You will no doubt be familiar by now with my blogs on the subject of RIPA (Regulation of Investigatory Powers Act 2000) and my attempts to use the Freedom of Information Act to obtain some kind of insight into how Police Forces may be using RIPA to monitor their officers’ use of social media (SM). So far I have not been very successful and this has led me to abandon my use of the Freedom of Information Act because it has turned into a Head vs Brick Wall scenario. I have, however, vowed to monitor and pursue my requests which are still outstanding.
This blog will very likely be my last on the subject of RIPA and I apologise in advance that it is not interspersed with humour. It will most likely be a bit dry and technical, but I’ve reached the stage of this particular rant where humour isn’t really appropriate.
If you are new to this subject you can find my previous blogs on this subject as follows;
In the last few days I have received responses from West Midlands Police and the Met in reply to my requests for an Internal Review of their Refusals to answer my questions relating to their use of RIPA.
If any of you AGREE with their refusals please let me know so that I can stop banging my head against this particular brick wall with a clear conscience.
I have already written to the Information Commissioner about Dyffed-Powys’s refusal to, in any way, answer my request. I await their response.
West Midlands have issued the much anticipated confirmation that they have reviewed their response to my request and that their original Refusal Notice stands.
The Met (MPS) too have confirmed their original refusal, but much, much more comprehensively. The main difference being that it includes an apology for a breach of the Freedom of Information Act for not replying to me originally within the prescribed timescale.
I did think, however, that since all of this is now in the public domain, I would share some of their eloquent prose with you and please, please let me know whether you agree with them or not. If sufficient of you disagree with the MPS I may find the strength to write another Victor Meldrew letter to the Information Commissioner.
So sit comfortably, buckle up, and here goes;
“The Metropolitan Police Service (MPS) has completed its review and has decided to vary the original decision by upholding the original exemptions stated (section 23(5) – Information supplied by, or concerning, certain Security bodies; section 44(2) – Prohibitions on disclosure, section 30(3) Investigations and proceedings conducted by a public authority, section 40(5) Personal Information) and additionally engage section 31(3) – Law enforcement of the Freedom of Information Act 2000 (FoIA).”
So there’s the first thing, I ask for a Review and their response is to ADD one more reason why they shouldn’t even answer.
“I would like to apologise for the delay to your request and for any inconvenience caused by our failure to process it correctly. I hope to reassure you that the MPS takes compliance with the Act very seriously and is committed to promoting good practice in this area.”
Very good of them I’m sure.
“The review acknowledges your comment ‘Questions 1, 3 and 4 only require a number as their answer, and Question 2 only requires a Schedule of Offences’. With this in mind it is the potential value of the number in the public domain that must be considered and in this context the number may be significant.
Anyone know how a number might be significant?
“The review gives attention to your comment ‘I do not accept that this is a valid arguement for refusing to Confirm/Deny and Refusal as I specifically aimed my request at 2011 with the clear intention of avoiding such a problem as ongoing, current investigations. I most certainly would not want to be responsible for alerting an officer to the possible investigation of his/her activities, and so chose a date which should contain no current investigations.’ and as stated in the original response that section 1(1) (a) of FoIA requires a public authority to inform a requestor whether it holds the information specified in the request. This is known as the ‘the duty to confirm or deny’. The Information Commissioner’s Office (ICO) guidance states ‘there may be occasions when complying with the duty to confirm or deny under section 1(1)(a) would itself disclose sensitive or potentially damaging information that falls under an exemption…in these circumstances the Act allows a public authority to respond by refusing to confirm or deny whether it holds the requested information. This is called a ‘neither confirm nor deny’ (NCND) response.’ Further reference can be found by way of this link:
Again MPS I don’t see how “there may be occasions when complying with the duty to confirm or deny under section 1(1)(a) would itself disclose sensitive or potentially damaging information that falls under an exemption..” is relevant. What you really mean is that you don’t want the great British Public to know whether you utilise RIPA to investigate your officers or not. I see no valid reason for withholding the information I have requested.
“The ICO further reminds public authorities that they can only refuse to confirm or deny whether it holds the information, ‘if this would itself reveal information that falls under an exemption’. In this case the MPS has neither confirmed nor denied information is or is not held by virtue of sections 23(5), 30(3), 44(2) and 40(5).”
“Section 23(5) of the FoIA states that: The duty to confirm or deny does not arise if, or to the extent that, compliance with section1 (1) (a) would involve the disclosure of any information (whether or not already recorded) which was directly or indirectly supplied to the public authority by, or relates to, any of the bodies specified in subsection (3). The full list of bodies specified in section 23(3) can be viewed by way of this link http://www.legislation.gov.uk/ukpga/2000…
In a recent Information Commissioner’s Office (ICO) Decision Notice FS50443643
the Commissioner’s opinion was that ‘the exemption contained at section 23(5) should be interpreted so that it is only necessary for a public authority to show that either confirmation or denial as to whether the requested information is held would involve the disclosure of information relating to a security body. It is not necessary for a public authority to demonstrate that both responses would disclose such information. Whether or not a security body is interested or involved in a particular issue is in itself information relating to a security body.’
In FS50443643 the ICO states ‘…it can be seen that section 23(5) has a very wide application. If the information requested is within what could be described as the ambit of security bodies’ operations, section 23(5) is likely to apply. This is consistent with the scheme of FOIA because the security bodies themselves are not subject to its provisions. Factors indicating whether a request is of this nature will include the functions of the public authority receiving the request, the subject area to which the request relates and the actual wording of the request.’
With these considerations in mind, the review is satisfied that section 23(5) is appropriately engaged in this case.”
A superb Get Out Of Jail Free Card is it not? To confirm or deny might reveal whether we do or do not hold any information that may or may not have been supplied by Security Services etc, so we don’t have to answer you. Brilliant.
“The review has regard for your comment ‘RIPA should only be used in cases of alleged Crime. If Police Officers are involved in the commission of crimes this is of public interest and why should the police service not be held to account? I do not see this as a valid reason for not Confirming/Denying and Refusing my request…Yet again the information that I am actually requesting would in no way identify resources available, it is not a closely guarded secret that people’s Twitter or Facebook accounts can be monitored by almost anyone, so there are no secrets to be divulged by answering the question.’ And can advise you that section 30(3) of the FoIA states the duty to confirm or deny does not arise in relation to information which is (or if it were held by the public authority would be) exempt information by virtue of subsection (1) or (2).
The ICO has published guidance on the exemption for criminal investigations and proceedings (which can be found by way of this link:
This guidance states ‘section 30 creates an exemption for information:
· Which is or has been held for the purposes of a criminal investigation;
· Which is or has been held for criminal proceedings conducted by a public authority; or,
· Which was obtained or recorded for various investigative functions and relates to the obtaining of information from confidential sources.’
The ICO advises ‘before complying with section 1(1)(a) public authorities should consider both whether any harm would arise from confirming that information is held and whether harm would arise from stating that no information is held. Otherwise, if the same (or same type of) requests were made on several occasions, a changing response could reveal whether information was held.’ And in this respect the review gives attention to the initial MPS response which states ‘the MPS will not divulge whether information is or is not held if to do so would undermine ongoing investigations…there is a very strong public interest in safeguarding the integrity of police investigations and operations.’
With these considerations in mind, the review is satisfied that section 30(3) is appropriately engaged in this case.”
Am I just being thick here or does this exemption mean that Crime Figures should actually be exempt from release to the public by virtue of the reasons above, or are the MPS merely trying to hide behind a tenuous exemption?
“The review acknowledges your comments ‘Once again I am not requesting details of methodology, merely a numerical response and a Schedule of Offences. I require no further information than that. I fail to see how this would compromise anything… Once again the information that I have requested, if supplied, would not dissuade anyone from supplying information to the police as it is only a number and a Schedule of Offences that I have requested.’ and in this respect is satisfied that by confirming or denying such information is or is not held would be detrimental to the function of law enforcement in the prevention and detection of crime, by providing those individuals who would wish to cause harm with invaluable intelligence and, as a consequence, making it more difficult for the MPS to police effectively. This adverse effect was highlighted in the original response namely ‘to disclose investigative information could dissuade people from providing information to the police in the future thus reducing the flow of information to the service…’ thereby hampering our law enforcement functions.
With these considerations in mind, the review is satisfied that section 31(3) is appropriately engaged in this case.”
Could someone please explain this response to me. How on earth would answering my questions dissuade law-abiding citizens from providing the Police with information and/or hamper the investigation of crime?
“Is the requested information personal data?
The review has regard for your comment ‘Once again, I am only requesting numbers and a Schedule of Offences relating to 2011. I am absolutely certain that any fully trained officers are aware of RIPA and the possible use of RIPA against them should the circumstances dictate.’ And can advise that Personal data is defined in section 1(1) of the Data Protection Act 1998 (DPA) as:
‘data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intention of the data controller or any other person in respect of the individual.’
You have requested information in relation to how many RIPA applications were made by members of your Force in relation to Police Officers’ use of Social Media or e-mail and that they are the focus of the information which would be revealed. The review is therefore satisfied that the requested information is personal data within the meaning of section 1(1) of the DPA. The review is satisfied that confirming or denying whether the MPS holds the requested information would reveal personal data. The result of any searches including the absence of any data would reveal information about individuals.
Would complying with section 1(1)(a) contravene any of the Data Protection Principles?
Section 1(1)(a) FoIA states ‘any person making a request for information to a public authority is entitled (a) to be informed in writing by the public authority whether it holds information of the description specified in the request.’
For section 40(5)(b)(i) FoIA to apply, complying with the duty under section 1(1)(a) must reveal personal data and contravene any of the data protection principles. The MPS has found that the first data protection principle to be the relevant in this case, which states ‘Personal data shall be processed fairly and lawfully and in particular shall not be processed unless a) at least one of the conditions in DPA schedule 2 is met, and b) in the case of sensitive personal data, at least one of the conditions in schedule 3 is also met’.
The review is also mindful of the legislation under section 2 DPA which defines ‘sensitive personal data’ as personal data consisting of information as to (g) the commission or alleged commission by him of any offence. http://www.legislation.gov.uk/ukpga/1998…. The nature of the information being requested by you, if held, is therefore likely to fall into the category of ‘sensitive personal information’ category and/or enable such inferences to be made. Therefore, any statement confirming or denying whether this information is or is not held could disclose sensitive personal data either in isolation or when combined with other information which may be in the public domain.
The ICO further states ‘There may be circumstances, for example requests for information about criminal investigations or disciplinary records, in which simply to confirm whether or not a public authority holds that personal data about an individual can itself reveal something about that individual. To either confirm or deny that the information is held could indicate that a person is or is not the subject of a criminal investigation or a disciplinary process. If to do so would contravene data protection principles, for example because it would be unfair, then the public authority is not obliged to confirm or deny that it holds the information.’ Further details can be found by way of this link http://www.ico.gov.uk/for_organisations/…
With these considerations in mind, the review is satisfied that section 40(5) is appropriately engaged in this case.”
Genius!! So now a simple number is regarded as Sensitive Personal Information. Once again that must mean that half the stats that are issued must be sensitive personal information as the numbers relate to people somewhere along the line. I fail to see how giving me a number will assist me in identifying individual officers (unless the answer is ONE) and it is not my intention to identify individual officers anyway.
“Section 44 – Prohibitions on disclosure
Section 44(2) states the duty to confirm or deny does not arise if the confirmation or denial that would have to be given to comply with section 1(1)(a) would (apart from this Act) fall within any paragraph (a) to (c) of subsection (1), namely (a) is prohibited by or under any enactment, (b) is incompatible with any Community obligation, or (c) would constitute or be punishable as a contempt of court.
The ICO guidance clarifies that ‘section 44(2) provides an exemption from the duty to confirm or deny whether information is held. It may, on rare occasions, be necessary neither to confirm nor deny that information is held if this is a requirement under other legislation, or under certain conditions or processes as specified in s44…although the number of occasions when a public authority will be justified in neither confirming nor denying that it holds information requested may not be very large, the Act acknowledges that such occasions may arise.’
In this respect the review takes account of the original MPS response which mentions ‘under Chapter 1 of part 1 of the RIPA legislation, it may actually be a criminal offence to do so (Section 19)’ and can advise that section 19 Regulation of Investigatory Powers Act 2000 (RIPA) creates an offence for unauthorised disclosures as follows:
(1) Where an interception warrant has been issued or renewed, it shall be the duty of every person falling within subsection (2) to keep secret all the matters mentioned in subsection (3).
(2)The persons falling within this subsection are—
(a) the persons specified in section 6(2);
(b) every person holding office under the Crown;
(c) every member of the staff of the Serious Organised Crime Agency;]
(ca) every member of the Scottish Crime and Drug Enforcement Agency;]
(e) every person employed by or for the purposes of a police force;
(f) persons providing postal services or employed for the purposes of any business of providing such a service;
(g) persons providing public telecommunications services or employed for the purposes of any business of providing such a service;
(h) persons having control of the whole or any part of a telecommunication system located wholly or partly in the United Kingdom.
(3)Those matters are—
(a) the existence and contents of the warrant and of any section 8(4) certificate in relation to the warrant;
(b) the details of the issue of the warrant and of any renewal or modification of the warrant or of any such certificate;
(c) the existence and contents of any requirement to provide assistance with giving effect to the warrant;
(d) the steps taken in pursuance of the warrant or of any such requirement; and
(e) everything in the intercepted material, together with any related communications data.”
At last, the first part of their Refusal that I can actually understand and agree with. In the light of this exemption I shall draw my own conclusions.
Once again I must apologise for the length of this post, I hope you have found it worthwhile.Last Updated on