Covert human intelligence sources: code of practice

Code of practice in relation to covert human intelligence sources issued under section 24 of the Regulation of Investigatory Powers (Scotland) Act 2000.

4. Special considerations for authorisations

Vulnerable individuals

4.1. A vulnerable individual is a person who is or may be in need of community care services by reason of mental or other disability, age or illness and who is or may be unable to take care of himself, or unable to protect himself against significant harm or exploitation. Any individual of this description should only be authorised to act as a CHIS in the most exceptional circumstances. In these cases, Annex A lists the authorising officer for each public authority permitted to authorise the use of a vulnerable individual as a CHIS.

Juvenile sources

4.2. Special safeguards also apply to the use or conduct of juveniles, that is, those under 18 years old, as sources. On no occasion should the use or conduct of a CHIS under 16 years of age be authorised to give information against their parents or any person who has parental responsibility for them. In other cases, authorisations should not be granted unless the special provisions contained within The Regulation of Investigatory Powers (Juveniles) (Scotland) Order 2002; SSI No. 206 are satisfied. Authorisations for juvenile sources should be granted by those listed in the table at Annex A. The duration of such an authorisation is one month from the time of grant or renewal (instead of 12 months). For these purposes, the age test is applied at the time of the grant or renewal of the authorisation.

Relationship with the Regulation of Investigatory Powers Act 2000 ( RIPA)

4.3. RIPA is the appropriate legislation for authorisation of a source whose use or conduct:

  • will mainly take place outwith Scotland;
  • will start outwith Scotland; or
  • is for reserved purposes such as national security or economic well-being.

4.4. Where the conduct authorised is likely to take place in Scotland, authorisation should be granted under RIP(S)A, unless the authorisation is being obtained by certain public authorities (see section 46 of RIPA and the Regulation of Investigatory Powers (Authorisations Extending to Scotland) Order 2009; SI No. 3403). RIP(S)A is the appropriate legislation and should be used by Scottish public authorities for all other use or conduct of covert human intelligence sources.

4.5. RIPA contains provisions to allow cross border operations. An authorisation under RIP(S)A will allow Scottish public authorities to use or conduct a source anywhere in the UK for a period of up to three weeks at a time (see section 76(2) of RIPA). This three-week period will restart each time the border is crossed by the source, provided it remains within the original validity period of the authorisation.

4.6. RIPA authorises the conduct or use of a source in Scotland by public authorities (listed in Schedule 1 of RIPA) other than those specified in section 8(3) of RIP(S)A.

Online covert activity

4.7. Any member of a public authority, or person acting on their behalf, who conducts activity on the internet in such a way that they may interact with others, whether by publicly open websites (such as an online news and social networking service) or more private exchanges (such as e-messaging sites) in circumstances where the other parties could not reasonably be expected to know their true identity, [12] should consider whether the activity requires a CHIS authorisation. A directed surveillance authorisation should also be considered, unless the acquisition of that information is or will be covered by the terms of an applicable CHIS authorisation.

4.8. Where someone, such as an employee or member of the public, is tasked by a public authority to establish or maintain a covert relationship with an individual or group online, or otherwise undertakes such activity on behalf of the public authority, in order to obtain or provide access to information, a CHIS authorisation is likely to be required. For example:

  • an investigator using the internet to engage with a subject of interest at the start of an operation, in order to ascertain information or facilitate a meeting in person;
  • directing a member of the public (such as an informant) to use their own or another internet profile to establish or maintain a relationship with a subject of interest for a covert purpose; or
  • joining chat rooms with a view to interacting with a criminal group in order to obtain information about their criminal activities.

4.9. A CHIS authorisation will not always be required for online investigation or research. Some websites require a user to register by providing personal identifiers (such as name and phone number) before access to the site will be permitted. Where a member of a public authority sets up a false identity for this purpose, this does not in itself amount to establishing a relationship, and a CHIS authorisation would not immediately be required, although, consideration should be given to the need for a directed surveillance authorisation if the conduct is likely to result in the acquisition of private information, and the other relevant criteria are met.

4.10. Where a website or social media account requires a minimal level of interaction (such as sending or receiving a friend request before access is permitted) this may not in itself amount to establishing a relationship. Equally, the use of electronic gestures such as "like" or "follow" in order to react to information posted by others online would not in itself constitute forming a relationship. However, it should be borne in mind that entering a website or responding on these gestures may lead to further interaction with other users. A CHIS authorisation should be obtained if it is intended to engage in such interaction to obtain, provide access to or disclose information.

Example: An officer maintains a false persona, unconnected to law enforcement, on social media sites in order to facilitate future operational research or investigation. As part of the legend building activity he "follows" a variety of people and entities and "likes" occasional posts without engaging further. No relationship is formed and no CHIS authorisation is needed.

Example: An officer sends a request to join a closed group known to be administered by a subject of interest, connected to a specific investigation. A directed surveillance authorisation would be needed to cover the proposed covert monitoring of the site. Once accepted into the group it becomes apparent that interaction is necessary. This should be authorised by means of a CHIS authorisation.

4.11. When engaging in conduct as a CHIS, a member of a public authority should not adopt the identity of a person known, or likely to be known, to the subject of interest or users of the site without considering the need for authorisation. Full consideration should be given to the potential risks posed by that activity.

4.12. Where use of the internet is part of the tasking of a CHIS, the risk assessment carried out in accordance with section 6.13 of this code should include consideration of the risks arising from that online activity including factors such as the length of time spent online and the material to which the CHIS may be exposed. This should also take account of any disparity between the technical skills of the CHIS and those of the handler or authorising officer, and the extent to which this may impact on the effectiveness of oversight.

4.13. If a CHIS is acting on behalf of one of the bodies to which the equipment interference provisions of the IPA apply, and is required as part of his tasking to interfere with equipment in order to obtain communications, equipment data or other information, that interference should be authorised separately by an equipment interference warrant under the IPA.

4.14. Where it is intended that more than one officer will share the same online persona, each officer should be authorised separately. Clear information should be provided in the application about the conduct required of each officer and individual risk assessments should be undertaken.


Back to top