UK SURVEILLANCE LAW
In July 2015 English comedian Michael McIntyre found himself the unexpected subject of a spying row. The National Police Air Support unit (NPAS) spotted the foppish funnyman crossing the road, snapped his picture from the sky and then posted the image to Twitter, asking followers to guess who it was. Silly move. They swiftly deleted the tweet after vocal criticism from privacy campaigners. However, they didn’t actually break any law. Human rights lawyer Simon McKay explained to the BBC how the police were technically on the right side of the law, but they may have breached a code of practice: "In a nutshell, the taking of the photograph is unlikely to be an invasion of privacy.
However, its needless publication almost certainly is, assuming Michael McIntyre didn't consent, which seems likely. The Metropolitan Police is a data controller and this is personal data, so there are compliance issues. On the face of it it also breaches the CCTV Code of Practice. The courts have held the arbitrary publication of photographs by the police without a pressing need to do so is unlawful. A Metropolitan Police spokesperson said in a statement that "this tweet does not, as far as we know, constitute a breach of data protection legislation.” Which brings us neatly onto something we’ve been meaning to address for a while.
How do users of spy equipment stand when it comes to the law? Well, there are two key things to remember when considering whether your actions are legal or illegal; firstly does the subject have a reasonable expectation of privacy and secondly, do they give their consent? The latter typically supersedes the former. You can’t have a reasonable expectation of privacy if you consent to working in an office where your conversations will be recorded, for example.
A reasonable expectation of privacy
The key measurement, should you need to defend yourself against accusations of illegal or unethical use of spy equipment, is that the subject had a reasonable expectation of privacy. In short, that’s why it’s legal for you to bug your own office but not the bathroom. There are exceptions to this. For example, it’s legal for the police to bug your house. You may have a reasonable expectation of privacy in your own home but if you’re suspected of criminal activity, the pursuit of justice and protection of the public takes precedence. The concept of consent is very important too. While most people may take issue with having their likeness or voice recorded and stored, they regularly imply consent to this without really considering the implications. For example, the words “calls are recorded for training and quality purposes” are effectively soliciting implied consent. If you stay on the line, you accept these conditions.
Relevant UK Legislation for Spy Equipment
The use of spy equipment falls under one or more of six separate pieces of UK legislation. There is no specific law on privacy like the Privacy Act of 1974 in the States, but our right to privacy is covered mainly by the Human Rights Act.
The Data Protection Act governs how data handlers, for example the local council, police or bank, manage and protect your personal data. If you are a data handler (hint: most employers are data handlers, otherwise how do they pay their employees?), you must comply with the Data Protection Act too, or face heavy fines or even imprisonment. So, if for example, you legally record a conversation taking place during office hours at your business, and then post that online, you could potentially be in breach of the Data Protection Act. The employee may have given consent to be recorded by signing their employment contract, but it’s unlikely they’ll have given their consent to having those conversations made public or shared.
The CCTV Code of Practice is potentially where the use of the police helicopter footage of Michael McIntyre slips up. It’s not illegal to record him but it does breach this non-legislative code of conduct. In order to operate certain pieces of equipment, for example closed circuit networks, one needs to sign up to specific codes of practice.
The 1998 Wireless Telegraphy Act covers the use of discreet or hidden recording devices. Significantly, it’s an idiosyncratic piece of law that actually seems to protect the spy more than the subject.
The Lawful Business Practice Regulations Act covers the monitoring of employee behaviour, typically computer and telephone usage. The relevant parts are in the main there to protect employee privacy and prevent them from being unduly snooped on. Public bodies, such as the police, HMRC or spy agencies are subject to the Regulation of Investigatory Powers Act, which limits and controls their powers to record, monitor and gather information on members of the public.
Spy Cameras and the Law in the UK
Under UK law you are generally permitted to use spy cameras, under certain conditions. Elements of the Data Protection Act and the Human Rights Act govern where you can and can’t conduct recording, but in general, their use is legal.
Here are a number of key considerations for legally using spy cameras in the UK:
- It is illegal to fit spy cameras to a business or residential property that you do not own or in which you don’t have legal occupancy.
- It is legal to set up a camera in your own home or business.
- It is illegal to use spy cameras in areas where subjects may have reasonable expectation privacy. The office is fine, the toilets or locker rooms are not.
- You can fit and operate a CCTV system to the outside of your property, provided it doesn’t infringe on anyone else’s right to privacy. For example, you may breach the Human Rights Act if your CCTV camera is pointing directly into a neighbour’s bedroom.
- It is illegal to make sound recordings on CCTV networks.
- All CCTV systems recording in public must be registered with the Information Commissioner’s Office.
- All CCTV systems used in public must be accompanied by signs that alert members of the public that CCTV is in operation.
- You must take reasonable steps to safeguard and protect any footage gathered via a public CCTV system. Failure to do this, for example leaving a DVD of CCTV footage unattended or uploading footage to YouTube, could be a breach of the Data Protection Act.
- You must not share footage from CCTV without express permission from those captured unless as part of a legitimate criminal investigation.
Phone Monitoring, Phone Tapping and the Law in the UK
The laws surrounding phone monitoring in the UK aren’t as cut and dried as those surrounding spy cameras. The biggest grey area has to do with the definition of the word ‘legitimate.’ It varies according to who is doing the listening. The police, spy agencies, intelligence services and even HM Revenue and Customs are considered legitimate users of phone tapping without notice, but they are subject to Regulation of Investigatory Powers Act (RIPA) standards. So if you’re suspected of not paying the right amount of tax, HMRC may legitimately tap your phone. But they’ll need a warrant signed by the Home Secretary. As a private citizen or business owner, you are also allowed to monitor phone calls, but under stricter conditions.
Here are the key things to remember if you’re planning on using call monitoring devices:
- You can record any phone conversation you have with another person, without telling them, provided you don’t intend to share the information with a third party, even if that comes as part of a legitimate investigation by the police or legal proceedings. That’s why phone call recordings made without consent are generally inadmissible as evidence. If you obviously intend to share the content, for example by streaming it live to a third party or uploading it, you are breaking the law.
- You can record conversations between your employees and customers or other employees provided implied consent is given. Assuming both parties are aware that they are being recorded, transcripts and recordings may be used as evidence as part of a legitimate investigation or used by yourself for training, quality and monitoring purposes. You may also just want to hear what your employees talk about on the phone. Ethically and commercially this probably isn’t the best move, but there’s no law to stop you doing this, assuming you’ve got their consent.
- It is illegal to record other people’s private phone calls (i.e. not work calls made on work phones). No ifs or buts. This is considered a breach of their reasonable expectation of privacy. Note however, that listening to other people’s phone calls is not always a breach of that expectation. For example, if someone is talking loudly on their phone, you can listen all you like and tell people what you heard. You’ll get a reputation as a gossip of course, but the law will be on your side.
- It is illegal to make the contents of a phone conversation between two parties available to a third party. So if you’re legally listening in, you can’t invite all sundry to listen in with you.
- Tapping - making the content of another person’s call available to someone not involved in their conversation - is illegal unless the contents of the call are required for a legitimate criminal or civil investigation.
- It is not lawful to share information from a phone call you have been part of and recorded if the other person believed it was confidential.
- It is legal to record someone without their permission if it is in the public interest to do so. For example, if you are recording to gather evidence of criminal or corrupt behaviour, the crime you document is more serious than the civil offence you are potentially committing by recording.
Counter-Surveillance and The Law in the UK
If you have concerns that your computer use, phone calls, movements or other behaviour are being monitored, you’re entitled to put in place a series of counter-intelligence measures. This is for your own safety, privacy and commercial protection. As far as the law goes, problems only arise when your legitimate counter-intelligence activities begin to infringe on the privacy and other rights of people around you. For example, hacking into someone else’s computer or otherwise unlawfully monitoring their computer usage to check if they’ve been spying on you is illegal.
Here are some key things to remember with regards to counter surveillance and the law in the UK:
- Counter-surveillance is generally legal, so using bug detectors is fine.
- As well as detecting surveillance, you may wish to prevent surveillance by using encrypted devices such as walkie-talkies and encrypted USB flash sticks.
- It’s illegal to use mobile phone network jammers, wifi jammers and GSM jammers in the UK. These disrupt other people’s ability to communicate. Only the police and security services are legally allowed to use these devices.
- It is also illegal, although ethically ambiguous, to knowingly use counter-surveillance measures against a government body.
GPS Car Trackers and the Law in the UK
There are a number of legitimate uses for using GPS car trackers in the UK. The most typical uses for vehicle tracking are commercial, to ensure that employees are driving safely, efficiently and aren’t wasting company time and resources on unnecessary detours or diversions. It is a business fact that employee productivity increases with the presence of management. However, it’s not possible to be present in every car with every employee. GPS trackers mitigate this business risk by enabling you and your colleagues to keep employees motivated by knowing their movements are being lawfully monitored. A high proportion of road accidents involve people who drive for a living, so there are safety benefits to in-car tracking too. It may even result in lower insurance premiums for your business, providing a tangible cost saving.
GPS workplace vehicle tracking is generally legal, provided you follow a few important steps:
- You must obtain permission from any employee you intend to track. This can be done by including a clause in their employment contract.
- You must make reasonable efforts to protect and safeguard any data collected from your GPS vehicle tracking activity. Failure to do this could result in you or your business breaching the Data Protection Act. This is especially true of employees who use a company car for private as well as business use.
- It may breach the Data Protection Act if employees who have dual use of a car are unable to disable tracking during their personal time. It could be seen as a breach of privacy to provide an employee with a car in lieu of another benefit which is then used to track their movements during non-business hours. There are also quite serious data protection implications concerning this.
- If they regularly park the car at the same address over night, it’s fair to assume that this could be their home address. The home address of an individual counts as “personal data” under the DPA as it can be used to personally identify them. You must therefore treat this data with the same care and diligence as you would their bank details or medical history.
Domestic and private vehicle tracking
As with commercial vehicle tracking, domestic and private vehicle tracking is generally legal provided you don’t breach the Data Protection Act. In most cases, domestic vehicle tracking is conducted on family cars, or cars driven by sons or daughters, with all parties aware. This can provide an insurance benefit and also builds trust between parents (often the people responsible for paying for the car insurance) and inexperienced young drivers. Because GPS vehicle trackers may be deployed to track any vehicle (some trackers are magnetic to permit ease of fitting to the vehicle’s exterior), it’s extremely important that you pay close attention to the law.
Here’s a rundown of the key things to remember when using GPS vehicle trackers:
- It is illegal to track anyone without their permission or knowledge.
- It is illegal to share or make public any personal data collected via the GPS vehicle tracking device.
Computers and Computer Forensics and the Law in the UK
You may wish to monitor computer usage for a number of legitimate reasons, including fraud prevention, business and risk compliance or monitoring and protecting your children using a home computer from accessing inappropriate material. Due to the potential for abuse, computer monitoring by members of the public is subject to the Data Protection Act. The overarching principle governing computer monitoring and computer forensics centres around the concept of possession. You are generally permitted to install whatever devices or software onto your own computer that you wish. Persons then using your computer may be monitored, but if you intend to use the data that you gather, for example as part of investigation or civil case, you must first warn the person that their use of your computer may be being monitored.
While this does somewhat defeat the object if you are monitoring computer usage to identify criminal or unethical use, it is important to comply. Not complying may put you in breach of the Data Protection Act. Employers have special responsibilities under the Data Protection Act to get consent from their employees if they plan to monitor their usage. Once consent is given, employers may monitor Internet usage, record keystrokes and store any data pertaining to the use of computers that they own. However, the use of that data is subject to the Data Protection Act.
Here are the key things to remember for employers monitoring employee computer usage:
- You must get consent from the employee. This is typically done via the employee terms of employment.
- You must not share or make public any personal data or personally identifying information gathered while monitoring employee computer usage.
- You must take reasonable steps to ensure that data gathered during employee computer use monitoring is protected and safeguarded.
- You must only use data and information gathered while monitoring employee computer use for legitimate reasons, for example including fraud prevention, protecting sensitive commercial information, preventing misconduct, unethical behaviour, or suspected criminal activity.
- You must operate within the framework and guidelines of the Lawful Business Practice Regulations Act.
Here are the key things to remember on the legalities of domestic computer monitoring and forensics:
- It is illegal to monitor usage of any computer apart from those owned by you.
- It is illegal to hack into or otherwise access without permission any computer owned by another person.
- It is legal to monitor computer usage of others using your computer.
- It is illegal to share or make public any data gathered monitoring third party use of your computer unless you have warned said third party that their computer usage may be monitored.
- It is illegal to share private or personal data of any individual using your computer, even if you warned them that you were monitoring their computer usage. This goes against their reasonable expectation of privacy. For example, if someone uses your computer and your monitoring software tracks their keystrokes and subsequently captures their bank login details, it is highly illegal for you to share or otherwise make use of this information.
- It is legal to monitor the computer usage of any person under the age of 18 using a computer owned by you without their consent or permission.
The vast majority around the legalities of using spy equipment is common sense. Don’t breach privacy, don’t put people’s personal information at risk and don’t spy on people who you have no legitimate reason to spy on. However, the law is complex and seemingly legitimate actions can land you in legal trouble, so it’s smart to keep as up-to-date as possible.