Personal information charter

This privacy notice applies to data processed by OCDA and explains how we look after your information.

The Investigatory Powers Commissioner’s Office (IPCO) and the Office for Communications Data Authorisations (OCDA) support the Investigatory Powers Commissioner to carry out their statutory functions.

This privacy notice applies to data processed by OCDA. OCDA includes the Judicial Commissioners and their staff.

IPCO’s privacy notice can be viewed here.

The Investigatory Powers Commissioner (IPC) is the data controller for both organisations.

This privacy notice explains how we look after your information.

OCDA processes personal data for the main purpose of discharging the IPC’s function of authorising relevant public authorities to obtain communications data (see s.60A Investigatory Powers Act 2016).

We may also process personal data for ancillary purposes including:

  • business monitoring and planning purposes

  • compliance with applicable laws and regulations

  • maintaining, monitoring and developing OCDA’s IT systems to ensure the secure and effective protection of the data at all times

  • where data subjects have explicitly subscribed to communications, or given consent to be contacted for consultation purposes

  • where data subjects have contacted us directly and submitted a request for information

OCDA processes personal data in accordance with the UK General Data Protection Regulation (‘UK GDPR’). The lawful basis for the processing of personal data (including special category data) includes one or more of the following:

  • it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller (Article 6(1)(e) UK GDPR)

  • where special category or criminal records data is processed, processing is necessary for reasons of substantial public interest for the exercise of a function conferred on a person by an enactment (paragraph 6, schedule 1, Data Protection Act 2018). The authorisation of communications data is a function conferred on the IPC by statute and is carried out in the public interest (see section 60A, Investigatory Powers Act 2016)

  • processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract (Article 6(1)(b)) UK GDPR)

  • processing is necessary for compliance with a legal obligation to which the controller is subject (Article 6(1)(c) UK GDPR)

  • the data subject has given consent to the processing of his or her personal data for one or more specific purposes (Article 6(1)(a) UK GDPR)

How we process your personal data

OCDA may process your personal data as part of the discharge of its function to authorise relevant public authorities to obtain communications data. This could include, but is not limited to, an OCDA Authorising Individual considering an application for a communications data authorisation in which you are named (for example as a suspect or victim of crime). The vast majority of the personal data which OCDA processes is provided to us by public authorities in order for us to discharge our statutory function.

We may also use information we hold about you to:

  • assist in verifying your identity if you contact us

  • fulfil other legal obligations

  • respond to correspondence sent to OCDA

  • support, manage and train staff

The IPC does not process personal data for staff recruitment or human resourcing purposes. The Home Office, as the legal employer for OCDA staff, is the data controller for recruitment and human resourcing data processing. The Home Office’s recruitment privacy notice can be found here.

Keeping personal information

We will keep your personal information for as long as is necessary for the purpose for which it is processed and in accordance with our managing information policy. However, in certain circumstances it may be necessary to retain personal data for longer in order to assist public inquiries or to defend legal proceedings which have already commenced.

Depending on the reasons why OCDA is processing your information it may be held for differing periods of time. We normally only retain applications for the use of investigatory powers for a maximum of one month.

Sharing information with others

Any personal information you provide will be held securely and processed in accordance with data protection and other relevant legislation, such as the Human Rights Act 1998 and the Investigatory Powers Act 2016. Where necessary, we may disclose your information to other public sector organisations so that the IPC can carry out his/her functions, or to enable others to perform theirs. Other organisations include, but are not limited to, the Investigatory Powers Tribunal, the Technology Advisory Panel, and the public authorities which the IPC oversees (such as the intelligence agencies, law enforcement organisations and local authorities). Any sharing of information will normally be limited to the discussion of the contents of an application for use of investigatory powers and normally discussion will be limited to the public authority which originally shared your data with us.

Depending on the reasons why OCDA is processing your information it may be shared with some other organisations, such as to fulfil legal obligations.

OCDA uses IT infrastructure provided by a number of other public authorities who act as its data processors.

International data transfers

Your personal data may be stored securely on OCDA’s IT infrastructure and shared with our data processors. OCDA will not transfer your data outside the UK.

How we protect your personal information

We have a duty to safeguard and ensure the security of your personal information. We do that by having systems and policies in place to limit access to your information and prevent unauthorised disclosure. Staff who access personal information must have appropriate security clearance and a business need for accessing the information, and their activity is subject to audit and review.

How to ask for your personal information

If OCDA holds any personal information about you, you have the right to ask for a copy of it through a subject access request (SAR). However, in certain circumstances we do not have to give you the information you have asked for.

The IPC’s primary function is to oversee the compliance of public authorities (including the intelligence services and law enforcement agencies) with legislation governing the exercise of covert investigatory powers. The vast majority of investigatory powers are exercised on either national security grounds, or for the prevention and detection of crime. This includes the authorisation of communications data by OCDA.

Consistent with guidance from the Information Commissioner’s Office, it is OCDA’s policy to neither confirm nor deny whether it holds any personal data as a result of its function to authorise public authorities to obtain communications data. This is because, to confirm any personal data holding, or only to apply an exemption (if applicable) in cases where we hold personal data, would carry a real risk of prejudicing the prevention and detection of crime. It would enable individuals to draw inferences such as whether a public authority which we oversee has any interest in them. If you make a subject access request for any data we hold in relation to the exercise of OCDA’s function to authorise communications data, we will consider whether there are any special circumstances in relation to your request to depart from our policy and we will inform you of our decision.

OCDA only holds personal data as a result of the exercise of its function to authorise communications data for as long as is necessary to perform that function. In most cases, data is only retained for a very short period and so, regardless of OCDA’s policy to neither confirm nor deny, OCDA is unlikely to hold any of your personal data in connection with this function.

OCDA’s ‘neither confirm nor deny’ policy does not apply to data we hold for other functions, such as Human Resourcing records (which are held on behalf of the Home Office) or correspondence with you.

When you write to us to make a subject access request you must provide the following:

  • confirmation of your identity: a copy of your passport, full driving licence or birth certificate (please do not send original documents)

  • confirmation of name and address: a copy of your full driving licence, a copy of a recent utility bill, bank or credit card statement, pension or child benefit book (or similar official document which shows your name and address). If you are writing on behalf of someone else, please include a signed declaration from the person you are acting for indicating that they have asked you to make an application on their behalf

If possible, you should also send:

  • details of all addresses you have used in previous correspondence with OCDA, including email addresses (if applicable) so that we can search our systems and

  • any information that might help us in locating the information in which you are interested (this might include details of any contacts you have had with OCDA at any time, and details of why you think we will hold information about you)

Once we receive all the above information, OCDA has one month within which to respond to your request. This may be extended by up to two months in complex cases.

Other data rights

In addition to requesting a copy of your personal data, you have other rights as a data subject. Your rights and how you may exercise them are fully detailed on the Information Commissioner’s Office website. In relation to your personal data held by OCDA, unless an exemption applies, you have the right to:

  • require us to restrict the processing of your data in certain circumstances

  • request your data be deleted or corrected

  • object to the processing of your data

  • lodge a complaint with the independent Information Commissioner’s Office (ICO) if you think we are not handling your data in accordance with the law. Their contact details are below

The exercise of some of these rights may engage OCDA’s NCND policy for the same reasons as a data subject access request.

Information management strategy

Our information management policies include how we:

  • respond to requests for disclosure of information

  • secure the information we hold

  • ensure that information created, collected and stored is proportionate to the business need, and is retained only for as long as it is needed

Further information

This privacy notice has been created to be understandable and concise. It does not include exhaustive detail about what information we hold, every organisation OCDA shares information with, how the information is collected or how long all information is kept. If you would like more information you should email us at data.protection@OCDA.org.uk.

Or write to us at:

Office for Communication Data Authorisations
C/O Investigatory Powers Commissioner's Office
PO Box 29105
London
SW1V 1ZU

OCDA has a data protection officer who can be contacted by email: data.protection@OCDA.org.uk

Reporting a concern

When we process your information we will comply with the law, including data protection legislation. Should you feel that your data is being processed in breach of data protection law or other legislation, you can report your concern to our Data Protection Officer using the contact details provided above, or contact the Information Commissioner’s Office at:

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 08456 30 60 60 or 01625 54 57 45

Fax: 01625 524510

You can also visit the Information Commissioner’s Office website.

Contents