Anderson Review

RIPA Part I, DRIPA 2014 and Part 3 of CTSA 2015 should be replaced by a
comprehensive new law, drafted from scratch, which:
(a) affirms the privacy of communications;
(b) prohibits interference with them by public authorities, save on terms specified; and
(c) provides judicial, regulatory and parliamentary mechanisms for authorisation, audit and oversight of such interferences.

The new law should amend or replace RIPA Part IV. If Recommendation 82 below
is adopted, changes will also be needed to Police Act 1997 Part III, RIPA Parts II and
III and RIP(S)A.

The new law should be written so far as possible in non-technical language.

The new law should be structured and expressed so as to enable its essentials to be
understood by intelligent readers across the world.

The new law should cover all essential features, leaving details of implementation
and technical application to codes of practice to be laid before Parliament and to guidance which should be unpublished only to the extent necessary for reasons of national security.

The following should be brought into the new law and/or made subject to equivalent conditions to those recommended here:
(a) the general power under TA 1984 s94, so far as it relates to matters covered by this Review (cf. ISC Report, Recommendation VV);

(b) equipment interference (or CNE) pursuant to ISA 1994 ss5 and 7, so far as it is
conducted for the purpose of obtaining electronic communications (cf. ISC
Report, Recommendations MM-PP);
(c) interception pursuant to WTA 2006 ss48-49 (cf. ISC Report, Recommendations
XX-ZZ); and
(d) the acquisition and use of bulk personal data (cf. ISC Report, Recommendation X).

The new law should repeal or prohibit the use of any other powers providing for interference with communications. But for the avoidance of doubt, no recommendations are made in relation to the use of court orders to access stored communications (e.g. PACE s9) or the searching of devices lawfully seized, save
that it is recommended that oversight should be extended to the former
(Recommendation 92(d) below).

The new law should define as clearly as possible the powers and safeguards
governing:
(a) the receipt of intercepted material and communications data from international
partners; and
(b) the sharing of intercepted material and communications data with international
partners;
(Recommendations 76-78 below).

Existing and future intrusive capabilities within the scope of this Review that are used
or that it is proposed be used should be (cf. ISC Report, Recommendation BBB):
(a) promptly avowed to the Secretary of State and to ISIC;
(b) publicly avowed by the Secretary of State at the earliest opportunity consistent
with the demands of national security; and, in any event,
(c) used only if provided for in statute and/or a Code of Practice in a manner that
is sufficiently accessible and foreseeable to give an adequate indication of the
circumstances in which, and the conditions on which, communications may be accessed by public authorities.

Within the constraints imposed by national security, the current restrictions and
prohibitions relating to the disclosure of warrants and intercepted material (RIPA
ss15 and 19, Official Secrets Act 1989 s4) should be clarified and reviewed (cf. ISC Report, Recommendation C) in order to ensure, in particular, that:
(a) there is no legal obstacle to explaining the uses (and utility) of warrants to Parliament, courts and public, and that

(b) as recommended by the Police Ombudsman for Northern Ireland in his report
of 30 October 2014 on the Omagh bombing, there is “ absolute clarity as to how
specific aspects of intelligence can be shared in order to assist in the
investigation of crime ”.

Breach of Codes of Practice should not automatically constitute a criminal offence:
any new criminal offence or enhanced penalty (cf. JCDCDB Report paras 227 and 229; ISC Report, Recommendation T) should be specifically identified in the new law.

The definitions of content and of communications data, and any subdivisions, should be reviewed, with input from all interested parties including service providers, technical experts and NGOs, so as to ensure that they properly reflect both current and anticipated technological developments and the privacy interests attaching to different categories of material and data. Content and communications data should
continue to be distinguished from one other, and their scope should be clearly
delineated in law.

ATCSA 2001 Part 11 should be repealed, and the voluntary code of practice issued under it should be withdrawn.

The Home Secretary should be able by Notice (as under DRIPA 2014 s1 and CTSA 2015 s21) to require service providers to retain relevant communications data for periods of up to a year, if the Home Secretary considers that the requirement is
necessary and proportionate for purposes laid down in Article 15(1) of the e-Privacy
Directive.

In relation to the subject matter of the 2012 Communications Data Bill, Government
should initiate an early and intensive dialogue with law enforcement and CSPs in
order to formulate an updated and coordinated position, informed by legal and
technical advice, on the operational case for adding web logs (or the equivalent for non-web based OTT applications) to the data categories currently specified in the Schedule to the Data Retention Regulations 2014 for the purposes of:
(a) resolving shared IP addresses or other identifiers (in particular, to identify the user of a website);
(b) identifying when a person has communicated through a particular online service provider (so as to enable further enquiries to be pursued in relation to that provider); and/or
(c) allowing websites visited by a person to be identified (to investigate possible criminal activity).

Full consideration should be given to alternative means of achieving those purposes,
including existing powers, and to the categories of data that should be required to be
retained, which should be minimally intrusive. If a sufficiently compelling operational
case has been made out, a rigorous assessment should then be conducted of the
lawfulness, likely effectiveness, intrusiveness and cost of requiring such data to be retained. No detailed proposal should be put forward until that exercise has been performed.

The rules regarding retention of data by CSPs should comply (to the extent that it may be applicable) with EU law as contained e.g. in Joined Cases C-293/12 and C­594/12 Digital Rights Ireland and with the ECHR, particularly as regards:
(a) limits on the data whose retention may be required;
(b) ensuring that retention periods are no longer than necessary;
(c) ensuring the protection and security of data and their destruction when the retention period ends; and
(d) the location in which data are stored.

To the extent that a requirement is placed on CSPs that may result in them retaining
partial or complete web logs or equivalent , the circumstances in which access may
be sought by public authorities and the conditions on which access should be granted
should be the subject of guidance in a Code of Practice and/or from ISIC, and sufficient records should be kept to allow ISIC to verify through regular audit and
inspection that requests have been properly authorised.

There should be no question of progressing proposals for the compulsory retention of third party data before such time as a compelling operational case may have been made, there has been full consultation with CSPs and the various legal and technical issues have been fully bottomed out. None of those conditions is currently satisfied.

The capability of the security and intelligence agencies to collect and analyse intercepted material in bulk should be maintained, subject to rulings of the courts, but used only subject to the safeguards in Recommendations 40-49 and 72-80 below,
and only in cases where it is necessary to achieve an objective that cannot be
achieved by the new and less extensive power in Recommendation 42(b) below.

In relation to interception and the acquisition of communications data, the following
types of compulsory warrant and authorisation should be available:
(a) For the interception of communications in the course of transmission,

 an specific interception warrant
 a combined warrant
 a bulk interception warrant.
(b) For the acquisition of communications data in bulk, a bulk communications data
warrant.
(c) For the acquisition of communications data otherwise than in bulk, an authorisation.

To the extent that Recommendation 6 above is adopted, the analogous activities there referred to should be subject to equivalent procedures.

Specific interception warrants, combined warrants, bulk interception warrants and bulk communications data warrants should be issued and renewed only on the authority of a Judicial Commissioner.

Authorisations for the acquisition of communications data otherwise than in bulk should be issued only on the authority of a DP authorised to do so by the authorising
body.

It is not recommended that service providers wishing to offer services in the UK should be required to have a licence, or that they should be required to store data in the UK. But in order to address deficiencies in access to material from overseas
service providers, the Government should:
(a) seek the cooperation of overseas service providers, including by explaining so
far as possible the nature of the threat, how requests are authorised and overseen, and the steps that are taken to ensure that they are necessary and
proportionate;
(b) seek the improvement and abbreviation of MLAT procedures, in particular with
the US Department of Justice and the Irish authorities; and
(c) take a lead in developing and negotiating a new international framework for data-sharing among like-minded democratic nations.

Pending a satisfactory long-term solution to the problem, extraterritorial application
should continue to be asserted in relation to warrants and authorisations (DRIPA
2014 s4), and consideration should be given to extraterritorial enforcement in appropriate cases.

Only those persons currently specified in RIPA s6 should be entitled to apply for a specific interception warrant.

Specific interception warrants should be limited to a single person, premises or
operation. Where a warrant relates to an operation, each person or premises to which
the warrant is to apply, to the extent known at the time of the application, should be
individually specified on a schedule to the warrant, together with the selectors (e.g.
telephone numbers) applicable to that person or premises.

The only purposes for which a specific interception warrant can be issued should be, as under RIPA s5(3):
(a) preventing or detecting serious crime (including by giving effect to a mutual legal assistance agreement), or
(b) in the interests of national security (including safeguarding the economic well­being of the UK in a respect directly linked to the interests of national security).

Applications for interception warrants should contain the following information:
(a) The background to the operation or investigation in the context of which the warrant is sought;
(b) The person(s) or premises to which the application relates, to the extent known at the time of application, and how they feature in the operation;
(c) A description of the communications to be intercepted, details of the service provider(s) and an assessment of the feasibility of the interception to the extent known at the time of application;
(d) A description of the conduct to be authorised or the conduct it is necessary to
undertake in order to carry out what is authorised or required by the warrant;
(e) An explanation of why that conduct is considered to be necessary for one or
more of the permitted statutory purposes;
(f) An explanation of why any likely intrusion into privacy is proportionate to what is sought to be achieved by that conduct, explaining why less intrusive alternatives have not been or would not be as effective;
(g) Consideration of any collateral intrusion and why that intrusion is justified in the circumstances;
(h) Whether the application is made for the purposes of determining matters that are privileged or confidential such as (for example) the identity or a witness or
prospective witness being contacted by a lawyer or the identity of or a
journalist’s confidential source ;
(i) Whether the application relates to a person who is known to be a member of a profession that handles privileged or confidential information (including medical doctors, lawyers, journalists, Members of Parliament or ministers of religion),
and if so what protections it is proposed will be applied;

(j) Where an application is urgent, the supporting justification;
(k) An assurance that all material intercepted will be kept for no longer than
necessary in accordance with the applicable rules, and handled in accordance
with the applicable procedures for minimisation, secure holding and
destruction.

When a specific interception warrant is sought for the purpose specified in Recommendation 28(b) above (national security) and that purpose relates to the
defence of the UK and/or the foreign policy of the Government, the Secretary of State
should have the power to certify that the warrant is required in the interests of the defence and/or foreign policy of the UK. In such cases, the Judicial Commissioner in determining whether to issue the warrant (Recommendation 31 below) should be able to depart from that certificate only on the basis of the principles applicable in judicial
review.

A specific interception warrant should be issued only if it is established to the
satisfaction of a Judicial Commissioner that:
(a) the warrant is necessary for one or both of the permitted statutory purposes
(Recommendation 28 above);
(b) the conduct authorised by the warrant is proportionate to what is sought to be
achieved by that conduct; and
(c) the assurances regarding the handling, retention, use and destruction of the intercepted material, including in relation to privileged or confidential material,
are satisfactory.

Arrangements should be put in place for the prompt consideration of urgent
applications for specific interception warrants from any part of the UK and at any time.

Should an application for a specific interception warrant be rejected, the Judicial Commissioner should give reasons for rejection. In the event of rejection, the
applicant for a warrant should be able to:
(a) re-submit an amended application, addressing the defects or omissions
identified by the Judicial Commissioner; or
(b) request a final ruling on the original application from the Chief Judicial Commissioner, by way of appeal from the original rejection.
The Chief Judicial Commissioner may consider any such appeal in conjunction with
one or more other Judicial Commissioners.

It should normally be for a Judicial Commissioner to make major modifications to a specific interception warrant, e.g. the addition of a new person or premises to the
schedule. So far as applicable, the information listed at Recommendation 29 above
should be supplied and considered before such a modification is authorised. However, a Judicial Commissioner should have the power to authorise a DP meeting

the requirements set out in Recommendations 56 and 57 below to make major
modifications to a specific interception warrant on the basis that such modifications
are then notified promptly to the Judicial Commissioner. The circumstances in which
this could be appropriate should be specified in a Code of Practice and might include,
for example, (1) urgent or fast moving cases, and (2) cases in which the interference with privacy is always likely to be small, or to be consistent across possible targets.

Provision should be made for minor modifications (e.g. the addition of a new
telephone number for an existing target) to be made, after consideration of the
implications if any for privacy, collateral intrusion and proportionality, by a DP meetin g
the requirements set out in Recommendations 56 and 57 below.

A Judicial Commissioner should have the power to cancel a specific interception warrant at any time, if it appears to the Judicial Commissioner that one or more of the
conditions for its issue are no longer satisfied.

Specific interception warrants should have a duration of six months. The Judicial
Commissioner who issues the warrant should have a discretion to require that it be reviewed by a Judicial Commissioner at a specified time before its expiry.

Warrant renewals should take effect from the date of expiry of the warrant (as currently under RIPA Part I Chapter 2) rather than from the date of renewal (as currently under RIPA Part I Chapter 1).

Combined warrants should be subject to the same rules as interception warrants,
save that:
(a) They may authorise, in the context of a given operation, more than one of (1)
interception, (2) intrusive surveillance and (3) property interference.
(b) They must explain why the conditions for each type of warrant are satisfied, and why it is necessary and proportionate for a combined warrant to be issued.

Only the Director General of MI5, the Chief of MI6 and the Director of GCHQ, in each case with the approval of the Secretary of State, should be eligible to apply for bulk warrants.

The restrictions in Recommendation 27 should not apply to bulk warrants.

There should be two types of bulk warrant:
(a) bulk interception warrants, which would allow content and related communications data to be obtained; and
(b) bulk communications data warrants, which would allow only communications
data to be obtained.

A bulk interception warrant should never be applied for, approved or authorised in
circumstances where a bulk communications data warrant would suffice.

The purposes for which a bulk warrant is sought should be:
(a) limited to the permitted statutory purposes (Recommendation 28 above);
(b) in lieu of the certificate provided for by RIPA s8(4)(b)), limited to one or more
specific operations or mission p urposes (e.g. “ attack planning by ISIL in
Iraq/Syria against the UK ”).

Bulk interception warrants should, in addition, be required to be targeted at the recovery of intercepted material comprising the communications of persons believed to be outside the UK at the time of those communications. It should be determined (if Recommendation 42(b) is adopted) whether an analogous restriction is necessary
or desirable in relation to bulk communications data warrants.

Applications for bulk warrants should contain the following information:
(a) The specific operation(s) or mission purpose(s) in respect of which they are
sought;
(b) Description of the communications to be intercepted or acquired, details of the
CSP(s) and an assessment of the feasibility of the interception or acquisition;
(c) Description of the conduct to be authorised, or the conduct it is necessary to
undertake in order to carry out what is authorised or required by the warrant;
(d) A statement specifying both the statutory purpose(s) and, as precisely as possible, the operations or mission purposes in relation to which material is
sought;
(e) An explanation, backed by evidence, of why the interception or acquisition is
considered to be necessary for one or more of the permitted statutory purposes and for the operations or mission purposes identified;
(f) An explanation of why any likely intrusion into privacy is proportionate to what
is sought to be achieved by that conduct, explaining why less intrusive
alternatives have not been or would not be as effective;
(g) Consideration of any collateral intrusion and why that intrusion is justified in the circumstances;
(h) Whether the application could result in acquisition of material or data that is privileged or confidential material, and if so what protections it is proposed will be applied;
(i) In the case of a bulk interception warrant, an explanation of why a bulk communications data warrant would not be an adequate alternative;

(j) In the case of a bulk communications data warrant, an explanation of why an
authorisation would not be an adequate alternative;
(k) Where an application is urgent, supporting justification;
(l) Details of the use that it is proposed to make of the data that is recovered,
including in relation to possible sharing and use in combination with other datasets;
(m) An assurance that all material recovered will be retained no longer than
necessary, looked at, used or analysed only for certified purposes and in
accordance with the applicable rules, and handled in accordance with the applicable procedures for minimisation, secure holding and destruction.

When approving a bulk warrant that is sought in whole or in part for the purpose
referred to in Recommendation 28(b) above (national security), and when that
purpose relates to the defence of the UK and/or the foreign policy of the Government,
the Secretary of State should certify:
(a) that the warrant is required in the interests of the defence and/or foreign policy of the UK; and
(b) that it is required for the operation(s) and/or mission purpose(s) identified.

In such cases, the Judicial Commissioner in determining whether to issue the warrant (Recommendation 48 below) may depart from that certificate only on the basis of the principles applicable in judicial review.

A bulk warrant should be issued only if it is established to the satisfaction of a Judicial
Commissioner that:
(a) its purpose and targets are limited by reference to the factors identified in
Recommendations 43 and 44 above;
(b) it is necessary for one or more of the permitted statutory purposes;
(c) it is necessary for the mission purpose(s) and/or operation(s) identified;
(d) in the case of a bulk interception warrant, it is necessary for the warrant to apply to content as well as communications data;
(e) the conduct authorised by the warrant is proportionate to what is sought to be
achieved by that conduct; and that
(f) the assurances regarding the handling, retention, use and destruction of the
intercepted material or acquired data, including in relation to privileged or confidential material, are satisfactory.

Recommendations 32-38 above should apply also to bulk warrants, save that any
modification to a bulk warrant must be authorised by a Judicial Commissioner.

Public authorities with relevant criminal enforcement powers should in principle be
able to acquire communications data. It should not be assumed that the public
interest is served by reducing the number of bodies with such powers, unless there are bodies which have no use for them. There should be a mechanism for removing public authorities (or categories of public authorities) which no longer need the
powers, and for adding those which need them.

The issue of which (if any) categories of communications data should be unavailable
to certain public authorities should be reviewed, in the light of Recommendation 12 above and any revision of procedures for authorisation and review. (Some examples
of the potential value to local authorities of what is currently known as traffic data are
at Annex 16 to this report.)

The grounds on which communications data may be acquired should remain as set
out in RIPA s22(2), subject to any limitation (relating, for example, to the need for crime to exceed a certain threshold of seriousness, which would not necessarily need
to be set at the same level as in RIPA s81(2)(b)) that may be required by EU law or
the ECHR.

Communications data should be acquired only after the grant by a DP of an
authorisation. Details of the authorisation should be served on a CSP where it appears to the DP that the CSP is or may be in possession of, or capable of obtaining,
any communications data. The distinction between an authorisation and a notice
(RIPA s22) is unnecessary and should be abandoned.

The application for an authorisation should set out the matters specified in the Acquisition and Disclosure of Communications Data Code of Practice (March 2015) 3.5-3.6.

An authorisation should be granted only if the DP is satisfied, having taken the advice of the SPoC and considered all the matters specified in the application, that it is necessary and proportionate to do so.

DPs should be persons of the requisite rank or position with the requesting public
authority or another public authority. The Regulation of Investigatory Powers
(Communications Data) Order 2010 should be revised after consultation in the light
of:
(a) Recommendation 12 above;
(b) the comments of IOCCO (December 2014 submission to the Review, 3.3) on
the appropriate rank of DPs and the need for consistency across public authorities and in relation to comparable methods of surveillance; and

(c) The new functions placed on DPs and summarised at Recommendations 59(b)
and 60 below.

DPs should be adequately trained in human rights principles and legislation (including
in relation to privileged or confidential material), and may grant authorisations only
when and to the extent that it is necessary and proportionate to do so in the specific circumstances.

As recently stated in the ISC Report, Recommendation HH: “ there should always be
a clear line of separation within the Agencies between investigative teams who request approval for a particular activity, and those within the Agency who authorise it”. DPs (including in the security and intelligence agencies) should be required by
statute to be independent from operations and investigations when granting authorisations related to those operations and investigations, and this requirement
should be implemented in a manner consistent with the ECHR and EU law.

The function of DPs should be:
(a) To authorise the acquisition of communications data (Recommendation 55
above);
(b) To make references to ISIC on applications for privileged/confidential material and, where appropriate, on novel/contentious applications (Recommendations 68 and 70 below).

In addition, DPs appointed by the nine bodies entitled to intercept communications data should be entitled to authorise minor modifications to specific interception
warrants (Recommendation 35 above).

No authorisation should be granted (save in exceptional circumstances specified in
the new law) without the prior opinion of an accredited SPoC. The purpose of the SPoC should be:
(a) to ensure that only practical and lawful requirements for communications data are undertaken; and
(b) to facilitate the lawful acquisition of communications data, and effective co­operation between a public authority and CSPs.

The functions of the SPoC should be set out in statute along the lines of the March
2015 Code of Practice on the Acquisition and Disclosure of Communications Data,
para 3.22.

SPoCs should not have to be located within the requesting authority. For example, there would be no obstacle to police SPoCs being organised on a regional or national
level, as is NAFN.

In the case of local authorities, the SPoC function should continue to be compulsorily
performed through a SPoC at NAFN.

In the case of the other “ minor users ”, responsible between them for less than 1% of
requests for communications data in 2014, the SPoC function should in future also
be compulsorily performed by a SPoC at NAFN, which will need to be resourced for that purpose.

The requirement in RIPA 2000 ss23A-B of judicial approval by a magistrate or sheriff
for local authority requests for communications data should be abandoned.
Approvals should be granted, after consultation with NAFN, by a DP of appropriate
seniority within the requesting public authority.

When the communications data sought relates to a person who is known to be a
member of a profession that handles privileged or confidential information (including
medical doctors, lawyers, journalists, Members of Parliament or ministers of religion), the new law should provide for the DP to ensure that (1) special consideration is given to the possible consequences for the exercise of rights and freedoms, (2) appropriate
arrangements are in place for the use of the data, and (3) the application is flagged
for the attention of ISIC inspectors.

If communications data is sought for the purposes of determining matters that are privileged or confidential such as (e.g.) (1) the identity or a witness or prospective witness being contacted by a lawyer or (2) the identity of or a journalist’s confidential
source, the DP should be obliged either to refuse the request or to refer the matter to
ISIC for a Judicial Commissioner to decide whether to authorise the request.

A Code of Practice, and/or ISIC guidance, should specify (1) the rare circumstances in which it may be acceptable to seek communications data for such a purpose, and (2) the circumstances in which such requests should be referred to ISIC.

In recognition of the capacity of modern communications data to produce insights of a highly personal nature, where a novel or contentious request for communications data is made, the DP should refer the matter to ISIC for a Judicial Commissioner to
decide whether to authorise the request .

A Code of Practice, and/or ISIC guidance, should specify the circumstances in which
such requests should be referred to ISIC.

Safeguards at least equivalent to those in RIPA s15, as elaborated in Part 7 of the
Interception of Communications draft Code of Practice, should ensure that the

domestic disclosure, dissemination, copying, storage and retention of intercepted
material is limited to the minimum necessary for the authorised purposes.

Equivalent statutory safeguards should be provided in relation to communications
data. In particular, the new law and a Code of Practice issued under it, with the
involvement of the Information Commissioner as appropriate, should make provision for:
(a) why, how and where data are retained within public authorities;
(b) who may access them within the public authority;
(c) with whom the data may be shared, and under what conditions;
(d) the special rules needed as regards the treatment of data that appear to be
privileged or confidential (see Recommendations 67-69 above), and data
relating to a victim or a witness;
(e) the processing of data for reasons going beyond their acquisition;
(f) the use of data in conjunction with other datasets;
(g) the processes for determining which data should be destroyed or further
retained; and
(h) compliance with DPA 1998.

These safeguards should be enforced and backed up by ISIC audits (as currently performed by IOCCO), examining:
(a) how the material and/or data were used or analysed;
(b) whether they were used for the stated or intended purpose;
(c) what actual interference or intrusion resulted, and whether it was proportionate to the aim set out in the original authorisation;
(d) whether the conduct became disproportionate to what was foreseen at the point of authorisation, and if so whether the operational team initiated the withdrawal of the authorisation;
(e) retention, storage and destruction arrangements; and
(f) whether any errors or breaches resulted from the interference or intrusion.

On the basis that MI5, MI6 and GCHQ each apply the safeguards referred to in Recommendations 72-73 above, they should be permitted to share intercepted
material and communications data between them for the purposes of their respective functions.

Any receipt of intercepted material or communications data from third countries
should be on the basis of clearly-defined safeguards, published save insofar as is
necessary for the purposes of national security and monitored by ISIC, including a
warrant governing any intercepted material that is sought (ISC Report,
Recommendations QQ-TT).

Any transfer of intercepted material or communications data to third countries should be on the basis of clearly-defined safeguards, published save insofar as is necessary
for the purposes of national security and monitored by ISIC.

The new law should make it clear that neither receipt nor transfer as referred to in
Recommendations 76-77 above should ever be permitted or practised for the purpose of circumventing safeguards on the use of such material in the UK.

Content that is acquired pursuant to a bulk interception warrant and that relates to a communication involving a person believed to be in the UK should be made available to be read, looked at or listened to only on the basis of a specific interception warrant issued by a Judicial Commissioner (Recommendations 26-38 above): cf. in part ISC
Report, Recommendations Q and R.

The new law should in addition provide for appropriately rigorous and rights-compliant
procedures for the purposes of authorising access to:
(a) content that is acquired pursuant to a bulk warrant and that does not relate to a communication involving a person believed to be in the UK; and
(b) (if Recommendation 42(b) is adopted), communications data that are obtained pursuant to a bulk warrant.

The bar in RIPA s17 on using intercepted material as evidence in legal proceedings (recently endorsed after lengthy consideration in Cm 8989) did not form part of this
Review. Consideration should however be given to adding to the list of exceptions in
RIPA s18, without prejudice to any other possible additions, proceedings before (1) the Parole Commissioners for Northern Ireland and (2) the Sentence Review Commissioners in Northern Ireland.

The Interception of Communications Commissioner’s Office (IOCCO), the Office of Surveillance Commissioners (OSC) and the Intelligence Services Commissioner (ISCommr) (the current Commissioners) should be replaced by a new Independent
Surveillance and Intelligence Commission (ISIC).

It should be the duty of every relevant person to disclose or provide to ISIC all such
documents and information as ISIC may require for carrying out its functions, as is
the case for the current Commissioners under RIPAs s58 and 60 and the Police Act
1997 s107(5)(a).

ISIC (through its Judicial Commissioners: see Recommendations 106-107 below)
should be granted powers:
(a) to issue and renew warrants (Recommendation 22 above);
(b) to make major modifications to specific interception warrants and combined
warrants (Recommendations 34 and 39 above);
(c) to make modifications to bulk warrants (Recommendation 49 above);
(d) to cancel warrants that it has issued (Recommendations 36, 39 and 49 above);
(e) to authorise applications for communications data referred to it by public
authorities pursuant to Recommendations 68 (privileged and confidential material) and 70 (novel and contentious) above; and
(f) to issue guidance (cf. the OSC’s Procedures and Guidance of December 2014) to public authorities in relation to issues arising in relation to applications for warrants and the grant of authorisations, which would supplement the new law
and any codes of practice issued under it and which should be published where
the constraints of national security permit.

The functions referred to in Recommendation 84 above should only be performed by Judicial Commissioners who hold or have held high judicial office (High Court or above), subject to the possibility of delegating certain functions to persons who hold or have held judicial office at least at the level of Circuit Judge. As currently with the OSC, the judicial authorisation function should be independent from and in no sense
subordinate to the other functions of ISIC.

Judicial Commissioners should use their power where appropriate to request further
clarification, information or documents from the requesting public authority, and/or to consult standing counsel on any point of legal difficulty. Public authorities should
have a right of appeal to the Chief Judicial Commissioner (Recommendation 33(b)
above).

ISIC (through its Judicial Commissioners) should also take over from the OSC its
equivalent functions (in relation to public authorities other than the security and intelligence agencies) in relation to intrusive surveillance, property interference and
unde rcover officers under RIPA Part II, RIP(S)A and the Police Act 1997.

ISIC should be resourced so as to enable it to provide a prompt, efficient and reliable
warrantry service in all jurisdictions of the UK.

The existing audit and inspection functions of the current Commissioners should be
transferred to the ISIC, including:
(a) all those set out in RIPA Parts I-III, RIP(S)A and the Police Act 1997, to the extent that they are consistent with the arrangements in the new law;
(b) the audit of the use by security and intelligence agencies of their holdings of bulk personal datasets (cf. ISC Report, Recommendations X and Y); and
(c) the recently granted power to oversee the operation of directions under TA
1984 s94 (IOCCO Report, March 2015, section 10), to the extent that such power may survive the introduction of the new law.

ISIC should have the power to review compliance with the terms of any warrant, authorisation or guidance that may have been issued by the Judicial Commissioners. Where error is found, an Inspector should be able to recommend that the warrant in question be reviewed by a Judicial Commissioner with a view to its possible
modification or cancellation.

In addition, ISIC should have the power to inspect:
(a) The exercise by DPs of all the functions summarised in Recommendations 59
and 60 above;
(b) The treatment by public authorities of privileged and confidential material;
(c) The retention, storage, processing and destruction of all communications data acquired by public authorities (not just, as currently for IOCCO, communications data only when it is related to intercepted material);
(d) The use of such data, including in combination with other datasets (cf. ISC Report, Recommendation Y);
(e) The use by public authorities of open-source intelligence (OSINT);
(f) The sharing of intercepted material and communications data within the UK Government;
(g) The receipt of intercepted material and communications data from, and the
transfer of such material and data to, foreign governments (Recommendations
76-78 above).

Additional gaps in the arrangements relating to IOCCO’s current activities (explained in IOCCO’s su bmission of December 2014 to this Review) should be filled when ISIC
is constituted. In particular:

(a) Express provision should be made for error reporting, and for a procedure for
arriving at and keeping under review the definition of an error where interception
is concerned.
(b) There should be a statutory requirement for ISIC to review the giving of notices by the Secretary of State (currently under DRIPA 2014 s1) requiring the retention of specific communications data by a CSP.
(c) ISIC should have the power to report on refusals by service providers
(including overseas service providers, given the extraterritorial effect of the law) to intercept communications or disclose communications data when a lawful request is made of them.
(d) There should be statutory provision for oversight of the operation of powers for
interception and/or obtaining communications data other than in the new law,
to the extent that such powers survive, including the power to access stored
data by order of the court under PACE s9.

Though strictly outside the scope of this Review, it would also be appropriate to review the existing powers of the OSC and of the ISCommr so as to identify any other
gaps that should be filled when constituting the ISIC.

ISIC (like IOCCO before it) should have the capacity to inspect the work of analysts,
investigators, SPoCs and DPs on live cases as well as on cases that are closed.

ISIC should have the power to report on, to issue guidance on and to participate in the preparation of Codes of Practice for any activity which it has the power to inspect.

ISIC should inherit the intelligence oversight functions of the ISCommr, including:
(a) oversight of the Consolidated Guidance to Intelligence Officers and Service
Personnel; and
(b) keeping under review the activities of the security and intelligence agencies or
others engaging in intelligence activity, as directed by the Prime Minister under
RIPA s59A.

Consideration could be given to granting ISIC a more general supervisory power over the activities of the security and intelligence agencies, but subject to
Recommendations 118 and 119 (no duplication of functions and resources).

ISIC should be subject to the same obligation as the current Commissioners (RIPA
s68(2)) to provide assistance to the IPT, and should be kept informed of proceedings relevant to its functions (as by RIPA s68(3)).

ISIC should further be given the power, on its own initiative or at the suggestion of a
public authority or CSP, and subject to a duty not to disclose anything that would be
damaging to national security or prejudice ongoing operations, to:
(a) inform a subject of an error on the part of a public authority or CSP; and
(b) inform the subject of his right to lodge an application to the IPT;
in any case in which in the opinion of ISIC it is possible that the scale or nature of the error might entitle the subject of the error to compensation.

To the extent that Recommendation 6 is adopted, the powers and functions set out
in Recommendations 84-99 above should apply in an equivalent manner to the
activities there referred to.

There should be a report at least once in every year dealing with all aspects of the work of ISIC, and supplemented as may be feasible by more regular statistical releases.

As an expert, apolitical body with a strong judicial ethos, ISIC should also have the
power to carry out inquiries and produce reports into matters falling within its remit,
at the request of the Prime Minister or on its own initiative.

The Prime Minister should have the power to redact ISIC’s annual report on narrowly
specified grounds (cf. RIPA s58(7)). The Prime Minister should be obliged to lay
ISIC’s annual report before Parliament within a certain number of days (or sitting
days) of receipt.

The Chief Commissioner should be a person of unquestioned professional distinction
and independence, committed not only to leading the work of ISIC but to accounting
publicly and to Parliament for that work, and to building public awareness of ISIC and
its role. The Chief Judicial Commissioner should be eligible to serve also as Chief Commissioner, but need not necessarily do so: some possibilities are illustrated in
the diagrams at Annex es 17 and 18 to this Report.

The Chief Commissioner should be appointed by the Prime Minister. Consideration should be given to allowing the ISC a voice in the appointment or confirmation of the Chief Commissioner.

Judges entitled to authorise warrants should be known as Judicial Commissioners
(or Assistant Judicial Commissioners) so as to emphasise their distinct and
independent status. There should be regular dialogue and sharing of experience
between the Judicial Commissioners and the inspectorate.

Judicial Commissioners could be full-time or (as currently in the OSC) part-time judges on duty according to a rota. They should be capable of providing prompt and
efficient service for applications from all parts of the UK. It will be necessary to
provide 24-hour cover (as currently provided by the Secretary of State) for cases
where urgent applications for warrants and authorisations arise out of hours.

An inspectorate should be provided for the audit and inspection functions entrusted
to ISIC.

ISIC should have staff with the necessary expertise (including technical expertise)
and resources in relation to:
(a) each power whose operation it audits or inspects (including interception and
encryption, communications data, directed and intrusive surveillance, property
interference and CHIS/undercover operations); and
(b) each function relating to intercepted material and data (including acquisition, use, storage, retention, dissemination, sharing and destruction).

ISIC should have an in-house legal presence and one or more security-cleared standing counsel, appointed on a part-time basis from the independent practising Bar, whose function would be, on request:
(a) to give advice on recent developments in the law;
(b) to advise ISIC on possible legal vulnerabilities in the arrangements whose
operation it reviews;
(c) to advise (at the request of the Judicial Commissioners) in relation to
applications for warrants or requests for authorisations on proposed communications data authorisations;
(d) to assist with the legal aspects of formulating guidance and contributing to Codes of Practice; and
(e) by these means to help ISIC ensure that the activities it authorises, audits or reviews are lawful, and that the public authorities it oversees have due warning of legal difficulties.

Within the necessary constraints of security:
(a) ISIC should be public-facing, transparent and open to diverse ideas (including
from all sectors of the community in all parts of the UK, from other countries,
from international institutions and from young people who have grown up online).
(b) It should be willing to draw on expertise from the worlds of intelligence,
computer science, technology, academia, law and the NGO sector, and should
engage with and support compliance officers and compliance mechanisms within public authorities, DPs and SPoCs.
(c) As much as possible of its output (including, within the constraints of nationa l
security, any guidance that it may issue) should be published on a user-friendly
website.
(d) Commissioners and staff should attend and participate in conferences, invite
dialogue, assist the conduct of research and be alert to the adoption and dissemination of international best practice.
(e) ISIC should make itself accessible to traditional media, and have an active social media presence.

ISIC should be sufficiently resourced to enable it to perform functions which are more extensive than those performed by the almost 40 full-time and part-time current Commissioners and staff.

The jurisdiction of the IPT should be expanded (or clarified) to cover circumstances where it is a CSP rather than a public authority which was at fault (for example, by intercepting the wrong communications address and/or disclosing the wrong
communications data).

There should be a right of appeal to an appropriate court from rulings of the IPT, on
points of law only, permission being required in the normal way from either the IPT or the appellate court (cf. ISC Report, Recommendation LL).

The IPT (which is chaired by a High Court Judge or Lord Justice of Appeal) should be given the same power as the High Court to make a declaration of incompatibility under HRA 1998 s4, particularly (but not exclusively) should Recommendation 114 not be adopted.

The IPT should have the resources it needs to operate in a practical and expeditious
manner. Those resources should be independent of those allocated to ISIC and the
ISC, whose conduct may from time to time be in issue before the IPT.

The IPT should where appropriate require ISIC to provide it with assistance,
particularly of an investigative nature, as it has several times required the existing
Commissioners to do pursuant to RIPA s68(2).

There should continue to be a committee of parliamentarians with oversight of the work of the security and intelligence agencies and trusted by them with classified information, not only because parliamentary oversight is desirable in principle but
because of the knowledge and understanding that its members bring to parliamentary
debates with national security implications, e.g. in relation to terrorism legislation and proscription orders.

The functions of ISIC and the ISC should not overlap. In particular, there should be
no duplication of reporting functions or resources between the ISC and ISIC.

It should be for Parliament to consider whether:
(a) to retain the system of Prime Ministerial appointment but require the Chair to
be a member of a political party not represented in government;
(b) to transfer the ISC’s investigative resource in due course to ISIC; and/or
(c) to recast the ISC as a Select Committee (either on its own or merged with the Defence Select Committee) whose members would be elected in the normal way, and to which ISIC would report where necessary in closed session.

It should be recognised that the operation of covert powers is and should remain
secret, and that transparency in relation to operational matters is not a realistic goal.

Public authorities should however be as open as possible (cf. ISC Report,
Recommendation BBB). They should consider how they can better inform Parliament and the public about why they need their powers, how they interpret those powers, the broad ways in which those powers are used and why any additional capabilities
might be required. They should contribute to any consultations on the new law, so
as to ensure that policy-making is informed by the best evidence.

The statistics provided by ISIC should be as informative as possible: the proposals put forward by IOCCO in its December 2014 submission to this Review provide a
useful starting point.

Both ISIC and the IPT should be as open as possible in their work, and should seek
actively to make the public aware of their role as a check on the powers of public authorities.