The Investigatory Powers Act was brought in order to support the Human Rights Act and increases the protection of your privacy. The main purpose is to ensure that relevant investigatory powers are used in accordance with your human rights.
These powers are:
- the interception of communications
- the acquisition of communications data (such as billing data)
- intrusive surveillance (such as on residential premises or in private vehicles)
- covert surveillance in the course of specific operations
- the use of covert human intelligence sources (such as agents, informants, and undercover officers)
- access to encrypted data
For each of these powers, the Act will ensure that the law clearly covers:
- the purposes for which they may be used
- which authorities can use the powers
- who should authorise each use of the power
- the use that can be made of the material gained
- independent judicial oversight
- a means of redress for the individual
Not all of these matters need be dealt with in this Act. In many cases existing legislation already covers the ground. The Act will work in conjunction with existing legislation, in particular the Intelligence Services Act 1994, the Police Act 1997 and the Human Rights Act 1998.
Key points about investigatory powers
Interception of communications and the acquisition and disclosure of communications data
This section repeals earlier law and provides for a new regime for the interception of communications of any sort, incorporating the changes proposed in the consultation paper. These changes go beyond what is strictly required for human rights purposes and provide also for the changed nature of the communications industry since 1985.
The provisions also implement an article, which requires member states to safeguard the confidentiality of communications.
Surveillance and covert human intelligence sources
The Act states that specific people in authority, for example undercover officers and intelligence agencies, may use surveillance, but use of it is restricted to safeguard invasions of the public's privacy.
Investigation of electronic data protected by encryption
This maintains the effectiveness of existing law in preventing criminal use of encryption. It will introduce a power to require disclosure of protected data.
Scrutiny of investigatory powers and codes of practice
Specific people will check other people's power, when necessary, to make sure that they are not overstepping or abusing it. The Secretary of State may issue Codes of Practice covering the use of the powers covered by the Act.
Everyone has the right to respect for his private and family life, his home and his correspondence
The Regulation of Investigatory Powers Act 2000 (RIPA) allows the government to access a person's electronic communications in a more unrestricted manner, compared to postal correspondence. The Act:
- enables the government to demand that a business that provides communications services (such as an Internet Service Provider) gives access to a customer's communications, and does so in secret
- enables mass surveillance of communications in transit
- enables the government to demand commmuniction service providers fit equipment to facilitate surveillance
- enables the government to demand that someone hands over keys to protected information
- allows the government to monitor people's Internet activities
- prevents the existence of interception warrants and any data collected with them from being revealed in court
In addition, the government can demand that a public telecommunications service intercepts an individual's communications. The Home Secretary can serve interception warrants to perform mass surveillance, and, under certain circumstances, can order that the "external communications" of a telecommunications service be intercepted (that means all the internet traffic flowing through a particular business' servers).
Interception warrants can be issued for the purposes of protecting national security, preventing or detecting serious crime or safeguarding the economic well-being of the UK. These terms are so vague as to be applicable to just about anyone.
The definition of public telecommunications services is broad and could apply to internet services providers, phone companies, or even a business that operates a web site that allows communication through it.
As a business, there is no need to put in place any policy document that covers this (such as including policy in your privacy notice). You might make reference to it, to remind your customers that you are bound by the law. But since the law affects your business, and not your business relationship wth your customers, and because any demand must be kep secret and must be complied with, there is no requirement to put in place specific customer-facing policies.
The government can require businesses to fit equipment that enables them to do perform surveillance. The government will, however, contribute to the costs of doing so.
In theory, this could leave your security systems open to abuse by others, such as from hackers. In practice, this is unlikely. Businesses that are requested to have open systems are likely to be large and sophisticated enough to have the expertise to ensure that security in general is strong.
The government can demand that encryption and decryption keys be handed over in order to access protected information, where the person concerned has or has had the keys and does not have the information. It is an offence not to hand over such a key with a punishment of 2 years imprisonment.
You are deemed to have possessed the key if you knew it at any time before the disclosure notice was served, unless you can show you did not have it after the time the notice was served and before the time you were required to disclose it. You are taken to show that you did not possess it at the relevant time if you can adduce sufficient evidence to raise an issue with respect to this matter and the contrary is not proved beyond reasonable doubt.
Access to Internet traffic
The government can access Internet traffic data for the purposes of national security, prevention or detection of crime, in the interests of the UK's economic well-being, in the interests of public safety, for protecting public health, for tax assessment or collection, for preventing death or injury or damage to a person's health in the event of an emergency and for any reason the Secretary of State deems fit.
The state can thus gather information such as what websites you visit and when, who you e-mail, who e-mails you, what newsgroups you read, all the phone numbers you call, what software you've downloaded, what documents you've downloaded, where and when you log on to a machine and from where you logged on.
Essentially any government department or any police officer can demand this information, as long as it is deemed to be required under the grounds listed above.
As such, it is a good idea to limit what your employees may do using your IT systems while at work through use of an employment policy relating to information systems usage. The probability of disruption to your business is small, but the consequence of it would be fairly disruptive.