Last updated: 
3 months 2 weeks ago
Blog Manager
One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Group administrators:

Investigatory Powers Act - process details

Friday, December 7, 2018 - 11:03

The Government's powers make orders relating to information about communications have now moved from the Regulation of Investigatory Powers Act 2000 to the Investigatory Powers Act 2016. The associated Code of Practice provides useful information on the process for issuing three types of notice in particular: Communications Data Requests, Technical Capabilities Orders and Data Retention Notices.

Under the new Act, all three of these powers can be applied to private networks like Janet and its customer networks – under RIPA Technical Capabilities and Data Retention were limited to public networks – so it's worth checking that your own processes would do the right thing if one of these were to arrive.

Communications data requests (as under RIPA s22, which had pretty much the same process) can just arrive without warning. Normally (s6.21) they are in writing, but they may be oral in urgent cases. You're not required (6.25) to do anything which it is not reasonably practical to do: in particular there's a useful warning to those making requests that just IP+time is often not enough to identify a connection, something they must take into account both when deciding how to specify the order and when considering how much collateral intrusion the order may involve. Normally (6.27) a response is expected within ten working days.

Technical capabilities orders to adapt networks and systems to make communications data orders easier to fulfil will (12.2) "only be given to operators required to give effect to authorisations on a recurrent basis". Under RIPA these were limited by law to public networks: this volume test seems likely to limit any expansion to private networks. Operators are consulted in advance (12.10) on technical and economic feasibility, at this stage they can also agree who any notice should be sent to. If there is no agreement then (12.18) it must be served on a "senior executive", which addresses the concern that the Act appeared to allow notices to be sent to junior network technicians. Orders must be reviewed at least every two years (12.31) and this must include consultation with the operator.

Data retention notices. Importantly, the Code confirms (16.1) that "the default position is that no operator is required to retain any data under the Act until given a notice". The Code seems to say (17.3) that notices will only be issued if you are receiving more Communications Data Requests than you can handle; but there is also mention of the possibility (17.8-17.10) of placing a requirement on all wifi providers in a particular geographic area. The latter presumably links to the use case suggested by the Home Office during the debate on the Act, if a particular cyber-café became popular with terrorists, in which case only public wifi would be relevant. The Home Office must consult before issuing a notice (17.2) and "in practice, informal consultation is likely to take place long before a notice is given in order that the operator(s) understands the requirements that may be imposed and can consider the impact" (17.12), so there should be plenty of warning.

For both retention and technical capabilities, cost recovery must be agreed before any implementation begins (22.10) so there’s a lot to agree before any notice is put into effect.

Finally, if an you receive any of these orders, your organisation should keep a record for two years in case of any investigation by the Regulator. The Code sets out (24.10-24.16) what needs to be recorded: for communications data requests the identity of the authority making the request, the unique reference number, and the dates when the required information was specified and delivered.