In view of the message on Requests for data by the Police, I am sending this
previous message to the list again. Has this form been substantially
changed?
Mike Lloyd
ISaCS
University of Glamorgan
> ----------
> From: Yaman Akdeniz
> Reply To: [log in to unmask]
> Sent: Friday, September 18, 1998 4:18 PM
> To: [log in to unmask]
> Subject: Data Protection Act s28(3) form and ACPO and ISPs
>
> Duncan Campbell, the author of the Guardian Online article just
> posted this to another list and I wonder what the members of the list
> think about this?
>
> Yaman
>
>
> The document following is the proposed form which was seen being
> discussed on Channel 4 News on Wednesday and which the police wish to
> standardise for obtaining data from ISPs without a court order or
> warrant. It is different to the forms which they have been using in
> the recent past, in that this form has had significant recent input
> from the Data Protection Registrar's Office. I'm posting it to the
> list for the sake of discussion and comment.
>
> Duncan Campbell
>
> Data Protection Act s28(3) form
>
> Agreed by ACPO and the ISP industry
>
> Introduction
>
> ACPO and the ISP industry have been working together to produce a
> standardised form for requests for data under section 28(3) of the
> Data Protection Act 1984. This note is divided into four parts:
>
> 1. This introduction.
>
> 2. The form itself. This has been cast as an HTML form, which will
> look a little different from the printed form that will also be
> distributed.
>
> 3. The short-form notes to be printed on the back of the form.
>
> 4. The long-form guidance material to be provided to police forces and
> ISPs.
>
> ---------------------------------------------------------------------------
>
> REQUEST FOR DISCLOSURE OF PERSONAL DATA
>
> Under section 28(3) of the Data Protection Act 1984 c.35
>
> To: [note 1] ISP reference: [note 2]
>
> Please provide the data concerning the following subject [note 3]:
>
> Please provide the following information:
>
> Name and address
>
> Account name or number
>
> Other (specify): [note 4]
>
> Offence being investigated:
>
> Reason that the information is necessary [note 5]:
>
> I certify that completing the above section would itself prejudice the
> prevention or detection of crime [note 6].
>
> __ pages of further information [note 7] are attached.
>
> I certify that the data is required for the prevention or detection of
> crime or for the apprehension or prosecution of offenders, and that
> failure to disclose the data would be likely to prejudice these
> matters.
>
> The requested data are required for case reference [note 8] but may be
> used for any other investigation for which the above declaration
> applies.
>
> I understand that if any information on this form is omitted or wrong
> I may be committing an offence under section 5(6) of the Data
> Protection Act.
>
> Signed: Date: Name and number: Rank:
>
> Authorised: Date: Name and number:Rank:
>
> This application must be authorised by a person who is senior to the
> requesting officer, and of a rank no lower than Inspector. See note 9.
>
> ---------------------------------------------------------------------------
>
> NOTES
>
>
> REQUEST FOR DISCLOSURE OF PERSONAL DATA
>
> Under section 28(3) of the Data Protection Act 1984 c.35
>
> Note 1: give the company name here, and any particular contact name on
> the covering letter or fax.
>
> Note 2: this space is reserved for the information provider.
>
> Note 3: give here the identifying information that you have available.
> It will be assumed that you want information on all accounts matching
> that information.
>
> * If specifying an IP address, you must attach an explanation why an
> IP address is being specified.
>
> * If specifying a URL, a printout of the page should be attached to
> the request (if possible) to enable the ISP to confirm the URL is
> correct.
>
> Note 4: state here what specific information is being requested and
> why. Do not ask for "all information known about the account" or
> something similar. If in doubt, discuss the matter with the ISP's
> contact before making the request.
>
> Note 5: give here enough information that the recipient can make a
> decision whether to disclose in accordance with your declaration.
>
> Note 6: if this applies, tick the box to the left and leave the
> previous section blank.
>
> Note 7: tick this if you have attached any information mentioned in
> these notes, or any other material that the ISP may find useful for
> processing the request. Show how many pages have been attached, number
> those pages, and place the case reference (see note 8) on each page.
>
> Note 8: give here a case number, file number, case name, or any other
> reference that identifies the investigation being made. It is not
> necessary to specify the details of the case or any other names.
>
> Note 9: the authorising officer must be senior to the requesting
> officer and of the rank of Inspector or above. You must give full
> details of both officers.
>
> ---------------------------------------------------------------------------
>
> GUIDANCE ON USE OF THE FORM
>
>
> REQUEST FOR DISCLOSURE OF PERSONAL DATA
>
> Under section 28(3) of the Data Protection Act 1984 c.35
>
> This form has been designed by a committee representing both Police
> forces and Internet Service Providers and meeting under the auspices
> of ACPO. This committee aimed to produce a single form that would be
> recognised by all ISPs and contained precisely the information they
> needed. Police forces are therefore requested to use the form exactly
> as provided except of course for replacing the Force name, logo, and
> details with their own and possibly modifying the notes on the back to
> refer to their specific procedures. Use of this form will allow ISPs
> to streamline the handling of requests for personal data.
>
> Section 28(3) of the Data Protection Act gives ISPs the authority to
> release personal data to the police provided that certain criteria are
> met; in addition, the Data Protection Registrar has placed further
> interpretations on the Act. Failure to meet these criteria could mean
> that the ISP, the requesting officer, or both are committing a
> criminal offence. For these reasons the form must be completed
> properly and the wording must not be changed.
>
> Note 1
>
> The form should be addressed to the ISP as a company, and not to a
> specific person or department. The form would normally be sent with a
> covering letter or fax, and that can of course be addressed more
> specifically.
>
> Note 2
>
> This space is reserved for the ISP to use. If you have contacted the
> ISP ahead of time they may provide you with a reference to place
> there. Otherwise leave it blank. If you contact the ISP again about
> this request you should quote that reference.
>
> Note 3
>
> There tend to be two kinds of request:
>
> 1. A "real world" datum - such as a name, address, or telephone number
> - is known and the requesting officer has reason to believe the
> subject has an account with the ISP and wishes to identify that
> account.
>
> + If a name is given, the ISP will search for accounts held in that
> name. Unless the name is an unusual one, other information such as an
> address or telephone number will probably be necessary. Section 28(3)
> may not be used for "trawling" ISP records, and the ISP should refuse
> to give details if more than about four unrelated accounts match the
> data given.
>
> + If an address or telephone number is given, the ISP will search for
> accounts where the customer's records include that address or
> telephone number. Officers should be aware that not all ISPs are able
> to search by address or by telephone number.
>
> 2. A "cyberspace" datum - such as email address, account name, or web
> page URL - is known and the requesting officer is attempting to
> identify the person behind that identifier.
>
> + If an email address is given, the ISP will provide details of the
> account that has that address. In general an email address looks like
> [log in to unmask] and will always include an @ sign. An email address will
> sometimes have the format Fred Bloggs <[log in to unmask]> where there is a
> "comment" associated with the address. This comment is created by the
> person sending the email and so need bear no resemblance to the actual
> account holder's name. Therefore the complete email address should
> always be quoted. It is easy to forge email addresses in many
> contexts, and therefore the complete message or posting that is being
> used as a source of information - including any header lines - should
> be attached to the request.
>
> + If an IP address is given, an explanation of why this is provided
> must be attached. If the date and time that the address was used is known,
> this should be included as well. Some ISPs allocate IP addresses from
> a central pool, and so the address alone does not identify an account
> because it would have been used by many different accounts.
>
> + If a web URL is provided the ISP will provide details of the account
> operating the relevant web site or part of the site. A URL is the
> "address" of a web page, and typically looks like
> http://www.xxx.com/abc/def.html - it will be displayed by a web
> browser when viewing the page. Whenever possible a printout of the
> page should be included with the form to allow the ISP to confirm that
> the correct page is being viewed.
>
> Some web sites use a technique called "frames", where two or more
> pages are displayed on the screen at the same time. When this happens
> the URL displayed by the browser will be that of one of the pages and
> does not identify the other pages (which could be part of a different
> site). In this case the actions taken to reach the page should be
> described and a printout must be attached, annotated to indicate which
> specific page is of interest.
>
> Note 4
>
> If other information is required, it should be specified here and an
> explanation of why it is needed should be attached to the form. It is
> not acceptable to request "all information known about the account".
> Not all ISPs may be able to provide certain kinds of information
> conveniently or even at all, and some data may only be held for a
> certain length of time. If in doubt, the specifics of the situation
> should be discussed informally with the ISP before making the request;
> it may be possible to identify some item of data that meets the Police
> requirement while being convenient for the ISP to provide.
>
> Note 5
>
> Give here enough information that the recipient can make a decision
> whether to disclose in accordance with your declaration. This
> information must relate to the specific case that is being
> investigated, and a clear explanation must be given as to why you need
> this information and why you will be hindered if it is not provided.
>
> Note 6
>
> There are some rare situations where such an explanation would itself
> prejudice the case (for example, where you have evidence pointing at
> an unknown member of the ISP's staff) and in these cases you can tick
> this and leave the previous section blank.
>
> Note 7
>
> The requesting officer should attach any relevant items mentioned in
> this guidance, and any other material that the ISP might find useful
> for processing the request. The attachments should be numbered and
> carry the case reference given on the form (see note 8). The ISP can
> only make use of material attached in this way when determining
> whether or not to respond to the request.
>
> If any information is attached, the box on the form must be ticked and
> the number of pages given.
>
> Note 8
>
> The requesting officer should specify the case number, file number,
> case name, or any other reference that identifies the investigation
> being made. It is possible that the ISP will need to contact the Force
> making the request months or even years later, and it is essential
> that the specific case can be identified without needing to contact
> the original requesting officer. Individual Police forces will have
> their own policies for this identifier, and it need not be meaningful
> to the ISP (except that it should be clear when several requests
> relate to the same investigation).
>
> The Data Protection Act only allows release of information where both
> the information is required for one of the purposes listed and failure
> to disclose the data would be likely to prejudice the matter. This
> form must not be used where the only purpose is to confirm known
> facts, for general intelligence, or for administrative reasons.
>
> Note 9
>
> The ISP is only permitted to reveal personal data if they are
> reasonably convinced that the two conditions mentioned above are true,
> and the Data Protection Registrar has issued guidance concerning
> statements from Police officers. To protect both the ISPs and the
> requesting officer from inadvertently breaching the Act, it has been
> agreed that the ISP will refuse this request if
>
> o the form has not been signed by both requesting officer and
> authorising officer and their full details given, or
>
> o the authorising officer is not of a rank senior to that of the
> requesting officer, or
>
> o the authorising officer is below the rank of Inspector.
>
> The requesting and authorising officers should be aware that they are
> each making a statement that the two conditions are true, and that
> obtaining personal data under false pretences may be a criminal
> offence.
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Yaman Akdeniz <[log in to unmask]>
> Cyber-Rights & Cyber-Liberties (UK) at: http://www.cyber-rights.org
>
> Read the new CR&CL (UK) Report, Who Watches the Watchmen, Part:II
> Accountability & Effective Self-Regulation in the Information Age,
> August 1998 at http://www.cyber-rights.org/watchmen-ii.htm
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>