Guest post by @Super__Cyan
Draconian new regulations threaten innocent tenants’ privacy.
Imagine junior staff of local councils being able request your bank details, your itemised phone bills? Keep calm, now is not the time for fear that comes later when this may soon be the law! Local councils may soon be given powers to authorise employees to request personal information if they suspect you are committing social housing fraud. This clearly raises issues of privacy, it looks pretty illegal, undermines the government’s position on civil liberties, such powers may already exist with better safeguards and it is of public importance even more so because it is being sneaked in through the back door!
The Prevention of Social Housing Fraud (Power to Require Information) (England) Regulations 2014 (the Regulations) is a draft statutory instrument that allows for local councils (Regulation 3) to authorise a member of staff to use powers granted by Regulation 4. Regulation 4 enables staff to require information from specified persons for housing fraud investigation purposes which are the prevention, detection or securing evidence for the conviction of one of the offences listed in section 7(7) of the Prevention of Social Housing Fraud Act 2013 (PoSHFA).
Regulation 4(2)(a) allows authorised staff to require information from a person falling within paragraph (3) (listed later) and 4(2)(b) has or may have possession of or access to any information about any matter that is relevant to housing fraud investigation purposes.
The person(s) information can be required from include:
- any bank,
- any lender
- any water company
- any gas company
- any electricity company
- any person who provides a telecommunications service,
- any servant or agent of any person mentioned above.
That is a pretty hefty list, but I’ll only deal with one of these person(s), telecommunications service providers (or telcos), you know the guys that give you the internet, your phone network etc? Yup, them.
Regulation 4(6) makes clear that an authorised staff cannot request a specific type of communications data from telcos, that being traffic data.
So if we make our way to the Regulation of Investigatory Powers Act 2000 (RIPA) section 21 we can see that traffic data is mentioned in section 21(4)(a) and section 21(6). This is to be excluded, but on the other hand everything else in section 21 seems to be fair game, if we look at section 21(4)(b) and (c) with the former stating:
any information which includes none of the contents of a communication (apart from any information falling within paragraph (a)) and is about the use made by any person— .
(i) of any postal service or telecommunications service; or .
(ii) in connection with the provision to or use by any person of any telecommunications service, of any part of a telecommunication system;
And the latter stating:
any information not falling within paragraph (a) or (b) that is held or obtained, in relation to persons to whom he provides the service, by a person providing a postal service or telecommunications service.
What does this even mean? Section 21 of RIPA itself is vague and it is only made sense of if you look at the Acquisition and Disclosure of Communications Data Code of Practice (main page here). This Code of Practice is pursuant to section 71 of RIPA. This defines more comprehensively the types of communications data which can be requested by the authorised officer (see Chapter 2, paras 2.23-2.29) such as numbers called, duration and timing of a call etc. It is interesting that an itemised telephone call record (2.24) which according to the Code falls under use data would or should actually also fall under traffic data because who you call ‘identifies, or appears to identify, any person’ you’ve called. It may be poor drafting from the Code because it fails to recognise that either who you call falls under traffic data or use data or both.
But should this be the case if a power to access communications data already exists? Regulation 3(2) allows a local council to grant requesting authorisation to an individual employed by that authority or any individual employed by another local authority or joint committee that carries out functions relating to housing fraud investigation purposes on behalf of that authority. Section 37 of the Protection of Freedoms Act 2012 (PoFA) (which inserts a section 23A into RIPA) requires judicial approval for the obtaining or disclosing of communications data. The ‘relevant person’ mentioned in section 23A(1) is defined as an individual holding an office, rank or position in a local authority (section 23A(6)(a)(i) and (ii). And for the avoidance of doubt The Regulation of Investigatory Powers (Communications Data) Order 2010 in Schedule 2 Part 2, local councils (which fall within the section 11(8) definition of local councils in the PoSHFA) are an additional public authority which can acquire communications data for s22(2)(b) RIPA purposes, this states:
It is necessary on grounds falling within this subsection to obtain communications data if it is necessary…for the purpose of preventing or detecting crime or of preventing disorder.
An authorised staff in the Regulations only need reasonable suspicion which seems to be in contradiction with section 22(2)(b).
Where are the safeguards? Why is it that judicial approval is required under the PoFA but not under the Regulations? I very rarely make political points, but I think this is important. The 2010 Coalition Agreement expressly stated that:
We will implement a full programme of measures to reverse the substantial erosion of civil liberties and roll back state intrusion (page 11).
We will ban the use of powers in the Regulation of Investigatory Powers Act (RIPA) by councils, unless they are signed of by a magistrate and required for stopping serious crime (page 12).
Not many things reek as bad as political double standards, but that is a textbook example of it. Firstly, the PoFA may have improved ECHR compliance by implementing an ECtHR judgment on DNA retention. But this Regulation is contrary to that agreement, furthermore it is no longer true that councils require approval from magistrates to make de facto RIPA requests therefore circumventing section 23A in oblivious fashion. The Greeks would be proud of this Trojan horse of a statutory instrument. The Regulations do not even state the level of seniority which authorisation can be granted to, hence this could be junior staff (Regulation 3(2)). Should junior staff or an assistant be able to request such personal information from a wide range of persons?
This clearly has privacy implications and issues with other various rights. But I’ll deal only with Article 8 of the European Convention on Human Rights which notes that:
- Everyone has the right to respect for his private and family life, his home and his correspondence.
- There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
A simplified expression of Article 8 is this. Every individual has privacy rights and the state should steer clear of those rights except for in circumstances proscribed by Article 8(2). For your privacy rights to apply they must be interfered with or ‘engaged.’ This is straight forward, the European Court of Human Rights (ECtHR) in Copland v UK  ECHR 253, at para 43 noted that:
[T]he use of information relating to the date and length of telephone conversation and in particular the numbers dialled can give rise to an issue under Article 8 as such information constitutes an ‘integral element of the communications made by telephone’…The mere fact that these data may have been legitimately obtained … is no bar to finding an interference with rights guaranteed under Article 8…Moreover, storing of personal data relating to the private life of an individual also falls within the application of Article 8 §1…Thus, it is irrelevant that the data held … were not disclosed or used against the applicant in disciplinary or other proceedings.
What this means is regardless of how private information was obtained or if it was used or not, the fact that it has been accessed is enough engage Article 8 and therefore requires justification under Article 8(2).
Interference or engaging privacy must be in accordance with the law, whereby requesting information must have some basis in domestic law (para 193). The Grand Chamber (GC) of the ECtHR in Stafford v United Kingdom  ECHR 470 (at para 63) held that the law should be accessible to the person concerned and foreseeable as to its effects. The GC in Amann v. Switzerland  ECHR 88 ruled that ‘a rule is “foreseeable” if it is formulated with sufficient precision to enable any individual – if need be with appropriate advice – to regulate his conduct (para 56). Publication of the law would seem to satisfy accessibility (Leander v Sweden  ECHR 4 para 52-53).
If we take what was said in Malone v United Kingdom (1984) 7 EHRR 14, at para 67 ‘thus implies – and this follows from the object and purpose of Article 8 (art. 8) – that there must be a measure of legal protection in domestic law against arbitrary interferences by public authorities with the rights safeguarded by paragraph [Article 8(1)].’ This is to prevent the authorised staff from requesting information randomly. Regulation 4(5)(a) makes it so that authorised staff can request information of people who have committed, is committing or intends to commit an offence listed in section 7(7). It is worrying that authorised staff can request information based on the intention to commit an offence, I was not aware that authorised staff had developed the ability of telepathy. So there is no requirement for suspicion of attempted fraud merely suspicion of future intention. How are you supposed to regulate your conduct appropriately if staff are making assumptions about your mental state?
It does not stop there, Regulation 4(5)(b) allows information to be requested if the authorised staff have reasonable grounds to believe a person to be a relative of the suspect. This includes spouse/partner, (grand)parents, (grand)children, (half)siblings, aunts/uncles and nephews/nieces under section 113 of the Housing Act 1985 imported by Regulation 4(11). Authorised staff do not even need actual proof of familial relations to be able to request information. Information can be requested irrespective of whether they are even living in the same property as the suspect. So family members who have no fraudulent involvement or household associations with the suspect can have their privacy invaded. Ironically Regulation 4(5)(b) does not capture non-family members who may live with the suspect.
The arbitrary nature of the power is of further concern because once authorised staff make a request, under Regulation 5 it is an offence to (a) intentionally delay, obstruct authorised staff or (b) refuse or fail to provide the requested information without reasonable excuse. So a company may be reluctant to query the requests that seem unreasonable or disproportionate simply because of the offence of non-compliance. Therefore there does then seem to be an in accordance with a flaw, this would be enough for a violation without considering anything else (para 63). I suppose this gives the title more meaning now.
Even if the Regulation was somehow deemed to be in accordance with the law the ECHR requires measures to be necessary and proportionate. As you can see, fraud would fall under this umbrella term of 22(2)(b) of RIPA and Article 8(2). If such a similar and even broader power exists are these Regulations necessary? Having said that, the term ‘broader power’ probably isn’t the right word because for instance RIPA requests only dealt with communications data. Is such an exhaustive list necessary for the function of the authorised staff? Should this be a job for the police and not employees of a local council?
Necessity requires the least restrictive measure in pursuit of an objective (Mark Elliott, ‘Proportionality and deference: the importance of a structured approach’ in Christopher Forsyth et al (Ed), Effective Judicial Review: A Cornerstone of Good Governance (Oxford University Press 2010)). How can the Regulations be seen as the least restrictive approach to privacy when the authorised staff could make requests from a variety of sources, or all of them if they reasonably believed it was needed? This only strengthens the point that the power exercised by authorised staff is arbitrary.
I’m aware that the Regulations are specifically targeted at social housing fraud, but I do not think that there is any need for a disparity between the approach authorised staff must take under RIPA and the Regulations. As draconian as RIPA is, the approach taken i.e. necessity (section 22(2)) and proportionality (22(5)) is more likely to conform to the ECHR’s standard of human rights protection and the Coalition’s own stated commitments. But it does seem that both provisions fail to strike the right balance, on the one hand the Regulations are only aimed at tackling social housing fraud, and it seems that only employees that deal with social housing fraud investigation can be authorised officers, but there is no necessity or proportionality requirement nor is there any judicial oversight, nor any insight into the seniority of the employees who can request substantial amounts of private information, and it most spectacularly bypasses the (better defined) safeguards of RIPA. With the PoFA it seems that anyone employed by a local authority can gain access to communications data under the vague terms under section 22(2)(b) of RIPA, but yet is subject to judicial oversight. The idea that specific officers can gain access to communications data for specific legal purposes is a much better safeguard against abuse than having the power employed in a broad manner.
Having said that, if these Regulations are going to become law, they need more careful scrutiny and a quick blog post just to highlight the Regulations’ existence isn’t sufficient. Very importantly The Prevention of Social Housing Fraud (Detection of Fraud) (Wales)Regulations 2014 (which almost mirrors the Regulations) which still need approval should be rejected by National Assembly for Wales for the same reasons expressed above in relation to the Regulations. Can this be said to be necessary in a democratic society, when giving staff of local councils sweeping powers to snoop on citizens by stealth? This should not only interest privacy advocates, housing and human rights legal folk but every individual citizen because it is the citizens who will be subject to these laws.
The Government: You’re making a big mistake (saying that these Regulations are likely to be unlawful)!
Super Cyan: Not as big as yours, I fear.
High fives to @RichGreenhill for the heads up, advice and comments on initial drafts.