HMRC internal manual

Enquiry Manual

Working the Enquiry: Regulation of Investigatory Powers Act 2000 (RIPA) - Powers, Safeguards and Procedures

What is the purpose of RIPA?

The Human Rights Act (HRA) 1998 enshrined the European Convention on Human Rights into UK Law. Article 8 protects a person’s right to respect for private and family life, their homes and correspondence.

The Regulation of Investigatory Powers Act (RIPA) 2000 provides a statutory framework that allows law enforcement agencies and other public bodies including HMRC to act lawfully when carrying out surveillance without disproportionately infringing a person’s rights.

The two parts of RIPA that you must consider during a compliance check are

  • Part I Chapter II of RIPA - this governs the acquisition of communications data from Communications Service Providers (CSPs), that is, telecommunications and postal companies, internet service providers and the internet in general.
  • Part II of RIPA - this governs the use of covert surveillance and covert human intelligence sources (CHIS).

What is communications data?

Communications data is defined under three headings in RIPA 2000/S21 as

  • any data created by a Communications Service Provider (CSP), or which can be caused to be created by a CSP, concerning the delivery of a communication from sender to intended recipient, including data associated with intermediate points. In the Act this is defined in S21(4)(a) and is referred to as ‘traffic data’
  • any data created by a person’s use of a communications network, which is defined in S21(4)(b) of the Act and is referred to as ‘service data’
  • any data held by a CSP in relation to any person they provide a communications service to. In the Act this is defined in S21(4)(c) and is referred to as ‘any other data’.

What is surveillance and directed surveillance?

Surveillance is defined in RIPA section 48 and includes

  • monitoring, observing or listening to persons, their movements, their conversations or their other activities or communications
  • recording anything monitored, observed or listened to in the course of surveillance
  • surveillance by or with the assistance of a surveillance device, and
  • the use of human intelligence sources (CHIS).

RIPA 2000/S26(2) states that surveillance is directed if it is covert, but not intrusive, and is undertaken

  • for the purposes of a specific investigation or a specific operation
  • in such a manner as is likely to result in the obtaining of private information about a person (whether or not one specifically identified for the purposes of the investigation or operation), and
  • otherwise than by way of an immediate response to events or circumstances the nature of which is such that it would not be reasonably practicable for an authorisation to be sought for the carrying out of the surveillance.

What action must I take when RIPA might apply to my compliance check?

RIPA regulates the way you can use surveillance and communications data, safeguarding the public from unnecessary intrusions into their private lives, through strict regulatory and authorisation processes and procedures.

For specific guidance on the use of the Internet and Social Media, see CH201620 to CH201740.

In all other cases where there is any uncertainty about whether you need to seek authorisation under RIPA, you must follow the guidance in the FIS Handbook.