Acquisition of communications data under the IPA 2016 explained
How public authorities obtain communications data from companies in the UK
TL;DR
This newsletter is about the acquisition of communications data by UK public authorities from telecommunications operators. It looks at the data that can be obtained under these authorisations, the procedure for obtaining these authorisations and the bulk version of this power.
Here are the key takeaways:
Under the Investigatory Powers Act 2016, relevant public authorities can obtain authorisation for the acquisition of communications data from telecommunications operators. This includes the metadata of a communication rather than the content of communications, including internet connection records.
A wide range of public authorities in the UK can obtain authorisations to obtain communications data. This includes not just MI5, MI6 and GCHQ (the security and intelligence agencies), but also, among others, the police, the National Crime Agency, the Competitions and Markets Authority, the Financial Conduct Authority and the Office of Communications.
Data acquisition authorisations can be sought for the purposes of a specific investigation or a specific operation. The grounds on which authorisations may be granted include, among others, national security and preventing or detecting serious crime.
Once granted, a data acquisition authorisation can be served on a telecommunications operator. The authorisation must therefore specify the operator concerned and the nature of the requirements to be imposed.
Acquisition authorisations can also come in bulk form, of which is subject to the double lock mechanism. However, only the security and intelligence agencies can apply for these bulk acquisition warrants.
What are data acquisition authorisations?
Under the Investigatory Powers Act 2016 (IPA 2016), relevant public authorities can obtain authorisation for the acquisition of communications data from telecommunications operators. Some authorisations can be obtained from certain personnel within a relevant public authority, whereas other authorisations require independent authorisation from the Investigatory Powers Commissioner (IPC). Acquisition authorisations can come in bulk form, of which is subject to the double lock mechanism, but only the SIAs can apply for these bulk acquisition warrants.
Which public authorities can obtain data acquisition authorisations?
Under the IPA 2016, a "relevant public authority" includes a wide range of public authorities in the UK. This includes not just MI5, MI6 and GCHQ (the security and intelligence agencies, or the SIAs), but also, among others, the police, the National Crime Agency, the Competitions and Markets Authority, the Financial Conduct Authority and the Office of Communications.1
What is the procedure for obtaining data acquisition authorisations?
The IPA 2016 requires public authorities to have a "designated senior officer" (DSO), which somebody with a certain rank, office or position who are involved in the procedure for obtaining data acquisition authorisations.2 The required rank, office or position depends on the public authority in question. For example, the minimum rank in GCHQ for authorising the acquisition of communications data is a G8 Officer.3
The process for authorising the acquisition of communications data is as follows:
The applicant - A person within a public authority involved in an investigation or operation makes an application for the acquisition of communications data that would aid that investigation or operation. The application must be made in writing or in a manner that produces a record of its having been applied.4
The single point of contact - Applicants must consult a person within the relevant public authority who is acting as a single point of contact (SPoC) in relation to the making of applications.5 DSOs must also consult SPoCs before granting an authorisation. These SPoCs are “trained to facilitate the lawful acquisition of communications data and effective cooperation between a public authority, the Office for Communications Data Authorisations and telecommunications operators”.6
The authorising individuals - Authorisation for the acquisition of communications data may be obtained in one of three ways:
Certain public authorities may only obtain authorisation from the IPC,7 including local authorities.8 These duties of the IPC are delegated, in accordance with the IPA 2016,9 to their staff who sit in a body known as the Office for Communications Data Authorisations (OCDA).10 The requirement for independent authorisation depends on the grounds on which an application for data acquisition is made and which public authority is making the application. For example, if the Department of Health and Social Care is applying for a data acquisition authorisation in the interests of public safety,11 independent authorisation from the OCDA will be required and the Department may obtain both entity data and events data. The OCDA will need to consider the necessity and proportionality of each application.12
Authorisations can be made by a DSO within a relevant public authority where the acquisition data is requested on certain grounds.13 That DSO will have to consider the necessity and proportionality of the application.14
If the OCDA or a DSO has authorised the acquisition of communications data for the purpose of identifying or confirming a source of journalistic information, then the approval of a Judicial Commissioner is also required.15
What data can be obtained under a data acquisition authorisation?
Acquisition authorisations permit the collection of communications data. As explained in my post on retention notices under the IPA 2016:
Retention notices can be used to obtain 'relevant communications data' from telecommunications operators.
"Communications data" effectively means the metadata of a communication. This includes information about things like the recipient, sender and timing of the communication. The IPA 2016 itself defines the specific pieces of metadata within the scope of communications data, namely entity data and events data:
'Entity data' means data about an entity which could be a person or a thing.
'Events data' means any data identifying or describing an event on, in or by means of a telecommunication system where the event consists of one or more entities engaging in a specific activity at a specific time.
Together, communications data means any data "generated, held or obtained in the provision, delivery and maintenance of communication services." This could include:
Those involved in the communication (i.e., the sender and recipient)
When the communication was made
The duration of the communication
The type and method of communication
The telecommunication system used for the communication
The location of the telecommunication system
For acquisition authorisations, certain DSOs are only permitted to authorise the obtaining of entity data whereas other DSOs of a higher rank, office or position are permitted to authorise the obtaining of both entity and events data. For instance, an inspector within the Metropolitan police force may authorise the acquisition of entity data only, whereas a superintendent may authorise the acquisition of both entity and events data.16
Communications data also includes what the IPA 2016 defines as 'internet connection records', which also explained in my post on data retention notices:
An internet connection record is a type of communications data that satisfies the following two conditions:
It can be used to identify a communication that has been transmitted to a telecommunications service via a telecommunication system to obtain access to or run a computer file or program
It comprises data generated or processed by a telecommunications operator in the process of supplying the telecommunications service to the sender of the communication (whether or not a person)
ICRs therefore consist of information that identifies an internet service that a person has been using. This could include a wide range of data, such as IP addresses or a customer account reference like an account number.
The websites a person has visited can also constitute an ICR. However, the definition of an ICR excludes certain elements of a person's web browsing history. For example, if a person visits 'https://www.thecybersolicitor.com/s/state-surveillance', the only part of this URL that would constitute 'communications data' for the purposes of the IPA 2016 includes the host name ('www.thecybersolicitor.com). The remainder of the URL, namely the resource ('/s/state-surveillance') would be classed as the content of a communication under the Act and therefore not fall within the definition of an ICR.
The IPA “recognises the additional sensitivities associated with ICRs and restricts public authority access accordingly”.17 Accordingly, neither the OCDA nor a DSO can authorise the acquisition of communications data which is, or can be obtained by processing, an ICR.18 There are limited exceptions to this rule, which effectively pertain to when an ICR is used:
To identify those who are using a service on the internet only where the service and the time of use are already known.19
To identify the internet communications service being used by a known person or apparatus, including when and how it is used.20
To identify the internet service being used, including when and how, by a known person or apparatus.21
Obtain access to, or run, a computer file or program by a known person or apparatus involving, wholly or mainly, the making available or acquisition of material the possession of which is a crime.22
On what grounds can a data acquisition authorisation be sought?
Any acquisition authorisation can be sought if it necessary to obtain communicationa data for the purposes of:23
A specific investigation or a specific operation
Testing, maintaining or developing equipment, systems or other capabilities relating to the availability or obtaining of communications data
Either of those activities must be connected with one of the statutory grounds provided under the IPA 2016. The OCDA may authorise the acquisition of communications data on any of the following grounds:24
In the interests of national security.
For the purpose of preventing or detecting serious crime (where the communications data is wholly or partly events data) or, in any other case, for the purpose of preventing or detecting crime or of preventing disorder.25 Serious crime is defined as a criminal offence that involves conduct entailing the use of violence, results in substantial financial gain or is conduct by a large number of persons in pursuit of a common purpose.26
In the interests of the economic well-being of the UK so far as those interests are also relevant to the interests of national security.
In the interests of public safety.
For the purposes of preventing death or injury or any damage to a person’s physical or mental health, or of mitigating any injury or damage to a person’s physical or mental health.
To assist investigations into alleged miscarriages of justice.
Where a person (P) has died or is unable to identify themselves because of a physical or mental condition, so as to assist in identifying P or to obtain information about P’s next of kin or other persons connected with P or about the reasons for P’s death or condition.
DSOs may authorise the acquisition of communications data on a much narrower set of grounds:
In the interests of national security.
For the purpose of preventing or detecting serious crime, i.e., a criminal offence that involves conduct entailing the use of violence, results in substantial financial gain or is conduct by a large number of persons in pursuit of a common purpose.27
In the interests of the economic well-being of the UK so far as those interests are also relevant to the interests of national security.
However, the grounds on which an authorisation may be granted by a DSO are wider where an application is made by a public authority in an urgent case:
For the purpose of preventing or detecting serious crime (where the communications data is wholly or partly events data) or, in any other case, for the purpose of preventing or detecting crime or of preventing disorder.33 Serious crime is defined as a criminal offence that involves conduct entailing the use of violence, results in substantial financial gain or is conduct by a large number of persons in pursuit of a common purpose.28
In the interests of public safety.
For the purposes of preventing death or injury or any damage to a person’s physical or mental health, or of mitigating any injury or damage to a person’s physical or mental health.
To assist investigations into alleged miscarriages of justice.
Where a person (P) has died or is unable to identify themselves because of a physical or mental condition, so as to assist in identifying P or to obtain information about P’s next of kin or other persons connected with P or about the reasons for P’s death or condition.
The DSO may only grant an authorisation in urgent cases if it considers that it is necessary and proportionate and there is an urgent need to obtain the data.29 An example of an urgent case is where there is “an immediate threat of loss or serious harm to human life”.30 However, that “any part of an investigation or operation is undertaken urgently must not be taken to mean that all requirements to obtain communications data in connection with that investigation of operation can be undertaken using the urgent process”.31 Therefore, the application must make clear why it is not possible to use the standard process in the particular circumstances of the case.32
What conduct can be permitted by a data acquisition authorisation?
Under an acquisition authorisation, a public authority may engage in any conduct which is for the purpose of obtaining communications data from any person relating to a telecommunication system.33 In particular, that authorised conduct may include any of the following:34
The authorised officer obtains the communications data themselves.
The authorised officer asks any person that the officer believes is, or may be, in possession of communications data or capable of obtaining it to obtain that data and disclose it to the public authority.
The authorised officer serves an acquisition notice on a telecommunications operator that the officer believes is, or may be, in possession of the communications data and is capable of obtaining that data and disclosing it to the public authority.
In addition, an authorisation may:35
Relate to data that may not exist at the time of the authorisation.
Authorise a person other than the authorised officer to obtain and disclose communications data or carry out any other conduct that enables or facilitates the obtaining of communications data.
Require a telecommunications operator to obtain or disclose communications data from a telecommunications service provided by another operator.
Who can be served with data acquisition notices?
As stated beforehand, an authorisation for the acquisition of communications data can authorise a public authority to obtain the data from a telecommunications operator. If so, the authorisation imposing such requirements on an operator must specify the operator concerned and the nature of the requirements to be imposed.36
An acquisition notice must then be provided to the telecommunications operator. That notice, of which must be given in writing or in a manner that produces a record of its having been given, must specify:37
The office, rank or position held by the person within the public authority giving the notice
The requirements being imposed
The operator to whom the requirements are being imposed
Any notice given “should contain enough information to allow the telecommunications operator to comply with the requirements of the notice”.38 This includes a description of “the communications data to be obtained or disclosed under the notice specifying, where relevant, any historic or future date(s) and, where appropriate, time period(s)”.39 The notice should also “specify the manner in which the data should be disclosed and specify or describe the person(s) to whom the data is to be, or may be, disclosed or how to identify such person(s)”.40 Although, an operator will usually only ever be required to disclose data to the public authority, typically the SPoC.41 An authorisation notice is cancelled when the corresponding authorisation is cancelled.42
It is the duty of a telecommunications operator subject to an acquisition notice to comply with the requirements in the notice.43 In doing so, the operator must only obtain or disclose the amount of data needed in order to comply with the notice.44 Such duties are enforceable by the Secretary of State by civil proceedings.45 However, an operator is not required to take steps to comply with an acquisition notice that are not reasonably practicable to take.46
It is a criminal offence for telecommunications operator or its employees to disclose, without a reasonable excuse, the existence of an acquisition notice or its contents.47 The IPA 2016 does not specify what might constitute a “reasonable excuse” except for when the disclosure is made with the permission of the relevant public authority, of which can be contained in the notice itself.48
The Secretary of State must ensure that arrangements are in place for telecommunications operators to receive an appropriate contribution in respect of the cost of complying with an acquisition notice.49
What are bulk data acquisition warrants?
Scope of bulk acquisition warrants
A bulk acquisition warrant authorises a person to secure by any conduct one or more of a series of specified activities that relate to the acquisition of communications data.50 Those specified activities include:51
Requiring a telecommunications operator to obtain and disclose communications data to a public authority, including data which may not be in the possession of the operator if the operator is capable of obtaining such data. A bulk acquisition warrant may relate to data whether or not in existence at the time of the issuing of the warrant.52
The selection for examination of communications data obtained under the warrant.
The disclosure of communications data to the person to whom the warrant is addressed or to any person acting on the person’s behalf.
Furthermore, a bulk acquisition warrant can authorise any conduct that is necessary to undertake in order to do what is expressly required by the warrant. This includes conduct by a person in pursuance of a requirement under the warrant in order to provide assistance to the person to whom the warrant is addressed.53 However, the communications data that can be obtained under a bulk acquisition warrant is data relating to the acts and intentions of persons outside of the British Islands.54
Restrictions on bulk acquisition warrants
Only the head of an SIA can apply for a bulk acquisition warrant. That application must be made to the Secretary of State, and from there the application is subject to the double lock mechanism involving Judicial Commissioners.55
In addition to this, bulk acquisition warrants must also satisfy three other conditions:
The examination of the communications data sought must be necessary for specified operational purposes.56 Those operational purposes must be sourced from a list of operational purposes maintained by the SIAs57 that is approved by the Secretary of State.58 The Prime Minister is also responsible for reviewing that list at least once a year.59
The examination of the communications data for each operational purpose must be necessary on the relevant statutory grounds.60
There must be satisfactory arrangements in place consisting of safeguards relating to the retention and disclosure of data.61
The relevant statutory grounds include:62
In the interests of national security63
For the purpose of preventing or detecting serious crime, i.e., a criminal offence that involves conduct entailing the use of violence, results in substantial financial gain or is conduct by a large number of persons in pursuit of a common purpose64
In the interests of the economic well-being of the UK so far as those interests are also relevant to the interests of national security
The safeguards that must be in place for a bulk acquisition warrant relate to the copying, storage, dissemination and destruction of communications data in that such processing must be kept to the minimum necessary for the authorised purposes.65 Those “authorised purposes” include the grounds on which a bulk acquisition warrant is issued,66 but also include, for example, where such processing is necessary for facilitating the carrying out of any functions of the Judicial Commissioners or the Investigatory Powers Tribunal.67 Public authorities must ensure that “all copies, extracts and summaries of communications data obtained under a bulk acquisition warrant [are] handled and stored securely, so as to minimise loss or theft”.68 Only those with the appropriate security clearance should be able to access the data.69
Serving bulk acquisition warrants
Bulk acquisition warrants may also be served on telecommunications operators. Public authorities may act through, or together with, other persons so that such persons can provide assistance in giving effect to the warrant.70 This can be done by serving a copy of the warrant on the assisting person,71 of whom can be outside of the UK.72 It must be served in a way that the contents of the warrant are brought to the attention of the assisting person.73 In particular, the warrant “must specify the communications data to be obtained” and should also detail the steps “required to take to give effect to the warrant”.74 The specification of “any other details regarding the means of acquisition of the data and delivery” should also be included.75
An assisting person can be a telecommunications operator. That operator must take all the necessary steps to give effect to the warrant as instructed by the public authority.76 Such a duty may be enforced by the Secretary of State by civil proceedings,77 however the operator is not required to take any steps which it is not reasonably practicable for the operator to take.78
The Secretary of State must ensure that arrangements are in place for telecommunications operators to receive an appropriate contribution in respect of the cost of complying with a bulk acquisition warrant.79
A telecommunications operator served with a warrant must keep it confidential80 unless there is a reasonable excuse for disclosure, such as the permission of the Secretary of State.81 Non-compliance with this duty of confidentiality is a criminal offence.82
Operational case for the acquisition of communications data
Public authorities use communications data “to develop intelligence leads, to help them focus on individuals who may be a threat to national security, or to discount individuals seen in contact with those under investigation”.83 For example, in 2015, MI5 was able to use bulk communications data to identify a foreign national associated with ISIL who had visited the UK for a period of time.84 Through the analysis of that data, MI5 “identified a previously unknown telephone used by the individual and this enabled MI5 to understand the purpose of his travel and whether he had been involved in attack planning”.85
In addition, it can be used to “illuminate networks and associations between groups and plots”.86 In 2015, “intelligence indicated that a number of individuals had travelled to Europe in order to conduct attacks in European capital cities”.87 While the names of these individuals were unknown, “MI5 was able to use bulk acquisition data to identify one individual who had travelled to the UK and then on to another European country”.88
Overall, communications data can “help decide quickly, with minimal intrusion and cost, whether contacts of ‘subjects of interest’ are innocent and of no further interest, or are potential co-conspirators”.89 For GCHQ, bulk communications data is the primary way it discovers threats in the UK “together with communications data obtained through bulk interception”.90
Investigatory Powers Act 2016, Schedule 4.
Investigatory Powers Act 2016, s.70(3).
Investigatory Powers Act 2016, Schedule 4.
Investigatory Powers Act 2016, s.64(4).
Investigatory Powers Act 2016, s.76(A1).
Home Office, Communications Data Code of Practice (November 2018), para. 4.4.
Investigatory Powers Act 2016, s.70(2A).
Investigatory Powers Act 2016, s.73(1).
Investigatory Powers Act 2016, s.238(5).
Home Office, Communications Data Code of Practice (November 2018), para. 4.11.
Investigatory Powers Act 2016, s.60A(7)(d).
Investigatory Powers Act 2016, s.60A(1).
Investigatory Powers Act 2016, s.70(5A).
Investigatory Powers Act 2016, s.61(1).
Investigatory Powers Act 2016, s.77(2).
Investigatory Powers Act 2016, Schedule 4.
Home Office, Communications Data Code of Practice (November 2018), para. 9.3.
Investigatory Powers Act 2016, ss.62(A2) and 62(2).
Investigatory Powers Act 2016, s.62(3).
Investigatory Powers Act 2016, ss.62(4)(b)(i) and 62(5)(c)(i).
Investigatory Powers Act 2016, ss.62(4)(b)(iii) and 62(5)(c)(iii).
Investigatory Powers Act 2016, ss.62(4)(b)(ii) and 62(5)(c)(ii).
Investigatory Powers Act 2016, ss.60A(1)(b) and 61(1)(b).
Investigatory Powers Act 2016, s.60A(7).
Investigatory Powers Act 2016, s.60A(8).
Investigatory Powers Act 2016, s.263(1).
Investigatory Powers Act 2016, s.263(1).
Investigatory Powers Act 2016, s.263(1).
Investigatory Powers Act 2016, s.61A(1).
Home Office, Communications Data Code of Practice (November 2018), para. 5.13.
Home Office, Communications Data Code of Practice (November 2018), para. 5.29.
Investigatory Powers Act 2016, s.64(1).
Investigatory Powers Act 2016, s.61(2).
Investigatory Powers Act 2016, s.61(4).
Investigatory Powers Act 2016, s.61(5).
Investigatory Powers Act 2016, s.64(2).
Investigatory Powers Act 2016, s.64(3).
Home Office, Communications Data Code of Practice (November 2018), para. 6.22.
Home Office, Communications Data Code of Practice (November 2018), para. 6.23.
Home Office, Communications Data Code of Practice (November 2018), para. 6.23.
Home Office, Communications Data Code of Practice (November 2018), para. 6.26.
Investigatory Powers Act 2016, s.65(7)(b).
Investigatory Powers Act 2016, s.66(1).
Investigatory Powers Act 2016, s.66(2).
Investigatory Powers Act 2016, s.66(5).
Investigatory Powers Act 2016, s.66(3).
Investigatory Powers Act 2016, s.82(1).
Investigatory Powers Act 2016, s.82(3).
Investigatory Powers Act 2016, s.249(1).
Investigatory Powers Act 2016, s.158(5).
Investigatory Powers Act 2016, s.158(6).
Investigatory Powers Act 2016, s.158(8).
Investigatory Powers Act 2016, s.159(7).
Investigatory Powers Act 2016, s.158(3).
Investigatory Powers Act 2016, ss.158(1) and 159.
Investigatory Powers Act 2016, s.158(1)(c)(i).
Investigatory Powers Act 2016, s.161(4).
Investigatory Powers Act 2016, s.161(6).
Investigatory Powers Act 2016, s.161(10).
Investigatory Powers Act 2016, s.158(1)(c)(ii).
Investigatory Powers Act 2016, s.158(1)(d).
Investigatory Powers Act 2016, s.158(2).
Investigatory Powers Act 2016, s.158(1)(a)(i).
Investigatory Powers Act 2016, s.263(1).
Home Office, Bulk Acquisition of Communications Data Code of Practice (March 2018), para. 9.5.
Investigatory Powers Act 2016, s.171(3)(a).
Investigatory Powers Act 2016, s.171(3)(c).
Home Office, Bulk Acquisition of Communications Data Code of Practice (March 2018), para. 9.5.
Home Office, Bulk Acquisition of Communications Data Code of Practice (March 2018), para. 9.5.
Investigatory Powers Act 2016, s.168(1).
Investigatory Powers Act 2016, s.168(2).
Investigatory Powers Act 2016, s.168(3).
Investigatory Powers Act 2016, s.169(2).
Home Office, Bulk Acquisition of Communications Data Code of Practice (March 2018), para. 7.3.
Home Office, Bulk Acquisition of Communications Data Code of Practice (March 2018), para. 7.3.
Investigatory Powers Act 2016, s.170(1).
Investigatory Powers Act 2016, s.170(5).
Investigatory Powers Act 2016, s.170(3).
Investigatory Powers Act 2016, s.249(1).
Investigatory Powers Act 2016, s.174(1).
Investigatory Powers Act 2016, s.174(2).
Investigatory Powers Act 2016, s.174(3).
Intelligence and Security Committee, Access to Communications Data by the Intelligence and Security Agencies (Cm 85134, 2013), p.9.
David Anderson QC, Report of the Bulk Powers Review (Cm 9326, 2016), Annex 9 Case Studies – Bulk Acquisition, Case study A9/8.
David Anderson QC, Report of the Bulk Powers Review (Cm 9326, 2016), Annex 9 Case Studies – Bulk Acquisition, Case study A9/8.
Intelligence and Security Committee, Access to Communications Data by the Intelligence and Security Agencies (Cm 85134, 2013), p.9.
David Anderson QC, Report of the Bulk Powers Review (Cm 9326, 2016), Annex 9 Case Studies – Bulk Acquisition, Case study A9/1.
David Anderson QC, Report of the Bulk Powers Review (Cm 9326, 2016), Annex 9 Case Studies – Bulk Acquisition, Case study A9/1.
Intelligence and Security Committee, Access to Communications Data by the Intelligence and Security Agencies (Cm 85134, 2013), p.9.
David Anderson QC, Report of the Bulk Powers Review (Cm 9326, 2016), para. 6.5.