September 2018.