Equipment interference code of practice

1 Introduction

Background

1.1 This code of practice provides guidance on targeted equipment interference by the Police Service of Scotland and the Police Investigations and Review Commissioner. Throughout the remainder of this code, these bodies will be referred to as the "relevant agencies." The Investigatory Powers Act 2016 (the Act) provides a statutory framework for authorising equipment interference when the European Convention on Human Rights ( ECHR) and/or the Computer Misuse Act 1990 ( CMA) are likely to be engaged. Chapter 2 of this code provides further guidance on the CMA, and when targeted equipment interference warrants are required under the Act.

1.2 This code is issued pursuant to section 24 of the Regulation of Investigatory Powers (Scotland) Act 2000 ( RIP(S)A), which provides that the Scottish Ministers shall issue one or more codes of practice relating to the exercise and performance of powers and duties conferred or imposed by or under a number of Acts, including part 5 of the 2016 Act, so far as it relates to the relevant agencies.

1.3 This code is publicly available and should be readily accessible by members of any of the equipment interference agencies seeking to use the Act to authorise equipment interference.

1.4 For the avoidance of doubt, the guidance in this code takes precedence over any contrary content of a relevant agency's internal advice or guidance.

1.5 Further guidance relating to equipment interference can also be obtained in the Equipment Interference Code of Practice issued by the Home Office, which provides, among other things, information pertaining to the obtaining of warrants from the Scottish Ministers by the security and intelligence agencies.

Effect of code

1.6 Section 26 of RIP(S)A provides that all codes of practice in force at any time under RIP(S)A are admissible as evidence in criminal and civil proceedings. If any provision of this code appears relevant to any court or tribunal, including the Investigatory Powers Tribunal ( IPT) established under the Regulation of Investigatory Powers Act 2000 ( RIPA), or to a supervisory authority ^[2] , it must be taken into account. The relevant agencies may also be required to justify, with regard to this code, the use of targeted equipment interference warrants in general or the failure to use warrants where appropriate.

1.7 Examples are included in this code to assist with the illustration and interpretation of certain provisions. Examples are not provisions of the code, but are included for guidance only. It is not possible for theoretical examples to replicate the level of detail to be found in real cases. Consequently, the relevant agencies should avoid allowing superficial similarities with the examples to determine their decisions and should not seek to justify their decisions solely by reference to the examples rather than to the law, including the provisions of this code. The examples should not be taken as confirmation that any particular relevant agency undertakes the activity described; the examples are for illustrative purposes only.

Equipment interference to which this code applies

1.8 Part 5 of the Act provides for the issue of targeted equipment interference warrants authorising interference with any equipment for the purpose of obtaining communications, equipment data or other information.

1.9 Targeted equipment interference warrants may authorise both physical interference (e.g. covertly downloading data from a device to which physical access has been gained) and remote interference (e.g. installing a piece of software on to a device over a wired and/or wireless network in order to remotely extract information from the device).

1.10 A targeted equipment interference warrant provides lawful authority to carry out the acquisition of communications stored in or by a telecommunications system.

1.11 Chapters 2 and 3 of this code provide a description of targeted equipment interference activities and the circumstances when a targeted equipment interference warrant is required, along with definitions of terms, exceptions and examples.

Basis for lawful equipment interference activity

1.12 The Human Rights Act 1998 gives effect in UK law to the rights set out in the ECHR. Some of these rights are absolute, such as the prohibition on torture and the right to a fair trial, while others are qualified, which means that it is permissible for public authorities to interfere with those rights if certain conditions are satisfied.

1.13 Amongst the qualified rights is a person's right to respect for their private and family life, home and correspondence, as provided for by Article 8 of the ECHR. It is Article 8 that is most likely to be engaged when the relevant agencies seek to obtain personal information about a person by means of equipment interference. Such conduct may also engage Article 1 of the First Protocol, the right to peaceful enjoyment of possessions ^[3] , and Article 6 of the ECHR, in cases where items subject to legal privilege may be obtained. The relevant agencies require to properly consider the protection of these rights in their decision making process.

1.14 The use of targeted equipment interference techniques may require interference with computers. Interfering with the functions of a computer or otherwise accessing it where there is no lawful authority to do so may, in certain circumstances, amount to a criminal offence. The offences related to unauthorised interferences with computers are set out in the CMA and are explained further in Chapter 2 of this code.

1.15 Part 5 of the Act provides a statutory framework under which equipment interference activities which engage the ECHR and/or would otherwise constitute an offence under the CMA can be authorised and conducted lawfully.

Personal data

1.16 Personal data is data which relates to a living individual who can be identified from that data or from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller. It is likely that much of the private information obtained by the methods described in this code will be personal data if it is recorded by the relevant agency. Where this is the case, data protection law will apply to the processing of that personal data until it is securely destroyed. ^[4]