Covert Surveillance Policy and Procedure
3. Covert surveillance
Under s48(2) Regulation of Investigatory Powers Act 2000 (“RIPA”), surveillance includes:
- monitoring, observing or listening or persons, their movements, their conversations or their other activities or communications
- recording anything monitored, observed or listened to in the course of surveillance
- surveillance by or with the assistance of a surveillance device
Most of the council’s surveillance activities will be overt. Under s26(9)(a) of RIPA, surveillance is “covert” if, and only if, it is carried out in a manner that is calculated to ensure that persons who are subject to the surveillance are unaware that it is or may be taking place.
Covert surveillance can be an important tool in assisting the council’s officers to fulfil their duties in relation to the prevention and detection of crime or the prevention of disorder. This includes the prevention and detection of anti-social behaviour.
RIPA distinguishes between two categories of covert surveillance, namely directed surveillance and intrusive surveillance.
Directed surveillance
“Directed surveillance” is defined under s.26(2) as covert surveillance that is not intrusive surveillance and is undertaken:
- for the purposes of a specific investigation or operation
- in such a manner as is likely to result in the obtaining of private information about a person (whether or not that person is a person subject to the investigation)
- otherwise than by way of an immediate response to events or circumstances the nature of which is such that it would not be reasonably practicable for an authorisation under RIPA to be sought for the carrying out of surveillance
This can include surveillance of Council employees. However, it should be noted that a public authority may only seek authorisation under RIPA when it is performing its ‘core functions’. ‘Core functions’ are the specific public functions undertaken by a particular public authority, in contrast to its ‘ordinary functions’ which are those undertaken by all authorities. For example, the disciplining of an employee is not a core function, although related criminal investigations may be.
“Private information” about a person should be taken generally to include any aspect of a person’s private or personal relationship with others, including family and professional or business relationships. The covert surveillance of a person’s activities in a public place may result in the obtaining of private information where a person has a reasonable expectation of privacy; and where a record is being made by a public authority of that person’s activities.
“Private information” includes personal data, such as names, telephone numbers and address details.
Regard must be had to the totality of any records held about a person, even where individual records do not constitute “private information”.
There are two further situations which may constitute directed surveillance:
- Where information is derived from surveillance devices which provide information about the location of a vehicle alone, and is coupled with other surveillance activity from which private information is obtained. However, the use of vehicle surveillance devices in itself does not necessarily involve the provision of “private information”.
- Where postal or telephone communications are intercepted and once either the sender or recipient has consented to the interception (and where there is no interception warrant).
Intrusive surveillance
Intrusive Surveillance is defined under s.26(3) as covert surveillance that is:
- carried out in relation to anything taking place on any residential premises or in any private vehicle; and
- involves the presence of an individual on the premises or in the vehicle or is carried out by means of a surveillance device on the premises or in the vehicle or is carried out by means of a surveillance device that, although not on the premises or in the vehicle, provides information of the same quality and detail as might be expected to be obtained from a device actually present on the premises or in the vehicle.
It is not necessary to consider whether intrusive surveillance is likely to result in the obtaining of “private information” . The categorisation of surveillance as “intrusive” relates to the location of the surveillance activity rather than the nature of the information obtained.
For the purposes of RIPA, residential premises include hotel rooms, hostel rooms and prisons but not common areas to which a person is allowed access in connection with occupation (for example a communal stairway, hotel reception area or dining room, or front garden or driveway which is readily visible to the public) .
The definition of “premises” under RIPA is broad, and extends to any place whatsoever, including any vehicle or moveable structure, whether or not occupied as land.
Under the Regulation of Investigatory Powers (Extension of Authorisation Provisions: Legal Consultations) Order 2010, directed surveillance shall be intrusive surveillance if carried out on the following premises:
- any place where persons serving sentences, in custody or on remand may be detained
- any place of detention pursuant to immigration powers
- police stations
- hospitals where high security psychiatric services are provided
- the place of business of any legal adviser
- any place used for the business of a court, tribunal, inquest or inquiry
The Council’s officers cannot authorise intrusive surveillance under RIPA.
Online covert surveillance
The Home Office Revised Code of Practice on Covert Surveillance and Property Interference, published in August 2018, provides the following guidance in relation to covert online activity:
‘The growth of the internet, and the extent of the information that is now available online, presents new opportunities for public authorities to view or gather information which may assist them in preventing or detecting crime or carrying out other statutory functions, as well as in understanding and engaging with the public they serve. It is important that public authorities are able to make full and lawful use of this information for their statutory purposes. Much of it can be accessed without the need for RIPA authorisation; use of the internet prior to an investigation should not normally engage privacy considerations. But if the study of an individual’s online presence becomes persistent, or where material obtained from any check is to be extracted and recorded and may engage privacy considerations, RIPA authorisations may need to be considered. The following guidance is intended to assist public authorities in identifying when such authorisations may be appropriate.
The internet may be used for intelligence gathering and/or as a surveillance tool. Where online monitoring or investigation is conducted covertly for the purpose of a specific investigation or operation and is likely to result in the obtaining of private information about a person or group, an authorisation for directed surveillance should be considered, as set out elsewhere in this code. Where a person acting on behalf of a public authority is intending to engage with others online without disclosing his or her identity, a CHIS authorisation may be needed (paragraphs 4.29 to 4.35 of the Covert Human Intelligence Sources code of practice provide detail on where a CHIS authorisation may be available for online activity).
In deciding whether online surveillance should be regarded as covert, consideration should be given to the likelihood of the subject(s) knowing that the surveillance is or may be taking place. Use of the internet itself may be considered as adopting a surveillance technique calculated to ensure that the subject is unaware of it, even if no further steps are taken to conceal the activity. Conversely, where a public authority has taken reasonable steps to inform the public or particular individuals that the surveillance is or may be taking place, the activity may be regarded as overt and a directed surveillance authorisation will not normally be available.
As set out below, depending on the nature of the online platform, there may be a reduced expectation of privacy where information relating to a person or group of people is made openly available within the public domain, however in some circumstances privacy implications still apply. This is because the intention when making such information available was not for it to be used for a covert purpose such as investigative activity. This is regardless of whether a user of a website or social media platform has sought to protect such information by restricting its access by activating privacy settings.
Where information about an individual is placed on a publicly accessible database, for example the telephone directory or Companies House, which is commonly used and known to be accessible to all, they are unlikely to have any reasonable expectation of privacy over the monitoring by public authorities of that information. Individuals who post information on social media networks and other websites whose purpose is to communicate messages to a wide audience are also less likely to hold a reasonable expectation of privacy in relation to that information.
Whether a public authority interferes with a person’s private life includes a consideration of the nature of the public authority’s activity in relation to that information. Simple reconnaissance of such sites (i.e. preliminary examination with a view to establishing whether the site or its contents are of interest) is unlikely to interfere with a person’s reasonably held expectation of privacy and therefore is not likely to require a directed surveillance authorisation. But where a public authority is systematically collecting and recording information about a particular person or group, a directed surveillance authorisation should be considered. These considerations apply regardless of when the information was shared online.’
In order to determine whether a directed surveillance authorisation should be sought for accessing information on a website as part of a covert investigation or operation, it is necessary to look at the intended purpose and scope of the online activity it is proposed to undertake. Factors that should be considered in establishing whether a directed surveillance authorisation is required include:
- whether the investigation or research is directed towards an individual or organisation;
- whether it is likely to result in obtaining private information about a person or group of people (taking account of the guidance [above]);
- whether it is likely to involve visiting internet sites to build up an intelligence picture or profile;
- whether the information obtained will be recorded and retained;
- whether the information is likely to provide an observer with a pattern of lifestyle;
- whether the information is being combined with other sources of information or intelligence, which amounts to information relating to a person’s private life;
- whether the investigation or research is part of an ongoing piece of work involving repeated viewing of the subject(s);
- whether it is likely to involve identifying and recording information about third parties, such as friends and family members of the subject of interest, or information posted by third parties, that may include private information and therefore constitute collateral intrusion into the privacy of these third parties
Internet searches carried out by a third party on behalf of a public authority, or with the use of a search tool, may still require a directed surveillance authorisation.
Aerial covert surveillance
The Home Office Revised Code of Practice also provides the following guidance in relation to aerial surveillance:
Where surveillance using airborne crafts or devices, for example helicopters or unmanned aircraft (colloquially known as ‘drones’), is planned, the same considerations outlined in chapters 3 and 5 of this code should be made to determine whether a surveillance authorisation is appropriate. In considering whether the surveillance should be regarded as covert, account should be taken of the reduced visibility of a craft or device at altitude.