The police and other law enforcement agencies may need assistance to prevent, detect or investigate criminal activity involving networks or computers at Janet sites.
As this may involve organisations doing things that would normally be prohibited by law (for example disclosing personal information, contrary to the Data Protection Act 1998), the law has a number of provisions and processes to permit cooperation.
This page describes those most likely to be encountered by Janet sites.
Co-operation and best practice
The processes have been designed to ensure the best balance between providing good information or evidence for investigating authorities and protecting organisations or individuals. It is therefore important for all parties to follow the appropriate process for each situation.
Some of these processes require the organisation to cooperate, whereas in others the organisation must assess whether cooperation is necessary and proportionate before it agrees or refuses cooperation accordingly.
In most cases the law enforcement agency will make informal contact with an organisation before serving a formal notice on it. This provides an opportunity for the agency and the organisation to discuss what relevant information may be available and could be released so that the contents of the notice, when it is served, should be clear and acceptable to both parties.
In most cases this contact will be made by a trained single point of contact for the agency, who is already familiar with the types of information likely to be available from computers and networks.
By far the most common request made by the police is to identify an individual user or to provide information about their on-line activity. Information about communications and the individuals who made them (e.g. the identity of users of a particular email or IP address, when they logged in and to whom they sent emails), but not including the content of any files or communications, is covered by the Regulation of Investigatory Powers Act 2000 (RIPA), where it is referred to as 'communications data'.
Section 22 of RIPA allows law enforcement, and other authorities listed in the Regulation of Investigatory Powers (Communications Data) Order 2003, to serve a notice on an organisation requiring that communications data be disclosed. The Home Office Code of Practice for acquisition and disclosure of communications data states that these authorities must always use RIPA s.22, and not any other process, to obtain communications data.
A notice under this section must be given in a form that allows a permanent record to be kept - other than in exceptional circumstances this will be in writing, using a standard form. An organisation receiving a notice must comply with it by disclosing the information specified in the notice: normally the authority will contact the organisation before issuing a notice to confirm that the information is available.
Disclosing other information
Information that is not communications data, and therefore not covered by the Regulation of Investigatory Powers Act 2000, includes the content of e-mails and files.
Two different processes (one mandatory, one not) cover the disclosure of this type of information.
A court may make an order that an organisation must disclose specified information to the court, usually for use as evidence. The most common orders are those issued by judges under Schedule 1 of the Police and Criminal Evidence Act 1984 (PACE), known as PACE Production Orders as they require the recipient to produce (disclose) information that they would otherwise be under a legal duty to keep confidential.
An organisation that receives such an order must comply with it, generally by disclosing the required information to a police constable, or explain to the court why it is unable to do so. Failure to comply, without good reason, is likely to constitute a criminal offence.
Sections 28 and 29 of the Data Protection Act 1998 allow an organisation that holds personal data (including the content of e-mails and files) to choose to disclose data if it is persuaded that the disclosure is both necessary and proportionate in the interests of national security (s.28) or of the detection, investigation or prevention of crime (s.29). In both cases it is the responsibility of the organisation that has the data to ensure that the risk of harm if the information is not disclosed justifies the breach of privacy that will be caused by disclosing it.
Agencies concerned with crime and national security can therefore ask an organisation if it is willing to disclose information under either of these sections, but there is no legal requirement to comply with such a request.
Further guidance on what to disclose
Standard forms (e.g. from the Internet Crime Forum) have been designed on which the agency can make the case for disclosure. Organisations that are persuaded that a request is necessary and proportionate, and decide to disclose information on that basis, are strongly recommended to keep a copy of the request together with a record of the process by which the organisation reached the decision to disclose. These will be needed as evidence if the organisation is subsequently sued for having breached its obligation under the Data Protection Act to keep personal data secure.
Removing material from publication
Universities and colleges in England, Wales and Northern Ireland have a statutory duty to protect free speech by their members under section 43 of the Education (No.2) Act 1986 (similar provisions also apply to universities and colleges in Scotland).
However, where information published by a university or college, or one of its members, breaks the criminal or civil law (these are generally also breaches of the Janet Acceptable Use Policy), this duty may be overridden and the publication may be altered or removed.
The normal situation under UK law is contained within the Electronic Communications (EC Directive) Regulations 2002. This protects organisations that provide services such as web hosting from liability so long as they act promptly when informed of a particular publication that may be unlawful. If the publication continues after a complaint, the organisation will be held to have approved the content of the publication and may be liable if the publication is later found to break the law. See our guide to hosting liability.
For the particular case of material relating to terrorism, sections 3 and 4 of the Terrorism Act 2006 set out a more detailed and demanding process. A police constable may issue a written notice to a senior representative of the organisation (usually the secretary or registrar) informing them that they are publishing terrorist material. The organisation must remove or amend the material within two working days or else it will be held to have approved the publication of the material. Following receipt of a notice the organisation is also required to take all reasonable steps to prevent re-publication.
A complaint does not have to take any particular form, but it must give specific information that allows the publication to be identified. Organisations should therefore have efficient processes to receive and consider complaints of unlawful material on their websites and to remove or alter any material that they would not be prepared to defend in court. Note that the organisation should not disclose the identity of the person responsible for the publication other than under one of the processes above.
Data retention and data preservation
There is no requirement in UK law for private networks to routinely collect or retain data solely for the purpose of assisting investigating authorities. Indeed the Data Protection Act 1998 prohibits the collection or retention of any personal data that the organisation does not itself need.
Following major terrorist incidents the police have occasionally asked organisations to retain a copy of all information currently in logfiles and on their systems in case this may contain evidence. As there is no statutory provision for this data preservation this can only be a request: sections 28 or 29 of the Data Protection Act 1998 may allow the organisation to comply but the organisation is responsible for determining, with police advice, how much data it is necessary and proportionate to retain and for how long.
Should the authorities subsequently need to see the preserved information, disclosure will be achieved by one of the processes described above.