The Investigatory Powers Commissioner’s Office (‘IPCO’) supports the Investigatory Powers Commissioner in the discharge of his/her statutory functions. This Privacy Notice applies to data processed by IPCO. ‘IPCO’ includes the Judicial Commissioners and their staff. The Investigatory Powers Commissioner (‘IPC’) is the data controller for IPCO.
This privacy notice explains how we look after your information.
IPCO processes personal data for the main purpose of discharging the IPC’s core oversight functions, as well as for the purpose of discharging the IPC’s function of authorising relevant public authorities to obtain communications data (see s.60A Investigatory Powers Act 2016).
We may also process personal data for ancillary purposes including:
- business monitoring and planning purposes;
- compliance with applicable laws and regulations;
- maintaining, monitoring and developing IPCO’s IT systems to ensure the secure and effective protection of the data at all times;
- where data subjects have explicitly subscribed to communications, or given consent to be contacted for consultation purposes; or
- where data subjects have contacted us directly and submitted a request for information.
The IPC will be a joint data controller with a public authority for the duration that he/she (or members of the organisation) is given direct access to a public authority’s systems in the course of the discharge of his/her oversight functions, such as for the purposes of an inspection and authorisation.
The legal basis for our processing
IPCO processes personal data in accordance with the UK General Data Protection Regulation (‘UK GDPR’). The lawful basis for the processing of personal data (including special category data) includes one or more of the following:
- it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller (Article 6(1)(e) UK GDPR);
- where special category or criminal records data is processed, processing is necessary for reasons of substantial public interest for the exercise of a function conferred on a person by an enactment (paragraph 6, Schedule 1 Data Protection Act 2018). The oversight of investigatory powers is a function conferred on the IPC by statute and is carried out in the public interest (see Chapter 1, Part 8 of the Investigatory Powers Act 2016);
- processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract (Article 6(1)(b)) UK GDPR);
- processing is necessary for compliance with a legal obligation to which the controller is subject (Article 6(1)(c) UK GDPR);
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes (Article 6(1)(a) UK GDPR).
How we process your personal data
IPCO may process your personal data as part of the discharge of the IPC’s oversight functions. This could include, but is not limited to, a Judicial Commissioner or Authorising Officer considering an application for a warrant/authorisation to use an investigatory power in which you are named. It could also include the review of records for the purposes of an inspection. The vast majority of the personal data which IPCO processes is provided to us by public authorities in order for us to exercise our oversight and statutory authorisation functions.
We may also use information we hold about you to:
- assist in verifying your identity if you contact us;
- fulfil other legal obligations;
- respond to correspondence sent to IPCO; or
- support, manage and train staff.
The IPC also processes personal data for the purposes of the appointment of Judicial Commissioners. The IPC is a joint data controller in respect of the appointment of Judicial Commissioners together with the Cabinet Office, the Lord Chancellor, the Lord Chief Justice of England and Wales, the Lord President of the Court of Session and the Lord Chief Justice of Northern Ireland.
The IPC does not process personal data for staff recruitment or human resourcing purposes. The Home Office, as the legal employer for IPCO staff, is the data controller for recruitment and human resourcing data processing. The Home Office’s Recruitment Privacy Notice can be found here.
Keeping personal information
We will keep your personal information for as long as is necessary for the purpose for which it is processed and in accordance with our managing information policy. However, in certain circumstances it may be necessary to retain personal data for longer in order to assist public inquiries or to defend legal proceedings which have already commenced.
Depending on the reasons why IPCO is processing your information it may be held for differing periods of time. We normally only retain applications for the use of investigatory powers for a maximum of one month.
Sharing information with others
Any personal information you provide will be held securely and processed in accordance with data protection and other relevant legislation, such as the Human Rights Act 1998 and the Investigatory Powers Act 2016. Where necessary, we may disclose your information to other public sector organisations so that the IPC can carry out his/her functions, or to enable others to perform theirs. Other organisations include, but are not limited to, the Investigatory Powers Tribunal, the Technology Advisory Panel and the public authorities which the IPC oversees (such as the intelligence agencies, law enforcement organisations or local authorities). Any sharing of information will normally be limited to the discussion of the contents of an application for use of investigatory powers and normally discussion will be limited to the public authority which originally shared your data with us.
Depending on the reasons why IPCO is processing your information it may be shared with some other organisations, such as to fulfil legal obligations.
IPCO uses IT infrastructure provided by a number of other public authorities who act as its data processors.
International Data Transfers
As your personal data may be stored on IPCO’s IT infrastructure, and shared with our data processors, it may be transferred and stored securely outside the UK. Where that is the case, it will be subject to equivalent legal protection through an adequacy decision or appropriate safeguards.
How we protect your personal information
We have a duty to safeguard and ensure the security of your personal information. We do that by having systems and policies in place to limit access to your information and prevent unauthorised disclosure. Staff who access personal information must have appropriate security clearance and a business need for accessing the information.
How to ask for your personal information
If IPCO holds any personal information about you, you have the right to ask for a copy of it through a subject access request (SAR). However, in certain circumstances we do not have to give you the information you have asked for.
The IPC’s primary function is to oversee the compliance of public authorities (including the intelligence services and law enforcement agencies) with legislation governing the exercise of covert investigatory powers. The vast majority of investigatory powers are exercised on either national security grounds or for the prevention and detection of crime.
Consistent with guidance from the Information Commissioner’s Office, it is IPCO’s policy to neither confirm nor deny (NCND) whether it holds any personal data as a result of the IPC’s oversight functions. This is because to confirm any personal data holding, or only to apply an exemption (if applicable) in cases where we hold personal data, would carry a real risk of prejudicing national security and/or the prevention and detection of crime. It would enable individuals to draw inferences such as whether a public authority which we oversee has any interest in them. If you make a subject access request for any data we hold in relation to the exercise of the IPC’s oversight functions, we will consider whether there are any special circumstances in relation to your request to depart from our policy and we will inform you of our decision.
IPCO only holds personal data as a result of the exercise of the IPC’s functions of oversight and the authorising of communications data applications for as long as is necessary to perform those functions. In many cases, data is only retained for a very short period and so, regardless of IPCO’s policy to neither confirm nor deny, IPCO is unlikely to hold any of your personal data in connection with these functions.
IPCO’s ‘neither confirm nor deny’ policy does not apply to data we hold for other functions, such as Human Resourcing records (which are held on behalf of the Home Office) or correspondence with you.
When you write to us to make a subject access request you must provide the following:
- confirmation of your identity: a copy of your passport, full driving licence or birth certificate (please do not send original documents); and
- confirmation of name and address: a copy of your full driving licence, a copy of a recent utility bill, bank or credit card statement, or similar official document which shows your name and address.
If you are writing on behalf of someone else, please include a signed declaration from the person you are acting for indicating that they have asked you to make an application on their behalf.
If possible, you should also send:
- details of all addresses you have used in previous correspondence with IPCO, including email addresses (if applicable) so that we can search our systems; and
- any information that might help us in locating the information in which you are interested (this might include details of any contacts you have had with IPCO at any time, and details of why you think we will hold information about you).
Once we receive all the above information, IPCO has one month within which to respond to your request. This may be extended by up to two months in complex cases.
Other Data Rights
In addition to requesting a copy of your personal data, you have other rights as a data subject. Your rights and how you may exercise them are fully detailed on the Information Commissioner’s Office website. In relation to your personal data held by IPCO, unless an exemption applies, you have the right to:
- require us to restrict the processing of your data in certain circumstances;
- request your data be deleted or corrected;
- object to the processing of your data; and
- lodge a complaint with the independent Information Commissioner’s Office (ICO) if you think we are not handling your data in accordance with the law. Their contact details are below.
The exercise of some of these rights may engage IPCO’s NCND policy for the same reasons as a data subject access request.
Information management strategy
Our information management policies include how we:
- respond to requests for disclosure of information;
- secure the information we hold; and
- ensure that information created, collected and stored is proportionate to the business need, and is retained only for as long as it is needed.
Further information
This privacy notice has been created to be understandable and concise. It does not include exhaustive detail about what information we hold, every organisation IPCO shares information with, how the information is collected or how long all information is kept. If you would like more information you should:
- email us at dpo@ipco.org.uk; or
- write to us at: Investigatory Powers Commissioner’s Office, PO Box 29105, London, SW1V 1ZU.
IPCO has a data protection officer who can be contacted via email:
- dpo@ipco.org.uk
Reporting a concern
When we process your information we will comply with the law, including data protection legislation. Should you feel that your data is being processed in breach of data protection law or other legislation, you can report your concern to our Data Protection Officer using the contact details provided above, or contact the Information Commissioner’s Office at:
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 08456 30 60 60 or 01625 54 57 45. Fax: 01625 524510
You can also visit the Information Commissioner’s Office website.