Last updated: 
3 months 3 weeks ago
Blog Manager
One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Group administrators:

"Bassam's Doormat" RIP?

Wednesday, June 6, 2012 - 10:47

Chris Pounder has pointed out that the Director of Public Prosecutions has apparently joined privacy lawyers in suggesting that ten years' conventional wisdom (and guidance from the Information Commissioner) may have been wrong on when an e-mail stops being "in transmission" and therefore covered by the Regulation of Investigatory Powers Act 2000 (RIPA). The Act says that interception only takes place if the content of a message is made available "while in transmission" over a communications network. Once it stops being transmitted, RIPA no longer applies, though other laws (notably Article 8 of the European Convention on Human Rights, via the Human Rights Act 1998) may still do so.

In the original debate in the House of Lords, Lord Bassam explained that a letter stops being "in transmission" when it lands on the doormat. After a certain amount of head-scratching, it was generally presumed that this meant that an e-mail stopped being "in transmission" when it was read. Thus it has been considered that inboxes contained a mixture of (unread) messages that were subject to RIPA and (read) messages that were not. However it has now been pointed out (in the context of voicemail boxes, which are bit closer than letters to e-mail) that section 2(7) of RIPA says that "transmission" includes "any time when the system by means of which the communication is being, or has been, transmitted is used for storing it in a manner that enables the intended recipient to collect it or otherwise to have access to it". There's no mention of the communication being read or not, or having a read/unread flag on it, which may not always be the same thing!

It seems that this may create a simpler rule - "inboxes are subject to RIPA". In fact it may be even simpler, as the new definition seems also to cover messages that have been received and filed elsewhere on the same system, in other words any message still on the central mail store (I do know that folders aren't always on the same system as the inbox, but I wouldn't like to have to explain that to a judge!). So maybe the rule is actually "mail stores are subject to RIPA"? In fact that shouldn't make much difference to universities and colleges since the whole mail store is already subject to the Human Rights Act, which has much the same requirements for justifying access to the content of communications. So processes for accessing mail messages should already be checking that access is necessary and proportionate for a legitimate purpose. But it may be worth checking that those HRA-compliant purposes are also justified by either RIPA (mostly section 3(3)) or the secondary Lawful Business Practice Regulations.

[UPDATE: There's a discussion of the various possible interpretations, with a suggestion that this wider interpretation of Interception should be used, in paragraphs 15-35 of the Home Affairs Select Committee Report on Unauthorised Access to Mobile Phone Communications]